[apparmor] [profile] Firefox: "DENIED", requested/denied_mask="r" for /proc/*/net/arp.

Christian Boltz apparmor at cboltz.de
Fri Nov 25 20:03:19 UTC 2016


Hello,

On Friday, 25 November 2016, 13:48:31 CET, daniel curtis wrote:
> There is some problem with reloading the Firefox profile and restarting
> AppArmor (e.g. via /etc/init.d/). It seems that one rule is
> responsible:
> 
> @{PROC}/@{pids}/net/arp r,
> 
> This is a rule proposed by you. Here's what happens:
> 
> [~]$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox
> Found reference to variable pids, but is never declared

In your other mail, you wrote that you have AppArmor 2.7 - that version 
is much older than what I typically think of when answering mails ;-)

The error message indicates that @{pid} did not exist in 2.7 yet, so...

> That's happened, even with Firefox disabled etc. But, adding this
> rule:
> 
> @{PROC}/[0-9]*/net/arp r,
> 
> Everything seems to work OK:
...
> I don't know why, I don't know the reasons. So, for now I've decided
> to leave the second rule and use the first one.

... that's the easiest thing you can do in 2.7.

If you prefer a slightly harder way, consider upgrading to 2.9.x or 
(better) 2.10.x - or at least grab the @{pid} variable definition from 
tunables/ in a later AppArmor version ;-)


Regards,

Christian Boltz
-- 
Sorry for the rant, I tried for a long time to find nice words but these
were the nicest I could find :-) [Stefan Seyfried in opensuse-factory]
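
Added example, not part of the original message or of AppArmor's own code: a small Python model of AppArmor path globbing that compares the `[0-9]*` workaround with the variable-based rule on constructed paths, and reproduces the undeclared-variable failure. The `@{PROC}` and `@{pid}`/`@{pids}` definitions below are assumptions modelled on the tunables shipped with later releases; only `*`, `[...]` and `{a,b}` are handled.

```python
import re

# Assumed definitions: @{PROC} as in tunables/proc, @{pid}/@{pids} modelled on
# tunables/kernelvars from later releases. Copy the real ones from your target version.
VARS = {
    "PROC": "/proc/",
    "pid": "{[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],"
           "[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}",
    "pids": "@{pid}",
}

def expand(rule_path, variables=VARS):
    """Substitute @{var} references until none remain; fail on undeclared ones."""
    while (m := re.search(r"@\{(\w+)\}", rule_path)):
        if m.group(1) not in variables:
            raise KeyError(f"variable {m.group(1)} referenced but never declared")
        rule_path = rule_path[:m.start()] + variables[m.group(1)] + rule_path[m.end():]
    return re.sub(r"/{2,}", "/", rule_path)  # collapse the '//' left by @{PROC}/

def glob_to_regex(glob):
    """Translate the subset used here: '*' (no '/'), [classes], {a,b} alternation."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "[":
            j = glob.index("]", i)
            out.append(glob[i:j + 1])
            i = j
        elif c in "{}":
            out.append("(?:" if c == "{" else ")")
            depth += 1 if c == "{" else -1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def allows(rule_path, path, variables=VARS):
    """True if the expanded rule path matches the whole file path."""
    return glob_to_regex(expand(rule_path, variables)).fullmatch(path) is not None

WORKAROUND = "@{PROC}/[0-9]*/net/arp"   # rule that loads on 2.7
WITH_VAR = "@{PROC}/@{pids}/net/arp"    # rule that needs the variable declared
SAMPLES = ["/proc/4242/net/arp", "/proc/0/net/arp", "/proc/7zip/net/arp"]  # constructed

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "workaround:", allows(WORKAROUND, p), "variable:", allows(WITH_VAR, p))
```

Under these assumptions the workaround pattern is a superset of the variable-based one: it accepts any directory name that merely starts with a digit, while the variable form accepts only one to six digits with no leading zero.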