Apparmor Firefox profile aa-notify DENIED messages. Which permissions are okay?

Asked by Devin

Every time I open Firefox, apparmor-notify displays a deny of "m" message for "/dev/zero". I added the line "/dev/zero m," to my /etc/apparmor.d/usr.bin.firefox profile to be able to play Adobe Flash videos. Question #1: What security risks play a role when I allow "m" (?) access to this folder for Firefox?

Now, every time I start Firefox, apparmor-notify displays a deny of "rw" (read and write) for "/dev/nvidiactl". Besides this, no matter what web page I'm on, I get messages exactly every minute that look something like this in my "/var/log/kern.log" log file:

type=AVC msg=audit(1332717987.622:214): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718047.625:215): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718107.625:216): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718167.624:217): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

After every restart of Firefox, the proc folder changes in the message logs. Question #2: Will these access denied messages go away if I again edit my /etc/apparmor.d/usr.bin.firefox profile, but this time add the permissive line "/dev/nvidiactl rw,"? Question #3: Either way, is it okay to do so (i.e. add "/dev/nvidiactl rw," to the Firefox profile)? And what are the security risks of that?

Question #4: Do I need to change this to a bug report, as suggested in the aa-notify messages' link to https://wiki.ubuntu.com/DebuggingApparmor?

Thank you.
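The four kern.log lines above differ only in the pid in the /proc path, which is why a literal rule for one of them would stop matching after the next restart. The script below is an added example, not code from the poster, AppArmor or Ubuntu: it parses apparmor="DENIED" audit records of the shape quoted above, counts denials per path, collapses /proc/<pid>/ into a pid-independent pattern, and prints one candidate rule per path with its permission letters spelled out ("m" is mmap with PROT_EXEC, which is the permission Flash needed on /dev/zero). SAMPLE_LOG is a constructed sample in the same format (the pids, timestamps and the /dev/zero record are made up), and the use of @{PROC} assumes it is defined as /proc/ in /etc/apparmor.d/tunables/global, which the Ubuntu profiles include.

```python
"""Summarise AppArmor DENIED audit records and draft candidate profile rules.

Added example for this thread; not code from AppArmor, Ubuntu or the poster.
SAMPLE_LOG is constructed in the shape the question quotes from
/var/log/kern.log (pids, timestamps and the /dev/zero record are made up).
"""
import re
import sys
from collections import Counter, defaultdict

SAMPLE_LOG = """\
type=AVC msg=audit(1332717987.622:214): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718047.625:215): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718900.101:300): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/3100/net/dev" pid=3120 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718900.200:301): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/dev/nvidiactl" pid=3120 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
type=AVC msg=audit(1332718900.300:302): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/dev/zero" pid=3120 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
type=AVC msg=audit(1332718900.400:303): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/etc/hosts" pid=3120 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# One audit record; search() so a syslog prefix ("kernel: [ 12.34] type=1400 ...") is fine.
AVC_RE = re.compile(
    r'apparmor="(?P<action>[A-Z]+)"\s+operation="(?P<operation>[^"]+)".*?'
    r'profile="(?P<profile>[^"]+)"\s+name="(?P<name>[^"]+)"\s+pid=(?P<pid>\d+)\s+'
    r'comm="(?P<comm>[^"]+)"\s+requested_mask="(?P<requested>[^"]+)"\s+'
    r'denied_mask="(?P<denied>[^"]+)"'
)

# AppArmor file permission letters; "m" (the one the question asks about) is mmap PROT_EXEC.
MASK_MEANING = {
    "r": "read", "w": "write", "a": "append", "m": "mmap with PROT_EXEC",
    "x": "execute", "l": "link", "k": "lock",
}
MASK_ORDER = "rwamlkx"

PID_DIR_RE = re.compile(r"^/proc/\d+/")


def parse_denials(text):
    """Return one dict per apparmor="DENIED" record; ALLOWED records and noise are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("action") == "DENIED":
            out.append(m.groupdict())
    return out


def describe_mask(mask):
    """Spell out a mask such as "rw" -> "read, write"."""
    return ", ".join(MASK_MEANING.get(c, f"unknown '{c}'") for c in mask)


def normalize_path(name):
    """Collapse /proc/<pid>/ so one rule still matches the new pid after every restart.

    Assumption: @{PROC} is defined as /proc/ in /etc/apparmor.d/tunables/global.
    """
    return PID_DIR_RE.sub("@{PROC}/[0-9]*/", name)


def merge_masks(masks):
    """Union of several denied masks for the same path, in a stable letter order."""
    chars = set("".join(masks))
    known = "".join(c for c in MASK_ORDER if c in chars)
    return known + "".join(sorted(chars - set(MASK_ORDER)))


def count_by_path(denials):
    """How often each normalised path was denied, to spot the noisy ones."""
    return Counter(normalize_path(d["name"]) for d in denials)


def suggest_rules(denials):
    """Map profile name -> sorted candidate rules, one per normalised path."""
    per_profile = defaultdict(lambda: defaultdict(list))
    for d in denials:
        per_profile[d["profile"]][normalize_path(d["name"])].append(d["denied"])
    return {
        profile: sorted(f"{path} {merge_masks(masks)}," for path, masks in paths.items())
        for profile, paths in per_profile.items()
    }


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    denials = parse_denials(text)
    print("denials per path:")
    for path, n in count_by_path(denials).most_common():
        print(f"  {n:4d}  {path}")
    for profile, rules in suggest_rules(denials).items():
        print(f"\n# candidate rules for profile {profile} (review each before adding)")
        for rule in rules:
            path, mask = rule[:-1].rsplit(" ", 1)
            print(f"  {rule:40s} # {describe_mask(mask)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 aa-denials.py /var/log/kern.log` (the script name is arbitrary; without an argument it uses the constructed sample). The output is a starting point for review, not something to paste in blindly: each candidate rule widens what a compromised Firefox process may touch, and a rule like "/dev/zero m," grants exactly what the letter says (mapping that file executable, which is how a plugin obtains writable-then-executable memory), so decide per rule whether the feature is worth it. Rules go inside the profile's brace block in /etc/apparmor.d/usr.bin.firefox; reload with `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox` and restart Firefox to see whether the denial disappears.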

Question information

Language: English
Status: Answered
For: Ubuntu apparmor
Assignee: No assignee
actionparsnip (andrew-woodhead666) said:
#1

Can you give the output of:

cat /etc/lsb-release; uname -a; apt-cache policy firefox

Thanks

Devin (8basepairs) said:
#2

The output requested in comment #1 is as follows:
"
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=11.10
DISTRIB_CODENAME=oneiric
DISTRIB_DESCRIPTION="Ubuntu 11.10"
Linux username 3.0.0-16-generic #29-Ubuntu SMP Tue Feb 14 12:49:42 UTC 2012 i686 athlon i386 GNU/Linux
firefox:
  Installed: 11.0+build1-0ubuntu0.11.10.1
  Candidate: 11.0+build1-0ubuntu0.11.10.1
  Version table:
 *** 11.0+build1-0ubuntu0.11.10.1 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main i386 Packages
        500 http://security.ubuntu.com/ubuntu/ oneiric-security/main i386 Packages
        100 /var/lib/dpkg/status
     7.0.1+build1+nobinonly-0ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages
"

actionparsnip (andrew-woodhead666) said:
#3

All I can suggest is report a bug.

If you make a new user and run it there, is it the same?

Devin (8basepairs) said:
#4

Should I change the package this question is for to Ubuntu apparmor, instead of Ubuntu firefox as it is now?

Devin (8basepairs) said:
#5

I just finished testing it with a different user. It still gives the deny "rw" message for /dev/nvidiactl upon starting Firefox, but not the deny for /proc/FOLDER_NAME messages every minute, which may be related to the fact that I think I had to explicitly start the apparmor-notify daemon with "sudo aa-notify --poll" in order to get the message of denial for /dev/nvidiactl under the new user. I wonder if the open proc folder requests are for one of my add-ons? I will now change this to a bug and file it under the package apparmor for Ubuntu, as the link in the messages (https://wiki.ubuntu.com/DebuggingApparmor) recommends. Thank you for your help so far.

A. Denton (aquina) said:
#6

It can be safely assumed flash is obsolete by now and Firefox has a working AppArmor profile.
