[apparmor] [profile] Firefox v58: '/.cache/fontconfig/', '/etc/ld.so.conf' and DENIED log entries.

Simon McVittie smcv at collabora.com
Mon Jan 29 12:31:45 UTC 2018


On Sun, 28 Jan 2018 at 17:52:20 +0000, daniel curtis wrote:
> ✗ apparmor="DENIED" operation="mknod"
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/home/tester/.cache/fontconfig/c47772ajeje8b233ac2c16bc36d2hs2l-3el4u2.cache-6.TMP-JDtO1z"
> pid=2231 comm=57656220436F6E74656E74 requested_mask="c"
> denied_mask="c" fsuid=1000 ouid=1000

The general question to ask yourself about AppArmor denials is: is this
something that the application in question should legitimately be
doing? In this case: Is it OK that a web browser that renders fonts can
write to the fontconfig cache? (Probably yes.)

> ✗ apparmor="DENIED" operation="open"
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/ld.so.conf"
> pid=2424 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=0

Similarly: Is it OK that a web browser that loads libraries reads the
cache that tells it what libraries are available? (Almost certainly yes.)

> by default the Firefox profile contains one rule,
> which seems to be similar. It's (in the "# noisy" section):
> 
> ✓ deny /var/cache/fontconfig/ w,

This is different because it's system-wide, not in the user's home
directory. It seems valid to say that Firefox, running as a user,
probably shouldn't be writing to /var/cache. (I don't know why the
fontconfig library does this: that's a question for people who know
about fontconfig, not for people who know about AppArmor.)

> Should there be an "owner" prefix used if it's about a first rule?

Ask yourself whether the files being read/written are owned by the same
user as the process. (~/.cache: they'd better be, because nobody else
should be writing to your home directory, so probably use an owner prefix;
/etc: no, root owns files in /etc, so don't use an owner prefix.)

Regards,
    smcv
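As an added illustration (not part of this thread, and not AppArmor's own aa-logprof/aa-genprof tooling), here is a small Python script that applies the two tests smcv describes to the denials quoted above: it parses the audit lines, decodes the hex-encoded comm= field (the kernel hex-encodes values containing a space, which is why "Web Content" appears as 57656220436F6E74656E74), and proposes a rule with the owner prefix only when the file is under the user's home directory and fsuid equals ouid. The sample log text is a constructed copy of the quoted lines re-joined onto one line each; the /home/ prefix, the mask-to-permission table and the @{HOME} substitution are this example's assumptions, not something the thread specifies.

```python
import re

# Constructed sample: the two denials quoted in this thread, re-joined onto one
# line each (audit lines are single-line; the list archive wrapped them).
SAMPLE_LOG = """\
apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/tester/.cache/fontconfig/c47772ajeje8b233ac2c16bc36d2hs2l-3el4u2.cache-6.TMP-JDtO1z" pid=2231 comm=57656220436F6E74656E74 requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/ld.so.conf" pid=2424 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; a value is either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Audit-log mask letters -> profile file permission letters (assumed mapping):
# creating or deleting a file is covered by write permission in a rule.
MASK_TO_PERM = {"c": "w", "d": "w", "a": "w", "r": "r", "w": "w",
                "k": "k", "l": "l", "m": "m", "x": "x"}

HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def parse_denial(line):
    """Parse one apparmor="DENIED" audit line into a dict of its fields.

    comm= (and name=) are hex-encoded and unquoted when the value contains a
    space or other awkward byte, so decode those; other bare fields such as
    pid=2231 are left as-is even though they happen to look like hex.
    """
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            fields[key] = quoted
        elif key in ("comm", "name") and HEX_RE.fullmatch(bare) and len(bare) % 2 == 0:
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    return fields


def suggest_rule(d, home_prefix="/home/"):
    """Turn a parsed denial into a candidate profile rule.

    Following the advice in the thread: use the owner prefix only when the
    file lives in the user's home directory AND is owned by the same uid as
    the process (fsuid == ouid). Files under /etc are root-owned, so a rule
    for them gets no owner prefix.
    """
    path = d["name"]
    perms = "".join(sorted({MASK_TO_PERM.get(c, c) for c in d["denied_mask"]}))
    same_owner = d.get("fsuid") == d.get("ouid")
    in_home = path.startswith(home_prefix)
    if in_home:
        # Replace the literal /home/<user> with the @{HOME} tunable so the
        # rule is not tied to one account name.
        rest = path[len(home_prefix):].split("/", 1)
        path = "@{HOME}/" + (rest[1] if len(rest) > 1 else "")
    prefix = "owner " if (in_home and same_owner) else ""
    return f"{prefix}{path} {perms},"


def triage(log_text):
    """Return (comm, operation, suggested rule) for each DENIED line."""
    rows = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        d = parse_denial(line)
        rows.append((d["comm"], d["operation"], suggest_rule(d)))
    return rows


if __name__ == "__main__":
    for comm, op, rule in triage(SAMPLE_LOG):
        print(f"{comm!r:16} {op:8} -> {rule}")
```

Run it and the first line yields `owner @{HOME}/.cache/fontconfig/... w,` while the second yields `/etc/ld.so.conf r,`. The script emits the literal file name; since the fontconfig file in the log carries a random `.TMP-` suffix, a rule you would actually ship should cover the directory with a glob (for example `owner @{HOME}/.cache/fontconfig/** w,`), which is the kind of generalisation aa-logprof prompts you for.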
