Ubuntu
firefox-3.5 package

apparmor blocks FF 3.5 acroread plugin

Bug #473268 reported by yuri
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
firefox-3.5 (Ubuntu)
Fix Released
Low
Jamie Strandboge
Karmic
Won't Fix
Low
Unassigned
Lucid
Fix Released
Low
Jamie Strandboge

Bug Description

Binary package hint: firefox-3.5

Enabling apparmor profile for Firefox 3.5
1) Disables acroread plugin.
2) Open Containing Folder command in FF Download window does nothing.

Reproduction steps:

1) Run
 sudo aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5

Results:

1) After clicking a PDF link on a webpage FF complains that it cannot open Adobe Acrobat reader 9.2 (even though I have 9.1).
Expected: FF opens downloaded PDF file withing the browser.

2) Go to Tools->Downloads, right click on a downloaded file and select Open Containing Folder. Nothing will happen.
Expected: Nautilus opens the containing folder.

System: Ubuntu 9.10, default installation.

P.S. After disabling apparmor by running
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox-3.5
sudo ln -s /etc/apparmor.d/usr.bin.firefox-3.5 /etc/apparmor.d/disable/usr.bin.firefox-3.5
the effects of the bug disappear.

Tags: apparmor

Related branches

lp:~jdstrand/firefox/firefox-452591+455792+447006+464016+473268
Alexander Sack: Pending requested
Diff: 104 lines (+34/-1)
2 files modified
debian/changelog (+22/-0)
debian/usr.bin.firefox.apparmor.in (+12/-1)
lp:ubuntu/lucid/firefox-3.5
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. Can you paste the output of 'grep audit /var/log/kern.log' after trying to open a PDF file?

The 'Open Containing Folder' is bug #452591.

security vulnerability: yes → no
visibility: private → public
Changed in firefox-3.5 (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
status: New → Incomplete
tags: added: apparmor
Revision history for this message
yuri (yuriry) wrote :

The requested log file is attached

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Can you add the following to your /etc/apparmor.d/usr.bin.firefox-3.5 profile:
  /opt/Adobe/Reader9/bin/acroread Ux,

Then perform:
$ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.firefox-3.5

and report back if it fixes the problem for you?

Revision history for this message
yuri (yuriry) wrote :

Jamie, thanks a lot for your help. The change fixes the acroread problem.

The second problem of not being able to open Containing Folder is still present. As soon as I disable apparmor profile, I can open the Containing Folder even without re-starting Firefox, so it is definitely caused by apparmor.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

yuri,

Thanks for getting back. As mentioned, the 'Open Containing Folder' is known and is bug #452591. Look in that bug for a workaround until we can get this uploaded.

Changed in firefox-3.5 (Ubuntu):
status: Incomplete → In Progress
Jamie Strandboge (jdstrand)
Changed in firefox-3.5 (Ubuntu Karmic):
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Jamie Strandboge (jdstrand)
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

SRU REQUEST

1. Users of firefox are unable to use the Adobe Acorbat Reader software when the AppArmor profile is enabled. The fix is trivial

2. The fix is not in Lucid yet

3. The fix is to add the following to debian/usr.bin.firefox.apparmor.in:
  # Adobe Acrobat Reader
  /opt/Adobe/Reader9/bin/acroread Uxr,

4. TEST CASE:
- apt-get install acroread from -partner
- try to open a PDF from with firefox

5. The regression potential is very low. The profile is disabled in the default installation, and we only allow access to files that we didn't previously have access to.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I forgot to mention in the test case that you must enable the profile with:
$ sudo aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5

Revision history for this message
yuri (yuriry) wrote :

Thanks for your help Jamie, the workaround in bug #452591 works.

Revision history for this message
TimMadden (timmadden) wrote :

The workaround in #3 => https://bugs.launchpad.net/ubuntu/karmic/+source/firefox-3.5/+bug/473268/comments/3 appears to have worked for my karmic install...

Jamie Strandboge (jdstrand)
Changed in firefox-3.5 (Ubuntu Lucid):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox-3.5 - 3.5.6+nobinonly-0ubuntu1

---------------
firefox-3.5 (3.5.6+nobinonly-0ubuntu1) lucid; urgency=low

  * New upstream release v3.5.6 (FIREFOX_3_5_6_RELEASE)
    - see USN-874-1

  [ Micah Gersten <email address hidden> ]
  * Bump minimum system cairo to 1.8.8
    - update debian/rules
  * Fix .desktop Name field for Slovak translation (LP: 448683)
    - update debian/firefox-3.5-final.desktop
  * Fix .desktop Name field for Estonian and Arabic translations
    (LP: 419507, LP: 321239)
    - update debian/firefox-3.5-final.desktop

  [ Jamie Strandboge <email address hidden> ]
  * AppArmor fixes:
    - allow access to nautilus, to allow "Open containing folder" to work
      (LP: #452591)
    - allow access for deluge (LP: #455792)
    - work better with KDE by adding kde abstraction, allow access to soffice,
      allow access to okular and read access to /etc/fstab (for print dialog)
      (LP: #447006)
    - allow access to acroread (LP: #473268)
    - allow access to eog (LP: #464016)
    - allow access to transmission (LP: #476299)
    - deny noisy write attempts to deny /usr/lib/xulrunner-*/components/*.tmp
      as seen with 'firefox --help')
    - deny noisy read to /.suspended (when navigating directories)
    - allow access to /usr/bin/liferea-add-feed (LP: #488851)
    - allow access to azureus (LP: #482677)
    - don't require 'owner' for /media (LP: #479580)
    - adjust AppArmor profile binary globbing to match other branches
    - allow ixr access to sed (for first runs)

  [ Alexander Sack <email address hidden> ]
  * bump lower bound for system sqlite3 to >= 3.6.16.1
    - update debian/rules
 -- Alexander Sack <email address hidden> Wed, 16 Dec 2009 00:43:08 +0100

Changed in firefox-3.5 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Unassigning myself for the 9.10 task. I don't have time to prepare/test/floow through on an SRU for this, especially since there is an easy workaround. If someone else is inclined to take the lead on an SRU for this, feel free to do so. This should get fixed in the firefox 3.6 update for 9.10 anyway.

Changed in firefox-3.5 (Ubuntu Karmic):
assignee: Jamie Strandboge (jdstrand) → nobody
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. Karmic has reached EOL
(End of Life) and is no longer supported. As a result, this bug is
being marked "Won't Fix". Please see this document for currently
supported Ubuntu releases: https://wiki.ubuntu.com/Releases

Please feel free to report any other bugs you may find.

Changed in firefox-3.5 (Ubuntu Karmic):
status: In Progress → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.