[apparmor] [profile] Firefox 50: unavailable websites and many DENIED "/run/shm/org.chromium.*" log entries.

daniel curtis sidetripping at gmail.com
Fri Nov 25 12:22:30 UTC 2016 

Hi Simon

Thanks for an answer. I would like to ask if AppArmor version:
2.7.102-0ubuntu3.10 is sufficient for entries mentioned/added by you to the
"local/usr.bin.firefox" file? I'm asking because of e.g.:

dbus receive
        bus=session
        path=/org/gtk/Private/RemoteVolumeMonitor
        interface=org.gtk.Private.RemoteVolumeMonitor
        member={VolumeAdded,VolumeRemoved},

I just don't know if this AppArmor version will accept them etc. (If I
remember correctly similar rules, wasn't accepted in the AppArmor profiles,
which I've created some time ago.)

If not, should I leave two rules mentioned by me in my previous message?* I
mean rules for: "/dev/nvidiactl" and "/run/shm/org.chromium.*". Are they
secure enough? I just wonder if I should add an 'owner' (just as it's in
your, local include for firefox), so it would look like:

- /dev/shm/org.chromium.* rw,
+ owner /dev/shm/org.chromium.* rw,

It's more secure? And what about "/dev/nvidiactl"? I've never had any
problems with Firefox without a rule related to this one. Of course, it
appears sometimes in a log files etc., but... there is no problem.

Definitely, all this things is related with Firefox's e10s - so many DENIED
"/dev/shm/org.chromium.*" messages, badly displayed websites and so on).

There is one more thing: should I add this rule to a Firefox profile too -
of course if AppArmor will not accept "dbus receive" etc.? (There is a lots
of *.log files in this directory and this is a rule mentioned by You in
"local/usr.bin.firefox" file):

deny @{HOME}/.local/share/gvfs-metadata/* r,

apparmor_status(8) command, still shows two entries related with Firefox.
Before this situation there was just one entry.

What is yours opinions? Thanks.

Best regards.
_____________
* https://lists.ubuntu.com/archives/apparmor/2016-November/010274.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20161125/b1b8ab78/attachment.html>

More information about the AppArmor mailing list