Apparmor prevents the crash reporter from working

Bug #1322738 reported by Simon Déziel on 2014-05-23
This bug affects 2 people
Affects Status Importance Assigned to Milestone
firefox (Ubuntu)

Bug Description

Recently Firefox crashed on me twice. Looking at "about:crashes" showed nothing but very old crash reports.
Looking at the audit.log I found that Apparmor is not allowing the crash report to use ptrace:

type=AVC msg=audit(1400782417.435:3304): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=20821 comm="firefox" requested_mask="read" denied_mask="read" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
type=SYSCALL msg=audit(1400782417.435:3304): arch=c000003e syscall=0 success=no exit=-13 a0=60 a1=7f17b2501c48 a2=10 a3=22 items=0 ppid=5690 pid=20821 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="firefox" exe="/usr/lib/firefox/firefox" key=(null)
type=AVC msg=audit(1400874279.170:5966): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=29895 comm="firefox" requested_mask="read" denied_mask="read" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
type=SYSCALL msg=audit(1400874279.170:5966): arch=c000003e syscall=0 success=no exit=-13 a0=33 a1=7fdaad5b6c48 a2=10 a3=22 items=0 ppid=29515 pid=29895 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="firefox" exe="/usr/lib/firefox/firefox" key=(null)

Those messages are not in the usual format as I run auditd but the actual content should be the same.

More information:

$ lsb_release -rd
Description: Ubuntu 14.04 LTS
Release: 14.04

$ apt-cache policy firefox apparmor linux-image-$(uname -r)
firefox:
  Installed: 29.0+build1-0ubuntu0.14.04.2
  Candidate: 29.0+build1-0ubuntu0.14.04.2
  Version table:
 *** 29.0+build1-0ubuntu0.14.04.2 0
        500 trusty-updates/main amd64 Packages
        500 trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     28.0+build2-0ubuntu2 0
        500 trusty/main amd64 Packages
apparmor:
  Installed: 2.8.95~2430-0ubuntu5
  Candidate: 2.8.95~2430-0ubuntu5
  Version table:
 *** 2.8.95~2430-0ubuntu5 0
        500 trusty/main amd64 Packages
        100 /var/lib/dpkg/status
linux-image-3.13.0-27-generic:
  Installed: 3.13.0-27.50
  Candidate: 3.13.0-27.50
  Version table:
 *** 3.13.0-27.50 0
        500 trusty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: firefox 29.0+build1-0ubuntu0.14.04.2
ProcVersionSignature: Ubuntu 3.13.0-27.50-generic 3.13.11
Uname: Linux 3.13.0-27-generic x86_64
AddonCompatCheckDisabled: False
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
 /dev/snd/controlC0: simon 4895 F.... pulseaudio
 /dev/snd/pcmC0D0p: simon 4895 F...m pulseaudio
BuildID: 20140428193813
Channel: Unavailable
CurrentDesktop: Unity
CurrentDmesg: dmesg: klogctl failed: Operation not permitted
Date: Fri May 23 15:50:44 2014
 Français Language Pack - <email address hidden>
 Default - {972ce4c6-7e08-4474-a285-3208198ce6fd}
 Google Talk Plugin - /opt/google/talkplugin/ (google-talkplugin)
 Google Talk Plugin Video Renderer - /opt/google/talkplugin/ (google-talkplugin)
 TLSAValidatorPlugin_x86_64 - [Profile]/<email address hidden>/plugins/
 DNSSECValidatorPlugin_x86_64 - [Profile]/<email address hidden>/plugins/
 Shockwave Flash - /usr/lib/adobe-flashplugin/ (adobe-flashplugin)
 [Profile]/<email address hidden>/defaults/preferences/preferences.js
 [Profile]/<email address hidden>/defaults/preferences/dnssec.js
ForcedLayersAccel: False
InstallationDate: Installed on 2014-01-26 (116 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140124)
Profile1IncompatibleExtensions: Default - {972ce4c6-7e08-4474-a285-3208198ce6fd}
 Google Talk Plugin - /opt/google/talkplugin/ (google-talkplugin)
 Google Talk Plugin Video Renderer - /opt/google/talkplugin/ (google-talkplugin)
 Shockwave Flash - /usr/lib/adobe-flashplugin/ (adobe-flashplugin)
 [Profile]/<email address hidden>/defaults/preferences/preferences.js
Profile2IncompatibleExtensions: Default - {972ce4c6-7e08-4474-a285-3208198ce6fd}
 TLSAValidatorPlugin_x86_64 - [Profile]/<email address hidden>/plugins/
 DNSSECValidatorPlugin_x86_64 - [Profile]/<email address hidden>/plugins/
 Shockwave Flash - /usr/lib/flashplugin-installer/
 Google Talk Plugin - /opt/google/talkplugin/ (google-talkplugin)
 Google Talk Plugin Video Renderer - /opt/google/talkplugin/ (google-talkplugin)
 [Profile]/<email address hidden>/defaults/preferences/dnssec.js
 Profile0 (Default) - LastVersion=29.0/20140428193813 (In use)
 Profile1 - LastVersion=29.0/20140428193813
 Profile2 - LastVersion=28.0/20140410211200 (Out of date)
 0: phy0: Wireless LAN
  Soft blocked: no
  Hard blocked: no
RunningIncompatibleAddons: True
SourcePackage: firefox
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 02/14/2013
dmi.bios.vendor: LENOVO
dmi.bios.version: 6IET85WW (1.45 ) 2516CTO
dmi.board.vendor: LENOVO
dmi.board.version: Not Available
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Not Available
dmi.modalias: dmi:bvnLENOVO:bvr6IET85WW(1.45):bd02/14/2013:svnLENOVO:pn2516CTO:pvrThinkPadT410:rvnLENOVO:rn2516CTO:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
dmi.product.name: 2516CTO
dmi.product.version: ThinkPad T410
dmi.sys.vendor: LENOVO

Simon Déziel (sdeziel) wrote :
Quinn Balazs (qbalazs) on 2014-05-24
Changed in firefox (Ubuntu):
status: New → Confirmed
Quinn Balazs (qbalazs) wrote :

The ability to support ptrace rules was recently added to apparmor. It looks like we're trying to enforce ptrace rules that either aren't there, or that are improperly configured. The current behaviour of denying ptrace read masks leaves Firefox incapable of producing a crash dump, which leads to no crash reports being generated or submitted, which is a bit of a nuisance.

Quinn Balazs (qbalazs) wrote :

A quick and dirty way to fix it is to just add something along the lines of

#New ptrace rules require something like this
ptrace (read),

to our profile for firefox (/etc/apparmor.d/usr.bin.firefox) and then reload the profile (sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox)

Here's the full text of my firefox profile

# vim:syntax=apparmor
# Author: Jamie Strandboge <email address hidden>

# Declare an apparmor variable to help with overrides

#include <tunables/global>

# We want to confine the binaries that match the glob below:
# /usr/lib/firefox/firefox itself, plus any longer /usr/lib/firefox/firefox*
# name whose last two characters are not "s" followed by "h"
# (so names ending in "sh", such as a shell-script wrapper, are not confined):
/usr/lib/firefox/firefox{,*[^s][^h]} {
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  # TODO: finetune this for required accesses
  #include <abstractions/dbus>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/dbus-session>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/p11-kit>

  # Addons
  #include <abstractions/ubuntu-browsers.d/firefox>

  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,

  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
  /usr/share/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  owner /tmp/** m,
  owner /var/tmp/** m,
  /tmp/.X[0-9]*-lock r,
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # firefox specific
  /etc/firefox*/ r,
  /etc/firefox*/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,

  # noisy
  deny @{MOZ_LIBDIR}/** w,
  deny /usr/lib/firefox-addons/** w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,

  # TODO: investigate
  deny /usr/bin/gconftool-2 x,

  #Ptrace seems to need something like this
  ptrace (read),

  # These are needed when a new user starts firefox and is used
  @{MOZ_LIBDIR}/** ixr,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/pwd ixr,
  /sbin/killall5 ixr,
  /bin/which ixr,
  /usr/bin/tr ixr,
  @{PROC}/ r,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,
  /sys/devices/pci[0-9]*/**/uevent r,
  owner @{HOME}/.thumbnails/*/*.png r,

  /etc/mtab r,
  /etc/fstab r,

  # Needed for the crash report...


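The comment above explains that the denials come from AppArmor's new ptrace mediation, and the quick fix proposed is a bare `ptrace (read),` rule, which lets Firefox ptrace-read any peer AppArmor would otherwise allow. The AVC records in the description show something narrower: the peer being read is a process under the very same `/usr/lib/firefox/firefox{,*[^s][^h]}` profile, which is what a crash reporter dumping its own parent needs. The script below is an added example, not code from this bug report or from the Ubuntu firefox package. It parses auditd `type=AVC` lines (the two from the report are embedded as constructed sample input; `type=SYSCALL` lines are ignored because they carry no `apparmor=` fields), merges the denied permissions per (profile, peer) pair, and emits the narrowest rule that would satisfy them. When the peer equals the confined profile it substitutes AppArmor's `@{profile_name}` variable rather than repeating a profile name full of glob characters; whether the installed apparmor_parser (2.8.95 here) accepts `@{profile_name}` in a `peer=` expression is an assumption to confirm on your own system.

```python
#!/usr/bin/env python3
"""Derive minimal peer-restricted AppArmor ptrace rules from auditd AVC records.

Added example for this bug report; not from the report itself or from the
Ubuntu firefox AppArmor profile.
"""
import re
import sys
from collections import OrderedDict

# Constructed sample: the two AppArmor ptrace denials quoted in the bug
# description, in auditd form. Only type=AVC records carry apparmor= fields;
# one type=SYSCALL record is kept to show that the parser skips it.
SAMPLE_AUDIT_LOG = r'''
type=AVC msg=audit(1400782417.435:3304): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=20821 comm="firefox" requested_mask="read" denied_mask="read" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
type=SYSCALL msg=audit(1400782417.435:3304): arch=c000003e syscall=0 success=no exit=-13 a0=60 a1=7f17b2501c48 a2=10 a3=22 items=0 ppid=5690 pid=20821 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="firefox" exe="/usr/lib/firefox/firefox" key=(null)
type=AVC msg=audit(1400874279.170:5966): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=29895 comm="firefox" requested_mask="read" denied_mask="read" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
'''

# key=value tokens: the value is either double-quoted (profile and peer names
# contain spaces-free glob characters but may in general contain spaces) or a
# bare run of non-whitespace such as pid=20821.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_apparmor_records(text):
    """Return one dict per audit line that carries apparmor= fields."""
    records = []
    for line in text.splitlines():
        if 'apparmor=' not in line:
            continue
        records.append({k: v.strip('"') for k, v in _KV_RE.findall(line)})
    return records


def ptrace_rules(records):
    """Map each DENIED (profile, peer) ptrace pair to the narrowest rule text.

    Permissions from repeated denials of the same pair are merged into one
    rule. When the peer is the confined profile itself, the rule uses
    @{profile_name} (AppArmor's variable holding the current profile's name;
    assumed supported by the parser in use) instead of repeating the name.
    """
    wanted = OrderedDict()
    for rec in records:
        if rec.get('apparmor') != 'DENIED' or rec.get('operation') != 'ptrace':
            continue
        masks = rec.get('denied_mask') or rec.get('requested_mask') or ''
        key = (rec.get('profile', ''), rec.get('peer', ''))
        wanted.setdefault(key, set()).update(masks.split())
    rules = []
    for (profile, peer), perms in wanted.items():
        if not perms:
            continue
        peer_expr = '@{profile_name}' if peer == profile else '"%s"' % peer
        rule = 'ptrace (%s) peer=%s,' % (' '.join(sorted(perms)), peer_expr)
        rules.append((profile, rule))
    return rules


def main(argv):
    # With a path argument, read a real audit.log; otherwise use the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_AUDIT_LOG
    for profile, rule in ptrace_rules(parse_apparmor_records(text)):
        print('# profile %s needs:' % profile)
        print('  %s' % rule)


if __name__ == '__main__':
    main(sys.argv)
```

For the sample above this prints `ptrace (read) peer=@{profile_name},` under the firefox profile. Run it against the real log with `sudo python3 audit_ptrace.py /var/log/audit/audit.log`, paste the emitted line inside the `/usr/lib/firefox/firefox{,*[^s][^h]} {` block of `/etc/apparmor.d/usr.bin.firefox`, reload with `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox`, and then check that no new `operation="ptrace"` denials for that profile appear after the next crash. If a later denial shows a different peer, rerun the script rather than widening the rule by hand: the point of the peer restriction is that the crash reporter only ever needs to read its own Firefox processes.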
Quinn Balazs (qbalazs) wrote :

I guess technically we wouldn't want to make a new section for the ptrace requirements, they would belong under the "Needed for the crash reporter" subheading.

Quinn Balazs (qbalazs) on 2014-05-25
Changed in firefox (Ubuntu):
assignee: nobody → Quinn Balazs (qbalazs)
status: Confirmed → In Progress
Quinn Balazs (qbalazs) wrote :

The attachment "usr.bin.firefox.apparmor.12.04.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Simon Déziel (sdeziel) wrote :

Quinn, I appreciate the time you spent to create patches for Precise and Saucy but unfortunately, those releases ship an AppArmor version that does not support ptrace rules. Support for those only made it into Trusty.

Paul White (paulw2u) wrote :

We are sorry that we do not always have the capacity to review all reported bugs in a timely manner.

Do you still see a problem related to the one that you reported in a currently supported version of Ubuntu? Please let us know if you do and in which version of Ubuntu otherwise this report can be left to expire in approximately 60 days time.

Thank you for helping make Ubuntu better.

Paul White
[Ubuntu Bug Squad]

Changed in firefox (Ubuntu):
assignee: Quinn Balazs (qbalazs) → nobody
status: In Progress → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for firefox (Ubuntu) because there has been no activity for 60 days.]

Changed in firefox (Ubuntu):
status: Incomplete → Expired