Page 2 of 19 FirstFirst 123412 ... LastLast
Results 11 to 20 of 185

Thread: AppArmor Support Thread

  1. #11

    Re: AppArmor Support Thread

    Yes, replacing has helped. Thank you.
    Now I see this:

    Feb 4 15:26:23 linux2009 kernel: [ 617.777856] type=1503 audit(1233750383.067:156): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/sbin/killall5" pid=7602 profile="/usr/lib/firefox-3.0.5/firefox.sh"

    Should I allow it? How does it use it?

    And I want to say something about a feature of AppArmor: its permissions work in a different way from Linux's. When a new user is added and Firefox is first started by that user, it requested w permission for .mozilla in the home directory. I added it and it works. w permission for the home directory itself is not needed.

  2. #12

    Re: AppArmor Support Thread

    man iptables:
    --cmd-owner name
    Matches if the packet was created by a process with the given command name. (this option is present only if iptables was compiled under a kernel supporting this feature)
    This has not worked in Ubuntu 8.10. I think it is because iptables is not compiled that way.
    I tried this command:
    sudo iptables -I OUTPUT 2 -p tcp -m owner --uid-owner 1234 --cmd-owner virtualbox --dport 80 -j ACCEPT

  3. #13

    Re: AppArmor Support Thread

    Quote Originally Posted by q.dinar View Post
    This has not worked in Ubuntu 8.10. I think it is because iptables is not compiled that way.
    I tried this command:
    sudo iptables -I OUTPUT 2 -p tcp -m owner --uid-owner 1234 --cmd-owner virtualbox --dport 80 -j ACCEPT
    That's unfortunate. Indeed it doesn't work. I've updated my post above to reflect this.
    Joel Goguen

  4. #14

    Re: AppArmor Support Thread

    Quote Originally Posted by q.dinar View Post
    Yes, replacing has helped. Thank you.
    Now I see this:

    Feb 4 15:26:23 linux2009 kernel: [ 617.777856] type=1503 audit(1233750383.067:156): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/sbin/killall5" pid=7602 profile="/usr/lib/firefox-3.0.5/firefox.sh"

    Should I allow it? How does it use it?
    I'm not sure how that's used. I don't allow it and I haven't run into problems, but I also haven't seen Firefox asking for that program. What were you doing when you saw that? Do you have any steps that allow you to consistently make Firefox ask for /sbin/killall5?

    Quote Originally Posted by q.dinar View Post
    And I want to say something about a feature of AppArmor: its permissions work in a different way from Linux's. When a new user is added and Firefox is first started by that user, it requested w permission for .mozilla in the home directory. I added it and it works. w permission for the home directory itself is not needed.
    Quite right, Linux and AppArmor use two different sets of permissions. The permissions applied are the least common permissions between the two. So if a file has Linux permissions for read, write, and execute, but the AppArmor profile permissions allow read and execute, you won't be able to write to the file under that profile no matter how hard you try.
    Joel Goguen

  5. #15

    Re: AppArmor Support Thread

    I am quite sad.

    You should rename, modify and reload /etc/apparmor.d/usr.lib.firefox-3.0.5.firefox.sh when Firefox has upgraded to 3.0.6!

    2009-12-22: This can be solved, at least in the AppArmor of Ubuntu 9.10: there is a preinstalled but turned-off Firefox profile. The profile's file name is not important; it is "usr.bin.firefox-3.5", but in it:
    ...
    #include <tunables/global>

    /usr/lib/firefox-3.5.*/firefox {
    #include <abstractions/audio>
    ...
    and that works with all versions, I think.
    Last edited by q.dinar; December 22nd, 2009 at 09:16 PM.

  6. #16

    Re: AppArmor Support Thread

    Yes, you will need to change the file name and the paths in the file to match the new paths. The same would also apply to anything else installed with version information in the path name, like XUL Runner (/usr/lib/xulrunner-1.9/).

    AppArmor is definitely not a "set and forget" security system. In fact, any system which claims to be such a thing should be viewed suspiciously. When upgrades are done, or new packages installed, current rules may need to be revised or removed, or new rules may need to be added.
    Joel Goguen

  7. #17

    Re: AppArmor Support Thread

    Even when I had just started Firefox, and only one blank tab (page) was open at the start, it asked for killall5. When I opened a new blank tab (page) it asked for it 4 times, but programs usually ask for things several times if they do not succeed on the first try. I allowed it, but now I have denied it again, so I see it now in syslog.

    "Quite right, Linux and AppArmor use two different sets of permissions. The permissions applied are the least common permissions between the two. ..."
    But I wanted to say something about another feature: to create a new "a" directory in a "b" directory in Linux, "write" permission to the "b" directory is needed. In AppArmor rules, "write" permission to the not-yet-existing "a" itself is enough.

    I see that when I switch to Firefox from another program by clicking its tab on the task bar or with Alt+Tab, it asks for killall5 2 times.
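The permission model discussed in #14 (effective access is what both the Linux mode bits and the profile allow), the versioned path glob in the Ubuntu 9.10 profile quoted in #15/#16, and the mkdir observation in #17 can all be exercised with one toy model. The following is an added example, not code from the thread or from the AppArmor project: it implements only the `*`, `**` and `?` globs (no `{a,b}` alternation, `[..]` classes or `@{HOME}` tunables, so `/home/*/` stands in for the home tunable), ignores group permission bits, and the profile fragment is constructed.

```python
import re

# Added example (not from the thread): a toy model of how a process's effective
# file access is the intersection of the Linux DAC mode and its AppArmor profile.
# Assumptions: only the globs *, ** and ? are handled (no {a,b}, [..] or @{VAR}),
# group permission bits are ignored, and FIREFOX_RULES below is constructed.


def aa_glob_to_regex(pattern: str) -> re.Pattern:
    """Translate an AppArmor path glob: '*' never crosses '/', '**' does."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rule(rule: str) -> tuple[re.Pattern, set[str]]:
    """Parse a minimal file rule such as '/usr/lib/firefox-3.5.*/firefox rix,'."""
    path, perms = rule.strip().rstrip(",").split()
    return aa_glob_to_regex(path), set(perms)


def profile_perms(rules, path: str) -> set[str]:
    """Union of the permissions of every rule whose glob matches the path."""
    allowed: set[str] = set()
    for regex, perms in rules:
        if regex.match(path):
            allowed |= perms
    return allowed


def dac_perms(mode: int, owner_uid: int, uid: int) -> set[str]:
    """Owner bits if uid owns the file, otherwise the 'other' bits (groups ignored)."""
    bits = (mode >> (6 if uid == owner_uid else 0)) & 0o7
    return {p for p, bit in (("r", 4), ("w", 2), ("x", 1)) if bits & bit}


def effective_perms(rules, path: str, mode: int, owner_uid: int, uid: int) -> set[str]:
    """What the confined process can actually do: allowed by DAC *and* by the profile."""
    return dac_perms(mode, owner_uid, uid) & profile_perms(rules, path) & {"r", "w", "x"}


def can_create_dir(rules, new_dir: str, parent_mode: int, parent_owner: int, uid: int) -> bool:
    """mkdir needs DAC w+x on the parent, but AppArmor only needs 'w' on the new directory path."""
    dac_ok = {"w", "x"} <= dac_perms(parent_mode, parent_owner, uid)
    aa_ok = "w" in profile_perms(rules, new_dir.rstrip("/") + "/")   # directories carry a trailing '/'
    return dac_ok and aa_ok


# Constructed profile fragment in the spirit of the usr.bin.firefox-3.5 profile
# quoted above; the /home/*/ rules stand in for the @{HOME} tunable.
FIREFOX_RULES = [parse_rule(r) for r in (
    "/usr/lib/firefox-3.5.*/firefox rix,",
    "/usr/lib/firefox-3.5.*/** r,",
    "/home/*/ r,",
    "/home/*/.mozilla/ w,",
    "/home/*/.mozilla/** rw,",
)]

if __name__ == "__main__":
    # The versioned glob covers any 3.5.x directory but not 3.0.5.
    print(profile_perms(FIREFOX_RULES, "/usr/lib/firefox-3.5.6/firefox"))  # {'r', 'i', 'x'}
    print(profile_perms(FIREFOX_RULES, "/usr/lib/firefox-3.0.5/firefox"))  # set()
    # World-writable on disk (0777) but the profile grants only rix: no write.
    print(effective_perms(FIREFOX_RULES, "/usr/lib/firefox-3.5.6/firefox", 0o777, 0, 1000))  # {'r', 'x'}
    # No 'w' on /home/alice/ in the profile, yet creating .mozilla is allowed.
    print(profile_perms(FIREFOX_RULES, "/home/alice/"))  # {'r'}
    print(can_create_dir(FIREFOX_RULES, "/home/alice/.mozilla", 0o755, 1000, 1000))  # True
```

The last two calls are the point of #17: the DAC check is made against the parent directory, while the profile check is made against the path being created, so a `w` rule on `.mozilla/` is sufficient without widening access to the whole home directory.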

  8. #18

    Re: AppArmor Support Thread

    Code:
    Feb 16 10:53:31 linux2009 kernel: [  382.914441] type=1505 audit(1234770811.273:665): operation="profile_replace" name="/usr/bin/xchat" name2="default" pid=7453
    Feb 16 10:53:43 linux2009 kernel: [  395.513632] type=1502 audit(1234770823.873:666): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/sbin/killall5" pid=7460 profile="/usr/bin/xchat"
    Feb 16 10:53:43 linux2009 kernel: [  395.514803] type=1504 audit(1234770823.873:667): operation="exec" info="set profile" pid=7460 profile="null-complain-profile"
    Feb 16 10:53:43 linux2009 kernel: [  395.514830] type=1502 audit(1234770823.873:668): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
    Feb 16 10:53:43 linux2009 kernel: [  395.520025] type=1502 audit(1234770823.877:669): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
    Feb 16 10:53:43 linux2009 kernel: [  395.521749] type=1502 audit(1234770823.881:670): operation="file_permission" requested_mask="::r" denied_mask="::r" fsuid=1000 name="/sbin/killall5" pid=7460 profile="null-complain-profile"
    Feb 16 10:53:43 linux2009 kernel: [  395.525482] type=1502 audit(1234770823.885:671): operation="inode_permission" requested_mask="::x" denied_mask="::x" fsuid=1000 name="/lib/ld-2.8.90.so" pid=7460 profile="null-complain-profile"
    XChat has also asked for killall5.
    What is null-complain-profile?

  9. #19

  10. #20

    Re: AppArmor Support Thread

    Now I have tested with renaming .mozilla. It asks for killall5 with a newly created profile. But just now another user has used Firefox, and at that time it has not asked for killall5!

