
desktop-packages team mailing list archive

[Bug 921042] Re: firefox apparmor profile prevents viewing contents of downloaded tarball

 

Yeah, this is an unfortunate by-product of the sanitized_helper child
profile hack to work around the lack of proper environment filtering in
AppArmor. The read is denied because a read is all that is needed for
python to import code, so the sanitized_helper is protecting children
from inheriting a modified PYTHONPATH and executing arbitrary code.

The solution for this bug with the current AppArmor is to create system-
wide profiles for file-roller and gedit (so that these profiles are used
instead of the sanitized_helper). These profiles could be very open. You
could alternatively not use the ubuntu-browsers.d/multimedia abstraction
and redefine file-roller to not use sanitized_helper (but lose the
protection it affords).

The workaround for this bug is to download the tarball first and open it
via nautilus.

** Changed in: firefox (Ubuntu)
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/921042

Title:
  firefox apparmor profile prevents viewing contents of downloaded
  tarball

Status in “firefox” package in Ubuntu:
  Won't Fix

Bug description:
  I'm getting the following error:

  [79737.945214] type=1400 audit(1327421358.123:45): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-10.0/firefox{,*[^s][^h]}//sanitized_helper" name="/home/mdeslaur/.cache/.fr-dOJCoB/software-properties-0.80.6debian1/softwareproperties/ppa.py" pid=26577 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

  
  Steps to reproduce:

  1- Go here: http://packages.debian.org/source/experimental/software-properties
  2- Click on .tar.gz link at bottom of page
  3- Select "Open with" and the default: "Archive Manager"
  4- Double click on tar file
  5- Browse directory
  6- Double click on any .py file to look at the contents

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: firefox 10.0~b5+build1-0ubuntu1
  ProcVersionSignature: Ubuntu 3.2.0-10.17-generic 3.2.1
  Uname: Linux 3.2.0-10-generic x86_64
  AddonCompatCheckDisabled: False
  AlsaVersion: Advanced Linux Sound Architecture Driver Version 1.0.24.
  ApportVersion: 1.91-0ubuntu1
  Architecture: amd64
  Channel: beta
  Date: Tue Jan 24 11:13:47 2012
  ForcedLayersAccel: False
  IfupdownConfig:
   auto lo
   iface lo inet loopback
  InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Alpha amd64 (20110302)
  Profiles: Profile0 (Default) - LastVersion=10.0/20120119221200 (Running)
  RunningIncompatibleAddons: False
  SourcePackage: firefox
  UpgradeStatus: Upgraded to precise on 2012-01-03 (20 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/921042/+subscriptions
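
The denial from the bug description, decoded field by field to show which child profile refused the read. This is an added example, not part of the original message or of AppArmor's own tooling; the function names are hypothetical and the sample is the log entry above joined onto one line.

```python
import re

# Constructed sample: the denial from the bug description, joined onto one line.
SAMPLE = ('[79737.945214] type=1400 audit(1327421358.123:45): apparmor="DENIED" '
          'operation="open" parent=1 '
          'profile="/usr/lib/firefox-10.0/firefox{,*[^s][^h]}//sanitized_helper" '
          'name="/home/mdeslaur/.cache/.fr-dOJCoB/software-properties-0.80.6debian1/'
          'softwareproperties/ppa.py" pid=26577 comm="pool" '
          'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000')

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The kernel audit code writes these fields unquoted and hex-encoded when
# they contain spaces, quotes or control characters.
HEX_FIELDS = {"name", "comm"}

def _decode(key, raw):
    """Strip quotes, or undo the hex encoding of an unquoted name/comm."""
    if raw.startswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS:
        try:
            return bytes.fromhex(raw).decode("utf-8", "replace")
        except ValueError:
            pass
    return raw

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    fields = {k: _decode(k, v) for k, v in FIELD.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    # "parent//child" names a child profile nested inside the parent profile.
    parent, sep, child = fields.get("profile", "").rpartition("//")
    fields["parent_profile"] = parent if sep else fields.get("profile", "")
    fields["child_profile"] = child if sep else None
    return fields

def is_helper_read_denial(fields):
    """True when a read was refused to a process confined by sanitized_helper."""
    return (fields is not None
            and fields["child_profile"] == "sanitized_helper"
            and "r" in fields.get("denied_mask", ""))

if __name__ == "__main__":
    d = parse_denial(SAMPLE)
    print(d["comm"], d["denied_mask"], d["name"])
    print("sanitized_helper read denial:", is_helper_read_denial(d))
```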

