On 10/25/20 5:15 AM, baptx wrote:
> I got it working by adding the 2 lines at the end of the
> /etc/apparmor.d/usr.bin.firefox just before the closing brack "}".
> Without these lines, I had to use another workaround by disabling
> Apparmor completely on Firefox with a command like "sudo aa-complain
> /usr/lib/firefox/firefox" or using the official Firefox binary from
> Mozilla instead of the Ubuntu package.
>
> I saw Daniel wrote "this is not a great way of working (malware could
> write to that location and then load in code)" but do you have an idea
> how to make it more secure?
>
I assume by the 2 lines you mean
ptrace (trace) peer=@{profile_name},
@{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/lib*so m,
from the bug report. Neither of these lines would allow malware to
write to that location. However they do provide some danger.
The first rule allow firefox to ptrace it self, this could potentially
be exploited by injected shell code to further take control of firefox
if say the code gains control of the render process. It won't however
allow removing confinement or attacking other processes the user might
be running.
The second rule allows firefox to load and run code from that location.
But doesn't allow firefox to write to it. So if there is malware on the
system that can write to that location it could have firefox run it.
But if something manages to hack/inject code into firefox it won't be
able to put code there. Dealing with this in apparmor comes down to
making sure the rest of the system confinement is correct, preventing
said malware from writing to that location. Or you could potentially
use IMA to further restrict and only allow signed files from this
location.
The reason this is more dangerous than allowing /lib/*.so or other
system locations is the users home directory can be written by other
processes run by the user. And on most systems, most user processes
are running unconfined hence malware that exists on the system and
isn't confined could write to it.
Again this isn't some much a problem with having the rule in the
apparmor profile but have sufficient policy on the system.
> When will the fix be added officially to the Firefox Apparmor profile?
>
these can be added fairly soon.
https://gitlab.com/apparmor/apparmor/-/merge_requests/684
though that is just landing it upstream and I am not sure when the
next ubuntu upload will be
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1777070
Title:
firefox plugin libwidevinecdm.so crashes due to apparmor denial
Status in apparmor package in Ubuntu:
Confirmed
Status in firefox package in Ubuntu:
Confirmed
Bug description:
Ubuntu 18.04, Firefox 60.0.1+build2-0ubuntu0.18.04.1
Running firefix, then going to netflix.com and attempting to play a
movie. The widevinecdm plugin crashes, the following is found in
syslog:
Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400
audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so"
pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000
ouid=1000
Jun 15 19:13:22 xplt kernel: [301351.553236] audit: type=1400
audit(1529046802.585:247): apparmor="DENIED" operation="ptrace"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox"
requested_mask="trace" denied_mask="trace"
peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault
at 0 ip 00007fcdfdaa76af sp 00007ffc1ff03e28 error 6 in
libxul.so[7fcdfb77a000+6111000]
Jun 15 19:13:22 xplt snmpd[2334]: error on subcontainer 'ia_addr' insert (-1)
Jun 15 19:13:22 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!!
[Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
Jun 15 19:13:24 xplt kernel: [301353.960182] audit: type=1400
audit(1529046804.994:248): apparmor="DENIED" operation="file_mmap"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so"
pid=16135 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000
ouid=1000
Jun 15 19:13:24 xplt kernel: [301353.960373] audit: type=1400
audit(1529046804.994:249): apparmor="DENIED" operation="ptrace"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox"
requested_mask="trace" denied_mask="trace"
peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:24 xplt kernel: [301353.960398] plugin-containe[16135]: segfault
at 0 ip 00007fe3b57f46af sp 00007ffe6dc0b488 error 6 in
libxul.so[7fe3b34c7000+6111000]
Jun 15 19:13:28 xplt kernel: [301357.859177] audit: type=1400
audit(1529046808.895:250): apparmor="DENIED" operation="file_mmap"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so"
pid=16139 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000
ouid=1000
Jun 15 19:13:28 xplt kernel: [301357.859328] audit: type=1400
audit(1529046808.895:251): apparmor="DENIED" operation="ptrace"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox"
requested_mask="trace" denied_mask="trace"
peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:28 xplt kernel: [301357.859349] plugin-containe[16139]: segfault
at 0 ip 00007fcf32ae06af sp 00007ffeb8a136c8 error 6 in
libxul.so[7fcf307b3000+6111000]
Jun 15 19:13:25 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!!
[Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
Jun 15 19:13:29 xplt /usr/lib/gdm3/gdm-x-session[6549]: ERROR block_reap:328:
[hamster] bad exit code 1
Jun 15 19:13:29 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!!
[Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
Jun 15 19:13:29 xplt kernel: [301358.227635] audit: type=1400
audit(1529046809.263:252): apparmor="DENIED" operation="file_mmap"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so"
pid=16188 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000
ouid=1000
Jun 15 19:13:29 xplt kernel: [301358.227811] audit: type=1400
audit(1529046809.263:253): apparmor="DENIED" operation="ptrace"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox"
requested_mask="trace" denied_mask="trace"
peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:29 xplt kernel: [301358.227844] plugin-containe[16188]: segfault
at 0 ip 00007fe5667c66af sp 00007fffe8cc0da8 error 6 in
libxul.so[7fe564499000+6111000]
Jun 15 19:13:31 xplt kernel: [301360.574177] audit: type=1400
audit(1529046811.608:254): apparmor="DENIED" operation="file_mmap"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so"
pid=16192 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000
ouid=1000
Jun 15 19:13:31 xplt kernel: [301360.574326] audit: type=1400
audit(1529046811.608:255): apparmor="DENIED" operation="ptrace"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox"
requested_mask="trace" denied_mask="trace"
peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:31 xplt kernel: [301360.574352] plugin-containe[16192]: segfault
at 0 ip 00007f83507606af sp 00007ffdb3d22f08 error 6 in
libxul.so[7f834e433000+6111000]
Jun 15 19:13:35 xplt kernel: [301364.313727] audit: type=1400
audit(1529046815.349:256): apparmor="DENIED" operation="file_mmap"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so"
pid=16206 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000
ouid=1000
Jun 15 19:13:35 xplt kernel: [301364.313896] audit: type=1400
audit(1529046815.349:257): apparmor="DENIED" operation="ptrace"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox"
requested_mask="trace" denied_mask="trace"
peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:35 xplt kernel: [301364.313967] plugin-containe[16206]: segfault
at 0 ip 00007f5ff6f746af sp 00007fff60c9c768 error 6 in
libxul.so[7f5ff4c47000+6111000]
Jun 15 19:13:35 xplt /usr/lib/gdm3/gdm-x-session[6549]: message repeated 3
times: [ ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot
send/recv]
If I run Firefox from the snap (rev 60.0.2-1) there's no problem.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1777070/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
