Bug #633369 “apparmor profile denials with latest sun-java6” : Bugs : firefox package : Ubuntu

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2010-09-08:

#1

firefox-java.diff Edit (624 bytes, text/plain)

Changed in firefox (Ubuntu):
status:	New → Triaged
Changed in firefox (Ubuntu Maverick):
status:	Triaged → Invalid
Changed in firefox (Ubuntu Lucid):
status:	New → Triaged
Changed in firefox (Ubuntu Karmic):
status:	New → Triaged
Changed in apparmor (Ubuntu Karmic):
status:	New → Invalid
Changed in apparmor (Ubuntu Maverick):
status:	New → Triaged
assignee:	nobody → Jamie Strandboge (jdstrand)
importance:	Undecided → Medium
Changed in apparmor (Ubuntu Lucid):
status:	New → Invalid
Changed in apparmor (Ubuntu Maverick):
milestone:	none → ubuntu-10.10

Jamie Strandboge (jdstrand) on 2010-09-08

Changed in apparmor (Ubuntu Maverick):
status:	Triaged → Fix Committed

Jamie Strandboge (jdstrand) on 2010-09-08

Changed in firefox (Ubuntu Lucid):
assignee:	nobody → Jamie Strandboge (jdstrand)
status:	Triaged → Fix Committed
Changed in firefox (Ubuntu Karmic):
assignee:	nobody → Jamie Strandboge (jdstrand)
status:	Triaged → In Progress
status:	In Progress → Fix Committed
importance:	Undecided → Medium
Changed in firefox (Ubuntu Lucid):
importance:	Undecided → Medium

Jamie Strandboge (jdstrand) on 2010-09-11

Changed in apparmor (Ubuntu Maverick):
status:	Fix Committed → Fix Released

Revision history for this message

Colin Watson (cjwatson) wrote on 2010-09-16:

#2

firefox (3.6.10+build1+nobinonly-0ubuntu1) maverick; urgency=low

* New upstream release v3.6.10 (FIREFOX_3_6_10_BUILD1)

  [ Chris Coulson <email address hidden> ]
  * Fix "ISO C++ forbids braced-groups within expressions" error on
    GCC < 4.4 (which is also a warning on GCC >= 4.4)
    - update debian/patches/bz591331_att469858_breakpad_allow_ptrace.patch
  * Blacklist plugin-container in Apport
    - update debian/apport/blacklist
  * Fix LP: #637434 - components.list is not installed
    - update debian/firefox.install
  * De-fuzz patches
    - update debian/patches/mozilla-kde.patch

  [ Jamie Strandboge <email address hidden> ]
  * adjust apparmor profile for non-maverick dailies for latest sun-java6
    plugin (LP: #633369)
  * ignore writes to /var/cache/fontconfig for 10.10

-- Chris Coulson <email address hidden> Wed, 15 Sep 2010 17:50:08 +0100

Changed in firefox (Ubuntu Maverick):
status:	Invalid → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-09-16:

#3

This bug was fixed in the package firefox - 3.6.10+build1+nobinonly-0ubuntu0.10.04.1

---------------
firefox (3.6.10+build1+nobinonly-0ubuntu0.10.04.1) lucid-security; urgency=low

* New usptream release v3.6.10 (FIREFOX_3_6_10_BUILD1)

[ Jamie Strandboge <email address hidden> ]
* adjust apparmor profile for latest sun-java6 plugin (LP: #633369)

  [ Chris Coulson <email address hidden> ]
  * Fix LP: #637434 - components.list is not installed
    - update debian/firefox.install
  * De-fuzz patches
    - update debian/patches/mozilla-kde.patch
  * Make sure we actually blacklist firefox and plugin-container in Apport
    - add debian/apport/blacklist
    - update debian/rules
-- Chris Coulson <email address hidden> Wed, 15 Sep 2010 18:46:13 +0100

Changed in firefox (Ubuntu Lucid):
status:	Fix Committed → Fix Released

Jamie Strandboge (jdstrand) on 2010-09-17

Changed in firefox (Ubuntu Karmic):
status:	Fix Committed → Fix Released

Revision history for this message

Martin Pitt (pitti) wrote on 2010-12-03: Please test proposed package

#4

Accepted apparmor into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags:

added: verification-needed

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2010-12-14:

#5

Lucid affected, but fixed in firefox package. Maverick fixed in ubuntu-browsers.d/java which is not part of this update. Upgrading to 2.5.1-0ubuntu0.10.04.1 in lucid-proposed showed no regressions.

tags:

added: verification-done
removed: verification-needed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-12-15:

#6

Download full text (10.1 KiB)

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.1

---------------
apparmor (2.5.1-0ubuntu0.10.04.1) lucid-proposed; urgency=low

  * Backport 2.5.1-0ubuntu0.10.10.1 from maverick for userspace tools to work
    with newer kernels (LP: #660077)
    NOTE: user-tmp now uses 'owner' match, so non-default profiles will have
    to be adjusted when 2 separately confined applications that both use the
    user-tmp abstraction depend on being able to cooperatively share files
    with each other in /tmp or /var/tmp.
  * remove the following patches (features not appropriate for SRU):
    - 0002-add-chromium-browser.patch
    - 0003-local-includes.patch
    - 0004-ubuntu-abstractions-updates.patch
  * debian/rules (this makes it the same as what was shipped in 10.04 LTS
    release):
    - don't ship aa-update-browser and its man page (requires
      0004-ubuntu-abstractions-updates.patch)
    - don't ship apparmor.d/local/ (requires 0003-local-includes.patch)
    - don't use dh_apparmor (not in Ubuntu 10.04 LTS)
    - don't ship chromium profile
  * remove debian/profiles/chromium-browser
  * remove debian/aa-update-browser*
  * debian/apparmor-profiles.postinst: revert to that in lucid release
    (requires dh_apparmor and 0002-add-chromium-browser.patch)
  * remove debian/apparmor-profiles.postrm: doesn't make sense without
    0002-add-chromium-browser.patch
  * debian/control:
    - revert Build-Depends on debhelper (>= 5)
    - revert Standards-Version to 3.8.4
    - revert Vcs-Bzr
    - use Conflicts/Replaces version that was in Ubuntu 10.04 LTS
  * debian/patches/0011-lucid-compat-dbus.patch: move /var/lib/dbus/machine-id
    back into dbus, since profiles on 10.04 LTS expect it there
  * debian/patches/0012-lucid-compat-kde.patch: add kde4-config to kde
    abstraction, since the firefox profile on Ubuntu 10.04 LTS expects it to
    be there

apparmor (2.5.1-0ubuntu0.10.10.2) maverick-proposed; urgency=low

  * New upstream release (LP: #660077)
    - The following patches were refreshed:
      + 0001-fix-release.patch
      + 0003-local-includes.patch
      + 0004-ubuntu-abstractions-updates.patch
      + 0008-lp648900.patch: renamed as 0005-lp648900.patch
    - The following patches were dropped (included upstream):
      + 0005-lp601583.patch
      + 0006-network-interface-enumeration.patch
      + 0007-gnome-updates.patch
  * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
    of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
  * debian/patches/0007-honor-cflags.patch: have the parser makefile honor
    CFLAGS environment variable. Brings back missing symbols for the retracer
  * debian/patches/0008-lp652674.patch: fix warnings for messages without
    denied or requested masks (LP: #652674)
  * debian/apparmor.init: fix path to aa-status (LP: #654841)
  * debian/apport/source_apparmor.py: apport hook should use
    root_command_hook() for running apparmor_status (LP: #655529)
  * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber
    cmdline details (LP: #657091)
  * debian/{rules,control}: move apache2 abstractions into the base package
    so we can put ...

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.1

---------------
apparmor (2.5.1-0ubuntu0.10.04.1) lucid-proposed; urgency=low

* Backport 2.5.1-0ubuntu0.10.10.1 from maverick for userspace tools to work
    with newer kernels (LP: #660077)
    NOTE: user-tmp now uses 'owner' match, so non-default profiles will have
    to be adjusted when 2 separately confined applications that both use the
    user-tmp abstraction depend on being able to cooperatively share files
    with each other in /tmp or /var/tmp.
  * remove the following patches (features not appropriate for SRU):
    - 0002-add-chromium-browser.patch
    - 0003-local-includes.patch
    - 0004-ubuntu-abstractions-updates.patch
  * debian/rules (this makes it the same as what was shipped in 10.04 LTS
    release):
    - don't ship aa-update-browser and its man page (requires
      0004-ubuntu-abstractions-updates.patch)
    - don't ship apparmor.d/local/ (requires 0003-local-includes.patch)
    - don't use dh_apparmor (not in Ubuntu 10.04 LTS)
    - don't ship chromium profile
  * remove debian/profiles/chromium-browser
  * remove debian/aa-update-browser*
  * debian/apparmor-profiles.postinst: revert to that in lucid release
    (requires dh_apparmor and 0002-add-chromium-browser.patch)
  * remove debian/apparmor-profiles.postrm: doesn't make sense without
    0002-add-chromium-browser.patch
  * debian/control:
    - revert Build-Depends on debhelper (>= 5)
    - revert Standards-Version to 3.8.4
    - revert Vcs-Bzr
    - use Conflicts/Replaces version that was in Ubuntu 10.04 LTS
  * debian/patches/0011-lucid-compat-dbus.patch: move /var/lib/dbus/machine-id
    back into dbus, since profiles on 10.04 LTS expect it there
  * debian/patches/0012-lucid-compat-kde.patch: add kde4-config to kde
    abstraction, since the firefox profile on Ubuntu 10.04 LTS expects it to
    be there

apparmor (2.5.1-0ubuntu0.10.10.2) maverick-proposed; urgency=low

* New upstream release (LP: #660077)
    - The following patches were refreshed:
      + 0001-fix-release.patch
      + 0003-local-includes.patch
      + 0004-ubuntu-abstractions-updates.patch
      + 0008-lp648900.patch: renamed as 0005-lp648900.patch
    - The following patches were dropped (included upstream):
      + 0005-lp601583.patch
      + 0006-network-interface-enumeration.patch
      + 0007-gnome-updates.patch
  * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
    of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
  * debian/patches/0007-honor-cflags.patch: have the parser makefile honor
    CFLAGS environment variable. Brings back missing symbols for the retracer
  * debian/patches/0008-lp652674.patch: fix warnings for messages without
    denied or requested masks (LP: #652674)
  * debian/apparmor.init: fix path to aa-status (LP: #654841)
  * debian/apport/source_apparmor.py: apport hook should use
    root_command_hook() for running apparmor_status (LP: #655529)
  * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber
    cmdline details (LP: #657091)
  * debian/{rules,control}: move apache2 abstractions into the base package
    so we can put apache2 profiles into the -profiles package without
    aa-logprof bailing out. Patch by Marc Deslauriers.
    (LP: #539441)
  * debian/patches/0009-sensible-browser-pix.patch: use Pix with
    sensible-browser
  * debian/patches/0010-ubuntu-buildd.patch: skip parser caching test if
    the AppArmor securityfs introspection directory is not mounted, as
    is the case on Ubuntu buildds.

apparmor (2.5.1~rc1-0ubuntu2) maverick; urgency=low

* abstractions/ubuntu-email: adjustment for ever-changing thunderbird path
    (LP: #648900)

apparmor (2.5.1~rc1-0ubuntu1) maverick; urgency=low

[ Jamie Strandboge ]
  * New upstream RC release (revision 1413). In addition to getting the tools
    to work with the maverick kernel, this update fixes:
    - LP: #619521
    - LP: #633369
    - LP: #626451
    - LP: #581525
    - LP: #623467 (link and unlink still need to be addressed)
  * Dropped the following patches, included upstream:
    - 0002-lp615177.patch
    - 0004-ubuntu-pux.patch
    - 0006-kde4-config-pux.patch
    - 0007-lp605835.patch
    - 0012-lp625041.patch
    - 0013-lp623586.patch
  * Update the following patches:
    - rename 0010-fix-release.patch as 0001-fix-release.patch since this will
      likely always need to be here
    - rename 0005-add-chromium-browser.patch as
      0002-add-chromium-browser.patch
    - rename 0001-local-includes.patch as 0003-local-includes.patch and update
      to use r1493 (from trunk) of local/README file. This can be dropped in
      2.6.
    - collect the ubuntu abstractions updates pulled from trunk into
      0004-ubuntu-abstractions-updates.patch. This can be dropped in 2.6.
    - rename 0008-lp601583.patch as 0005-lp601583.patch. This can be dropped
      in 2.5.1 final.
  * fix up some lintian warnings:
    - debian/control:
      + don't use 'Section' in apparmor-notify, since it is the same as the
        source
      + updates Standards-Version to 3.9.1
      + add ${misc:Depends} to libapparmor-dev and apparmor-notify
    - add debian/source/format
    - debian/libapache2-mod-apparmor.postrm: use #DEBHELPER#
    - debian/libapache2-mod-apparmor.preinst: use #DEBHELPER#
    - add debian/watch
  * debian/notify/notify.conf: set show_notifications="yes" by default
  * debian/patches/0006-network-interface-enumeration.patch: allow network
    interface enumeration. This can be dropped in 2.5.1 final.
  * debian/patches/0007-gnome-updates.patch: update for font/icon/mime
    locations in current gnome. This can be dropped in 2.5.1 final.

[ Kees Cook ]
  * debian/apparmor.init: rename "stop" to "teardown", drop caches on
    "stop" and warn about the dangers of "teardown".

apparmor (2.5.1~pre1393-0ubuntu6) maverick; urgency=low

* debian/profiles/chromium-browser: updated to have the proper path to
    local/
  * debian/patches/0011-lp514356+573344+593413.patch: browser abstraction
    updates for /net, kmozillahelper and gnome-appearance-properties
    (LP: #593413, LP: #514356, LP: #573344)
  * debian/patches/0012-lp625041.patch: add sensible-browser (LP: #625041)
  * debian/patches/0013-lp623586.patch: allow access to ghostscript fonts when
    not using defoma (LP: #623586)

apparmor (2.5.1~pre1393-0ubuntu5) maverick; urgency=low

* debian/patches/0007-lp605835.patch: allow ca-certificates in ssl_certs
    abstraction (LP: #605835)
  * debian/patches/0008-lp601583.patch: adjust X abstraction for newer gdm
    (LP: #601583)
  * debian/patches/0009-lp565753.patch: add ubuntu-feed-readers abstraction
    and have ubuntu-browsers.d/multimedia use it (LP: #565753)
  * debian/apparmor.config: don't try to read in the existing value from
    /etc/apparmor.d/tunables/home.d/ubuntu, but instead always use what is
    in debconf. (LP: #561694)
  * add aa-update-browser for giving a programmatic way to update browser
    profiles to use browser abstractions
    - add debian/aa-update-browser
    - add debian/aa-update-browser.8
    - debian/rules: install aa-update-browser*
  * debian/patches/0003-ubuntu-browsers-d.patch: updated to generalize java
    child profile names
  * debian/patches/0010-fix-release.patch: update common/Make.rules to use
    lsb_release

apparmor (2.5.1~pre1393-0ubuntu4) maverick; urgency=low

* debian/patches/0001-local-includes.patch: updated to adjust local/README
    to have upstream clarifications
  * debian/patches/0003-ubuntu-browsers-d.patch: add ubuntu-browsers.d/*
    abstractions
  * debian/patches/0004-ubuntu-pux.patch: use 'PUx' instead of 'Ux' in
    abstractions/ubuntu-*
  * add chromium-browser profile. All this can be removed once
    chromium-browser ships its own profile:
    - debian/patches/0005-add-chromium-browser.patch: add preliminary
      profiles/apparmor.d/usr.bin.chromium-browser
    - debian/profiles/chromium-browser: added for use with ubuntu-browsers.d
    - debian/rules: ship debian/profiles/chromium-browser in apparmor-profiles
  * don't make /etc/apparmor.d/local/* from apparmor-profiles conffiles
    - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
    - debian/rules: use dh_apparmor instead of shipping the files as conffiles
    - debian/apparmor-profiles.postinst: move DEBHELPER before initscript
      reload
    - debian/apparmor-profiles.postrm: added to remove chromium-browser config
      file
  * debian/patches/0006-kde4-config-pux.patch: remove kde4-config from kde
    abstraction and add it to kde ubuntu-browsers abstraction

apparmor (2.5.1~pre1393-0ubuntu3) maverick; urgency=low

* debian/patches/0002-lp615177.patch: 'owner' match in commit 1406 too
    strict for /tmp/ and /var/tmp/ (LP: #615177)

apparmor (2.5.1~pre1393-0ubuntu2) maverick; urgency=low

* debian/rules: move local/usr.lib.apache2.mpm-prefork.apache2 to
    libapache2-mod-apparmor

apparmor (2.5.1~pre1393-0ubuntu1) maverick; urgency=low

* Update to upstream bzr revision 1393 from lp:apparmor/2.5.
    * add dbus-session abstraction (LP: #566207)
    * require owner in user-tmp abstraction (LP: #578922)
    * don't use uninitialized $opt_s (LP: #582075)
    * allow thunderbird 3 in abstractions/ubuntu-email (LP: #590462)
    * allow gmplayer in abstractions/ubuntu-media-players (LP: #591421)
  * debian/control: updated branches.
  * debian/patches/0001-local-includes.patch: backported patch from trunk to
    allow local administrators to customize their profiles without modifying
    a shipped profile
  * debian/rules:
    - don't pass RELEASE to libapparmor's 'make install' as it breaks the
      build and isn't used by the Makfile anyway
    - install apparmor.d/local/README in apparmor, not apparmor-profiles
    - don't install apparmor.d/local/usr.sbin.ntpd
  * Drop the following patches already included upstream:
    - 0001-lp538561.patch
    - 0002-aalogprof-warnings.patch
    - 0003-fix-memleaks.patch
    - 0004-lp549557.patch
    - 0005-lp538661.patch
    - 0006-lp611248.patch

apparmor (2.5-0ubuntu4) maverick; urgency=low

* debian/patches/0006-lp611248.patch: allow access to gdk-pixbuf loaders
    LP: #611248
 -- Jamie Strandboge <jamie@ubuntu.com>   Tue, 02 Nov 2010 13:33:15 -0500

Changed in apparmor (Ubuntu Lucid):
status:	Invalid → Fix Released

Ubuntu
firefox package

apparmor profile denials with latest sun-java6

Bug Description

Related branches

Other bug subscribers

Patches

Remote bug watches

	Status	Importance	Assigned to	Milestone
apparmor (Ubuntu)	Fix Released	Medium	Jamie Strandboge	Ubuntu ubuntu-10.10
Karmic	Invalid	Undecided	Unassigned
Lucid	Fix Released	Undecided	Unassigned
Maverick	Fix Released	Medium	Jamie Strandboge	Ubuntu ubuntu-10.10
firefox (Ubuntu)	Fix Released	Undecided	Unassigned
Karmic	Fix Released	Medium	Jamie Strandboge
Lucid	Fix Released	Medium	Jamie Strandboge
Maverick	Fix Released	Undecided	Unassigned

Ubuntufirefox package

apparmor profile denials with latest sun-java6

Bug Description

Related branches

Other bug subscribers

Patches

Remote bug watches

Ubuntu
firefox package