[apparmor] [profile] Firefox: "org.freedesktop.UPower", "org.gtk.vfs.MountTracker", "lsb_release" child profile and other DENIED entries.

Seth Arnold seth.arnold at canonical.com
Fri May 5 02:13:54 UTC 2017


Hello Daniel,

On Tue, May 02, 2017 at 06:05:13PM +0200, daniel curtis wrote:
> 1) May 1 15:53:06 t1 kernel: [11060.718892] audit: type=1400
> audit(1493646786.545:126): apparmor="DENIED" operation="ptrace"
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=8703 comm="firefox"
> requested_mask="trace" denied_mask="trace"
> peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
> 
> Q: what rule should I add to the Firefox profile to solve this issue? I
> have no idea, because I've never seen such entries etc.

You could use the following rule to allow firefox to trace itself:

ptrace (trace) peer=@{profile_name},

I don't see any errors of this sort for my Firefox however, so I'm curious
why yours would need it. But, this rule is relatively harmless as it
doesn't allow crossing profiles, just processes.

> 2) May 1 14:56:42 t1 kernel: [ 7676.715087] audit: type=1107
> audit(1493643402.545:125): pid=1010 uid=106 auid=4294967295 ses=4294967295
> msg='apparmor="DENIED" operation="dbus_method_call"  bus="system"
> path="/org/freedesktop/UPower" interface="org.freedesktop.UPower"
> member="EnumerateDevices" mask="send" name="org.freedesktop.UPower"
> pid=2819 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1810
> peer_label="unconfined"
> 
> Q: according to others dbus-related rules, I created something like this -
> my question is: can I add this one, is it OK? (Can it be added to "#include
> <abstractions/dbus-accessibility-strict>" section?)
> 
> dbus (send)
>      bus=session    -- or "system", (see; log bus="system")
>      peer=(name=org.freedesktop.UPower),


This shouldn't go in the abstractions/dbus-accessibility-strict file --
that file should be specific to the accessibility bus. It should use
bus="system", since that's the bus that was used for the request.

I'd suggest adding this to only the firefox profile until something else
asks for it.

> Q: as we can see, these entries are related to the "lsb_release" child
> profile and I added these three rules right there. Are they OK? (There was
> a problem with python version; I've changed one rule:
> "/usr/bin/python3.[0-4] r," to this: "/usr/bin/python3.[0-5] r,")

You might also want to adjust this line, though it didn't appear to be
necessary on mine:

/usr/local/lib/python3.[0-5]/dist-packages/ r,

> /usr/share/distro-info/*.csv r,
> /etc/default/apport r,
> /etc/apt/apt.conf.d/ r,
> /etc/apt/apt.conf.d/* r,    - needed or not?

None of the apt.conf.d/* files were read on my system, but if they're
requested it would be fine to add, I think.

> 4) May 2 17:16:41 t1 dbus[1805]: apparmor="DENIED"
> operation="dbus_method_call"  bus="session"
> path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker"
> member="ListMountableInfo" mask="send" name=":1.11" pid=2226
> label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1926
> peer_label="unconfined"
> 
> Q: just as above rule, see; point 2. Can I add something like this one, is
> it OK?
> 
> dbus (send)
>        bus=session
>        peer=(name=org.gtk.vfs.MountTracker),
> 

I don't know what this provides for Firefox. Maybe it's useful for a file
dialog box somewhere? I think the 'name' in your proposed policy snippet
probably wouldn't work though, it probably needs to be 'interface'. (The
'name' in the error message is ":1.11", which is randomly generated and
assigned.)

> 5) May 2 17:36:47 t1 kernel: [  547.527906] audit: type=1400
> audit(1493739407.662:57): apparmor="DENIED" operation="exec"
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/bin/speech-dispatcher" pid=2077 comm=7370656563686420696E6974
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> 
> Q: is this rule OK to add? "/usr/bin/speech-dispatcher mrix,"

I don't know the design of this program. I expect Px would probably be
better, and then write a profile for it. (That's based on the manpage's
description of it as a daemon.)

> That's all for now. I have no idea why Firefox is complaining about so many
> things and it happens almost every day.

It's because people like me are too complacent and don't pay enough
attention to our logs. :) Sorry.

Thanks
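As an added illustration for this thread (not code from the list, from Daniel, or from the AppArmor project), the script below parses the four denial lines quoted above and drafts a candidate rule for each in the shape discussed in the reply: the self-ptrace rule using @{profile_name}, dbus rules keyed on bus/path/interface/member and the peer label rather than a ":1.11"-style unique connection name, and a Px transition for the speech-dispatcher exec (which still needs a profile written for it). It assumes the log lines exactly as quoted in the thread, decodes the hex-encoded comm= the kernel emits when the name contains a space, and uses apparmor.d rule syntax; the field names and the rule text it emits are my assumptions about what you would paste into the profile, so check them against apparmor.d(5) and aa-logprof before using them.

```python
import re

# Denial lines as quoted in this thread: kernel audit type=1400, an audit
# type=1107 record carrying a dbus denial inside msg='...', and a bare
# dbus-daemon line. Joined onto one line each.
SAMPLE_LOG = [
    'May 1 15:53:06 t1 kernel: [11060.718892] audit: type=1400 audit(1493646786.545:126): '
    'apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" '
    'pid=8703 comm="firefox" requested_mask="trace" denied_mask="trace" '
    'peer="/usr/lib/firefox/firefox{,*[^s][^h]}"',
    'May 1 14:56:42 t1 kernel: [ 7676.715087] audit: type=1107 audit(1493643402.545:125): '
    'pid=1010 uid=106 auid=4294967295 ses=4294967295 msg=\'apparmor="DENIED" '
    'operation="dbus_method_call"  bus="system" path="/org/freedesktop/UPower" '
    'interface="org.freedesktop.UPower" member="EnumerateDevices" mask="send" '
    'name="org.freedesktop.UPower" pid=2819 label="/usr/lib/firefox/firefox{,*[^s][^h]}" '
    'peer_pid=1810 peer_label="unconfined"\'',
    'May 2 17:16:41 t1 dbus[1805]: apparmor="DENIED" operation="dbus_method_call"  bus="session" '
    'path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" '
    'member="ListMountableInfo" mask="send" name=":1.11" pid=2226 '
    'label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1926 peer_label="unconfined"',
    'May 2 17:36:47 t1 kernel: [  547.527906] audit: type=1400 audit(1493739407.662:57): '
    'apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" '
    'name="/usr/bin/speech-dispatcher" pid=2077 comm=7370656563686420696E6974 '
    'requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
]

# key="quoted value" or key=unquoted-token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def decode_comm(value):
    """The kernel hex-encodes comm= when it contains a space or other special
    character; '7370656563686420696E6974' is 'speechd init'."""
    if re.fullmatch(r"[0-9A-Fa-f]+", value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode("ascii", "replace")
    return value


def parse_denial(line):
    """Return the AppArmor fields of a DENIED line as a dict, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    # type=1107 wraps the AppArmor fields in msg='...'. The pid= outside it is
    # dbus-daemon's own, the pid= inside is the confined requester, so only
    # the inner part is parsed.
    wrapped = re.search(r"msg='(.*)'\s*$", line)
    body = wrapped.group(1) if wrapped else line
    fields = {}
    for key, value, quoted in FIELD_RE.findall(body):
        fields[key] = quoted if value.startswith('"') else value
    if "comm" in fields:
        fields["comm"] = decode_comm(fields["comm"])
    return fields


def suggest_rule(f):
    """Draft a candidate profile rule for one denial, or None if unhandled."""
    op = f.get("operation")
    if op == "ptrace":
        mask = f["requested_mask"]
        if f.get("peer") == f.get("profile"):
            # Same label on both ends: allow self-tracing without crossing profiles.
            return "ptrace (%s) peer=@{profile_name}," % mask
        return "ptrace (%s) peer=%s," % (mask, f["peer"])
    if op == "dbus_method_call":
        peer = []
        name = f.get("name", "")
        # ':1.11'-style names are unique connection names handed out at connect
        # time and are useless in policy, so match on interface/path and the
        # peer's label instead; a well-known name is kept.
        if name and not name.startswith(":"):
            peer.append("name=" + name)
        if f.get("peer_label"):
            peer.append("label=" + f["peer_label"])
        return "dbus (%s) bus=%s path=%s interface=%s member=%s peer=(%s)," % (
            f["mask"], f["bus"], f["path"], f["interface"], f["member"],
            ", ".join(peer))
    if op == "exec":
        # A separate daemon should run under its own profile (Px), which then
        # has to be written, rather than inheriting Firefox's policy.
        return "%s Px," % f["name"]
    return None


def rules_for_log(lines):
    """(operation, comm, suggested rule) for every DENIED line in `lines`."""
    out = []
    for line in lines:
        f = parse_denial(line)
        if f:
            out.append((f["operation"], f.get("comm"), suggest_rule(f)))
    return out


if __name__ == "__main__":
    for op, comm, rule in rules_for_log(SAMPLE_LOG):
        print("%-16s %-14s %s" % (op, comm, rule))
```

Each drafted rule is a starting point to narrow, not to paste blindly: the dbus rules above are already tighter than the peer=(name=...) snippets in the questions because they pin the path, interface and member that were actually requested, and the exec rule deliberately chooses Px over ix so that speech-dispatcher does not run with Firefox's permissions.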