
touch-packages team mailing list archive

[Bug 1376411] [NEW] Firefox profile resulting in ptrace read denials


Public bug reported:

The firefox profile on utopic is resulting in denials like

[  351.414861] audit: type=1400 audit(1412190024.478:83):
apparmor="DENIED" operation="ptrace" profile="firefox" pid=4505
comm="firefox" requested_mask="read" denied_mask="read" peer="/usr/bin
/mediascanner-service-2.0"

[  351.414875] audit: type=1400 audit(1412190024.478:86):
apparmor="DENIED" operation="ptrace" profile="firefox" pid=4505
comm="firefox" requested_mask="read" denied_mask="read"
peer="unconfined"


This is most likely due to firefox scanning for information via /proc/<pid>/, which will result in a ptrace read permission request in the kernel.
atm I have locally added the rule*
deny ptrace read peer=[^f][^i][^r][^e][^f][^o][^x],

*my local firefox profile is patched to be named
profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} {

instead of the default of using the attachment path as a name

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1376411
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1376411/+subscriptions
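As an added example (not code from the bug report or from the apparmor package), a small Python filter that picks AppArmor ptrace-read denials like the two quoted above out of a kernel log and tallies them per profile and peer, which is the view a policy author wants before deciding how to handle them. The sample log is constructed: the report's two denials rejoined onto one line each, plus one non-ptrace denial and one unrelated kernel line to show they are skipped.

```python
import re
from collections import Counter

# Constructed sample log: the two denials from the bug report (unwrapped),
# a file-open denial that is not a ptrace event, and a non-audit line.
SAMPLE_LOG = """\
[  351.414861] audit: type=1400 audit(1412190024.478:83): apparmor="DENIED" operation="ptrace" profile="firefox" pid=4505 comm="firefox" requested_mask="read" denied_mask="read" peer="/usr/bin/mediascanner-service-2.0"
[  351.414875] audit: type=1400 audit(1412190024.478:86): apparmor="DENIED" operation="ptrace" profile="firefox" pid=4505 comm="firefox" requested_mask="read" denied_mask="read" peer="unconfined"
[  351.500000] audit: type=1400 audit(1412190024.600:90): apparmor="DENIED" operation="open" profile="firefox" name="/etc/shadow" pid=4505 comm="firefox" requested_mask="r" denied_mask="r"
[  352.000000] usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""

# AppArmor audit records carry their fields as key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_audit_line(line):
    """Return the quoted key="value" fields of one AppArmor audit record as a
    dict, or None if the line is not an AppArmor (type=1400) record."""
    if "type=1400" not in line or 'apparmor="' not in line:
        return None
    return dict(KV_RE.findall(line))


def ptrace_read_denials(log_text):
    """Keep only DENIED ptrace records whose denied mask includes read, the
    kind produced when a confined process inspects /proc/<pid>/ of a peer."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        if rec.get("apparmor") != "DENIED" or rec.get("operation") != "ptrace":
            continue
        if "read" not in rec.get("denied_mask", ""):
            continue
        hits.append(rec)
    return hits


def summarize_peers(records):
    """Count denials per (profile, peer) so each probed peer is visible."""
    return Counter((r["profile"], r["peer"]) for r in records)


if __name__ == "__main__":
    for (profile, peer), n in summarize_peers(ptrace_read_denials(SAMPLE_LOG)).items():
        print(f"{profile} -> {peer}: {n} ptrace read denial(s)")
```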
