Printing from flash doesn't find printers due to strict apparmor rules

Bug #466228 reported by Jean-Louis Dupond
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
apparmor (Ubuntu) | Fix Released | Low | Jamie Strandboge |
firefox (Ubuntu) | Invalid | Low | Unassigned |
firefox-3.5 (Ubuntu) | Invalid | Low | Unassigned |

Bug Description

Binary package hint: firefox-3.5

When trying to print from Flash (I'm using the 64bit plug-in from labs.adobe), it doesn't show any printer, so you can't print.
Getting the following errors in dmesg:

[ 778.561355] type=1503 audit(1256977548.312:27): operation="exec" pid=4014 parent=4013 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/lpstat"
[ 778.568200] type=1503 audit(1256977548.324:28): operation="exec" pid=4016 parent=4015 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/lpstat"

When I disable apparmor, it just works without problems.

Dunno if this problem is reproducible in the flashplayer-installer?

Adding
  # flashplugin
  /usr/bin/lpstat ix,
to the apparmor rules fixes it!

Tags: apparmor
Micah Gersten (micahg) wrote :

Thank you for reporting this to Ubuntu. Does this occur when printing not in Flash? We don't support the 64 bit version of Flash at present.

Changed in firefox-3.5 (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Jean-Louis Dupond (dupondje) wrote :

It doesn't occur when I'm not printing from Flash.
Seems it only doesn't find printers because of that rule in Flash.

I also know 64bit flash isn't supported.
But I don't know if the same problem happens on 32bit flash. Somebody with 32bit flash should check this out.

Also there seem to be a lot of people using 64bit flash.
Would be nice if printing worked without problems just by adding that 1 line?

tags: added: apparmor
Jamie Strandboge (jdstrand) wrote :

I have flashplugin-installer installed, and this works fine without the above rule. How (and where) did you install the plugin?

Changed in firefox-3.5 (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Jean-Louis Dupond (dupondje) wrote :

I'm using the 64bit Flash Plugin from adobe website.
I placed it in /home/<user>/.mozilla/firefox/plugins (or similar ;))

Maybe the flashplugin-installer includes an apparmor rules file?

Changed in firefox-3.5 (Ubuntu):
status: Incomplete → Triaged
Micah Gersten (micahg)
summary: - Printing from flash doesn't find printers do to to strict apparmor rules
+ Printing from flash doesn't find printers due to to strict apparmor
+ rules
summary: - Printing from flash doesn't find printers due to to strict apparmor
- rules
+ Printing from flash doesn't find printers due to strict apparmor rules
Jean-Louis Dupond (dupondje) wrote :

This is still an issue with 32bit flash plugin:

ii flashplugin-installer 10.1.82.76ubuntu2 Adobe Flash Player plugin installer

[ 6032.271165] type=1400 audit(1284316978.362:25): apparmor="DENIED" operation="exec" parent=3136 profile="/usr/lib/firefox-3.6.9/firefox-*bin" name="/usr/bin/lpstat" pid=3137 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Micah Gersten (micahg) wrote :

Adding a firefox task since the reporter is now on 10.10, but karmic/lucid are still affected.

Changed in firefox (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

This can be fixed in the ubuntu-browsers.d/multimedia abstraction on maverick.

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
status: New → Fix Committed
Jamie Strandboge (jdstrand) wrote :

People can work around this by adding the following to /etc/apparmor.d/usr.bin.firefox on Karmic and Lucid and /etc/apparmor.d/local/usr.bin.firefox on Maverick:
  /usr/bin/lpstat PUxr,
  /usr/bin/lpr PUxr,

Changed in firefox-3.5 (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
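
Added example (not part of the original report, and not AppArmor's own tooling): a small Python triage script that parses both audit line formats quoted in this bug, collapses repeated denials, and checks whether a set of rule lines covers them. The function names are hypothetical, and rule matching is simplified to exact paths.

```python
import re
from collections import Counter

# Constructed sample: the three kernel audit lines quoted in this report,
# in the older type=1503 format and the later apparmor="DENIED" format.
SAMPLE_LOG = '''\
[ 778.561355] type=1503 audit(1256977548.312:27): operation="exec" pid=4014 parent=4013 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/lpstat"
[ 778.568200] type=1503 audit(1256977548.324:28): operation="exec" pid=4016 parent=4015 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/lpstat"
[ 6032.271165] type=1400 audit(1284316978.362:25): apparmor="DENIED" operation="exec" parent=3136 profile="/usr/lib/firefox-3.6.9/firefox-*bin" name="/usr/bin/lpstat" pid=3137 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
'''
# The workaround lines posted in this report.
WORKAROUND = "  /usr/bin/lpstat PUxr,\n  /usr/bin/lpr PUxr,\n"
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE = re.compile(r'^\s*(/\S+)\s+(\w+),\s*$')


def parse_denials(text):
    """Count denials keyed by (profile, operation, path, denied permissions)."""
    seen = Counter()
    for line in text.splitlines():
        f = {k: v.strip('"') for k, v in KV.findall(line)}
        # Assumption: a type=1503 line without an apparmor= field is a
        # denial, as in the older lines on this page.
        denied = f.get("apparmor") == "DENIED" or (
            f.get("type") == "1503" and "apparmor" not in f)
        if denied and {"profile", "name", "denied_mask"} <= f.keys():
            mask = f["denied_mask"].replace(":", "")  # "::x" -> "x"
            seen[(f["profile"], f.get("operation", "?"), f["name"], mask)] += 1
    return seen


def uncovered(denials, rules_text):
    """Return the denied (path, mask) pairs that no rule line grants."""
    # Simplification: exact path match only; globs, deny rules and
    # abstractions are not evaluated.
    granted = {}
    for line in rules_text.splitlines():
        m = RULE.match(line)
        if m:
            granted[m.group(1)] = m.group(2).lower()
    missing = {(path, mask) for (_, _, path, mask) in denials
               if not all(c in granted.get(path, "") for c in mask)}
    return sorted(missing)


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print(dict(found))
    print("not covered by workaround:", uncovered(found, WORKAROUND))
```

Which exec transition mode to grant (for example `ix` as in the description, or `PUxr` as in the workaround) remains a policy decision for whoever reviews the profile; the script only reports what was denied and whether a rule names it.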
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.6~devel+bzr1601-0ubuntu1

---------------
apparmor (2.6~devel+bzr1601-0ubuntu1) natty; urgency=low

  * Merge with upstream bzr revision 1601 to gain parser speed
    improvements and man page fixes. Closes the following bugs:
    - LP: #349049: document audit, deny and owner rule qualifiers
    - LP: #466228: ubuntu-browsers.d/multimedia: allow flash printing
    - LP: #644983: add ubuntu-browsers.d/ubuntu-integration-xul
    - LP: #692216: use aa_change_hat() instead of change_hat()
    - LP: #692217: add aa_change_profile.pod manpage
  * debian/control: explicitly depend on gettext module.
  * ship apparmor vim syntax file (LP: #646800):
    - debian/vim-apparmor.yaml: vim addon definition file.
    - debian/apparmor-utils.install: add apparmor.vim and vim-apparmor.yaml.
  * debian/libapparmor1.manpages: ship aa_change_profile manpage.
 -- Kees Cook <email address hidden> Mon, 20 Dec 2010 14:37:38 -0800

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Invalidating firefox task as this is fixed in natty's apparmor.

Changed in firefox (Ubuntu):
status: Triaged → Invalid
Changed in firefox-3.5 (Ubuntu):
status: Triaged → Invalid