[apparmor] [profile] Firefox 50: unavailable websites and many DENIED "/run/shm/org.chromium.*" log entries.

daniel curtis sidetripping at gmail.com
Thu Nov 24 12:26:56 UTC 2016


Hi

Today I had a problem with Firefox version 50.0 (yesterday everything was
okay). None of the websites loaded, even when I entered the www address
myself - nothing was displayed. Some of the websites, for example
duckduck.go, were... black. There were so many (about 50 and more) entries
in the log files, such as /var/log/kern.log:

Nov 24 13:06:36 t4 kernel: [  778.637504] type=1400
audit(1479989196.846:1735): apparmor="DENIED" operation="mknod" parent=3733
profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/run/shm/org.chromium.4wF9YL" pid=3764 comm=57656220436F6E74656E74
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Nov 24 13:01:20 t4 kernel: [  461.898790] type=1400
audit(1479988880.106:1697): apparmor="DENIED" operation="open" parent=3336
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/nvidiactl"
pid=3363 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000
ouid=0

Everything seems to work OK in a new Firefox profile (created via the
`firefox -P` command). But the browser started normally - not with a new
profile - doesn't work, and the apparmor_status(8) command shows two entries
related to Firefox:

/usr/lib/firefox/firefox{,*[^s][^h]} (3336)
/usr/lib/firefox/firefox{,*[^s][^h]} (1144)

I decided to add two rules to the profile - and restart AppArmor via
/etc/init.d/ - which seems to solve this problem:

/dev/nvidiactl rw,
/run/shm/org.chromium.* rw,

Can you confirm whether these rules are OK - I mean security etc.? Can I
leave them, or should I do it another way? What are your opinions on this?
Honestly, I have only ever seen "/run/shm/org.chromium.*" entries with a new
Firefox profile - never with "standard" browsing.

Best regards.
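
For reading denials like the two quoted in the message, here is an added example (not part of the original post): a parser that decodes the hex-encoded comm field (57656220436F6E74656E74 is "Web Content") and groups denials by profile and path. The function names are this example's own; the sample records are the message's two log entries with the mail line wrapping undone.

```python
import re
from collections import defaultdict

# The two audit records from the message above, with the mail wrapping undone.
SAMPLE = [
    'Nov 24 13:06:36 t4 kernel: [  778.637504] type=1400 audit(1479989196.846:1735): '
    'apparmor="DENIED" operation="mknod" parent=3733 '
    'profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/run/shm/org.chromium.4wF9YL" '
    'pid=3764 comm=57656220436F6E74656E74 requested_mask="c" denied_mask="c" '
    'fsuid=1000 ouid=1000',
    'Nov 24 13:01:20 t4 kernel: [  461.898790] type=1400 audit(1479988880.106:1697): '
    'apparmor="DENIED" operation="open" parent=3336 '
    'profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/nvidiactl" '
    'pid=3363 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0',
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse(line):
    """Return the key=value fields of one audit record as a dict of strings."""
    rec = {}
    for key, raw in FIELD.findall(line):
        if raw.startswith('"'):
            rec[key] = raw[1:-1]
        elif key in ("comm", "name", "profile") and HEX.fullmatch(raw):
            # Unquoted string fields are hex-encoded by the audit subsystem
            # (used when the value contains a space or other special byte).
            rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            rec[key] = raw
    return rec

def summarize(lines):
    """Group DENIED records by (profile, path)."""
    out = defaultdict(lambda: {"ops": set(), "masks": set(), "comms": set(), "owned": True})
    for rec in map(parse, lines):
        if rec.get("apparmor") != "DENIED":
            continue
        entry = out[(rec.get("profile", ""), rec.get("name", ""))]
        entry["ops"].add(rec.get("operation", ""))
        entry["masks"].add(rec.get("denied_mask", ""))
        entry["comms"].add(rec.get("comm", ""))
        # fsuid == ouid: the process owns the object, the condition the
        # AppArmor "owner" rule qualifier tests.
        entry["owned"] = entry["owned"] and rec.get("fsuid", "?") == rec.get("ouid")
    return dict(out)

if __name__ == "__main__":
    for (profile, path), e in summarize(SAMPLE).items():
        print(path, sorted(e["masks"]), sorted(e["comms"]), "owned" if e["owned"] else "not owned")
```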