desktop-packages team mailing list archive

[Bug 1403050] Re: Firefox profile denied messages with google hangouts

In thinking about this, I don't think the firefox profile should be
changed but instead we should add something to
/etc/apparmor.d/abstractions/ubuntu-browsers.d/. In theory, we could add
policy to 'multimedia', but perhaps it makes sense to add a new
abstraction.

These appear to be the rules that are needed:
  /dev/video[0-9]* rw,
  /sys/devices/**/video4linux/** r,
  owner /run/shm/google-* rw,
  /opt/google/talkplugin/** r,
  owner @{HOME}/.config/google-googletalkplugin/ rw,
  owner @{HOME}/.config/google-googletalkplugin/** rwk,
  unix bind type=dgram addr=@google-nacl*,

** Package changed: firefox (Ubuntu) => apparmor (Ubuntu)

** Changed in: apparmor (Ubuntu)
       Status: Confirmed => Triaged

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1403050

Title:
  Firefox profile denied messages with google hangouts

Status in apparmor package in Ubuntu:
  Triaged

Bug description:
  Hi,

  I am using apparmor on trusty, with the firefox profile in enforce
  mode.

  I have just tried hangouts for the first time under the profile, and
  there are two DENIED:

  Dec 16 12:36:31 superstar kernel: [191033.672376] type=1400 audit(1418733391.061:436): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/video0" pid=19492 comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  Which means that it thinks I have no webcam. I don't know if this
  should be allowed or not. I'd prefer to enable my webcam in a hangout,
  but I can see an argument for denying this to firefox.

  Dec 16 12:36:37 superstar kernel: [191039.824064] type=1400 audit(1418733397.217:440): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/run/shm/google-nacl-shm--19492.3" pid=19492 comm="GoogleTalkPlugi" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

  I assume this is something to do with NaCl. I haven't noticed anything
  that is broken by this.

  Thanks,

  James

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: apparmor 2.8.95~2430-0ubuntu5.1
  ProcVersionSignature: Ubuntu 3.13.0-43.72-generic 3.13.11.11
  Uname: Linux 3.13.0-43-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.6
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Tue Dec 16 12:58:32 2014
  ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.13.0-43-generic root=/dev/mapper/hostname--vg-root ro quiet splash vt.handoff=7
  SourcePackage: apparmor
  Syslog:
   
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1403050/+subscriptions
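
An added example, not part of the original message or of AppArmor's own tooling: a Python check that each logged denial from the bug description is covered by one of the proposed file rules, so a reviewer can confirm the abstraction is no broader than the log requires. The function names are hypothetical, the glob translation is a simplified model of AppArmor matching, and `@{HOME}` is assumed to expand to `/home/*`.

```python
import re

# File rules proposed in the message (the unix socket rule is not a path rule).
PROPOSED_RULES = [
    "/dev/video[0-9]* rw,",
    "/sys/devices/**/video4linux/** r,",
    "owner /run/shm/google-* rw,",
    "/opt/google/talkplugin/** r,",
    "owner @{HOME}/.config/google-googletalkplugin/ rw,",
    "owner @{HOME}/.config/google-googletalkplugin/** rwk,",
]
# The two denials from the bug description, each on one line.
DENIALS = [
    'Dec 16 12:36:31 superstar kernel: [191033.672376] type=1400 audit(1418733391.061:436): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/video0" pid=19492 comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'Dec 16 12:36:37 superstar kernel: [191039.824064] type=1400 audit(1418733397.217:440): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/run/shm/google-nacl-shm--19492.3" pid=19492 comm="GoogleTalkPlugi" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
]

def parse_denial(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: quoted or bare for key, quoted, bare in pairs}

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '*' stops at '/', '**' crosses it."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif glob[i] == "[":
            end = glob.index("]", i) + 1
            out, i = out + glob[i:end], end
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

def covering_rule(denial, rules=PROPOSED_RULES):
    """Return the first rule that permits the denied access, or None."""
    for rule in rules:
        owner, glob, perms = re.match(r"(owner\s+)?(\S+)\s+([a-z]+),$", rule).groups()
        glob = glob.replace("@{HOME}", "/home/*")  # assumed expansion
        if owner and denial["fsuid"] != denial["ouid"]:
            continue  # 'owner' rules apply only when the caller owns the object
        if not glob_to_regex(glob).match(denial["name"]):
            continue
        # 'w' in policy also grants the append/create/delete audit masks.
        if all(p in perms or (p in "acd" and "w" in perms) for p in denial["denied_mask"]):
            return rule
    return None
```
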