Public bug reported:

Every time I open firefox apparmor-notify displays a deny of "m" message
to "/dev/zero". I added the line "/dev/zero m," to my
/etc/apparmor.d/usr.bin.firefox profile to be able to play Adobe Flash
videos. Question #1: What security risks play a role when I allow "m"
(?) access to this folder for Firefox?

Now every time I start Firefox apparmor-notify displays a deny of “rw” (read 
and write) to “/dev/nvidiactl”. Despite this I get messages no matter what web 
page I'm on after exactly every minute that look something like this, from my 
“/var/log/kern.log” LogFile,
“
type=AVC msg=audit(1332717987.622:214): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718047.625:215): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718107.625:216): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718167.624:217): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
“
After every restart of Firefox the proc folder changes in the message logs. 
Question #2: Will these access denied messages go away if I again edit my 
/etc/apparmor.d/usr.bin.firefox profile, but this time to add the permissive 
line, “/dev/nvidiactl rw,”? Question #3: Either way, is it okay to do so (i.e. 
add /dev/nvidiactl rw, to the Firefox profile)? And what are the security risks 
for that?

Here are my specs,
"
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=11.10
DISTRIB_CODENAME=oneiric
DISTRIB_DESCRIPTION="Ubuntu 11.10"
Linux username 3.0.0-16-generic #29-Ubuntu SMP Tue Feb 14 12:49:42 UTC 2012 i686 athlon i386 GNU/Linux
firefox:
  Installed: 11.0+build1-0ubuntu0.11.10.1
  Candidate: 11.0+build1-0ubuntu0.11.10.1
  Version table:
 *** 11.0+build1-0ubuntu0.11.10.1 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main i386 Packages
        500 http://security.ubuntu.com/ubuntu/ oneiric-security/main i386 Packages
        100 /var/lib/dpkg/status
        100 /var/lib/dpkg/status
     7.0.1+build1+nobinonly-0ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages
"

Thank you.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: aa-notify adobe apparmor firefox flash play proc video videos

** Description changed:

  Every time I open firefox apparmor-notify displays a deny of "m" message
  to "/dev/zero". I added the line "/dev/zero m," to my
  /etc/apparmor.d/usr.bin.firefox profile to be able to play Adobe Flash
  videos. Question #1: What security risks play a role when I allow "m"
  (?) access to this folder for Firefox?
  
  Now every time I start Firefox apparmor-notify displays a deny of “rw” (read 
and write) to “/dev/nvidiactl”. Despite this I get messages no matter what web 
page I'm on after exactly every minute that look something like this, from my 
“/var/log/kern.log” LogFile,
  “
  type=AVC msg=audit(1332717987.622:214): apparmor="DENIED" operation="open" 
parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" 
name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
  type=AVC msg=audit(1332718047.625:215): apparmor="DENIED" operation="open" 
parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" 
name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
  type=AVC msg=audit(1332718107.625:216): apparmor="DENIED" operation="open" 
parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" 
name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
  type=AVC msg=audit(1332718167.624:217): apparmor="DENIED" operation="open" 
parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" 
name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
  “
  After every restart of Firefox the proc folder changes in the message logs. 
Question #2: Will these access denied messages go away if I again edit my 
/etc/apparmor.d/usr.bin.firefox profile, but this time to add the permissive 
line, “/dev/nvidiactl rw,”? Question #3: Either way, is it okay to do so (i.e. 
add /dev/nvidiactl rw, to the Firefox profile)? And what are the security risks 
for that?
  
- Question #3: Do I need to change this to a bug report as suggested in
- the aa-notify messages' link to
- https://wiki.ubuntu.com/DebuggingApparmor?
- 
  Thank you.

** Tags added: apparmor

** Description changed:

  Every time I open firefox apparmor-notify displays a deny of "m" message
  to "/dev/zero". I added the line "/dev/zero m," to my
  /etc/apparmor.d/usr.bin.firefox profile to be able to play Adobe Flash
  videos. Question #1: What security risks play a role when I allow "m"
  (?) access to this folder for Firefox?
  
  Now every time I start Firefox apparmor-notify displays a deny of “rw” (read 
and write) to “/dev/nvidiactl”. Despite this I get messages no matter what web 
page I'm on after exactly every minute that look something like this, from my 
“/var/log/kern.log” LogFile,
  “
  type=AVC msg=audit(1332717987.622:214): apparmor="DENIED" operation="open" 
parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" 
name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
  type=AVC msg=audit(1332718047.625:215): apparmor="DENIED" operation="open" 
parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" 
name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
  type=AVC msg=audit(1332718107.625:216): apparmor="DENIED" operation="open" 
parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" 
name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
  type=AVC msg=audit(1332718167.624:217): apparmor="DENIED" operation="open" 
parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" 
name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
  “
  After every restart of Firefox the proc folder changes in the message logs. 
Question #2: Will these access denied messages go away if I again edit my 
/etc/apparmor.d/usr.bin.firefox profile, but this time to add the permissive 
line, “/dev/nvidiactl rw,”? Question #3: Either way, is it okay to do so (i.e. 
add /dev/nvidiactl rw, to the Firefox profile)? And what are the security risks 
for that?
  
+ Here are my specs,
+ "
+ DISTRIB_ID=Ubuntu
+ DISTRIB_RELEASE=11.10
+ DISTRIB_CODENAME=oneiric
+ DISTRIB_DESCRIPTION="Ubuntu 11.10"
+ Linux username 3.0.0-16-generic #29-Ubuntu SMP Tue Feb 14 12:49:42 UTC 2012 
i686 athlon i386 GNU/Linux
+ firefox:
+   Installed: 11.0+build1-0ubuntu0.11.10.1
+   Candidate: 11.0+build1-0ubuntu0.11.10.1
+   Version table:
+  *** 11.0+build1-0ubuntu0.11.10.1 0
+         500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main i386 
Packages
+         500 http://security.ubuntu.com/ubuntu/ oneiric-security/main i386 
Packages
+         100 /var/lib/dpkg/status
+      7.0.1+build1+nobinonly-0ubuntu2 0
+         500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages
+ "
+ 
  Thank you.

** Tags added: aa-notify adobe firefox flash play proc video videos

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/965718

Title:
  Denied to "/dev/zero/ m," and "/dev/nvidiactl rw,"
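
Added example, not part of the original report or of AppArmor itself: a small parser that groups DENIED records like those quoted in the report by profile, path and mask, collapsing the /proc/<pid>/ component that the reporter notes changes on every Firefox restart, and showing the interval between repeats. The sample log is constructed from three of the report's records plus one invented record with a different PID; "/proc/<pid>/" is a display placeholder, not AppArmor rule syntax.

```python
import re
from collections import defaultdict

# Constructed sample: three records copied from the report (one line each)
# plus one invented record with a different PID, as after a browser restart.
_REC = ('type=AVC msg=audit({ts}:{seq}): apparmor="DENIED" operation="open" '
        'parent=1 profile="/usr/lib/firefox-11.0/firefox{{,*[^s][^h]}}" '
        'name="/proc/{tgid}/net/dev" pid={pid} comm="firefox" '
        'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')
SAMPLE_LOG = "\n".join([
    _REC.format(ts="1332717987.622", seq=214, tgid=2011, pid=2030),
    _REC.format(ts="1332718047.625", seq=215, tgid=2011, pid=2030),
    _REC.format(ts="1332718107.625", seq=216, tgid=2011, pid=2030),
    _REC.format(ts="1332719000.000", seq=230, tgid=3100, pid=3121),  # invented
    "Mar 25 19:26:27 host kernel: unrelated line",                   # invented
])

_AUDIT = re.compile(r'audit\((\d+\.\d+):\d+\)')
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED record, or None."""
    stamp = _AUDIT.search(line)
    if 'apparmor="DENIED"' not in line or not stamp:
        return None
    fields = {k: quoted or bare for k, quoted, bare in _FIELD.findall(line)}
    fields["time"] = float(stamp.group(1))
    return fields

def normalize(path):
    """Collapse the per-process /proc/<pid>/ component so restarts group together."""
    return re.sub(r'^/proc/\d+/', '/proc/<pid>/', path)

def summarize(log_text):
    """Group denials by (profile, normalized path, denied_mask)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec and "name" in rec:
            key = (rec.get("profile"), normalize(rec["name"]), rec.get("denied_mask"))
            times[key].append(rec["time"])
    return {key: {"count": len(ts),
                  "gaps_s": [round(b - a) for a, b in zip(sorted(ts), sorted(ts)[1:])]}
            for key, ts in times.items()}

if __name__ == "__main__":
    for (profile, path, mask), info in summarize(SAMPLE_LOG).items():
        print(f'{info["count"]}x {mask} {path} gaps={info["gaps_s"]} profile={profile}')
```

Run against a real kern.log by passing its contents to summarize(); the syslog prefix on each line does not affect the parsing.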
