[apparmor] [profile] Firefox: DENIED "m" access to /home/user/.nv folder.
Seth Arnold
seth.arnold at canonical.com
Fri Jan 27 20:37:38 UTC 2017
On Fri, Jan 27, 2017 at 05:18:07PM +0100, daniel curtis wrote:
> audit(1485533096.203:54): apparmor="DENIED" operation="exec" parent=3761
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/bin/lsb_release"
> pid=3762 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000
> ouid=0
> Firefox seems to work OK, but there is one thing, which makes me wonder:
> "fsuid=1000 ouid=0". Both values were always the same - 1000. Now, they are
> different. What is the reason? The question is simple: should I add another
> rule to the Firefox profile? For example:
>
> /usr/bin/lsb_release mrix,

Hi Daniel,

The fsuid=... reports what the process's "filesystem userid" is. Most of
the time this is the same as the process's "effective userid". A full
explanation of the user ids in a process is beyond my abilities (and
probably also beyond your interest :) -- but it's enough to know that most
of the time this means "the user that runs the process".

The ouid=... reports which user id owns the resource -- in this case the
/usr/bin/lsb_release executable.

In this case this means your user's firefox process is trying to run an
executable owned by root.

The Firefox profile I've got on my system uses a child profile for
lsb_release:

  /usr/bin/lsb_release Cxr -> lsb_release,

  profile lsb_release {
    #include <abstractions/base>
    #include <abstractions/python>

    /usr/bin/lsb_release r,
    /bin/dash ixr,
    /usr/bin/dpkg-query ixr,
    /usr/include/python2.[4567]/pyconfig.h r,
    /etc/lsb-release r,
    /etc/debian_version r,
    /var/lib/dpkg/** r,
    /usr/local/lib/python3.[0-4]/dist-packages/ r,
    /usr/bin/ r,
    /usr/bin/python3.[0-4] r,

    # file_inherit
    deny /tmp/gtalkplugin.log w,
  }

You can use this as a starting point for yours if you wish. While there's
strictly nothing in here that Firefox shouldn't have, there's also nothing
in here that Firefox should have either.

Thanks
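
An added example, not part of the original message: a small parser for AppArmor denial records that pulls out the fsuid and ouid fields discussed above and reports whether the acting user owns the object. The first sample is the denial quoted in the post; the second sample line, its path and the helper names are constructed for illustration.

```python
import re

# The denial quoted in the post, joined onto one line.
PAGE_LINE = (
    'audit(1485533096.203:54): apparmor="DENIED" operation="exec" parent=3761 '
    'profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/bin/lsb_release" '
    'pid=3762 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0'
)
# Constructed sample: a user-owned path with a space in it, which the audit
# subsystem logs as an unquoted hex string instead of a quoted one.
CONSTRUCTED_PATH = "/home/user/.nv/cache file"
CONSTRUCTED_LINE = (
    'audit(1485533100.000:55): apparmor="DENIED" operation="file_mmap" '
    'profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name='
    + CONSTRUCTED_PATH.encode().hex().upper()
    + ' pid=3762 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000'
)

_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key="quoted" or key=bare
_STRING_FIELDS = {"name", "profile", "comm"}          # may arrive hex-encoded
_HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_denial(line):
    """Parse one AppArmor audit record into a dict of fields."""
    rec = {}
    for key, raw in _PAIR.findall(line):
        if raw.startswith('"'):
            rec[key] = raw[1:-1]
        elif key in _STRING_FIELDS and _HEX.fullmatch(raw):
            rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            rec[key] = raw
    for key in ("pid", "parent", "fsuid", "ouid"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec

def owner_mismatch(rec):
    """True when the acting user (fsuid) is not the owner of the object (ouid)."""
    return "fsuid" in rec and "ouid" in rec and rec["fsuid"] != rec["ouid"]

def summarize(rec):
    owner = "different user" if owner_mismatch(rec) else "same user"
    return (f"{rec['comm']} (fsuid {rec['fsuid']}) denied {rec['denied_mask']!r} "
            f"on {rec['name']}, owned by uid {rec['ouid']} ({owner})")

if __name__ == "__main__":
    for line in (PAGE_LINE, CONSTRUCTED_LINE):
        print(summarize(parse_denial(line)))
```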