[apparmor] Firefox (DENIED for /proc/*/task/) and plugin-container segfault.

daniel curtis sidetripping at gmail.com
Fri Jan 13 15:45:58 UTC 2017


Hi Seth

>> If you would please report back the success or failure of adding...

Okay, I'll add this rule (related to "@{PROC}/*/task/") to the Firefox
profile, restart AppArmor and see what will happen. But there is one
problem with the rule provided by you. I mean:

owner @{PROC}/@{PID}/task/ r,

During profile reloading via the apparmor_parser utility there is an error
message: "Found reference to variable PID, but is never declared".
However, after adding something like this, everything seems to work:

owner @{PROC}/[0-9]*/task/* r,

I think it's a matter of the AppArmor version - 2.7.102-0ubuntu3.10. Can I use
the second rule? Anyway, there were no problems with reloading the profile and
restarting AppArmor. Log files, such as '/var/log/kern.log', contain:

Jan 13 16:34:59 t4 kernel: [ 8602.170423] type=1400
audit(1484321699.382:46): apparmor="STATUS" operation="profile_replace"
name="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=3523 comm="apparmor_parser"

Jan 13 16:34:59 t4 kernel: [ 8602.170986] type=1400
audit(1484321699.382:47): apparmor="STATUS" operation="profile_replace"
name="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_java" pid=3523
comm="apparmor_parser"

Jan 13 16:34:59 t4 kernel: [ 8602.171435] type=1400
audit(1484321699.382:48): apparmor="STATUS" operation="profile_replace"
name="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=3523
comm="apparmor_parser"

Jan 13 16:34:59 t4 kernel: [ 8602.171715] type=1400
audit(1484321699.382:49): apparmor="STATUS" operation="profile_replace"
name="/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper" pid=3523
comm="apparmor_parser"

It seems to be okay, right? So, I'll use the second rule (with
"@{PROC}/[0-9]*/task/*") and see the results. Seth, can I use this rule?

>> I'm sorry I overlooked your earlier mail on this denial.

No problem! ;- )

Best regards.
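
An added example, not part of the original message and not AppArmor's own code: a simplified Python model of the path globbing documented in apparmor.d(5), used to compare which paths the rule from the message covers. It assumes `@{PROC}` stands for `/proc`, ignores the `owner` qualifier and the permission letters, and uses constructed paths; `DIR_RULE` is a hypothetical directory-form variant that does not appear in the thread.

```python
import re

PROC = "/proc"  # assumption: @{PROC} with its trailing slash folded into the rule

POSTED_RULE = "@{PROC}/[0-9]*/task/*"  # path part of the rule from the message
DIR_RULE = "@{PROC}/[0-9]*/task/"      # hypothetical variant ending in "/"

def aa_glob_to_regex(glob):
    """Translate a subset of AppArmor globbing (*, **, ?, [..]) to a regex.

    Simplified model: no {a,b} alternation, no variable handling.
    """
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            double = glob.startswith("**", i)
            j = i + (2 if double else 1)
            # A glob that is a whole path component must match at least one
            # character, so "/dir/*" does not match the directory "/dir/".
            whole = i > 0 and glob[i - 1] == "/" and (j == len(glob) or glob[j] == "/")
            out.append(("." if double else "[^/]") + ("+" if whole else "*"))
            i = j
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[":
            end = glob.index("]", i)
            out.append(glob[i:end + 1])  # character classes pass through as-is
            i = end + 1
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("".join(out))

def allows(rule_path, path):
    """True if the rule's path expression matches the full path."""
    expanded = rule_path.replace("@{PROC}", PROC)
    return aa_glob_to_regex(expanded).fullmatch(path) is not None

if __name__ == "__main__":
    # Constructed paths; AppArmor presents directories with a trailing "/".
    for p in ("/proc/4242/task/", "/proc/4242/task/4242/",
              "/proc/4242/task/4242", "/proc/4abc/task/x"):
        print(f"{p:26} posted={allows(POSTED_RULE, p)} dir={allows(DIR_RULE, p)}")
```

In this model the posted expression matches non-directory entries directly under `task/` but not the `task/` directory itself, and `[0-9]*` accepts any name that merely starts with a digit.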