Ubuntu
apparmor package

apparmor complains about webapps and /run/shm/

Bug #1056418 reported by James Troup
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
Medium
Steve Beattie
Ubuntu ubuntu-12.10
Quantal
Fix Released
Medium
Steve Beattie
Ubuntu ubuntu-12.10

Bug Description

Sep 25 20:45:33 ornery kernel: [ 66.044761] type=1400 audit(1348602333.026:81): apparmor="DENIED" operation="file_lock" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/james/.local/share/unity-webapps/availableapps.db" pid=3460 comm="firefox" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
Sep 25 20:45:34 ornery kernel: [ 67.419678] type=1400 audit(1348602334.407:82): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/run/shm/sem.iQETGb" pid=3460 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

This is on current quantal with the firefox appamor profile as shipped.

Tags: apparmor
Micah Gersten (micahg)
tags: added: apparmor
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Moving to apparmor because this will be handled in a new abstraction: /etc/apparmor.d/abstractions/ubuntu-browsers.d/webapps.

I can reproduce the first denial, but not the second. What website did you visit that triggered this?

affects: firefox (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
milestone: none → ubuntu-12.10
status: New → Incomplete
Revision history for this message
James Troup (elmo) wrote : Re: [Bug 1056418] Re: apparmor complains about webapps and /run/shm/

Jamie Strandboge <email address hidden> writes:

> I can reproduce the first denial, but not the second. What website did
> you visit that triggered this?

I got it before visiting a website. After bisecting through my plugins,
it appears to be lastpass which is trying to create the /run/shm/
semaphore.

(It still works fine even though the mknod call is blocked, FWIW.)

--
James

Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu):
status: Incomplete → New
Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Steve Beattie (sbeattie)
status: New → Triaged
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu5

---------------
apparmor (2.8.0-0ubuntu5) quantal; urgency=low

  [ Micah Gersten ]
  * Allow /etc/vdpau_wrapper.cfg r and /var/lib/xine/gxine.desktop r
    in the multimedia browser abstraction (LP: #1057642)
    - update profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia

  [ Steve Beattie ]
  * debian/control: make libnotify-bin a Recommends rather than a
    Depends for use in server environments (LP: #1061879)
  * debian/patches/0020-coredump_tests.patch: fix coredump regression
    tests (LP: #1050430)
  * debian/patches/0021-webapps_abstraction.patch: add a few items
    triggered by using and installing webapps in firefox (LP: #1056418)
  * debian/patches/0022-aa-decode-stdin.patch: fix aa-decode to process
    stdin correctly and decode encoded profiles names
 -- Steve Beattie <email address hidden> Tue, 09 Oct 2012 12:44:56 -0700

Changed in apparmor (Ubuntu Quantal):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.