ptrace should not be needed for firefox profile (/proc/<pid>/fd)

Bug #498317 reported by Jamie Strandboge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
AppArmor | Fix Released | Medium | John Johansen |
apparmor (Ubuntu) | Invalid | Medium | John Johansen |
apparmor (Ubuntu Lucid) | Invalid | Medium | John Johansen |
firefox (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |
firefox (Ubuntu Lucid) | Fix Released | Undecided | Jamie Strandboge |
linux (Ubuntu) | Fix Released | Medium | John Johansen |
linux (Ubuntu Lucid) | Fix Released | Medium | John Johansen |

Bug Description

At UDS Lucid, we reviewed the Ubuntu firefox profile and decided we really wanted to get rid of 'capability sys_ptrace'. It is assumed that this is needed for access to /proc/<pid>/fd.

Changed in apparmor:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → John Johansen (jjohansen)
Changed in linux (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → John Johansen (jjohansen)
Changed in apparmor (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → John Johansen (jjohansen)
Andy Whitcroft (apw)
tags: added: kernel-series-unknown
Jamie Strandboge (jdstrand) wrote :

Add firefox task since the profile will need to be updated once the underlying issue is fixed.

Changed in firefox (Ubuntu Lucid):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

This is fixed in the recent Lucid kernels. Invalidated the apparmor task.

Changed in apparmor (Ubuntu Lucid):
status: In Progress → Invalid
Changed in linux (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in apparmor:
status: Confirmed → Fix Released
tags: removed: kernel-series-unknown
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 3.6.2+nobinonly-0ubuntu1

---------------
firefox (3.6.2+nobinonly-0ubuntu1) lucid; urgency=low

  * New upstream release v3.6.2 (FIREFOX_3_6_2_RELEASE)

  [ Felix Geyer <email address hidden> ]
  * Rebase mozilla-kde.patch for 3.6.2
    - update debian/patches/mozilla-kde.patch

  [ Jamie Strandboge <email address hidden> ]
  * AppArmor profile cleanup for Lucid users:
    - remove sys_ptrace now that the kernel DTRT (LP: #498317)
    - don't use @{PROC}/[0-9]*/mounts or /etc/gnome/defaults.list (part of
      gnome abstraction now)
    - don't use @{PROC}/[0-9]*/maps (part of base abstraction)
    - don't use /etc/sound (part of audio abstraction)
    - use 'owner' for Desktop and all dot files and directories in @{HOME}
    - use ubuntu-bittorrent-clients abstraction
    - use ubuntu-media-players abstraction
    - allow access to xubuntu default app list (LP: #500231)
    - add ark and xarchiver for KDE and XFCE archive managers
    - add thunar for XFCE
    - add editors supported by It's All Text, thanks to James Troup
      (LP: #507711)
    - allow RealPlayer plugin and access to /usr/local/lib (LP: #501822)
    - allow Ux for scim and scim-bridge
    - allow ix for gst-plugin-scanner
  * ship different AppArmor profiles for different releases:
    - move usr.bin.firefox.apparmor.in to usr.bin.firefox.apparmor.9.10
    - add usr.bin.firefox.apparmor.10.04
    - debian/rules: ship AppArmor profile based on release:
      + add DISTRIB, DISTRIB_VERSION_MAJOR and DISTRIB_VERSION_MINOR
      + ship 9.10 profile for Karmic and under and 10.04 profile for Lucid
        and later
  * update AppArmor profile to transition to a java child profile rather
    than Ux. This has the added benefit of restricting java a bit more than
    before. This is needed since the java plugins are expecting certain
    environment variables to be present, which get scrubbed with Ux. 'cx'
    doesn't remove these from the environment but allows for better profiling
    over 'ux'. Thanks to John Johansen for discussion and idea. (LP: #484148)

  [ Alexander Sack <email address hidden> ]
  * fix LP: #518422 - Firefox does not start with certain addons installed;
    don't normalize paths for xpti.dat
    - add debian/patches/lp518422.patch
    - update debian/series

  [ Micah Gersten <email address hidden> ]
  * Bump minimum system NSS to 3.12.6 after upstream landing of (bmo: 545755)
    aka Update Mozilla stable branches to NSS 3.12.6 and minimal support for
    RFC 5746
    - update debian/rules
  * Really fix FTBFS for sparc; Add configure flag to correct variable
    - update debian/rules
 -- Micah Gersten <email address hidden> Wed, 24 Mar 2010 01:17:46 -0500

Changed in firefox (Ubuntu Lucid):
status: Triaged → Fix Released
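
A small check for three profile patterns the changelog above cleans up (`capability sys_ptrace`, `Ux`/`ux` unconfined exec, and `@{HOME}` rules without `owner`), added here as an example and not part of the bug report or the Ubuntu packaging. The sample profile, the java path and child-profile name, and the `audit_profile` helper are constructed for illustration.

```python
import re

# Constructed sample, loosely modelled on the changelog items; it is NOT the
# profile Ubuntu shipped, and the java path and child-profile name are made up.
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/lib/firefox-*/firefox {
  #include <abstractions/base>
  capability sys_ptrace,
  @{PROC}/[0-9]*/fd/ r,
  @{HOME}/.mozilla/** rw,
  owner @{HOME}/Desktop/** rw,
  /usr/bin/scim Ux,
  /usr/lib/jvm/*/bin/java cx -> java,
  deny capability sys_ptrace,   # explicit deny: not a finding
  # capability sys_ptrace,      commented out: not a finding
}
"""

QUALIFIERS = {"audit", "owner"}
UNCONFINED_EXEC = re.compile(r"(?<![pPcC])[uU]x")  # ux/Ux, but not pux/cux fallbacks


def audit_profile(text):
    """Return (line_number, finding) pairs for rules worth reviewing."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        rule = raw.split("#", 1)[0].strip()  # drops comments and #include lines
        if not rule.endswith(","):
            continue  # profile header, braces, blank lines
        tokens = rule[:-1].split()
        if not tokens or tokens[0] == "deny":
            continue
        quals = set()
        while tokens and tokens[0] in QUALIFIERS:
            quals.add(tokens.pop(0))
        if tokens and tokens[0] == "capability":
            if "sys_ptrace" in tokens[1:]:
                findings.append((lineno, "capability sys_ptrace"))
        elif len(tokens) >= 2:
            path, perms = tokens[0], tokens[1]
            if UNCONFINED_EXEC.search(perms):
                findings.append((lineno, "unconfined exec"))
            if path.startswith("@{HOME}") and "owner" not in quals:
                findings.append((lineno, "@{HOME} rule without owner"))
    return findings

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

A finding is a prompt to review the rule rather than proof of a problem: the same changelog deliberately keeps `Ux` for scim and scim-bridge.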