Hi,

I noticed some DENIED messages related to Firefox 53 on the 16.04.2 LTS release. Generally, there are AppArmor messages every day. I would like to ask a question about the rules which I need to add, etc. Honestly, I'm a little surprised that there are so many DENIED actions. Here are these problems:

1)

May 1 15:53:06 t1 kernel: [11060.718892] audit: type=1400 audit(1493646786.545:126): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=8703 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"

Q: What rule should I add to the Firefox profile to solve this issue? I have no idea, because I've never seen such entries, etc.

2)

May 1 14:56:42 t1 kernel: [ 7676.715087] audit: type=1107 audit(1493643402.545:125): pid=1010 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/UPower" interface="org.freedesktop.UPower" member="EnumerateDevices" mask="send" name="org.freedesktop.UPower" pid=2819 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1810 peer_label="unconfined"

Q: According to the other dbus-related rules, I created something like this. My question is: can I add this one, is it OK? (Can it be added to the "#include <abstractions/dbus-accessibility-strict>" section?)

    dbus (send)
         bus=session    -- or "system", (see; log bus="system")
         peer=(name=org.freedesktop.UPower),

3)

May 1 19:27:11 t1 kernel: [ 805.803139] audit: type=1400 audit(1493659631.472:57): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release" name="/usr/share/distro-info/debian.csv" pid=2236 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 1 19:27:11 t1 kernel: [ 805.803379] audit: type=1400 audit(1493659631.472:58): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release" name="/etc/default/apport" pid=2236 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 1 19:27:11 t1 kernel: [ 805.926544] audit: type=1400 audit(1493659631.596:59): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release" name="/etc/apt/apt.conf.d/" pid=2236 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Q: As we can see, these entries are related to the "lsb_release" child profile, and I added these three rules right there. Are they OK? (There was a problem with the python version; I've changed one rule: "/usr/bin/python3.[0-4] r," to this: "/usr/bin/python3.[0-5] r,")

    /usr/share/distro-info/*.csv r,
    /etc/default/apport r,
    /etc/apt/apt.conf.d/ r,
    /etc/apt/apt.conf.d/* r,    - needed or not?

4)

May 2 17:16:41 t1 dbus[1805]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" name=":1.11" pid=2226 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1926 peer_label="unconfined"

Q: Just as with the rule above (see point 2): can I add something like this one, is it OK?

    dbus (send)
         bus=session
         peer=(name=org.gtk.vfs.MountTracker),

5)

May 2 17:36:47 t1 kernel: [ 547.527906] audit: type=1400 audit(1493739407.662:57): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/bin/speech-dispatcher" pid=2077 comm=7370656563686420696E6974 requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Q: Is this rule OK to add? "/usr/bin/speech-dispatcher mrix,"

That's all for now. I have no idea why Firefox is complaining about so many things, and it happens almost every day.

Thanks, best regards.