[apparmor] [profile] Firefox: "DENIED", requested/denied_mask="r" for /proc/*/net/arp.
daniel curtis
sidetripping at gmail.com
Mon Nov 7 20:59:19 UTC 2016
Hi,
Today, I've noticed some "strange" entries in some log files, such as:
/var/log/kern.log and /var/log/kern.log. Both files contain AppArmor
entries related to Firefox. One of them is known and refers to
"/dev/nvidiactl" (requested and denied_mask = "rw"). Some time ago I wanted
to add the corresponding rule, but... Firefox runs normally etc.
The second entry I saw for the first time; the log entry concerns, for example,
"/proc/3304/net/arp" and so on. Here is an example:
Nov 7 16:46:31 test4 kernel: [ 6844.676855] type=1400
audit(1478533591.904:55): apparmor="DENIED" operation="open" parent=3123
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/proc/3304/net/arp"
pid=3334 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0
The remaining entries in the log (about 5., 6.,) are pretty much the same. They
differ in "/proc/*/net/arp" and "pid=*". requested_mask and
denied_mask are always "r". The same goes for the "fsuid" and "ouid" values.
More info: today I created a new profile (via the `firefox -P` command), used
Firefox for some time and then removed this new profile. So, it can be the
reason for such entries in log files. I've never seen something like this
before.
I'm using the 12.04 LTS release and a new Firefox 49.0.2 with a default
AppArmor profile used after system installation (via "aa-enforce" command.)
No changes were made etc., except one line added while creating the
'plugin-container' profile. But I haven't used Flash for a couple of months,
so this rule was also removed.
Cheers.
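
For readers triaging entries like the one in this post, here is an added example (not part of the original message) that parses the quoted audit line, decodes the hex-encoded `comm` field, and groups denials that differ only by pid. The function names are hypothetical, the second log line is constructed, and the decoding assumes the audit convention that unquoted string fields are hex-encoded.

```python
import re
from collections import Counter

# Log entry from the post, joined onto one line as the kernel emits it.
SAMPLE = (
    'Nov 7 16:46:31 test4 kernel: [ 6844.676855] type=1400 '
    'audit(1478533591.904:55): apparmor="DENIED" operation="open" parent=3123 '
    'profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/proc/3304/net/arp" '
    'pid=3334 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r" '
    'fsuid=1000 ouid=0'
)
# Constructed second entry (different pids), mirroring what the post describes.
CONSTRUCTED = SAMPLE.replace("3304", "3410").replace("pid=3334", "pid=3421")

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Only these fields carry strings; numeric fields such as pid must not be decoded.
STRING_FIELDS = {"comm", "name", "profile"}

def parse_denial(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    fields = {}
    for m in FIELD.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            value = quoted
        elif key in STRING_FIELDS and HEX.fullmatch(bare):
            # Unquoted string field: hex-encoded because it held a space or similar.
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            value = bare
        fields[key] = value
    return fields

def generalize(path):
    """Collapse the pid so /proc/3304/net/arp and /proc/3410/net/arp group together."""
    return re.sub(r'^/proc/\d+/', '/proc/*/', path)

def summarize(lines):
    """Count DENIED events by (profile, comm, generalized path, denied_mask)."""
    counts = Counter()
    for line in lines:
        f = parse_denial(line)
        if f.get("apparmor") == "DENIED":
            counts[(f["profile"], f["comm"], generalize(f["name"]), f["denied_mask"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize([SAMPLE, CONSTRUCTED]).items():
        print(n, *key)
```

Decoded this way, the `comm` value in the quoted entry is the thread name "Link Monitor", and both lines collapse to a single `/proc/*/net/arp` read denial for the Firefox profile.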