Firefox 12's launcher script is not allowed in abstractions/ubuntu-browsers

Bug #989184 reported by Simon Déziel on 2012-04-26
24
This bug affects 3 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Undecided
Unassigned
Lucid
Low
Unassigned
Natty
Low
Micah Gersten
Oneiric
Low
Micah Gersten

Bug Description

WORKAROUND: Change /usr/lib/firefox-*/firefox.sh PUx, in /etc/apparmor.d/abstractions/ubuntu-browsers to /usr/lib/firefox*/firefox.sh PUx,

TEST CASE: Launch Firefox from evince

------------------------------------

Since Firefox was updated to version 12, the launcher script is installed as "/usr/lib/firefox/firefox.sh" instead of the old name that included the version in it : "/usr/lib/firefox-11.0/firefox.sh".

$ lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10

$ apt-cache policy apparmor
apparmor:
  Installed: 2.7.0~beta1+bzr1774-1ubuntu2
  Candidate: 2.7.0~beta1+bzr1774-1ubuntu2
  Version table:
 *** 2.7.0~beta1+bzr1774-1ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status

ProblemType: BugDistroRelease: Ubuntu 11.10
Package: apparmor 2.7.0~beta1+bzr1774-1ubuntu2
ProcVersionSignature: Ubuntu 3.0.0-19.33-generic 3.0.27
Uname: Linux 3.0.0-19-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Thu Apr 26 15:43:20 2012
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111011)
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.0.0-19-generic root=/dev/mapper/crypt-root ro quiet splash vt.handoff=7SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.apparmor.d.abstractions.aspell: [modified]
mtime.conffile..etc.apparmor.d.abstractions.aspell: 2012-01-18T13:58:44.963987

Simon Déziel (sdeziel) wrote :
Micah Gersten (micahg) wrote :

This is fine in precise onwards as that line was change to:
  /usr/lib/firefox*/firefox*.sh Cx -> sanitized_helper,

Changed in apparmor (Ubuntu):
status: New → Invalid
Changed in apparmor (Ubuntu Oneiric):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Low
status: New → Triaged
Micah Gersten (micahg) wrote :

Thank you for reporting this to Ubuntu.
That patch doesn't work as we want to allow stuff like /usr/lib/firefox-trunk and /usr/lib/firefox-aurora. I'll do something similar to what's in precise

Changed in apparmor (Ubuntu Natty):
importance: Undecided → Low
status: New → Triaged
Changed in apparmor (Ubuntu Lucid):
status: New → Triaged
Changed in apparmor (Ubuntu Natty):
assignee: nobody → Micah Gersten (micahg)
Changed in apparmor (Ubuntu Lucid):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Low
Simon Déziel (sdeziel) wrote :

According to http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/precise/apparmor/precise/view/head:/profiles/apparmor.d/abstractions/ubuntu-browsers this is not affecting Precise. It looks like it affects all earlier releases, from Lucid to Oneiric.

Micah Gersten (micahg) on 2012-04-26
description: updated
Simon Déziel (sdeziel) wrote :

Micah, the patch would work since it only adds a rule and leave the firefox-* one. I do agree with you that firefox* is better though. Recent versions are using PUx while Lucid uses the subobtimal Ux. Would you mind to also use PUx on Lucid for people using a custom profile ?

Thanks

Micah Gersten (micahg) wrote :

Simon, yes, sorry, you are correct, I'd prefer to just keep it simple though and remove the dash.

This is what I currently have in lucid:
grep firefox /etc/apparmor.d/abstractions/ubuntu-browsers
  # this should cover all firefox browsers and versions (including shiretoko
  /usr/lib/firefox-*/firefox.sh PUx,
ii apparmor 2.5.1-0ubuntu0.10.04.2 User-space parser utility for AppArmor

tags: added: patch-refused
tags: added: needs-packaging
tags: removed: needs-packaging patch-refused
tags: added: lucid natty regression-update

On 12-04-26 04:29 PM, Micah Gersten wrote:
> This is what I currently have in lucid:
> grep firefox /etc/apparmor.d/abstractions/ubuntu-browsers
> # this should cover all firefox browsers and versions (including shiretoko
> /usr/lib/firefox-*/firefox.sh PUx,
> ii apparmor 2.5.1-0ubuntu0.10.04.2 User-space parser utility for AppArmor

Right, sorry for the confusion. I was looking at
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/lucid/apparmor/lucid/view/head:/profiles/apparmor.d/abstractions/ubuntu-browsers

I just confirmed on a Lucid system that it is effectively using PUx
which is perfect. Thanks again.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.4

---------------
apparmor (2.5.1-0ubuntu0.10.04.4) lucid-security; urgency=low

  * fix LP: #989184 - Firefox 12's launcher script is not allowed in
    abstractions/ubuntu-browsers; This was a regression from the firefox
    path changing to a non-versioned path in the Firefox 12 packaging
    - add debian/patches/0016-lp989184.patch
    - update debian/patches/series
  * fix LP: #990931 - Thunderbird is being blocked by apparmor from Firefox;
    This was a regression from the Thunderbird path changing to a non-versioned
    path in the Thunderbird 12 packaging
    - add debian/patches/0015-lp990931.patch
    - update debian/patches/series
 -- Micah Gersten <email address hidden> Wed, 30 May 2012 14:02:17 -0500

Changed in apparmor (Ubuntu Lucid):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.6.1-0ubuntu3.1

---------------
apparmor (2.6.1-0ubuntu3.1) natty-security; urgency=low

  * fix LP: #989184 - Firefox 12's launcher script is not allowed in
    abstractions/ubuntu-browsers; This was a regression from the firefox
    path changing to a non-versioned path in the Firefox 12 packaging
    - add debian/patches/0016-lp989184.patch
    - update debian/patches/series
  * fix LP: #990931 - Thunderbird is being blocked by apparmor from Firefox;
    This was a regression from the Thunderbird path changing to a non-versioned
    path in the Thunderbird 12 packaging
    - add debian/patches/0015-lp990931.patch
    - update debian/patches/series
 -- Micah Gersten <email address hidden> Tue, 05 Jun 2012 01:54:14 -0500

Changed in apparmor (Ubuntu Natty):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.0~beta1+bzr1774-1ubuntu2.1

---------------
apparmor (2.7.0~beta1+bzr1774-1ubuntu2.1) oneiric-security; urgency=low

  * fix LP: #989184 - Firefox 12's launcher script is not allowed in
    abstractions/ubuntu-browsers; This was a regression from the firefox
    path changing to a non-versioned path in the Firefox 12 packaging
    - add debian/patches/0016-lp989184.patch
    - update debian/patches/series
  * fix LP: #990931 - Thunderbird is being blocked by apparmor from Firefox;
    This was a regression from the Thunderbird path changing to a non-versioned
    path in the Thunderbird 12 packaging
    - add debian/patches/0015-lp990931.patch
    - update debian/patches/series
 -- Micah Gersten <email address hidden> Tue, 05 Jun 2012 02:01:04 -0500

Changed in apparmor (Ubuntu Oneiric):
status: Triaged → Fix Released
Andre Rue (andre-rue) on 2012-06-24
Changed in apparmor (Ubuntu):
assignee: nobody → Andre Rue (andre-rue)
status: Invalid → Incomplete

The attachment "Allow to call /usr/lib/firefox/firefox.sh in abstractions/ubuntu-browsers" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Steve Langasek (vorlon) on 2012-06-25
Changed in apparmor (Ubuntu):
assignee: Andre Rue (andre-rue) → nobody
status: Incomplete → Invalid
Changed in apparmor (Ubuntu):
assignee: nobody → Opoku Mensah Benjamin (kellis-omb2009)
Micah Gersten (micahg) on 2012-07-02
Changed in apparmor (Ubuntu):
assignee: Opoku Mensah Benjamin (kellis-omb2009) → nobody
Robert Brindza (brindza) on 2017-03-06
Changed in apparmor (Ubuntu Lucid):
assignee: Micah Gersten (micahg) → nobody
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers