** Description changed:

  Every time I open Firefox apparmor-notify displays a deny message of
  type "m" access to "/dev/zero". I added the line "/dev/zero m," to my
  /etc/apparmor.d/usr.bin.firefox profile to be able to play Adobe Flash
  videos, which it can now do after doing that. Question #1: What security
  risks play a role when I allow "m" (?) access to this folder for Firefox
  and do the benefits outweigh the risk to the sandbox?
  
  After I updated my apparmor profile to allow flash videos, I no longer
  receive a deny message for it at every Firefox startup, but I now get a
  deny message of “rw” (read and write) to “/dev/nvidiactl”. Question #2:
  Is it okay to do that (i.e. add line "/dev/nvidiactl rw," to the Firefox
  profile configuration for apparmor), what are the security risks of
  doing so, and what purpose is such a permission good for?
  
  What I want to add to a Wishlist for the apparmor package: enable
  apparmor sandboxing for Firefox to every Ubuntu user once the flash gets
  fixed after the quoted bugs below are patched.
  
  Here is the log that I get before I add the permission in the apparmor firefox profile to get flash to work,
  "
  Mar 29 17:11:53 username kernel: [27877.596655] type=1400 
audit(1333066313.785:410): apparmor="DENIED" operation="file_mmap" parent=4670 
profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/dev/zero" pid=4673 
comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
  "
  Here is the log that I get after I add the permission in the apparmor firefox profile even though by this time flash started working,
  "
  Mar 25 19:26:29 username kernel: [21002.394793] type=1400 
audit(1332728789.574:427): apparmor="DENIED" operation="open" parent=4894 
profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/dev/nvidiactl" 
pid=4897 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
  "
  
- Flash content stops working after enabling "/dev/nvidiactl rw," as line
- in the firefox apparmor profile and there is no way to get it back. Not
- a daemon restart without changes to apparmor firefox profile besides the
- one that made flash work, which is needed to get flash to work again,
- yet I tried with default profile nonetheless. Nor a restart of the whole
- computer made flash work again like it did before. Nor uninstall of
- apparmor or setting firefox profile to complain. NOT EVEN A FULL
- REINSTALL OF UBUNTU FROM DISK WOULD GET FLASH TO WORK AGAIN. I'm going
- to reinstall Ubuntu from disk now. It was a fresh install when I started
- filing the bug reports too. I don't think I'll use apparmor again if it
- doesn't come with flash enabled by default. After enabling
- "/dev/nvidiactl rw," I got these bugs in the log one by one after
- granting permissions for each in order as follows.
+ After enabling "/dev/nvidiactl rw," I got these bugs in the log one by
+ one after granting permissions for each in order as follows.
  
  Denied log before adding this line to the firefox profile, "/dev/nvidia0 rw,"
  “
  Mar 30 13:04:18 username kernel: [ 1766.955718] type=1400 
audit(1333137858.144:3974): apparmor="DENIED" operation="open" parent=2635 
profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/dev/nvidia0" 
pid=2638 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
  “ (i.e. I get it after I enable "/dev/nvidiactl rw,").
  
  Denied log before adding this line to the firefox profile, "/proc/interrupts r,"
  “
  Mar 30 13:04:18 username kernel: [ 1766.955873] type=1400 
audit(1333137858.144:3975): apparmor="DENIED" operation="open" parent=2635 
profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/interrupts" 
pid=2638 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  “ (i.e. I get it after I enable  "/dev/nvidia0 rw,").
  
  After enabling all of the permissions up to adding the line "/proc/interrupts r," I get the following two message examples
  “
  Mar 30 13:04:37 username kernel: [ 1786.222046] type=1400 
audit(1333137877.411:3977): apparmor="DENIED" operation="capable" parent=1 
profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" pid=2686 comm="firefox" 
capability=19  capname="sys_ptrace"
  “
  “
  Mar 30 12:57:57 username kernel: [ 1386.424496] type=1400 
audit(1333137477.616:2029): apparmor="DENIED" operation="ptrace" parent=1 
profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" pid=2479 comm="firefox" 
target=8002C0E98002C0E9EE
  “
  
  To receive no related logs of this bug I had to add the final line
  "sys_ptrace mixr," to the firefox apparmor profile.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/968752

Title:
  Bug prevents flash plugin to load during firefox sessions. Audit logs
  are provided. Known update to firefox profile may help; wondering if
  it is secure?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/968752/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
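Added example (not from the bug report, Ubuntu or the AppArmor project): a small Python triage of AppArmor DENIED audit lines like the ones quoted in the report, mapping each denial to the profile rule that would silence it and to a coarse risk label. The sample log is constructed from the report's messages with shortened prefixes; the rule syntax is AppArmor's (file rules and `capability <name>,`), while the risk ranking is this example's own assumption.

```python
"""Triage AppArmor DENIED audit lines: which rule each needs, and how risky."""
import re
from typing import Dict, List

# key=value pairs; quoted values may contain spaces, braces and brackets.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample (fields taken from the report's logs, prefixes shortened).
SAMPLE_LOG = """\
kernel: type=1400 audit(1333066313.785:410): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/dev/zero" pid=4673 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
kernel: type=1400 audit(1332728789.574:427): apparmor="DENIED" operation="open" profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/dev/nvidiactl" pid=4897 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
kernel: type=1400 audit(1333137858.144:3975): apparmor="DENIED" operation="open" profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/interrupts" pid=2638 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: type=1400 audit(1333137877.411:3977): apparmor="DENIED" operation="capable" profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" pid=2686 comm="firefox" capability=19  capname="sys_ptrace"
kernel: type=1400 audit(1333137477.616:2029): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" pid=2479 comm="firefox" target=8002C0E98002C0E9EE
"""

def parse_denial(line: str) -> Dict[str, str]:
    """Split one audit line into its key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def suggested_rule(ev: Dict[str, str]) -> str:
    """Profile rule that would silence this denial (AppArmor rule syntax)."""
    op = ev["operation"]
    if op == "capable":
        return f"capability {ev['capname']},"
    if "name" in ev:                       # file operations: open, file_mmap, ...
        return f"{ev['name']} {ev['requested_mask']},"
    return f"# {op}: no file rule applies, review manually"

def risk(ev: Dict[str, str]) -> str:
    """Coarse ranking (this example's assumption) of what granting it exposes."""
    op, name, mask = ev["operation"], ev.get("name", ""), ev.get("requested_mask", "")
    if op in ("capable", "ptrace"):
        return "high"      # lets the confined process inspect/control other processes
    if name.startswith("/dev/nvidia"):
        return "medium"    # direct ioctl access to the GPU driver
    if name == "/dev/zero" and mask == "m":
        return "low"       # executable mapping of zero pages, same as anonymous memory
    if name.startswith("/proc/") and mask == "r":
        return "low"       # read-only kernel information
    return "medium"

def triage(log: str) -> List[Dict[str, str]]:
    """Return [{'rule': ..., 'risk': ...}] for every DENIED line in log."""
    events = [parse_denial(l) for l in log.splitlines() if 'apparmor="DENIED"' in l]
    return [{"rule": suggested_rule(ev), "risk": risk(ev)} for ev in events]
```

Running `triage(SAMPLE_LOG)` ranks the `sys_ptrace` capability and the `ptrace` denial highest, which is the point at which adding rules to make a plugin work stops being a reasonable trade for the confinement the profile provides.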
