AppArmor blocks access to files

Forgot to mention that I can successfully write into my /home/vlad/ directory and sub-directories.

Attached is a screen shot of Firefox complaining when saving to /var/www/expo (which is owned by me with drwxr-xr-x). Sorry, it's in Spanish.

Firefox opened up a Evince instance for viewing a PDF document, Evince couldn't save in /var/www/anything either. Seems the permissions problem propagates to applications launched by Firefox.

I saved a copy of the PDF in my Desktop, then later I moved it to /var/www/anything, I opened it up from there with Evince and saved a copy in the same folder without problems. So I think it confirms it's because Firefox launched Evince with it's own restrictions.

Thanks for reporting this bug and any supporting documentation. Since this bug has enough information provided for a developer to begin work, I'm going to mark it as Triaged and let them handle it from here. Thanks for taking the time to make Ubuntu better!

Thank you!.

By the way, I just spot another problem related to this. I can't directly visualize with Firefox any html file in /var/www/*, a blank page displays instead. If I move the html file to another directory (ie. /home/me/) it works fine.

So I think reading permissions are being affected too.

Reducing the importance. The profile is an opt-in profile, is disabled by default and the denied access is non-standard. Users who enable the profile are expected to adjust the profile for non-standard usage.

Vladimir, the profile is designed for the average user and not a web developer working out of /var/www. The proper fix for this needs to be carefully considered, and in the meantime I suggest you add to /etc/apparmor.d/usr.bin.firefox-3.5:
  owner /var/www/** rw,

and perform the following:
$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox-3.5

Please see https://wiki.ubuntu.com/DebuggingApparmor for details. Thanks for the report and please continue to file bugs as you find them.

Thank you for your kind and precise answer.

I think that AppArmor needs some kind of visual indication for when it blocks something, at least I knew it was (or guessed to be) AppArmor because another bug (https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/435285/comments/6).

So I *think* AppArmor it's not being disabled for my Firefox 3.5, and it should be, in base to this comment:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/435285/comments/8

I think I just hit with this:

[Jamie Strandboge]
"While the current profile will likely work well for many people, it could easily break functionality. This would be a massive usability issue, in part because firefox appears 'broken', but also because there aren't GUI tools to easily adjust the profile when something is denied."

-

Maybe it's not really disabled for me?.

Sounds like it was not disabled. It should be disabled on new installs, upgrades from before 3.5.2+nobinonly-0ubuntu3 and (now) upgrades from Ubuntu 9.04. There was a bug for people running firefox-3.5 on Jaunty and upgrading to karmic where the profile was not disabled. This is fixed now. Feel free to adjust the profile for your needs or disable it with:

$ sudo ln -s /etc/apparmor.d/usr.bin.firefox-3.5 /etc/apparmor.d/disable && sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox-3.5

Seems I lose that change because I saw the "disabled firefox-3.5" message from AppArmor at boot before.

Anyway, somehow it got enabled again:

$ dmesg | grep -i firefox
[ 6.587048] type=1505 audit(1254470422.064:10): operation="profile_load" pid=355 name=/usr/lib/firefox-3.5.*/firefox
[ 38.238036] type=1505 audit(1254492053.716:22): operation="profile_replace" pid=900 name=/usr/lib/firefox-3.5.*/firefox

Also it seems to be getting in the way of mplayer plugin:
[ 131.649716] type=1503 audit(1254492146.504:51): operation="open" pid=2367 parent=1 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/mplayerplug-in.conf"

------

For now I'll stay with your solution:
$ sudo ln -s /etc/apparmor.d/usr.bin.firefox-3.5 /etc/apparmor.d/disable && sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox-3.5

Thank you.

[10941.208380] type=1503 audit(1255383107.148:32): operation="open" pid=5902 parent=5889 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name="/home/vlad/.mozilla/firefox/kay77ibl.default/Cache/749E58F1d01"

This is from "http://www.phpbms.org/trial/print.php" it tries to generate a PDF (firefox does not show where to save) so Evince tries to open the file from cache which seems it's not likely happen.

umm it seems AppAmor profile for Evince makes it useless for opening PDF directly from Firefox's cache.

Anyway, nothing that "sudo ln -s /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable && sudo apparmor_parser -R /etc/apparmor.d/usr.bin.evince" can't solve *LOL*

Marking the firefox-3.5 task as 'In Progress' for mplayer. /var/www won't be fixed.

Thank you for taking action in fixing MPlayer & Evince.

By the way, could there be some sort of notification (maybe in the notification applet) that notify the user when AppArmor took an blocking action?.

Like: "For your security AppArmor bloqued the request from %APP% to %FILE%. Click here to report misbehavior if you're sure AppArmor should not be blocking this."

Just a tough :)

You are right this is needed. It won't be implemented for 9.10, but we will discuss this at our next developer summit next month.

This bug was fixed in the package evince - 2.28.0-0ubuntu4

---------------
evince (2.28.0-0ubuntu4) karmic; urgency=low

  * debian/apparmor-profile.abstraction: allow access to mozilla's cache.
    Unfortunately, the method used is not as clean as it should be due to
    LP: #451422. Once that bug is fixed, the added access will be much
    simpler.
    - LP: #439484
    - LP: #449286

 -- Jamie Strandboge <email address hidden> Wed, 14 Oct 2009 13:11:42 -0500

This bug was fixed in the package firefox-3.5 - 3.5.3+build1+nobinonly-0ubuntu4

---------------
firefox-3.5 (3.5.3+build1+nobinonly-0ubuntu4) karmic; urgency=low

  [ Fabien Tassin <email address hidden> ]
  * Bump requirement for system sqlite to >= 3.6.16 (bmo 508104)
    - update debian/rules

  [ Alexander Sack <email address hidden> ]
  * fix LP: #423610 - daily build failures after landing of mozilla-nss.pc droppage
    (bug 422829); we drop our previously used nspr pkgconfig patch and fix
    configure.in to not require in-source nspr if libxul-sdk is used
    - delete debian/patches/nspr_flags_by_pkg_config_hack.patch
    - add debian/patches/bzXXX_libxul_sdk_nspr.patch
    - update debian/patches/series
  * now that we always use libxul-sdk for getting the nspr flags we
    can use --without-system-nspr and --without-system-nss all the time
    - update debian/rules
  * rework localized search engine patch to use ChromeRegistry locale
    information rather than a char pref; also change plugin dir order to allow
    locale specific searchplugins to overlay the ones shipped in
    "searchplugins/common"
    - add debian/patches/bz515232_att399338_distro_locale_searchplugins.patch
    - update debian/patches/series
  * adjust packaging to support localized searchplugins
    + ship default searchplugins in /usr/lib/firefox-addons/searchplugins/en-US/
      and link that directory to $(DEBIAN_FF3_DIR)/distribution/searchplugins instead
      of the main firefox APP_DIR
      - update debian/rules
    + set default searchplugin locale pref to en-US - which is used as a
      fallback if no matching searchplugins/LOCALE directory exists for the
      current locale directory
      - update debian/firefox.js
    + do not install upstream searchplugins through debhelper file and
      install "debsearch" to the new distribution/.../en-US location
      - update debian/firefox-3.0.install
    + ship "common" searchplugins link that points to the old default
      searchplugins location '/usr/lib/firefox-addons/searchplugins/
      - update debian/rules

  [ Jamie Strandboge <email address hidden> ]
  * fix bugs surrounding apparmor profile
    + allow ixr access to gnash (LP: #429061)
    + allow ixr access to pulseaudio (LP: #432702)
    + allow access to plugins directory (LP: #428071)
    + allow access to mounted media (LP: #433362)
    + allow access to abstractions/ubuntu-console-email,
      abstractions/ubuntu-email and abstractions/ubuntu-gnome-terminal
      for mailto:. Add commented section for using xterm and konsole
      - update debian/usr.bin.firefox-3.5
    + allow access to extensions directory (LP: #433128)
    + allow 'k' access to @{HOME}/.mozilla/**/*.sqlite* (LP: #449286)
    + allow Ux access to apport-bug (LP: #449423)
    + allow access to /etc/mplayerplug-in.conf (LP: #439484)

 -- Alexander Sack <email address hidden> Thu, 15 Oct 2009 02:30:48 +0200

Tested and confirmed working for Evince. Thank you :). I hope MPlayer conf fix gets in time :P

Anyway, a new problem with ColorZilla extension:
[ 179.952239] type=1503 audit(1255960998.436:32): operation="file_mmap" pid=3331 parent=1 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="mr::" denied_mask="m::" fsuid=1000 ouid=1000 name="/home/vlad/.mozilla/firefox/kay77ibl.default/extensions/{6AC85730-7D0F-4de0-B3FA-21142DD85326}/platform/Linux/components/ColorZilla.gcc4.so"

[ 180.019101] type=1503 audit(1255960998.502:33): operation="file_mmap" pid=3331 parent=1 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="mr::" denied_mask="m::" fsuid=1000 ouid=1000 name="/home/vlad/.mozilla/firefox/kay77ibl.default/extensions/{6AC85730-7D0F-4de0-B3FA-21142DD85326}/platform/Linux/components/ColorZilla.so"

------------------------------------------------------------
:~$ dpkg -s firefox-3.5
Package: firefox-3.5
Status: install ok installed
Priority: optional
Section: web
Installed-Size: 3624
Maintainer: Ubuntu Mozilla Team <email address hidden>
Architecture: i386
Version: 3.5.3+build1+nobinonly-0ubuntu4
Replaces: firefox-3.0, firefox-3.1
Provides: firefox-3.1, www-browser
Depends: fontconfig, psmisc, debianutils (>= 1.16), xulrunner-1.9.1 (>= 1.9.1), libasound2 (>> 1.0.18), libatk1.0-0 (>= 1.20.0), libc6 (>= 2.4), libcairo2 (>= 1.2.4), libfontconfig1 (>= 2.4.0), libfreetype6 (>= 2.2.1), libgcc1 (>= 1:4.1.1), libglib2.0-0 (>= 2.16.0), libgtk2.0-0 (>= 2.10), libnspr4-0d (>= 4.7.3-0ubuntu1~), libpango1.0-0 (>= 1.14.0), libstdc++6 (>= 4.1.1), firefox-3.5-branding | abrowser-3.5-branding
Recommends: ubufox
Suggests: firefox-3.5-gnome-support (= 3.5.3+build1+nobinonly-0ubuntu4), latex-xft-fonts, libthai0
Conflicts: firefox-3.1 (<< 3.1~b4~hg20090317)
Conffiles:
 /etc/apparmor.d/usr.bin.firefox-3.5 97d80b2693f5e7d9141a4275b91bd883
 /etc/firefox-3.5/profile/bookmarks.html 111416629615cf48b389d1c5d5c11c27
 /etc/firefox-3.5/profile/localstore.rdf ea03cc19c2a3f622fa557cd8ea9da6eb
 /etc/firefox-3.5/profile/prefs.js 99940ecd258d83b3355ab06fca0ffddb
 /etc/firefox-3.5/profile/mimeTypes.rdf 6047f42624d9930caa8d651fa94d28f1
 /etc/firefox-3.5/profile/chrome/userChrome-example.css c63733eef9d337c86e6609bcc478a668
 /etc/firefox-3.5/profile/chrome/userContent-example.css d3765c7d2de5626529195007f4b7144a
 /etc/firefox-3.5/pref/firefox.js 7883cf0689295efef7b5b05472e28461

Vladimir,

This should also be fixed in 3.5.3+build1+nobinonly-0ubuntu4 because it contains the following:
  @{HOME}/.mozilla/**/extensions/** mixr,

Please open a new bug if this is not working for you on an up-to-date 9.10 installation. Thanks

Ok thank you.

/home/vlad/.mozilla/firefox/kay77ibl.default/extensions/

I'm not really into AppArmor, but should "@{HOME}/.mozilla/**/extensions/** mixr" match that?.

I understand it as:
@{HOME}/ = /home/vlad/
.mozilla/ = .mozilla/
firefox = **/
kay77ibl.default/ = ???
extensions/ = extensions/
{6AC85730-7D0F-4de0-B3FA-21142DD85326}/platform/Linux/components/ColorZilla.gcc4.so = **

Anyway, I just would like to know if "**/" is greedy or non-greedy, as it may be the cause of the problem in case of not being greedy, as it would left out the "kay77ibl.default/" segment.

'**' means all files and subdirectories. So:
@{HOME}/ = /home/vlad/
.mozilla/ = .mozilla/
**/ = firefox/kay77ibl.default/
extensions/ = extensions/
** = everything under extensions/