apparmor for firefox blocks access to kde files

Bug #447006 reported by starslights
This bug affects 2 people
Affects                Status         Importance   Assigned to         Milestone
AppArmor               Fix Released   Undecided    Jamie Strandboge
apparmor (Ubuntu)      Fix Released   Undecided    Jamie Strandboge
  Karmic               Fix Released   Undecided    Jamie Strandboge
  Lucid                Fix Released   Undecided    Jamie Strandboge
firefox-3.5 (Ubuntu)   Fix Released   Low          Jamie Strandboge
  Karmic               Won't Fix      Low          Unassigned
  Lucid                Fix Released   Low          Jamie Strandboge

Bug Description

Binary package hint: apparmor

Hello,

Since I have used the AppArmor profile for Firefox 3.5, Java no longer works with applets.

my best

ProblemType: Bug
ApparmorStatusOutput:
 Error: command /usr/sbin/apparmor_status failed with exit code 4: You do not have enough privilege to read the profile set.
 apparmor module is loaded.
Architecture: amd64
Date: Fri Oct 9 09:40:40 2009
DistroRelease: Ubuntu 9.10
NonfreeKernelModules: nvidia
Package: apparmor 2.3.1+1403-0ubuntu25
ProcEnviron:
 LANGUAGE=
 LANG=fr_CH.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-12.41-generic
SourcePackage: apparmor
Uname: Linux 2.6.31-12-generic x86_64
XsessionErrors:
 (npviewer.bin:14888): Gtk-WARNING **: /usr/lib/gtk-2.0/2.10.0/engines/libqtcurve.so: wrong ELF class: ELFCLASS64
 (npviewer.bin:15321): Gtk-WARNING **: /usr/lib/gtk-2.0/2.10.0/engines/libqtcurve.so: wrong ELF class: ELFCLASS64
 (npviewer.bin:15854): Gtk-WARNING **: /usr/lib/gtk-2.0/2.10.0/engines/libqtcurve.so: wrong ELF class: ELFCLASS64
 (npviewer.bin:4363): Gtk-WARNING **: /usr/lib/gtk-2.0/2.10.0/engines/libqtcurve.so: wrong ELF class: ELFCLASS64

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Are you using Kubuntu? How are you starting firefox?

Can you add the following to /etc/apparmor.d/usr.bin.firefox-3.5:
  /etc/kde4rc r,
  /usr/bin/kde4-config Ux,

Then run:
$ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.firefox-3.5

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
Revision history for this message
starslights (starslights) wrote :

Hello Jamie,

I run Kubuntu 9.10 (karmic) beta1 64 bits, x86_64.

I start Firefox from the Internet menu. I have different profiles, one traditional, one with plugins like NoScript, Adblock...

Before I enabled the AppArmor profile for Firefox, Java worked on all profiles.

I have added your 2 commands in the script but there was no change. The Java applets are grey or it crashes Firefox.

I have also tried them in different sections of the script to see, but like I said, it refuses Java for me..

My best, and just ask me if I need to try other things.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Can you please attach the following after trying to use java:
$ grep audit /var/log/kern.log

Revision history for this message
starslights (starslights) wrote :

Hi Jamie,

It seems not to be the whole list since it is too long, but anyway it writes the same non-stop:

="open" pid=3294 parent=2924 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/mplayerplug-in.conf"
Oct 14 15:42:40 UforiK kernel: [16703.359083] type=1503 audit(1255527757.577:50): operation="open" pid=10020 parent=2924 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name=2F6D656469612F467265654167656E742044726976652F2E6469726563746F7279
Oct 14 15:42:40 UforiK kernel: [16705.705334] type=1503 audit(1255527759.927:51): operation="open" pid=3294 parent=2924 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::w" denied_mask="::w" fsuid=1000 ouid=0 name=2F6D656469612F467265654167656E742044726976652F746F7272656E74732F5365637572696E675F5048505F5765625F4170706C69636174696F6E735F7471775F5F6461726B7369646572672E746F7272656E74
Oct 14 15:42:40 UforiK kernel: [16705.840646] type=1503 audit(1255527760.067:52): operation="unlink" pid=3294 parent=2924 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::w" denied_mask="::w" fsuid=1000 ouid=0 name=2F6D656469612F467265654167656E742044726976652F746F7272656E74732F5365637572696E675F5048505F5765625F4170706C69636174696F6E735F7471775F5F6461726B7369646572672E746F7272656E74
Oct 14 15:42:49 UforiK kernel: [16705.840754] type=1503 audit(1255527760.067:53): operation="truncate" pid=3294 parent=2924 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::w" denied_mask="::w" fsuid=1000 ouid=0 name=2F6D656469612F467265654167656E742044726976652F746F7272656E74732F5365637572696E675F5048505F5765625F4170706C69636174696F6E735F7471775F5F6461726B7369646572672E746F7272656E74
Oct 14 15:42:49 UforiK kernel: [16715.706782] type=1503 audit(1255527769.927:54): operation="open" pid=3294 parent=2924 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/mplayerplug-in.conf"
Oct 14 15:42:49 UforiK kernel: [16715.706980] type=1503 audit(1255527769.927:55): operation="open" pid=3294 parent=2924 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/mplayerplug-in.conf"
Oct 14 15:42:49 UforiK kernel: [16715.707186] type=1503 audit(1255527769.927:56): operation="open" pid=3294 parent=2924 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/mplayerplug-in.conf"
Oct 14 15:42:49 UforiK kernel: [16715.707392] type=1503 audit(1255527769.927:57): operation="open" pid=3294 parent=2924 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/mplayerplug-in.conf"
Oct 14 15:42:49 UforiK kernel: [16715.707618] type=1503 audit(1255527769.927:58): operation="open" pid...

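The audit lines above are the raw material for every profile fix in this thread, and two things about them trip people up: the kernel hex-encodes `name=` when the path contains whitespace or non-printable bytes (the long digit strings are paths under `/media/FreeAgent Drive/`), and every retried access logs another identical denial, so the log is mostly repeats. The script below is an added example written for this page; it is not code from this bug, from the reporter, or from the apparmor package. It is a small stand-in for the stock `aa-logprof` that parses the `type=1503` line format quoted here, decodes hex names, de-duplicates per profile and path, and prints candidate rules. The sample log is constructed from lines quoted in this thread. For `exec` denials it emits `ix` (the child inherits the caller's confinement); the maintainers' fix instead gives `/usr/bin/kde4-config` `Ux`, which runs it unconfined with a scrubbed environment. That is a per-binary decision to make deliberately, not something to derive from a log.

```python
import re
from collections import defaultdict

# Constructed sample input: AppArmor denials in the "type=1503" format that
# kernel 2.6.31 / AppArmor 2.3 wrote to /var/log/kern.log, copied from the
# lines quoted in this bug. Some carry the syslog prefix, some do not.
SAMPLE_KERN_LOG = """\
Oct 14 15:42:40 UforiK kernel: [16703.359083] type=1503 audit(1255527757.577:50): operation="open" pid=10020 parent=2924 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name=2F6D656469612F467265654167656E742044726976652F2E6469726563746F7279
Oct 14 15:42:49 UforiK kernel: [16705.840754] type=1503 audit(1255527760.067:53): operation="truncate" pid=3294 parent=2924 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::w" denied_mask="::w" fsuid=1000 ouid=0 name=2F6D656469612F467265654167656E742044726976652F746F7272656E74732F5365637572696E675F5048505F5765625F4170706C69636174696F6E735F7471775F5F6461726B7369646572672E746F7272656E74
Oct 14 15:42:49 UforiK kernel: [16715.706782] type=1503 audit(1255527769.927:54): operation="open" pid=3294 parent=2924 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/mplayerplug-in.conf"
Oct 14 15:42:49 UforiK kernel: [16715.706980] type=1503 audit(1255527769.927:55): operation="open" pid=3294 parent=2924 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/mplayerplug-in.conf"
[42970.712468] type=1503 audit(1256931563.226:26): operation="exec" pid=14393 parent=6640 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/kde4-config"
[44536.436967] type=1503 audit(1256933128.953:40): operation="open" pid=15659 parent=15658 profile="/usr/sbin/clamd" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/local/lib/torsocks/libtorsocks.so.1.0.0"
"""

# key="quoted value" or key=bare_value
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_HEX = re.compile(r"^[0-9A-Fa-f]+$")
_MODE_ORDER = "rwmlk"  # canonical order for the non-exec permission letters


def decode_name(raw, quoted=False):
    """Undo the kernel's hex encoding of a name that contained whitespace
    or non-printable bytes. Quoted names are never hex-encoded."""
    if not quoted and len(raw) % 2 == 0 and _HEX.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_denial(line):
    """Return {profile, name, op, mask} for one AppArmor denial, else None."""
    if "denied_mask=" not in line:
        return None
    fields, quoted = {}, set()
    for m in _KV.finditer(line):
        key, qval, bare = m.groups()
        fields[key] = bare if bare is not None else qval
        if bare is None:
            quoted.add(key)
    if "profile" not in fields or "name" not in fields:
        return None
    # Old logs write "::r"; newer ones write "r". Keep the last segment.
    mask = fields["denied_mask"].rsplit(":", 1)[-1]
    return {
        "profile": fields["profile"],
        "name": decode_name(fields["name"], "name" in quoted),
        "op": fields.get("operation", ""),
        "mask": mask,
    }


def format_path(path):
    """AppArmor rules need double quotes around paths containing whitespace."""
    return f'"{path}"' if re.search(r"\s", path) else path


def mode_string(mask):
    """Turn an accumulated set of mask letters into a rule mode. Exec
    denials default to ix (child inherits this profile); Px/Ux are
    per-binary decisions, not something to derive from a log."""
    mode = "".join(c for c in _MODE_ORDER if c in mask)
    if "x" in mask:
        mode += "ix"
    return mode


def suggest_rules(log_text):
    """Map each profile to a sorted, de-duplicated list of candidate rules."""
    denied = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d and d["mask"]:
            denied[d["profile"]][d["name"]].update(d["mask"])
    return {
        profile: [f"{format_path(p)} {mode_string(m)}," for p, m in sorted(paths.items())]
        for profile, paths in denied.items()
    }


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_KERN_LOG).items():
        print(f"# denials seen for profile {profile}")
        for rule in rules:
            print("  " + rule)
```

Rules the script prints are candidates to review, not to paste blindly: a denial is evidence that the program tried something, not that it should be allowed. Whatever you add still has to be loaded with `apparmor_parser -r -T -W` on the profile file; a rule edited into the file but never reloaded keeps producing the same denials, which is what Jamie suspected earlier in this thread.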
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for the feedback. Next time it would be easier if you attached it rather than putting it in a comment.

Based on your logs, it seems that you are not using the latest firefox-3.5 (which is 3.5.3+build1+nobinonly-0ubuntu4). This will solve your mplayerplugin and access to /media issues. It also seems you either did not add or did not properly reload the profile as instructed, because I'm still seeing access denied errors for the files in question. Please perform the following:

1. upgrade firefox-3.5 to 3.5.3+build1+nobinonly-0ubuntu4
2. add to /etc/apparmor.d/usr.bin.firefox-3.5
  /etc/kde4rc r,
  /usr/bin/kde4-config Ux,
3. perform the following in a konsole:
$ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.firefox-3.5
4. restart firefox

Revision history for this message
starslights (starslights) wrote :

Hi Jamie,

Sorry for that, I will pastebin next time...

I run firefox 3.5.5pre hg20091008r26464+nobinonly-0ubuntu1 -umd1 (amd64)

Well, I was back on the original when I ran your last command.

I will try to add your commands to the AppArmor profile one more time and run grep audit with them this time.

my best

Revision history for this message
starslights (starslights) wrote :

That's my AppArmor config with your commands added under the Firefox-specific section:

http://paste.debian.net/49253/

It seems only mplayer still produces errors in kern.log with your commands in place:

http://paste.debian.net/49255/

I hope I have done it right; I am doing my best to help you by providing the right info.

my best

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Alexander, it seems that the latest AppArmor fixes haven't been applied to future releases as this user is using 3.5.5pre hg20091008r26464+nobinonly-0ubuntu1 -umd1 and is seeing profile bugs that are fixed already.

Alexander, can you also add the following to the profile for future releases:
  /etc/kde4rc r,
  /usr/bin/kde4-config Ux,

affects: apparmor (Ubuntu) → firefox-3.5 (Ubuntu)
Changed in firefox-3.5 (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
status: Incomplete → Confirmed
Revision history for this message
James Deibele (jdeibele) wrote :

Oct 19 12:33:25 home9200 kernel: [ 286.106646] type=1503 audit(1255980805.759:31): operation="open" pid=3783 parent=3553 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/opt/google/picasa/3.0/lib/npPicasa3.so"

Getting a lot of these.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

James,

This is a different bug, but in general if you are going to use 3rd party packages with firefox and opt in to having the profile enabled, you will need to add the necessary rules to the profile. Regardless, if you still feel this is a bug, please feel free to file a new one.

tags: added: apparmor
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Adding apparmor task since we should update the kde abstraction for these added files.

Alexander, don't commit the above to future releases as requested. We should simply add the kde abstraction to the profile.

summary: - apparmor for firefox on KArmic block java applet
+ apparmor for firefox blocks access to kde files
Changed in firefox-3.5 (Ubuntu):
status: Confirmed → Triaged
Changed in apparmor:
status: New → Fix Committed
Changed in apparmor (Ubuntu):
status: New → Triaged
Changed in apparmor:
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Revision history for this message
starslights (starslights) wrote :

I have made a fresh install with Kubuntu Karmic 9.10 final 64 bits and now there are these 2 audits:

[42970.714105] type=1503 audit(1256931563.236:27): operation="open" pid=6640 parent=1887 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/kde4rc"

[42970.712468] type=1503 audit(1256931563.226:26): operation="exec" pid=14393 parent=6640 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/kde4-config"

I will add the 2 commands to AppArmor manually as you told me earlier.

I just post this for info since it was the final version of Karmic.

best Regards

Revision history for this message
starslights (starslights) wrote :

I have found new audits that are blocked by AppArmor:

[44536.436967] type=1503 audit(1256933128.953:40): operation="open" pid=15659 parent=15658 profile="/usr/sbin/clamd" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/local/lib/torsocks/libtorsocks.so.1.0.0"

[44807.002448] type=1503 audit(1256933399.524:41): operation="exec" pid=15795 parent=15512 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/lib/openoffice/program/soffice"

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

starlights-- these are different issues:

[44536.436967] type=1503 audit(1256933128.953:40): operation="open" pid=15659 parent=15658 profile="/usr/sbin/clamd" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/local/lib/torsocks/libtorsocks.so.1.0.0"

this is a problem with your clamd profile. You must edit /etc/apparmor.d/usr.sbin.clamd accordingly. If you feel this is a bug in your profile (debatable, since you are using a locally compiled tor), then please file a bug against the clamav package.

[44807.002448] type=1503 audit(1256933399.524:41): operation="exec" pid=15795 parent=15512 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/lib/openoffice/program/soffice"

This is a problem with firefox, but against opening staroffice. Please file another bug against firefox-3.5 with steps to reproduce (openoffice is already allowed access).

Revision history for this message
starslights (starslights) wrote :

Oh, I had not seen that it was another profile, I am very sorry. I understand what you mean by debatable, so I have added: "/usr/local/lib/torsocks r, " in clamd. Is it correct? So I will know for the future.

About soffice i will open a new bug report like you told me .

Thanks very much for your answers and time :)

best regards

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

SRU REQUEST (AppArmor)

1. Users of firefox on KDE are unable to use firefox with the profile enabled. The fix is 2 parts, one in apparmor and one in firefox. This SRU request is for the apparmor portion.

2. The fix is not in Lucid yet

3. The fix is to add the following to profiles/apparmor.d/abstractions/kde:
  /etc/kde4rc r,
  /usr/bin/kde4-config Ux,

4. TEST CASE:
- adjust the /etc/apparmor.d/usr.bin.firefox-3.5 file to have:
  #include <abstractions/kde>
- in KDE, use 'aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5' to enable the profile
- launch firefox

5. The regression potential is very low. We only allow access to files that we didn't previously have access to.

Changed in apparmor (Ubuntu):
status: Triaged → Fix Committed
Changed in apparmor (Ubuntu Karmic):
status: New → Fix Committed
assignee: nobody → Jamie Strandboge (jdstrand)
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Uploaded apparmor_2.3.1+1403-0ubuntu27.1 to karmic-proposed.

Changed in firefox-3.5 (Ubuntu Lucid):
status: Triaged → In Progress
importance: Undecided → Low
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in firefox-3.5 (Ubuntu Karmic):
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Jamie Strandboge (jdstrand)
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

SRU REQUEST (firefox)

1. Users of firefox on KDE are unable to use firefox with the profile enabled. The fix is 2 parts, one in apparmor and one in firefox. This SRU request is for the firefox portion. This has not been uploaded yet, and won't fix the problem until apparmor is also uploaded.

2. The fix is not in Lucid yet

3. The fix is to add the following in debian/usr.bin.firefox.apparmor.in:
  #include <abstractions/kde>

4. TEST CASE:
- sudo aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5
- launch firefox from within KDE

5. The regression potential is very low. The profile is disabled in the default installation, and we only allow access to files that we didn't previously have access to.

Revision history for this message
Martin Pitt (pitti) wrote : Please test proposed package

Accepted apparmor into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Revision history for this message
starslights (starslights) wrote :

Hi Jamie,

I have updated from proposed but still the same problem with the Java applet. FF hangs and crashes now with the update; there were a few crashes before but not always, now the whole browser freezes and is blocked, and I need to kill the process to quit.

A question about: add to /etc/apparmor.d/usr.bin.firefox-3.5
  /etc/kde4rc r,
  /usr/bin/kde4-config Ux,

Do I need to delete the commands added as you told me earlier, or just leave them as they are?

best regards

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I installed apparmor 2.3.1+1403-0ubuntu27.1 in a karmic/kubuntu/amd64 VM and added to the firefox profile:
  #include <abstractions/kde>

Then performed:
$ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.firefox-3.5

and firefox works fine. Adding the verification-done tag for apparmor.

tags: added: verification-done
removed: amd64 apport-bug verification-needed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

starlights,

I tried out the java plugin in a fresh 9.10 kubuntu install with firefox with the firefox profile loaded. Doing the above (comment #22), firefox works fine, along with java using the openjdk plugin, icedtea6-plugin. Can you post a link to the java applet that is causing you problems?

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu28

---------------
apparmor (2.3.1+1403-0ubuntu28) lucid; urgency=low

  [ Jamie Strandboge ]
  * update skype profile in extras. Based on work by Андрей Калинин.
    (LP: #226624)
  * abstractions/ubuntu-browsers: add opera and icecat (LP: #432778)
  * abstractions/ubuntu-browsers: add epiphany (epiphany-browser and
    epiphany-webkit were already present, but the recent changes in
    epiphany packaging require /usr/bin/epiphany) (LP: #472952)
  * usr.sbin.dnsmasq: allow pidfiles for /var/run/dnsmasq*.pid (LP: #445818)
  * abstractions/gnome: allow access to ~/.themes (LP: #460125)
  * abstractions/kde: allow access to /etc/kde4rc and /usr/bin/kde4-config
    (LP: #447006)

  [ Marc Deslauriers ]
  * utils/Subdomain.pm: don't skip reading profiles that are also in the
    cache directory (LP: #446449)
  * utils/Subdomain.pm: correctly parse PUxr modes
  * utils/Subdomain.pm: support include directories

 -- Jamie Strandboge <email address hidden> Wed, 04 Nov 2009 11:02:27 -0600

Changed in apparmor (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in apparmor:
status: Fix Committed → Fix Released
Revision history for this message
starslights (starslights) wrote :

Hi Jamie, I have not done task #22 since I thought it was done by the update; I will add the commands and try again.

Give me your Java link too for testing and I will give mine. It is probable that it needs to be blocked for the JonDo test, since that tests resistance, but not for decloak, and anyway it must not crash the browser.

Test it: https://www.jondos.de/en/anontest and the other: http://decloak.net/ and start the test

best regard

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu27.1

---------------
apparmor (2.3.1+1403-0ubuntu27.1) karmic-proposed; urgency=low

  [ Jamie Strandboge ]
  * abstractions/ubuntu-browsers: add opera and icecat (LP: #432778)
  * abstractions/ubuntu-browsers: add epiphany (epiphany-browser and
    epiphany-webkit were already present, but the recent changes in
    epiphany packaging require /usr/bin/epiphany) (LP: #472952)
  * usr.sbin.dnsmasq: allow pidfiles for /var/run/dnsmasq*.pid (LP: #445818)
  * abstractions/gnome: allow access to ~/.themes (LP: #460125)
  * abstractions/kde: allow access to /etc/kde4rc and /usr/bin/kde4-config
    (LP: #447006)

  [ Marc Deslauriers ]
  * utils/Subdomain.pm: don't skip reading profiles that are also in the
    cache directory (LP: #446449)
  * utils/Subdomain.pm: correctly parse PUxr modes
  * utils/Subdomain.pm: support include directories

 -- Jamie Strandboge <email address hidden> Tue, 03 Nov 2009 14:30:19 -0600

Changed in apparmor (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in firefox-3.5 (Ubuntu Lucid):
status: In Progress → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

starlights,

I tried both of those sites. https://www.jondos.de/en/anontest seemed to work fine and http://decloak.net/ didn't work the first time, but did the second. If you are continuing to have problems with java and apparmor, please move the discussion to bug #484148.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox-3.5 - 3.5.6+nobinonly-0ubuntu1

---------------
firefox-3.5 (3.5.6+nobinonly-0ubuntu1) lucid; urgency=low

  * New upstream release v3.5.6 (FIREFOX_3_5_6_RELEASE)
    - see USN-874-1

  [ Micah Gersten <email address hidden> ]
  * Bump minimum system cairo to 1.8.8
    - update debian/rules
  * Fix .desktop Name field for Slovak translation (LP: 448683)
    - update debian/firefox-3.5-final.desktop
  * Fix .desktop Name field for Estonian and Arabic translations
    (LP: 419507, LP: 321239)
    - update debian/firefox-3.5-final.desktop

  [ Jamie Strandboge <email address hidden> ]
  * AppArmor fixes:
    - allow access to nautilus, to allow "Open containing folder" to work
      (LP: #452591)
    - allow access for deluge (LP: #455792)
    - work better with KDE by adding kde abstraction, allow access to soffice,
      allow access to okular and read access to /etc/fstab (for print dialog)
      (LP: #447006)
    - allow access to acroread (LP: #473268)
    - allow access to eog (LP: #464016)
    - allow access to transmission (LP: #476299)
    - deny noisy write attempts to deny /usr/lib/xulrunner-*/components/*.tmp
      as seen with 'firefox --help')
    - deny noisy read to /.suspended (when navigating directories)
    - allow access to /usr/bin/liferea-add-feed (LP: #488851)
    - allow access to azureus (LP: #482677)
    - don't require 'owner' for /media (LP: #479580)
    - adjust AppArmor profile binary globbing to match other branches
    - allow ixr access to sed (for first runs)

  [ Alexander Sack <email address hidden> ]
  * bump lower bound for system sqlite3 to >= 3.6.16.1
    - update debian/rules
 -- Alexander Sack <email address hidden> Wed, 16 Dec 2009 00:43:08 +0100

Changed in firefox-3.5 (Ubuntu Lucid):
status: Fix Committed → Fix Released
norma (sanchez-normaa)
Changed in firefox-3.5 (Ubuntu Karmic):
status: In Progress → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Unassigning from Karmic task for the bug. I won't have time to prepare/test/follow through on an SRU for this. If someone else is so inclined, feel free to do so. This should be fixed in the 3.6 update for 9.10 anyway.

Changed in firefox-3.5 (Ubuntu Karmic):
assignee: Jamie Strandboge (jdstrand) → nobody
status: Fix Committed → Triaged
Changed in firefox-3.5 (Ubuntu Karmic):
status: Triaged → Won't Fix