[apparmor] [profile] Firefox v58: '/.cache/fontconfig/', '/etc/ld.so.conf' and DENIED log entries.

daniel curtis sidetripping at gmail.com
Sun Jan 28 17:52:20 UTC 2018


Hello.

A couple of days ago, Firefox was updated to a new v58.0 version.
Since then, I have started to notice many DENIED entries in log files
such as '/var/log/syslog' etc. These entries appear every few hours.
Here is how they look:

✗ apparmor="DENIED" operation="mknod"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/home/tester/.cache/fontconfig/c47772ajeje8b233ac2c16bc36d2hs2l-3el4u2.cache-6.TMP-JDtO1z"
pid=2231 comm=57656220436F6E74656E74 requested_mask="c"
denied_mask="c" fsuid=1000 ouid=1000

✗ apparmor="DENIED" operation="open"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/ld.so.conf"
pid=2424 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0

If it's about '/.cache/fontconfig/' - there are many more such entries
(about 20 since the Firefox update). NOTE: according to the aa-decode(8)
command, 'comm=*' refers to "Web Content". However, there are only a few
entries related to '/etc/ld.so.conf' (about 5). I would like to ask
what I should do, because by default the Firefox profile contains one
rule which seems to be similar. It's (in the "# noisy" section):

✓ deny /var/cache/fontconfig/ w,

As we can see, the above log entries contain requested_mask="c"
denied_mask="c", right? So the rule should contain the "w" permission.
Am I right? There is one more thing: all files in the "fontconfig"
folder have ".cache-6.TMP-" in their name. So the rules could look
this way:

✓ owner @{HOME}/.cache/fontconfig/ r,
✓ owner @{HOME}/.cache/fontconfig/* rw,

But, according to the Firefox rule (see above), maybe it's better to
deny these 'mknod' operations and use something like this:

✓ deny @{HOME}/.cache/fontconfig/ w,

✓ deny @{HOME}/.cache/fontconfig/ w,
✓ deny @{HOME}/.cache/fontconfig/* rw,

Which rule is better? What do you think? And the most important thing:
should it be allowed or denied? Firefox is working normally even with
those DENIED entries etc. And what about the "ld.so.conf" file - should
a rule be added? If yes: allow or deny?

✓ /etc/ld.so.conf r,
✓ deny /etc/ld.so.conf r,

Should an "owner" prefix be used for the first rule? I'm sorry for
such naive questions, but I don't know what to do with all these log
entries. Summing up: the new Firefox v58 works OK (without rules
related to the DENIED entries), and there are many more entries related
to "/.cache/fontconfig/" than to "/etc/ld.so.conf" etc.

Release: 16.04.3 LTS
Linux: 4.4.0-112-generic
AppArmor: 2.10.95-0ubuntu2.7

Thanks, best regards.
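A small helper, added here as an illustration and not part of the original message, that parses DENIED lines like the ones quoted above, decodes the hex-encoded comm= field the way aa-decode does, and maps denied_mask to the permission letter a profile rule would need (create, 'c', is granted by 'w', which is why the existing "noisy" rule uses 'w'). The sample lines are the two entries from the post joined back into single audit lines; the function names and the `glob_basename` option are my own.

```python
import re

# Audit-mask letters -> profile permission letters. Create ('c') and delete ('d')
# have no rule letter of their own: a rule grants both through 'w'.
MASK_TO_PERM = {"c": "w", "d": "w", "r": "r", "w": "w", "a": "a",
                "x": "x", "m": "m", "k": "k", "l": "l"}

# Constructed sample: the two entries quoted in the post, each joined back into
# the single line that the audit subsystem actually emits.
SAMPLE_LOG = (
    'apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" '
    'name="/home/tester/.cache/fontconfig/c47772ajeje8b233ac2c16bc36d2hs2l-3el4u2.cache-6.TMP-JDtO1z" '
    'pid=2231 comm=57656220436F6E74656E74 requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000\n'
    'apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" '
    'name="/etc/ld.so.conf" pid=2424 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0\n'
)

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# String fields that audit writes hex-encoded (and unquoted) when they contain
# a space or an odd byte; numeric fields such as pid= are never decoded.
HEX_FIELDS = {"comm", "name", "profile"}

def parse_denied(line):
    """Split one AppArmor audit line into a dict of its key=value fields."""
    entry = {}
    for m in _FIELD.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is None and key in HEX_FIELDS and _HEX.fullmatch(bare):
            entry[key] = bytes.fromhex(bare).decode("ascii", "replace")  # "Web Content"
        else:
            entry[key] = quoted if quoted is not None else bare
    return entry

def suggest_rule(entry, glob_basename=False):
    """Propose the profile rule that would cover a denial; review it before use."""
    perms = "".join(sorted({MASK_TO_PERM.get(c, c) for c in entry["denied_mask"]}))
    path = re.sub(r"^/home/[^/]+", "@{HOME}", entry["name"])
    if glob_basename:  # collapse random names such as *.cache-6.TMP-JDtO1z into dir/*
        path = path.rsplit("/", 1)[0] + "/*"
    # 'owner' only makes sense when the process uid owns the object (fsuid == ouid).
    owner = "owner " if entry["fsuid"] == entry["ouid"] else ""
    return f"{owner}{path} {perms},"

def suggestions(log_text, glob_basename=False):
    """One candidate rule per DENIED line in log_text, in log order."""
    return [suggest_rule(parse_denied(l), glob_basename)
            for l in log_text.splitlines() if 'apparmor="DENIED"' in l]

if __name__ == "__main__":
    for rule in suggestions(SAMPLE_LOG):
        print(rule)
```

Whether a suggested rule should be an allow or a `deny` is still a judgement call for the profile maintainer; the helper only shows which path and permission letter the log entry is asking for.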