Ubuntu
apparmor package

Firefox 12's launcher script is not allowed in abstractions/ubuntu-browsers

Bug #989184 reported by Simon Déziel
24
This bug affects 3 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Invalid
Undecided
Unassigned
Lucid
Fix Released
Low
Unassigned
Natty
Fix Released
Low
Micah Gersten
Oneiric
Fix Released
Low
Micah Gersten

Bug Description

WORKAROUND: Change /usr/lib/firefox-*/firefox.sh PUx, in /etc/apparmor.d/abstractions/ubuntu-browsers to /usr/lib/firefox*/firefox.sh PUx,

TEST CASE: Launch Firefox from evince

------------------------------------

Since Firefox was updated to version 12, the launcher script is installed as "/usr/lib/firefox/firefox.sh" instead of the old name that included the version in it : "/usr/lib/firefox-11.0/firefox.sh".

$ lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10

$ apt-cache policy apparmor
apparmor:
  Installed: 2.7.0~beta1+bzr1774-1ubuntu2
  Candidate: 2.7.0~beta1+bzr1774-1ubuntu2
  Version table:
 *** 2.7.0~beta1+bzr1774-1ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status

ProblemType: BugDistroRelease: Ubuntu 11.10
Package: apparmor 2.7.0~beta1+bzr1774-1ubuntu2
ProcVersionSignature: Ubuntu 3.0.0-19.33-generic 3.0.27
Uname: Linux 3.0.0-19-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Thu Apr 26 15:43:20 2012
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111011)
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.0.0-19-generic root=/dev/mapper/crypt-root ro quiet splash vt.handoff=7SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.apparmor.d.abstractions.aspell: [modified]
mtime.conffile..etc.apparmor.d.abstractions.aspell: 2012-01-18T13:58:44.963987

See original description
Revision history for this message
Simon Déziel (sdeziel) wrote :
Revision history for this message
Simon Déziel (sdeziel) wrote :
Revision history for this message
Micah Gersten (micahg) wrote :

This is fine in precise onwards as that line was change to:
  /usr/lib/firefox*/firefox*.sh Cx -> sanitized_helper,

Changed in apparmor (Ubuntu):
status: New → Invalid
Changed in apparmor (Ubuntu Oneiric):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Low
status: New → Triaged
Revision history for this message
Micah Gersten (micahg) wrote :

Thank you for reporting this to Ubuntu.
That patch doesn't work as we want to allow stuff like /usr/lib/firefox-trunk and /usr/lib/firefox-aurora. I'll do something similar to what's in precise

Changed in apparmor (Ubuntu Natty):
importance: Undecided → Low
status: New → Triaged
Changed in apparmor (Ubuntu Lucid):
status: New → Triaged
Changed in apparmor (Ubuntu Natty):
assignee: nobody → Micah Gersten (micahg)
Changed in apparmor (Ubuntu Lucid):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Low
Revision history for this message
Simon Déziel (sdeziel) wrote :

According to http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/precise/apparmor/precise/view/head:/profiles/apparmor.d/abstractions/ubuntu-browsers this is not affecting Precise. It looks like it affects all earlier releases, from Lucid to Oneiric.

Micah Gersten (micahg)
description: updated
Revision history for this message
Simon Déziel (sdeziel) wrote :

Micah, the patch would work since it only adds a rule and leave the firefox-* one. I do agree with you that firefox* is better though. Recent versions are using PUx while Lucid uses the subobtimal Ux. Would you mind to also use PUx on Lucid for people using a custom profile ?

Thanks

Revision history for this message
Micah Gersten (micahg) wrote :

Simon, yes, sorry, you are correct, I'd prefer to just keep it simple though and remove the dash.

This is what I currently have in lucid:
grep firefox /etc/apparmor.d/abstractions/ubuntu-browsers
  # this should cover all firefox browsers and versions (including shiretoko
  /usr/lib/firefox-*/firefox.sh PUx,
ii apparmor 2.5.1-0ubuntu0.10.04.2 User-space parser utility for AppArmor

tags: added: patch-refused
tags: added: needs-packaging
tags: removed: needs-packaging patch-refused
tags: added: lucid natty regression-update
Revision history for this message
Simon Déziel (sdeziel) wrote : Re: [Bug 989184] Re: Firefox 12's launcher script is not allowed in abstractions/ubuntu-browsers

On 12-04-26 04:29 PM, Micah Gersten wrote:
> This is what I currently have in lucid:
> grep firefox /etc/apparmor.d/abstractions/ubuntu-browsers
> # this should cover all firefox browsers and versions (including shiretoko
> /usr/lib/firefox-*/firefox.sh PUx,
> ii apparmor 2.5.1-0ubuntu0.10.04.2 User-space parser utility for AppArmor

Right, sorry for the confusion. I was looking at
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/lucid/apparmor/lucid/view/head:/profiles/apparmor.d/abstractions/ubuntu-browsers

I just confirmed on a Lucid system that it is effectively using PUx
which is perfect. Thanks again.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.4

---------------
apparmor (2.5.1-0ubuntu0.10.04.4) lucid-security; urgency=low

  * fix LP: #989184 - Firefox 12's launcher script is not allowed in
    abstractions/ubuntu-browsers; This was a regression from the firefox
    path changing to a non-versioned path in the Firefox 12 packaging
    - add debian/patches/0016-lp989184.patch
    - update debian/patches/series
  * fix LP: #990931 - Thunderbird is being blocked by apparmor from Firefox;
    This was a regression from the Thunderbird path changing to a non-versioned
    path in the Thunderbird 12 packaging
    - add debian/patches/0015-lp990931.patch
    - update debian/patches/series
 -- Micah Gersten <email address hidden> Wed, 30 May 2012 14:02:17 -0500

Changed in apparmor (Ubuntu Lucid):
status: Triaged → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.6.1-0ubuntu3.1

---------------
apparmor (2.6.1-0ubuntu3.1) natty-security; urgency=low

  * fix LP: #989184 - Firefox 12's launcher script is not allowed in
    abstractions/ubuntu-browsers; This was a regression from the firefox
    path changing to a non-versioned path in the Firefox 12 packaging
    - add debian/patches/0016-lp989184.patch
    - update debian/patches/series
  * fix LP: #990931 - Thunderbird is being blocked by apparmor from Firefox;
    This was a regression from the Thunderbird path changing to a non-versioned
    path in the Thunderbird 12 packaging
    - add debian/patches/0015-lp990931.patch
    - update debian/patches/series
 -- Micah Gersten <email address hidden> Tue, 05 Jun 2012 01:54:14 -0500

Changed in apparmor (Ubuntu Natty):
status: Triaged → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.0~beta1+bzr1774-1ubuntu2.1

---------------
apparmor (2.7.0~beta1+bzr1774-1ubuntu2.1) oneiric-security; urgency=low

  * fix LP: #989184 - Firefox 12's launcher script is not allowed in
    abstractions/ubuntu-browsers; This was a regression from the firefox
    path changing to a non-versioned path in the Firefox 12 packaging
    - add debian/patches/0016-lp989184.patch
    - update debian/patches/series
  * fix LP: #990931 - Thunderbird is being blocked by apparmor from Firefox;
    This was a regression from the Thunderbird path changing to a non-versioned
    path in the Thunderbird 12 packaging
    - add debian/patches/0015-lp990931.patch
    - update debian/patches/series
 -- Micah Gersten <email address hidden> Tue, 05 Jun 2012 02:01:04 -0500

Changed in apparmor (Ubuntu Oneiric):
status: Triaged → Fix Released
Andre Rue (andre-rue)
Changed in apparmor (Ubuntu):
assignee: nobody → Andre Rue (andre-rue)
status: Invalid → Incomplete
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Allow to call /usr/lib/firefox/firefox.sh in abstractions/ubuntu-browsers" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Steve Langasek (vorlon)
Changed in apparmor (Ubuntu):
assignee: Andre Rue (andre-rue) → nobody
status: Incomplete → Invalid
Opoku Mensah Benjamin (kellis-omb2009)
Changed in apparmor (Ubuntu):
assignee: nobody → Opoku Mensah Benjamin (kellis-omb2009)
Micah Gersten (micahg)
Changed in apparmor (Ubuntu):
assignee: Opoku Mensah Benjamin (kellis-omb2009) → nobody
Robert Brindza (brindza)
Changed in apparmor (Ubuntu Lucid):
assignee: Micah Gersten (micahg) → nobody
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.