[apparmor] [profile] Firefox: "org.mozilla.firefox.*" and "dbus_bind" -- DENIED.
daniel curtis
sidetripping at gmail.com
Wed Mar 28 16:54:56 UTC 2018
Hello.
A couple of weeks ago, Firefox was updated to the new v59.0.1
version. (Yesterday, there was another update, to v59.0.2.) It
seems that both updates are responsible for new "DENIED" entries
related to the "dbus" event etc. Anyway, the first mentioned update
was pretty simple to "solve", I mean with a proper rule. I have to note
that these "DENIED" entries appeared after every first Firefox
launch/start.
● apparmor="DENIED" operation="dbus_method_call" bus="session"
path="/org/freedesktop/DBus" interface="org.freedesktop.DBus"
member="RequestName" mask="send" name="org.freedesktop.DBus" pid=1817
label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_label="unconfined"
Based on the above entry, I decided to add this rule:
dbus (send)
    bus=session
    path=/org/freedesktop/{DBus,dbus}
    interface=org.freedesktop.DBus
    member=RequestName
    peer=(label=unconfined),
Everything went smoothly -- parsing the profile etc. No new "DENIED" entry
related to "RequestName" and so on. A few days later a new Firefox was
available. As always, a new "DENIED" entry with every first Firefox
launch. However, this time I'm a little confused, because the log entry
is... short. I'm seeing something like this one for the very first
time.
● apparmor="DENIED" operation="dbus_bind" bus="session"
name="org.mozilla.firefox.ATFjHSFqwZ__" mask="bind" pid=2913
label="/usr/lib/firefox/firefox{,*[^s][^h]}"
OK. It looks simple, right? As for the "name" and its last part
(upper/lower case letters), it's always the same. I have already seen about
3 or 4 such entries. The rule that I want to add is:
dbus (bind)
    bus=session
    path=/org/mozilla/firefox.*
    peer=(label=@{profile_name}),
But I have a question: what should "path" look like in this case? As
we can see, it's "org.mozilla.firefox.ATFjHSFqwZ__", right? So, should I
use the above method or something like this: "path=/org/mozilla/firefox/*"?
The difference is: "firefox.*" and "firefox/*".
What do you think? And what about "peer"? Is it okay, and did I use the
right value? And the first rule above with 'RequestName'? I'm sorry
for such naive questions, but I really don't know what to do. With
every new Firefox release, there are some new "DENIED" entries.
Never-ending story... :- )
Thanks, best regards and happy Easter!
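
As an added example, not part of the original post: a small Python helper that turns the two denial lines quoted above into candidate dbus rules by copying only the fields each event logs. It relies on apparmor.d(5), where a bind rule takes bus= and name= conditions while path, interface, member and peer belong to send/receive rules; the function names and the glob_after parameter are hypothetical, and globbing the last part of the bound name is an assumption to review before use.

```python
import shlex

# The two denial lines quoted in the post, each joined onto one line.
CALL = ('apparmor="DENIED" operation="dbus_method_call" bus="session" '
        'path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" '
        'member="RequestName" mask="send" name="org.freedesktop.DBus" pid=1817 '
        'label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_label="unconfined"')
BIND = ('apparmor="DENIED" operation="dbus_bind" bus="session" '
        'name="org.mozilla.firefox.ATFjHSFqwZ__" mask="bind" pid=2913 '
        'label="/usr/lib/firefox/firefox{,*[^s][^h]}"')

# Conditions a send/receive rule can copy straight from the log entry.
MSG_FIELDS = ("bus", "path", "interface", "member")

def parse_denial(line):
    """Split key="value" audit fields into a dict (quotes removed)."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def suggest_rule(line, glob_after=None):
    """Return a candidate dbus rule for one denial line.

    glob_after (hypothetical parameter): a name prefix after which the
    rest of a bound name is replaced by '*', for per-run suffixes.
    """
    ev = parse_denial(line)
    op = ev.get("operation", "")
    if ev.get("apparmor") != "DENIED" or not op.startswith("dbus_"):
        raise ValueError("not an AppArmor D-Bus denial")
    if op == "dbus_bind":
        # A bind event logs only bus= and name=; the rule mirrors that.
        name = ev["name"]
        if glob_after and name.startswith(glob_after):
            name = glob_after + "*"
        return f"dbus (bind) bus={ev['bus']} name={name},"
    # Message events: copy the logged conditions, then describe the peer.
    conds = [f"{k}={ev[k]}" for k in MSG_FIELDS if k in ev]
    peer = [f"{k}={ev[src]}"
            for k, src in (("name", "name"), ("label", "peer_label")) if src in ev]
    rule = f"dbus ({ev['mask']}) " + " ".join(conds)
    if peer:
        rule += f" peer=({', '.join(peer)})"
    return rule + ","

if __name__ == "__main__":
    print(suggest_rule(CALL))
    print(suggest_rule(BIND, glob_after="org.mozilla.firefox."))
```

The generated lines are candidates to review and load with apparmor_parser, not rules to paste blindly; a glob such as org.mozilla.firefox.* lets the profile own any name under that prefix.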