Originally Posted by
jbrown96
No this is poor programming on the part of Mozilla or Adobe. I'll break down this error message because I think that it will help people understand Apparmor.
Apparmor is designed to enforce properties on programs, or more correctly on filenames. When you load an Apparmor profile for app X, what you are saying is that the Apparmor service (daemon) should monitor, and potentially restrict, the actions of X. Let's step back for a minute. It's important to recognize that Apparmor doesn't treat X like "Firefox"; instead, X is far more specific and is a location on the file system (i.e. /usr/bin/firefox).
An Apparmor profile deals with a source file(s) and the access that it/they are allowed with other files.
Firefox, ahh /usr/bin/firefox, is trying to read from the (special) file /dev/zero, which is an everlasting supply of the character "0". (Try running "cat /dev/zero". Use Ctrl+c to cancel after you get the picture). However, in the profile for /usr/bin/firefox, there is no rule allowing Firefox to read from /dev/zero.
Now that you have some understanding of the problem. Let's run through the error message for some Apparmor and general Linux information.
This is just the header for a syslog message. We get the date, the hostname of you computer: "bill-desktop," the source of the message: the kernel, and some sequence number from the kernel.
This is just basic information, so you or anyone/anything reading the logs can tell the time, source, and location of the message.
We get the kernel's type of error: 1503. This code is specific for Apparmor. It could've said "type=Apparmor," same thing. We have also been given the Apparmor audit number for this message. Apparmor probably keeps these errors stored elsewhere in more detail. This is like a Dewey decimal code on a library book; you get a summary of the book and the number, then find the full book.
Now we're in the meat of the message. When an application needs memory (RAM), it has to request it from the kernel. There are quite a few ways to do this, but the two primary methods are: malloc and mmap. (These aren't really equal comparisons, but they will work). Malloc is more a method that programs use to get additional memory. Let's say I have a program that will simply print your name. When you enter your name, you can think of that memory as being request from the kernel in a "malloc" operation. On the other hand, let's say my program will play an MP3 file stored on the hard drive. I need to read that file in and play it through the speakers. Getting the memory to store that file as it's being read is an "mmap" operation.
The offending operation was an attempt by a process to "mmap," or read, a file to which it doesn't have access.
Now we get to figure out exactly who did. A PID (Process ID) is a unique number given to every application currently running on your system. The first process is called "init" and is #1; it is the "parent" of all others, which is the second part. Every program was started by another one. We could take this all the way down to the power switch-->BIOS-->GRUB, but that's not germane. Init is the first process and is #1. There's all kinds of things that init starts. All the various services and such on your computer; there's hundreds of programs that execute when the computer boots. Each one of the has a "parent": the program that initiated it. When I log into my system, I have a Bash shell running, which has it's own PID (let's say #1268). If I run a program (let's say emacs), it gets an unused PID (let's say #1344). This instance of emacs also knows its parent. It's a really great way to track how processes run. If I know the PID and PPID (Parent Process ID) of a program that's causing a problem, then I can go to the grandparent, greatgrandparent, etc. until I find the source.
These two pieces of information help us determine exactly which program performed the illegal action.
This tells us which profile prohibited the operation. The firefox profile.
This is technical information about mmap from earlier. The mask "m" means the application tried to invoke the mmap(2) system call (type "man 2 mmap" to read about it). Process 1600 requested "m" access and was denied "m" access. The colons are there to separate other permissions that were not needed.
This tells information about the user running firefox (fsuid). The first regular user id (UID) on an Ubuntu system is 1000. Knowing the hostname and that user 1000 ran this, I'd say your name is Bill. the OUID is the owner of the firefox file. All normally installed programs on Linux are owned by root (UID 0) and users are given read-only access to provide security.
User 1000 was running a program owned by root.
Finally we see the file that Firefox was trying to read. It's wants a bunch of zeros.
Why would Firefox want to mmap, or read, an endless source of zeros? A web browser is constantly downloading data from the internet while you are using it. All of that requires memory. Firefox needs more memory for some operation. It's typical to request large chunks of memory at once because it's a relatively slow operation. Firefox is requesting that part of /dev/zero (that's all zeros) be read into Firefox's memory. Obviously, Firefox has no need for a whole bunch of zeros, but it works out perfectly for network situations. While this chunk of memory could be used for all kinds of things (text, icons, downloaded files, graphics, etc.), let's saw it's an MP3 that you are downloading. Firefox needs some amount of memory to store that file while it's being downloading from the internet and before it's written to disk. This is typically far, far less than the size of the file (It's not like you need to dedicate 700MB of RAM to download a Linux iso); however, there is some memory needed.
Long story short: you need to add something (I don't know Apparmor profiles) to your Firefox Apparmor profile to allow it access to /dev/zero. There isn't a security risk associated with it. What could an attacker do reading an infinite supply of zeros? And there's no way to write to it (you can but it doesn't do anything).
Adv Reply
Bookmarks