[apparmor] [profile] Firefox: "DENIED", requested/denied_mask="r" for /proc/*/net/arp.
Christian Boltz
apparmor at cboltz.de
Fri Nov 25 20:03:19 UTC 2016
Hello,

On Friday, 25 November 2016, 13:48:31 CET, daniel curtis wrote:
> There is some problem with reloading the Firefox profile and restarting
> AppArmor (e.g. via /etc/init.d/). It seems that one rule is
> responsible:
>
> @{PROC}/@{pids}/net/arp r,
>
> This is a rule proposed by you. Here's what happens:
>
> [~]$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox
> Found reference to variable pids, but is never declared

In your other mail, you wrote that you have AppArmor 2.7 - that version
is much older than what I typically think of when answering mails ;-)
The error message indicates that @{pid} did not exist in 2.7 yet, so...

> That happened even with Firefox disabled etc. But after adding this
> rule:
>
> @{PROC}/[0-9]*/net/arp r,
>
> everything seems to work OK:
...
> I don't know why, I don't know the reasons. So, for now I've decided
> to leave the second rule and use the first one.

... that's the easiest thing you can do in 2.7.

If you prefer a slightly harder way, consider upgrading to 2.9.x or
(better) 2.10.x - or at least grab the @{pid} variable definition from
tunables/ in a later AppArmor version ;-)

Regards,

Christian Boltz
--
Sorry for the rant, I tried for a long time to find nice words but these
were the nicest I could find :-) [Stefan Seyfried in opensuse-factory]
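
The failure discussed in this message, a profile that references a variable the installed tunables never declare, can be checked for before reloading the profile. The script below is an added example, not part of the original message or of AppArmor; `undeclared_vars`, the file names and the sample file contents (including the stand-in `@{pids}` value) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report @{variables} that a profile uses but that neither the
# profile nor the listed tunables files declare. undeclared_vars is a
# hypothetical helper; it does not follow #include lines, so the files the
# profile includes are passed explicitly.
undeclared_vars() {
    profile=$1; shift
    # Declarations: "@{name}=value" or "@{name} += value" at the start of a line.
    declared=$(cat "$profile" "$@" 2>/dev/null |
        sed -n 's/^[[:space:]]*@{\([A-Za-z_][A-Za-z0-9_]*\)}[[:space:]]*+\{0,1\}=.*/\1/p' |
        sort -u)
    # References: every @{name} outside comments in the profile itself.
    sed 's/#.*//' "$profile" |
        grep -o '@{[A-Za-z_][A-Za-z0-9_]*}' |
        sed 's/^@{//; s/}$//' | sort -u |
        while read -r name; do
            printf '%s\n' "$declared" | grep -qx "$name" || printf '%s\n' "$name"
        done
}

# Constructed sample files (not copied from any AppArmor release).
work=$(mktemp -d)
printf '@{PROC}=/proc/\n' > "$work/proc"          # older tunables: no pids variable
printf '@{pids}=[0-9]*\n' > "$work/kernelvars"    # stand-in definition, constructed
printf '/usr/bin/firefox {\n  @{PROC}/@{pids}/net/arp r,\n}\n' > "$work/with_var"
printf '/usr/bin/firefox {\n  @{PROC}/[0-9]*/net/arp r,\n}\n' > "$work/with_glob"

# The variable rule fails against the older tunables, passes once a definition
# is supplied, and the plain glob rule needs no variable at all.
echo "with_var,  old tunables:   [$(undeclared_vars "$work/with_var" "$work/proc")]"
echo "with_var,  plus kernelvars: [$(undeclared_vars "$work/with_var" "$work/proc" "$work/kernelvars")]"
echo "with_glob, old tunables:   [$(undeclared_vars "$work/with_glob" "$work/proc")]"
```
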