firefox apparmor updates for trusty

Bug #1288260 reported by James Troup on 2014-03-05
This bug affects 1 person
Affects: firefox (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Attached is a patch to fix the apparmor syslog noise I see after
upgrading to trusty. It follows the chromium apparmor profile in
terms of what to allow and deny.

--- ./usr.bin.firefox 2014-03-05 13:52:13.470886569 +0000
+++ /etc/apparmor.d/usr.bin.firefox 2014-03-05 13:56:42.640802391 +0000
@@ -38,7 +38,9 @@
   /etc/ r,
   /etc/mime.types r,
   /etc/mailcap r,
+ /etc/udev/udev.conf r,
   /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
+ /sys/devices/pci[0-9]*/**/uevent r,
   /usr/share/xubuntu/applications/defaults.list r,
   owner @{HOME}/.local/share/applications/defaults.list r,
   owner @{HOME}/.local/share/applications/mimeapps.list r,
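
Review bot: the added `/sys/devices/pci[0-9]*/**/uevent r,` rule has no comment saying what reads it, and both new rules are dropped into the middle of the `defaults.list` entries instead of being grouped. Because `**` matches across directory levels, the rule grants read on the uevent file of every device below any PCI root, not a specific device class. Suggest placing the two udev-related rules together under a short comment naming the consumer, and narrowing the path if the logged denials only show specific device paths.
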
@@ -73,6 +75,9 @@
   # TODO: investigate
   deny /usr/bin/gconftool-2 x,

+ # This is requested, but doesn't seem to actually be needed so deny for now
+ deny /run/udev/data/** r,
+
   # These are needed when a new user starts firefox and firefox.sh is used
   @{MOZ_LIBDIR}/** ixr,
   /usr/bin/basename ixr,
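
Review bot: the new `deny /run/udev/data/** r,` rests on "doesn't seem to actually be needed", with no record of what was exercised to reach that conclusion. An explicit deny takes precedence over any allow rule and is not logged by default, so if a later release does need this path the failure will be silent and cannot be corrected by adding an allow rule elsewhere. Suggest the comment state which Firefox version and features were tested, and carry a TODO like the `gconftool-2` rule above so the deny gets revisited.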

James Troup (elmo) wrote :
Changed in firefox (Ubuntu):
status: New → Fix Committed

The attachment "Firefox apparmor profile updates for Trusty" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
tags: added: trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 28.0+build1-0ubuntu1

---------------
firefox (28.0+build1-0ubuntu1) trusty; urgency=medium

  * New upstream stable release (FIREFOX_28_0_BUILD1)

  [ Jamie Strandboge <email address hidden> ]
  * usr.bin.firefox.apparmor*: updates for new firefox releases (LP: #1288260)
    - allow read of /sys/devices/pci[0-9]*/**/uevent
    - allow read of /etc/udev/udev.conf
    - explicitly deny /run/udev/data/**, like we do with evince

  [ Chris Coulson <email address hidden> ]
  * Make geolocation work
  * Backport changeset from mozilla-central for aarch64 support
    - add debian/patches/aarch64-support.patch
    - update debian/patches/series
  * Use --enable-system-libffi on arm64, as the bundled libffi doesn't
    support this yet
  * Switch to the release channel
 -- Chris Coulson <email address hidden> Wed, 05 Mar 2014 08:11:10 -0600

Changed in firefox (Ubuntu):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

This actually was not fixed in the latest upload to trusty.

Changed in firefox (Ubuntu):
status: Fix Released → In Progress
Jamie Strandboge (jdstrand) wrote :

Sorry, to be clear, the fix was only partially applied to the beta branch. The udev rules are present, but the uevent rule is missing.

Jamie Strandboge (jdstrand) wrote :

This will be fixed in the next upload.

Changed in firefox (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 29.0+build1-0ubuntu0.13.10.3

---------------
firefox (29.0+build1-0ubuntu0.13.10.3) saucy-security; urgency=medium

  * New upstream stable release (FIREFOX_29_0_BUILD1)
    - see LP: #1313464 for USN information

  [ Jamie Strandboge <email address hidden> ]
  * usr.bin.firefox.apparmor*: updates for new firefox releases (LP: #1288260)
    - allow read of /sys/devices/pci[0-9]*/**/uevent
    - allow read of /etc/udev/udev.conf
    - explicitly deny /run/udev/data/**, like we do with evince

  [ Chris Coulson <email address hidden> ]
  * Add Malay language pack
  * Backport changeset from mozilla-central for aarch64 support
    - add debian/patches/aarch64-support.patch
    - update debian/patches/series
  * Use --enable-system-libffi on arm64, as the bundled libffi doesn't
    support this yet
  * Refresh patches
    - update debian/patches/unity-menubar.patch
    - update debian/patches/no_neon_on_arm.patch
  * Backport changeset from aurora to fix armhf build
    - add debian/patches/fix-armhf-build.patch
    - update debian/patches/series
 -- Chris Coulson <email address hidden> Mon, 28 Apr 2014 00:44:59 +0100

Changed in firefox (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 29.0+build1-0ubuntu0.12.04.2

---------------
firefox (29.0+build1-0ubuntu0.12.04.2) precise-security; urgency=medium

  * New upstream stable release (FIREFOX_29_0_BUILD1)
    - see LP: #1313464 for USN information

  [ Jamie Strandboge <email address hidden> ]
  * usr.bin.firefox.apparmor*: updates for new firefox releases (LP: #1288260)
    - allow read of /sys/devices/pci[0-9]*/**/uevent
    - allow read of /etc/udev/udev.conf
    - explicitly deny /run/udev/data/**, like we do with evince

  [ Chris Coulson <email address hidden> ]
  * Add Malay language pack
  * Backport changeset from mozilla-central for aarch64 support
    - add debian/patches/aarch64-support.patch
    - update debian/patches/series
  * Use --enable-system-libffi on arm64, as the bundled libffi doesn't
    support this yet
  * Refresh patches
    - update debian/patches/unity-menubar.patch
    - update debian/patches/no_neon_on_arm.patch
  * Backport changeset from aurora to fix armhf build
    - add debian/patches/fix-armhf-build.patch
    - update debian/patches/series
 -- Chris Coulson <email address hidden> Mon, 28 Apr 2014 00:49:13 +0100

Changed in firefox (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 29.0+build1-0ubuntu0.12.10.3

---------------
firefox (29.0+build1-0ubuntu0.12.10.3) quantal-security; urgency=medium

  * New upstream stable release (FIREFOX_29_0_BUILD1)
    - see LP: #1313464 for USN information

  [ Jamie Strandboge <email address hidden> ]
  * usr.bin.firefox.apparmor*: updates for new firefox releases (LP: #1288260)
    - allow read of /sys/devices/pci[0-9]*/**/uevent
    - allow read of /etc/udev/udev.conf
    - explicitly deny /run/udev/data/**, like we do with evince

  [ Chris Coulson <email address hidden> ]
  * Add Malay language pack
  * Backport changeset from mozilla-central for aarch64 support
    - add debian/patches/aarch64-support.patch
    - update debian/patches/series
  * Use --enable-system-libffi on arm64, as the bundled libffi doesn't
    support this yet
  * Refresh patches
    - update debian/patches/unity-menubar.patch
    - update debian/patches/no_neon_on_arm.patch
  * Backport changeset from aurora to fix armhf build
    - add debian/patches/fix-armhf-build.patch
    - update debian/patches/series
 -- Chris Coulson <email address hidden> Mon, 28 Apr 2014 00:48:05 +0100

Changed in firefox (Ubuntu):
status: Fix Committed → Fix Released