Apparmor blocks access to /media in Firefox

Bug #433362 reported by michael37
This bug affects 3 people

Affects: firefox-3.5 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Jamie Strandboge

Bug Description

Binary package hint: apparmor

Something new in Karmic 9.10 Alpha 6 (compared to Jaunty): Firefox cannot write to ntfs-3g mounted partitions. It's blocked via apparmor. The apparmor configuration is out-of-the-box.

Saving to ext3 root partition works fine.

dmesg:

[ 3346.905820 ] type=1503 audit(1253232521.807:114): operation="open" pid=12481 parent=1 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/media/OS/Downloads/new"

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. The use of AppArmor with firefox is optional and not the default. It is not clear whether you explicitly enabled AppArmor for firefox. Did you?

That said, can you add the following to /etc/apparmor.d/usr.bin.firefox-3.5:
  owner /media/** rw,

and then reload the profile with 'sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox-3.5' and report back if it fixes the problem for you?

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Confirmed
summary: - Apparmor blocks Firefox from ntfs partitions out-of-the-box
+ Apparmor blocks access to /media in Firefox
affects: apparmor (Ubuntu) → firefox-3.5 (Ubuntu)
Changed in firefox-3.5 (Ubuntu):
status: Confirmed → In Progress
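
An added example (not from the bug thread or the firefox-3.5 package): it parses the denial quoted in the report and checks whether a candidate file rule covers it on path, permission and the `owner` qualifier. The glob handling is simplified, and the unqualified rule in the demo is constructed for comparison only.

```python
import re

# The denial line quoted in this report's dmesg output.
SAMPLE = (
    '[ 3346.905820 ] type=1503 audit(1253232521.807:114): operation="open" '
    'pid=12481 parent=1 profile="/usr/lib/firefox-3.5.*/firefox" '
    'requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 '
    'name="/media/OS/Downloads/new"'
)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RULE = re.compile(r'^\s*(owner\s+)?(\S+)\s+([a-z]+),\s*$')
GLOB = {'**': '.*', '*': '[^/]*', '?': '[^/]'}


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def glob_to_regex(glob):
    """Simplified AppArmor glob: '**' crosses '/', '*' and '?' do not.
    Alternation ({a,b}) and character classes are not handled."""
    tokens = re.findall(r'\*\*|\*|\?|[^*?]+', glob)
    return re.compile(''.join(GLOB.get(t) or re.escape(t) for t in tokens))


def rule_covers(rule, denial):
    """Return (covers, reason) for one file rule against one parsed denial."""
    match = RULE.match(rule)
    if not match:
        raise ValueError('not a simple file rule: %r' % rule)
    owner, path_glob, perms = match.groups()
    if not glob_to_regex(path_glob).fullmatch(denial['name']):
        return False, 'path'
    # Old-style masks carry a '::' prefix; create (c) and delete (d) in a
    # mask are granted by 'w' in a rule.
    needed = set(denial['denied_mask'].replace(':', '').translate(
        str.maketrans('cd', 'ww')))
    if not needed <= set(perms):
        return False, 'permissions'
    # 'owner' limits the rule to files whose uid (ouid) equals the task's fsuid.
    if owner and denial['fsuid'] != denial['ouid']:
        return False, 'owner'
    return True, 'ok'


if __name__ == '__main__':
    denial = parse_denial(SAMPLE)
    for rule in ('owner /media/** rw,', '/media/** rw,'):
        print(rule, '->', rule_covers(rule, denial))
```
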
michael37 (misha37) wrote :

You mentioned that apparmor is not enabled for firefox by default. However, I have not enabled it manually (I am sure about that). My old logs while I was running Jaunty do not contain similar messages, so the change likely happened when I upgraded Jaunty to Karmic Alpha.

michael37 (misha37) wrote :

Details:

$ dpkg -S /etc/apparmor.d/usr.bin.firefox-3.5
firefox-3.5: /etc/apparmor.d/usr.bin.firefox-3.5

$ dpkg -l firefox-3.5
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii firefox-3.5 3.5.3+build1+n safe and easy web browser from Mozilla

Jamie Strandboge (jdstrand) wrote :

What is the output of this command:
$ ls -l /etc/apparmor.d/disable/usr.bin.firefox-3.5

Were you using firefox-3.5 in Jaunty?

michael37 (misha37) wrote :

I have, yes, from mozilla-security ppa.

/etc/apparmor.d/disable/ is empty.

/etc/apparmor.d/usr.bin.firefox-3.5 is distributed in the firefox-3.5 package, http://packages.ubuntu.com/karmic/amd64/firefox-3.5/filelist

Jamie Strandboge (jdstrand) wrote :

Ok, that explains why the profile was enabled on upgrade (you had a higher version than is checked for in preinst).

If you wish to disable the profile, feel free to perform:
$ sudo ln -s /etc/apparmor.d/usr.bin.firefox-3.5 /etc/apparmor.d/disable/usr.bin.firefox-3.5

michael37 (misha37) wrote :

Makes sense, thanks for the workaround. Given that Jaunty provides firefox-3.5 in universe/security, I'd think that many Jaunty users would be using FF 3.5 -- esp considering that Windows version of FF 3.5 was available since early July.

Jamie Strandboge (jdstrand) wrote :

The upgrade from Jaunty and having the profile enabled bug is bug #436221.

Changed in firefox-3.5 (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox-3.5 - 3.5.3+build1+nobinonly-0ubuntu4

---------------
firefox-3.5 (3.5.3+build1+nobinonly-0ubuntu4) karmic; urgency=low

  [ Fabien Tassin <email address hidden> ]
  * Bump requirement for system sqlite to >= 3.6.16 (bmo 508104)
    - update debian/rules

  [ Alexander Sack <email address hidden> ]
  * fix LP: #423610 - daily build failures after landing of mozilla-nss.pc droppage
    (bug 422829); we drop our previously used nspr pkgconfig patch and fix
    configure.in to not require in-source nspr if libxul-sdk is used
    - delete debian/patches/nspr_flags_by_pkg_config_hack.patch
    - add debian/patches/bzXXX_libxul_sdk_nspr.patch
    - update debian/patches/series
  * now that we always use libxul-sdk for getting the nspr flags we
    can use --without-system-nspr and --without-system-nss all the time
    - update debian/rules
  * rework localized search engine patch to use ChromeRegistry locale
    information rather than a char pref; also change plugin dir order to allow
    locale specific searchplugins to overlay the ones shipped in
    "searchplugins/common"
    - add debian/patches/bz515232_att399338_distro_locale_searchplugins.patch
    - update debian/patches/series
  * adjust packaging to support localized searchplugins
    + ship default searchplugins in /usr/lib/firefox-addons/searchplugins/en-US/
      and link that directory to $(DEBIAN_FF3_DIR)/distribution/searchplugins instead
      of the main firefox APP_DIR
      - update debian/rules
    + set default searchplugin locale pref to en-US - which is used as a
      fallback if no matching searchplugins/LOCALE directory exists for the
      current locale directory
      - update debian/firefox.js
    + do not install upstream searchplugins through debhelper file and
      install "debsearch" to the new distribution/.../en-US location
      - update debian/firefox-3.0.install
    + ship "common" searchplugins link that points to the old default
      searchplugins location '/usr/lib/firefox-addons/searchplugins/
      - update debian/rules

  [ Jamie Strandboge <email address hidden> ]
  * fix bugs surrounding apparmor profile
    + allow ixr access to gnash (LP: #429061)
    + allow ixr access to pulseaudio (LP: #432702)
    + allow access to plugins directory (LP: #428071)
    + allow access to mounted media (LP: #433362)
    + allow access to abstractions/ubuntu-console-email,
      abstractions/ubuntu-email and abstractions/ubuntu-gnome-terminal
      for mailto:. Add commented section for using xterm and konsole
      - update debian/usr.bin.firefox-3.5
    + allow access to extensions directory (LP: #433128)
    + allow 'k' access to @{HOME}/.mozilla/**/*.sqlite* (LP: #449286)
    + allow Ux access to apport-bug (LP: #449423)
    + allow access to /etc/mplayerplug-in.conf (LP: #439484)

 -- Alexander Sack <email address hidden> Thu, 15 Oct 2009 02:30:48 +0200

Changed in firefox-3.5 (Ubuntu):
status: Fix Committed → Fix Released