usr.bin.firefox apparmor profile blocks access to mounttracker

Bug #1553712 reported by Jean-Philippe Guérard
This bug affects 3 people

Affects: firefox (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

When I launch Firefox with apparmor enabled, I get the following errors:

Mar 6 13:21:19 tigreraye dbus[2570]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" name=":1.46" pid=6604 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2781 peer_label="unconfined"
Mar 6 17:31:04 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="IsSupported" mask="send" name=":1.71" pid=4480 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4327 peer_label="unconfined"
Mar 6 17:31:04 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMounts" mask="send" name=":1.43" pid=4480 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4206 peer_label="unconfined"
Mar 6 17:31:04 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="LookupMount" mask="send" name=":1.43" pid=4480 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4206 peer_label="unconfined"
Mar 6 18:47:12 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="List" mask="send" name=":1.76" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4333 peer_label="unconfined"
Mar 6 19:31:11 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="DriveChanged" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
Mar 6 19:32:10 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="VolumeAdded" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
Mar 6 19:43:24 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="MountPreUnmount" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
Mar 6 19:43:24 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="VolumeChanged" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
Mar 6 19:43:24 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="MountChanged" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
Mar 6 19:43:24 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="MountRemoved" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
Mar 6 19:43:25 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="VolumeRemoved" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
Mar 6 19:43:28 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="DriveDisconnected" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
Mar 6 19:43:35 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="DriveConnected" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
Mar 6 19:53:42 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="MountAdded" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
Mar 6 20:57:28 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="Mounted" name=":1.43" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4206 peer_label="unconfined"

Adding the following lines to the apparmor profile fixes the issue:

dbus send bus=session path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo",
dbus send bus=session path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMounts",
dbus send bus=session path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="LookupMount",
dbus receive bus=session path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="Mounted",

dbus send bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="IsSupported",
dbus send bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="List",
dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="DriveChanged",
dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="DriveDisconnected",
dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="DriveConnected",
dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="VolumeAdded",
dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="VolumeRemoved",
dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="VolumeChanged",
dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="MountPreUnmount",
dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="MountChanged",
dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="MountRemoved",
dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="MountAdded",
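
The step from the denial log to the rule list above can be scripted. This is an added example, not part of the original report or of the Ubuntu Firefox profile: it parses D-Bus denial lines, refuses values that contain AppArmor glob characters, and emits one rule per denied member. The function names, the restriction to the session and system buses, and the last three sample lines are assumptions made for illustration.

```python
import re

# Constructed sample: lines 1-3 are denials taken from the report, line 4
# repeats line 1, line 5 is a file denial, line 6 has a glob in member=.
SAMPLE_LOG = '''\
Mar 6 13:21:19 tigreraye dbus[2570]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" name=":1.46" pid=6604 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2781 peer_label="unconfined"
Mar 6 17:31:04 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="IsSupported" mask="send" name=":1.71" pid=4480 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4327 peer_label="unconfined"
Mar 6 20:57:28 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="Mounted" name=":1.43" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4206 peer_label="unconfined"
Mar 6 13:25:00 tigreraye dbus[2570]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" name=":1.46" pid=6604 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2781 peer_label="unconfined"
Mar 6 13:25:01 tigreraye kernel: apparmor="DENIED" operation="open" name="/constructed/example" requested_mask="r" denied_mask="r"
Mar 6 13:25:02 tigreraye dbus[2570]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="*" mask="receive"
'''
KV = re.compile(r'(\w+)="([^"]*)"')
# Log values are pasted into policy, so accept only plain D-Bus names: no
# AppArmor glob characters (* ? { [) that would silently widen a rule.
SAFE = {
    "bus": re.compile(r"(session|system)"),
    "mask": re.compile(r"(send|receive)"),
    "path": re.compile(r"(/[A-Za-z0-9_]+)+"),
    "interface": re.compile(r"[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)+"),
    "member": re.compile(r"[A-Za-z0-9_]+"),
}

def parse_denial(line):
    """Return the validated fields of one D-Bus denial line, or None."""
    fields = dict(KV.findall(line))
    if fields.get("apparmor") != "DENIED" or not fields.get("operation", "").startswith("dbus_"):
        return None
    for key, pattern in SAFE.items():
        if not pattern.fullmatch(fields.get(key, "")):
            return None
    return fields

def rules_from_log(text):
    """Return de-duplicated, sorted AppArmor dbus rules, one per member."""
    seen = set()
    for line in text.splitlines():
        f = parse_denial(line)
        if f:
            seen.add((f["path"], f["mask"], f["member"], f["bus"], f["interface"]))
    return [
        f'dbus {mask} bus={bus} path="{path}" interface="{iface}" member="{member}",'
        for path, mask, member, bus, iface in sorted(seen)
    ]

if __name__ == "__main__":
    print("\n".join(rules_from_log(SAMPLE_LOG)))
```

Each generated rule names a single member, so the output documents exactly which calls and signals the profile would open up and can be reviewed line by line before anything is added to the profile.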

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in firefox (Ubuntu):
status: New → Confirmed
Thomas Mayer (thomas303) wrote :

A patch which might fix this issue, too, is available at 1659988.

https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1659988

Everyone affected, please give it a try and report back.

Thomas Mayer (thomas303) wrote :

Also caught a "receive", which is part of VERSION 6 of the patch.

Jan 30 12:45:21 lat61 dbus[3005]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="Mounted" name=":1.8" mask="receive" pid=836 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=3101 peer_label="unconfined"

Simon Déziel (sdeziel) wrote :

@Jean-Philippe, most if not all the rules are covered in the proposed rule addition in LP: #1533232
@Thomas, I just added the dbus session receive Mounted member to the same LP, thanks.

Marking as duplicate now.

Daniel Richard G. (skunk) wrote :

Has anyone observed any undesirable behavior from Firefox when access to these mount-related DBus services is denied?

It's not clear to me why Firefox is even calling these in the first place, and given that mounts can include NFS servers and the like, I'd just as soon deny this access if there's no good reason for it.
