apparmor log message on booting

Bug #435285 reported by Benjamin Drung
This bug affects 45 people
Affects            Status        Importance  Assigned to  Milestone
apparmor (Ubuntu)  Fix Released  Low         Kees Cook
Karmic             Fix Released  Low         Kees Cook

Bug Description

Binary package hint: firefox-3.5

The first message on startup is:

Skipped: /etc/apparmor.d/disable/usr.bin.firefox-3.5

ProblemType: Bug
Architecture: amd64
Date: Wed Sep 23 16:03:57 2009
DistroRelease: Ubuntu 9.10
Package: firefox-3.5 3.5.3+build1+nobinonly-0ubuntu2
ProcEnviron:
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-10.35-generic
SourcePackage: firefox-3.5
Uname: Linux 2.6.31-10-generic x86_64

Matt Drake (mattduckman) wrote :

I'm almost positive that this bug should be in the package apparmor and not firefox-3.5.

Benjamin Drung (bdrung) wrote :

/etc/apparmor.d/disable/usr.bin.firefox-3.5 is provided by firefox-3.5. That's why I filed the bug against firefox-3.5.

Nicholas Christian Langkjær Ipsen (ncli) wrote :

+1

If this affects how well Apparmor secures firefox (AKA the main web browser), I think it should have a very high priority!

Matt Drake (mattduckman) wrote :

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles

apparmor for firefox will be disabled by default in 9.10, but that's not what this bug is about.

This bug is about apparmor printing a message on boot even when the 'quiet' option is given, which is why I think this bug should be in apparmor.

Benjamin Drung (bdrung)
affects: firefox-3.5 (Ubuntu) → apparmor (Ubuntu)
Kees Cook (kees)
Changed in apparmor (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Kees Cook (kees)
milestone: none → ubuntu-9.10-beta
Nicholas Christian Langkjær Ipsen (ncli) wrote :

"Matt Drake wrote:

apparmor for firefox will be disabled by default in 9.10, but that's not what this bug is about."

May I ask why?

Jamie Strandboge (jdstrand) wrote :

Seph_VII,

The bug description says it all: "apparmor log message on booting". It is best not to mix up different issues in one bug report.

Feel free to open a wishlist bug against firefox-3.5 for Ubuntu 10.04, but as the developer of the profile I can tell you that enabling the profile by default is fraught with usability problems. While the current profile will likely work well for many people, it could easily break functionality. This would be a massive usability issue, in part because firefox appears 'broken', but also because there aren't GUI tools to easily adjust the profile when something is denied. People would then complain loudly and end up turning AppArmor off entirely. As such, the current strategy is to ship a default disabled profile for 9.10 (and quite probably other releases), see what bugs come up and reevaluate if it is feasible to have an enforcing profile by default. At this time, we simply do not have enough real world use on the profile to confidently turn it on by default.

Thanks for your interest!

Kees Cook (kees)
Changed in apparmor (Ubuntu Karmic):
importance: Medium → Low
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu22

---------------
apparmor (2.3.1+1403-0ubuntu22) karmic; urgency=low

  * Do not run AppArmor on the LiveCD, again (LP: #131976).
  * More aggressively stay quiet when booting in quiet mode (LP: #435285).

 -- Kees Cook <email address hidden> Wed, 23 Sep 2009 15:40:22 -0700

Changed in apparmor (Ubuntu Karmic):
status: Confirmed → Fix Released
geordish (me-geordish) wrote :

I am running:

dave@mercury:~$ dpkg -l | grep apparmor
ii apparmor 2.3.1+1403-0ubuntu22 User-space parser utility for AppArmor
ii apparmor-utils 2.3.1+1403-0ubuntu22 Utilities for controlling AppArmor
ii libapparmor-perl 2.3.1+1403-0ubuntu22 AppArmor library Perl bindings
ii libapparmor1 2.3.1+1403-0ubuntu22 changehat AppArmor library

And can confirm the bug still affects me:

Changed in apparmor (Ubuntu Karmic):
status: Fix Released → Confirmed
status: Confirmed → Fix Released
dasdsadsada (dasdasdas-deactivatedaccount) wrote :

This bug still affects me, I have the latest apparmor packages.
retry@retry-laptop:~$ dpkg -l | grep apparmor
ii apparmor 2.3.1+1403-0ubuntu22 User-space parser utility for AppArmor
ii apparmor-utils 2.3.1+1403-0ubuntu22 Utilities for controlling AppArmor
ii libapparmor-perl 2.3.1+1403-0ubuntu22 AppArmor library Perl bindings
ii libapparmor1 2.3.1+1403-0ubuntu22 changehat AppArmor library

Changed in apparmor (Ubuntu Karmic):
status: Fix Released → Confirmed
skep (skep) wrote :

Right, this bug still affects me (2.3.1+1403-0ubuntu22)

Kees Cook (kees)
Changed in apparmor (Ubuntu Karmic):
milestone: ubuntu-9.10-beta → ubuntu-9.10
Kees Cook (kees) wrote :

Ah-ha, yes. I think I've really tracked down this bug now. I think my system was booting too quickly before to see the message sneaking by. This is in VCS now, but may not make the beta release.

Changed in apparmor (Ubuntu Karmic):
status: Confirmed → Fix Committed
Henrik (neu242) wrote :

Kees Cook: What version of which package contains the fix? I still see it on my system...

shaoli.zhu (zsl1005) wrote :

I also have the problem, and the apparmor package is 2.3.1+1403-0ubuntu22

ii apparmor 2.3.1+1403-0ubuntu22 User-space parser utility for AppArmor
ii apparmor-utils 2.3.1+1403-0ubuntu22 Utilities for controlling AppArmor
ii libapparmor-perl 2.3.1+1403-0ubuntu22 AppArmor library Perl bindings
ii libapparmor1 2.3.1+1403-0ubuntu22 changehat AppArmor library

Changed in apparmor (Ubuntu Karmic):
status: Fix Committed → Confirmed
Michael Rooney (mrooney) wrote :

Please don't change the status from Fix Committed to Confirmed; Kees said the fix has been committed but won't show up in the repositories for a bit. There is only cause to worry when the status is Fix RELEASED, you have the package it was fixed in installed, and you are still experiencing the issue.

Changed in apparmor (Ubuntu Karmic):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu23

---------------
apparmor (2.3.1+1403-0ubuntu23) karmic; urgency=low

  [ Kees Cook ]
  * Really fix quiet mode in initramfs (LP: #435285).
  * Handle older kernel versions when loading profiles (LP: #429872):
    - parser/parser_{interface,main}.c: detect kernel version and downgrade.
    - debian/apparmor.functions, parser/parser_main.c: keep kernel features
      recorded in cache directory.
    - parser/parser_{interface,main}.c: add --skip-kernel-load for testing.
    - parser/tst/caching.*: add caching tests.
  [ Jamie Strandboge ]
  * abstractions/audio: add a few more files for pulseaudio

 -- Kees Cook <email address hidden> Fri, 25 Sep 2009 09:54:01 -0700

Changed in apparmor (Ubuntu Karmic):
status: Fix Committed → Fix Released
Bart Rose (jbrose3) wrote :

The latest apparmor (2.3.1+1403-0ubuntu23) release did not seem to fix this issue for me. Thanks.

jal (kilian-hekhuis) wrote :

Same issue also affects me, after upgrading to 9.10. AppArmor is version 2.3.1+1403-0ubuntu27.1. The exact text on booting is "Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox-3.5". I get the same text when I perform a force-reload. Also, but probably not related (maybe related to #401109), I get the message "Warning: found usr.sbin.ntpd in /etc/apparmor.d/force-complain, forcing complain mode".

Oedipe (oedipe) wrote :

Hum, still seeing the "Skipped: /etc/apparmor.d/disable/usr.bin.firefox-3.6.3" message here at boot time.
Running Linux 2.6.32-22-generic #36-Ubuntu Lucid 10.04

AppArmor version is 2.5.0ubuntu3

Regards,

skostenko (skostenko) wrote :

Here's how I solved this problem:

Originally the firefox profile was not loaded:

sudo /etc/init.d/apparmor restart [OK]
 * Reloading AppArmor profiles Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox

sudo /etc/init.d/apparmor status

/usr/sbin/tcpdump (enforce)
/usr/sbin/mysqld (enforce)
/usr/sbin/cupsd (enforce)
/usr/lib/cups/backend/cups-pdf (enforce)
/usr/bin/evince-thumbnailer (enforce)
/usr/bin/evince-previewer (enforce)
/usr/bin/evince (enforce)
/usr/lib/connman/scripts/dhclient-script (enforce)
/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
/sbin/dhclient3 (enforce)
/usr/share/gdm/guest-session/Xsession (enforce)

A symlink (usr.bin.firefox-3.5) was found which refers to a nonexistent file:

ls -al /etc/apparmor.d/disable

lrwxrwxrwx 1 root root 31 2010-07-23 23:57 usr.bin.firefox -> /etc/apparmor.d/usr.bin.firefox
lrwxrwxrwx 1 root root 35 2010-03-18 01:06 usr.bin.firefox-3.5 -> /etc/apparmor.d/usr.bin.firefox-3.5

I checked the listing of files in the directory /etc/apparmor.d/

ls -al /etc/apparmor.d/

drwxr-xr-x 2 root root 4096 2010-03-18 01:30 abstractions
drwxr-xr-x 2 root root 4096 2010-09-24 07:54 cache
drwxr-xr-x 2 root root 4096 2010-07-23 23:57 disable
drwxr-xr-x 2 root root 4096 2009-10-09 01:52 force-complain
-rw-r--r-- 1 root root 967 2009-10-15 14:51 gdm-guest-session
-rw-r--r-- 1 root root 1944 2009-10-09 01:51 sbin.dhclient3
drwxr-xr-x 2 root root 4096 2010-03-18 01:30 tunables
-rw-r--r-- 1 root root 2052 2009-11-11 11:03 usr.bin.evince
-rw-r--r-- 1 root root 8656 2010-09-15 23:01 usr.bin.firefox
-rw-r--r-- 1 root root 4866 2009-10-20 12:50 usr.bin.firefox-3.5.dpkg-old
-rw-r--r-- 1 root root 4050 2009-10-15 22:21 usr.sbin.cupsd
-rw-r--r-- 1 root root 788 2010-06-07 22:57 usr.sbin.mysqld
-rw-r--r-- 1 root root 708 2009-08-14 03:36 usr.sbin.tcpdump

and re-assigned the symlink usr.bin.firefox-3.5 to /etc/apparmor.d/usr.bin.firefox, and accordingly removed the symlink usr.bin.firefox

Restarted apparmor and saw no problems:

sudo /etc/init.d/apparmor restart
 * Reloading AppArmor profiles [OK]

The firefox profiles booted without problems:

sudo /etc/init.d/apparmor status
/usr/sbin/tcpdump (enforce)
/usr/sbin/mysqld (enforce)
/usr/sbin/cupsd (enforce)
/usr/lib/cups/backend/cups-pdf (enforce)
/usr/lib/firefox-3.6.10/firefox-*bin (enforce)
/usr/lib/firefox-3.6.10/firefox-*bin//firefox_openjdk (enforce)
/usr/lib/firefox-3.6.10/firefox-*bin//firefox_java (enforce)
/usr/bin/evince-thumbnailer (enforce)
/usr/bin/evince-previewer (enforce)
/usr/bin/evince (enforce)
/usr/lib/connman/scripts/dhclient-script (enforce)
/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
/sbin/dhclient3 (enforce)
/usr/share/gdm/guest-session/Xsession (enforce)

Cheers,
Linux System Administrator
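
The manual inspection in the comment above, as an added shell example (not part of the original comment or of the AppArmor packages): it walks the disable directory and flags symlinks whose target is missing, next to entries that match an existing profile. Matching entries to profiles by file name is an assumption taken from the "Skipping profile in /etc/apparmor.d/disable: <name>" messages quoted in this report; audit_disable_dir and demo are hypothetical names, and the demo tree is constructed from the listings above.

```shell
#!/bin/sh
# audit_disable_dir [PROFILE_DIR]
# Prints one line per entry in PROFILE_DIR/disable:
#   DANGLING <name> -> <target>  symlink whose target file does not exist
#   DISABLED <name>              PROFILE_DIR/<name> exists (assumed: it is skipped)
#   ORPHAN <name>                entry resolves, but no profile has that name
audit_disable_dir() {
    profile_dir=${1:-/etc/apparmor.d}
    for entry in "$profile_dir"/disable/*; do
        # An unmatched glob stays literal; -L keeps dangling links in the loop.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        if [ -L "$entry" ] && [ ! -e "$entry" ]; then
            echo "DANGLING $name -> $(readlink "$entry")"
        elif [ -f "$profile_dir/$name" ]; then
            echo "DISABLED $name"
        else
            echo "ORPHAN $name"
        fi
    done
}

# Constructed demo: rebuild the layout from the listings above in a temp dir,
# so nothing under /etc is read or changed.
demo() {
    d=$(mktemp -d) && mkdir "$d/disable" || return 1
    : > "$d/usr.bin.firefox"
    : > "$d/usr.bin.firefox-3.5.dpkg-old"
    ln -s "$d/usr.bin.firefox" "$d/disable/usr.bin.firefox"
    # Target is missing: only the .dpkg-old copy of this profile is left.
    ln -s "$d/usr.bin.firefox-3.5" "$d/disable/usr.bin.firefox-3.5"
    audit_disable_dir "$d"
    rm -rf "$d"
}

demo
```

On a real system, audit_disable_dir /etc/apparmor.d reports the same three states without modifying anything.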
