apparmor profile denies access to eog

Bug #464016 reported by Jamie Strandboge
Affects                   Status         Importance   Assigned to        Milestone
firefox-3.5 (Ubuntu)      Fix Released   Low          Jamie Strandboge
  Declined for Dapper by Jamie Strandboge
  Declined for Hardy by Jamie Strandboge
  Intrepid                Invalid        Undecided    Unassigned
  Jaunty                  Invalid        Undecided    Unassigned
  Karmic                  Fix Released   Low          Jamie Strandboge
  Lucid                   Fix Released   Low          Jamie Strandboge

Bug Description

Binary package hint: firefox-3.5

When trying to open a tiff file in firefox-3.5 with the apparmor profile enabled, access is denied because firefox-3.5 does not have permission to execute /usr/bin/eog:

Oct 29 20:30:52 sec-karmic-amd64 kernel: [19156.154672] type=1503 audit(1256848252.144:23): operation="exec" pid=4224 parent=1 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/eog"

Oddly, there is already a commented out line in the profile:
  #/usr/bin/eog Uxr,

Uncommenting this and reloading the profile with:
$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox-3.5

fixes the issue.
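
As an added example (not part of the bug report or of the firefox-3.5 package), the following Python parses AppArmor denial lines like the one quoted above and, for each exec denial, proposes the profile rule that would resolve it. It assumes only the kernel audit key=value format; the first sample line is the one from the report, the second and third are constructed here to show the newer type=1400 format and a non-exec denial that must be skipped. The exec-mode descriptions come from the AppArmor profile language (Ux, Px, ix).

```python
"""Turn AppArmor exec denials into candidate profile rules.

Added example for this bug report; not code from the report or from the
firefox-3.5 package.
"""
import re

# Line 1 is the denial quoted in the bug description (type=1503 is the
# event type Karmic-era kernels used). Lines 2 and 3 are CONSTRUCTED for
# this example: a type=1400 exec denial in the newer format, and a plain
# file-read denial that is not an exec and must not produce an exec rule.
SAMPLE_LOG = [
    'type=1503 audit(1256848252.144:23): operation="exec" pid=4224 parent=1 '
    'profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" '
    'denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/eog"',
    'type=1400 audit(1700000000.000:99): apparmor="DENIED" operation="exec" '
    'profile="/usr/lib/firefox-3.5.*/firefox" name="/usr/bin/nautilus" '
    'pid=4300 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    'type=1400 audit(1700000000.001:100): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/firefox-3.5.*/firefox" name="/etc/fstab" pid=4300 '
    'comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

# Exec transition modes from the AppArmor profile language. The report's
# fix uses 'Uxr': eog runs unconfined with a scrubbed environment, so the
# firefox profile stops constraining anything eog then does.
EXEC_MODES = {
    "ix": "inherit the parent's profile",
    "Px": "transition to the child's own profile (scrubbed environment)",
    "Ux": "run unconfined (scrubbed environment)",
    "ux": "run unconfined, environment not scrubbed (avoid)",
}

# key=value pairs; values are either "quoted strings" or bare tokens.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line: str) -> dict:
    """Return the key=value fields of one audit line, quotes stripped."""
    return {key: value.strip('"') for key, value in _FIELD.findall(line)}


def is_exec_denial(fields: dict) -> bool:
    """True when the denied permission on an exec operation includes 'x'."""
    return fields.get("operation") == "exec" and "x" in fields.get("denied_mask", "")


def suggest_rule(fields: dict, mode: str = "Ux") -> str:
    """Build the profile line that would permit this exec.

    'r' is appended because the loader must read the binary to exec it,
    matching the report's 'Uxr,' rule.
    """
    if mode not in EXEC_MODES:
        raise ValueError(f"unknown exec mode {mode!r}")
    if not is_exec_denial(fields):
        raise ValueError("not an exec denial")
    return f"{fields['name']} {mode}r,"


def suggest_rules(lines, mode: str = "Ux") -> dict:
    """Map each confined profile to the sorted, de-duplicated exec rules
    that its denials call for. Non-exec denials are ignored."""
    rules = {}
    for line in lines:
        fields = parse_denial(line)
        if not is_exec_denial(fields):
            continue
        rules.setdefault(fields["profile"], set()).add(suggest_rule(fields, mode))
    return {profile: sorted(r) for profile, r in rules.items()}


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"# {profile}")
        for rule in lines:
            print(f"  {rule}   # {EXEC_MODES['Ux']}")
```

After adding the proposed lines to the profile, reload it with `apparmor_parser -r` as the report does; the rule is accepted by the parser in any of the listed modes, but only `Px`/`ix` keep the helper confined, and `Px` needs a profile for the child to exist or the exec fails.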

Tags: apparmor

tags: added: apparmor
Changed in firefox-3.5 (Ubuntu Karmic):
milestone: none → karmic-updates
status: New → Triaged
Changed in firefox-3.5 (Ubuntu Lucid):
status: New → Triaged
Changed in firefox-3.5 (Ubuntu Karmic):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in firefox-3.5 (Ubuntu Lucid):
assignee: nobody → Jamie Strandboge (jdstrand)
description: updated
Changed in firefox-3.5 (Ubuntu Jaunty):
status: New → Invalid
Changed in firefox-3.5 (Ubuntu Intrepid):
status: New → Invalid
Changed in firefox-3.5 (Ubuntu Lucid):
status: Triaged → In Progress
importance: Undecided → Low
Changed in firefox-3.5 (Ubuntu Karmic):
status: Triaged → In Progress
importance: Undecided → Low
Jamie Strandboge (jdstrand) wrote :

SRU REQUEST

1. Users of firefox are unable to use eog when the AppArmor profile is enabled. The fix is trivial.

2. The fix is not in Lucid yet

3. The fix is to adjust the following in debian/usr.bin.firefox.apparmor.in:
- #/usr/bin/eog Uxr,
+ /usr/bin/eog Uxr,

4. TEST CASE:
- sudo aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5
- try to open a tiff file from within firefox

5. The regression potential is very low. The profile is disabled in the default installation, and we only allow access to files that we didn't previously have access to.

Changed in firefox-3.5 (Ubuntu Lucid):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox-3.5 - 3.5.6+nobinonly-0ubuntu1

---------------
firefox-3.5 (3.5.6+nobinonly-0ubuntu1) lucid; urgency=low

  * New upstream release v3.5.6 (FIREFOX_3_5_6_RELEASE)
    - see USN-874-1

  [ Micah Gersten <email address hidden> ]
  * Bump minimum system cairo to 1.8.8
    - update debian/rules
  * Fix .desktop Name field for Slovak translation (LP: 448683)
    - update debian/firefox-3.5-final.desktop
  * Fix .desktop Name field for Estonian and Arabic translations
    (LP: 419507, LP: 321239)
    - update debian/firefox-3.5-final.desktop

  [ Jamie Strandboge <email address hidden> ]
  * AppArmor fixes:
    - allow access to nautilus, to allow "Open containing folder" to work
      (LP: #452591)
    - allow access for deluge (LP: #455792)
    - work better with KDE by adding kde abstraction, allow access to soffice,
      allow access to okular and read access to /etc/fstab (for print dialog)
      (LP: #447006)
    - allow access to acroread (LP: #473268)
    - allow access to eog (LP: #464016)
    - allow access to transmission (LP: #476299)
    - deny noisy write attempts to /usr/lib/xulrunner-*/components/*.tmp
      (as seen with 'firefox --help')
    - deny noisy read to /.suspended (when navigating directories)
    - allow access to /usr/bin/liferea-add-feed (LP: #488851)
    - allow access to azureus (LP: #482677)
    - don't require 'owner' for /media (LP: #479580)
    - adjust AppArmor profile binary globbing to match other branches
    - allow ixr access to sed (for first runs)

  [ Alexander Sack <email address hidden> ]
  * bump lower bound for system sqlite3 to >= 3.6.16.1
    - update debian/rules
 -- Alexander Sack <email address hidden> Wed, 16 Dec 2009 00:43:08 +0100

Changed in firefox-3.5 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Jay456 (push-keep)
Changed in firefox-3.5 (Ubuntu Karmic):
status: In Progress → Fix Released
Changed in firefox-3.5 (Ubuntu Jaunty):
status: Invalid → Fix Released
Changed in firefox-3.5 (Ubuntu Intrepid):
status: Invalid → Fix Released
Jamie Strandboge (jdstrand) wrote :

Jay456, this bug didn't exist in versions prior to Karmic. I am reverting your changes.

Changed in firefox-3.5 (Ubuntu Karmic):
status: Fix Released → In Progress
Changed in firefox-3.5 (Ubuntu Jaunty):
status: Fix Released → Invalid
Changed in firefox-3.5 (Ubuntu Intrepid):
status: Fix Released → Invalid
Changed in firefox-3.5 (Ubuntu Karmic):
assignee: Jamie Strandboge (jdstrand) → nobody
status: In Progress → Triaged
Jamie Strandboge (jdstrand) wrote :

This was fixed in the last security update.

Changed in firefox-3.5 (Ubuntu Karmic):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → Fix Released