TEST CASE:
1. sudo aa-enforce /usr/bin/firefox on a derivative that uses exo
2. download a file
3. in the downloads window, right click on the download and click Open
Note: this is important for Xubuntu, Mythbuntu, and Ubuntu Studio, which all use exo-utils in their default install
With enforce on:
Sep 16 10:16:58 defiant kernel: [53172.876586] type=1400 audit(1316186218.365:44): apparmor="DENIED" operation="exec" parent=9476 profile="/usr/lib/firefox-trunk-9.0a1/firefox{,*[^s][^h]}" name="/usr/bin/exo-open" pid=9477 comm="firefox-trunk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With complain on:
Sep 16 10:19:58 defiant kernel: [53352.603163] type=1400 audit(1316186398.096:48): apparmor="ALLOWED" operation="exec" parent=9696 profile="/usr/lib/firefox-trunk-9.0a1/firefox{,*[^s][^h]}" name="/usr/bin/exo-open" pid=9697 comm="firefox-trunk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib/firefox-trunk-9.0a1/firefox{,*[^s][^h]}//null-1b"
Sep 16 10:19:58 defiant kernel: [53352.692550] type=1400 audit(1316186398.186:49): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/firefox-trunk-9.0a1/firefox{,*[^s][^h]}//null-1b" name="/etc/ld.so.cache" pid=9697 comm="exo-open" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 16 10:19:58 defiant kernel: [53352.692564] type=1400 audit(1316186398.186:50): apparmor="ALLOWED" operation="getattr" parent=1 profile="/usr/lib/firefox-trunk-9.0a1/firefox{,*[^s][^h]}//null-1b" name="/etc/ld.so.cache" pid=9697 comm="exo-open" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 16 10:19:58 defiant kernel: [53352.692623] type=1400 audit(1316186398.186:51): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/firefox-trunk-9.0a1/firefox{,*[^s][^h]}//null-1b" name="/usr/lib/libexo-1.so.0.0.0" pid=9697 comm="exo-open" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 16 10:19:58 defiant kernel: [53352.692645] type=1400 audit(1316186398.186:52): apparmor="ALLOWED" operation="getattr" parent=1 profile="/usr/lib/firefox-trunk-9.0a1/firefox{,*[^s][^h]}//null-1b" name="/usr/lib/libexo-1.so.0.0.0" pid=9697 comm="exo-open" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 16 10:19:58 defiant kernel: [53352.692660] type=1400 audit(1316186398.186:53): apparmor="ALLOWED" operation="file_mmap" parent=1 profile="/usr/lib/firefox-trunk-9.0a1/firefox{,*[^s][^h]}//null-1b" name="/usr/lib/libexo-1.so.0.0.0" pid=9697 comm="exo-open" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
Sep 16 10:19:58 defiant kernel: [53352.705596] type=1400 audit(1316186398.196:54): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/firefox-trunk-9.0a1/firefox{,*[^s][^h]}//null-1b" name="/usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0.2400.6" pid=9697 comm="exo-open" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 16 10:19:58 defiant kernel: [53352.705617] type=1400 audit(1316186398.196:55): apparmor="ALLOWED" operation="getattr" parent=1 profile="/usr/lib/firefox-trunk-9.0a1/firefox{,*[^s][^h]}//null-1b" name="/usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0.2400.6" pid=9697 comm="exo-open" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 16 10:19:58 defiant kernel: [53352.705631] type=1400 audit(1316186398.196:56): apparmor="ALLOWED" operation="file_mmap" parent=1 profile="/usr/lib/firefox-trunk-9.0a1/firefox{,*[^s][^h]}//null-1b" name="/usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0.2400.6" pid=9697 comm="exo-open" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
Sep 16 10:19:58 defiant kernel: [53352.705693] type=1400 audit(1316186398.196:57): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/firefox-trunk-9.0a1/firefox{,*[^s][^h]}//null-1b" name="/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.2990.0" pid=9697 comm="exo-open" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
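The two log excerpts above show the same exec of /usr/bin/exo-open under both modes: in enforce mode the kernel reports apparmor="DENIED", while in complain mode it reports apparmor="ALLOWED" but still carries a denied_mask, and the child process lands in a transient "//null-1b" profile because no rule covered the exec transition. The following is an added example, not code from the bug report or from the apparmor package: a small Python parser that reads these type=1400 audit lines, tells the two outcomes apart, folds the "//null-N" child back into its parent profile, and proposes the rule that would cover each event. For exec events it proposes "ixr", mirroring the fix this bug eventually shipped with; the sample lines are copied from the report and embedded so the script runs offline. The real tool for this job is aa-logprof; this script only illustrates what it has to infer.

```python
import re
from collections import defaultdict

# Constructed sample: the enforce-mode denial and two of the complain-mode
# lines quoted in this bug report, embedded so the parser runs offline.
SAMPLE_LOG = """\
Sep 16 10:16:58 defiant kernel: [53172.876586] type=1400 audit(1316186218.365:44): apparmor="DENIED" operation="exec" parent=9476 profile="/usr/lib/firefox-trunk-9.0a1/firefox{,*[^s][^h]}" name="/usr/bin/exo-open" pid=9477 comm="firefox-trunk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep 16 10:19:58 defiant kernel: [53352.603163] type=1400 audit(1316186398.096:48): apparmor="ALLOWED" operation="exec" parent=9696 profile="/usr/lib/firefox-trunk-9.0a1/firefox{,*[^s][^h]}" name="/usr/bin/exo-open" pid=9697 comm="firefox-trunk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib/firefox-trunk-9.0a1/firefox{,*[^s][^h]}//null-1b"
Sep 16 10:19:58 defiant kernel: [53352.692550] type=1400 audit(1316186398.186:49): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/firefox-trunk-9.0a1/firefox{,*[^s][^h]}//null-1b" name="/etc/ld.so.cache" pid=9697 comm="exo-open" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_value; the audit(...) token has no '=' and
# is skipped, and quoted values may contain globs such as {,*[^s][^h]}.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one kernel audit line into a dict of its key=value fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def outcome(ev):
    """'denied' for an enforce-mode DENIED event, 'would-deny' for a
    complain-mode ALLOWED event that still carries a denied_mask (i.e. what
    enforce mode would have blocked), None for anything else."""
    if ev.get("apparmor") == "DENIED":
        return "denied"
    if ev.get("apparmor") == "ALLOWED" and "denied_mask" in ev:
        return "would-deny"
    return None


def base_profile(profile):
    """Strip a '//null-N' suffix: in complain mode an uncovered exec runs in
    a transient child profile, but once the parent gets an ix rule the child
    inherits the parent's confinement, so the events belong to the parent."""
    return profile.split("//", 1)[0]


def suggest_rule(ev):
    """Propose the profile rule that would cover this event."""
    name = ev["name"]
    if ev.get("operation") == "exec":
        # Execute mode is a policy choice (ix/Px/Ux ...). The fix for this bug
        # used ixr, keeping exo-open under the same confinement as firefox.
        return f"{name} ixr,"
    return f"{name} {ev['denied_mask']},"


def summarize(log_text):
    """Map each base profile to the sorted, de-duplicated rules that would
    cover the denied (or would-be-denied) events found in log_text."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if outcome(ev) is None or "name" not in ev or "profile" not in ev:
            continue
        rules[base_profile(ev["profile"])].add(suggest_rule(ev))
    return {profile: sorted(r) for profile, r in rules.items()}


if __name__ == "__main__":
    for profile, rules in summarize(SAMPLE_LOG).items():
        print(f"profile {profile} would need:")
        for rule in rules:
            print("   ", rule)
```

Run against the embedded sample, the script attributes both the exec of exo-open and the later reads performed inside the "//null-1b" child to the firefox profile, and proposes one "/usr/bin/exo-open ixr," rule plus the read rule for /etc/ld.so.cache. Whether ix is the right execute mode is a policy decision for the profile author; the script only reproduces the choice the bug's fix made.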
This bug was fixed in the package apparmor - 2.7.0-0ubuntu1
---------------
apparmor (2.7.0-0ubuntu1) precise; urgency=low
  * New upstream release. Fixes the following:
    - LP: #794974
    - LP: #815883
    - LP: #840973
  * Drop the following patches, included upstream:
    - af_names-generation.patch
    - 0004-adjust-logprof-log-search-order.patch
    - 0005-lp826914.patch
    - 0006-lp838275.patch
    - 0007-fix-introspection-tests.patch
  * Rename 0003-add-debian-integration-to-lighttpd.patch to 0002
  * debian/patches/0003-commits-through-r1882.patch: several bug,
    documentation and performance fixes on our road to AppArmor 2.8
    (LP: #840734, LP: #905412)
  * debian/patches/0004-lp887992.patch: cups-client abstraction should allow
    owner read of @{HOME}/.cups/client.conf and @{HOME}/.cups/lpoptions
    (LP: #887992)
  * update debian/patches/0001-add-chromium-browser.patch for deeper
    directories of /sys/devices/pci (LP: #885833)
  * debian/patches/0005-lp884748.patch: allow kate as text editor in the
    browsers abstraction (LP: #884748)
  * debian/patches/0006-lp870992.patch: abstractions/fonts should allow access
    to ~/.fonts.conf.d (LP: #870992)
  * debian/patches/0007-lp860856.patch: allow read access to sitecustomize.py
    in the python abstraction, which is needed for apport hooks to work in
    python applications (LP: #860856)
  * debian/patches/0008-lp852062.patch: update binaries for transmission
    clients (LP: #852062)
  * debian/patches/0009-lp851977.patch: allow ixr access to exo-open for
    Xubuntu and friends (LP: #851977)
  * debian/patches/0010-lp890894.patch: allow access to Thunar as well as
    thunar in ubuntu-integration abstraction (LP: #890894)
  * debian/patches/0011-lp817956.patch: update usr.sbin.sshd example profile
    (LP: #817956)
  * debian/patches/0012-lp458922.patch: update dovecot deliver profile to
    access various .conf files for dovecot (LP: #458922)
  * debian/patches/0013-lp769148.patch: allow avahi to do dbus introspection
    (LP: #769148)
  * debian/patches/0014-lp904548.patch: fix typo for multiarch line for gconv
    (LP: #904548)
  * debian/patches/0015-lp712584.patch: Nvidia users need access to
    /dev/nvidia* files for various plugins to work right. Since these are all
    focused around multimedia, add the accesses to the multimedia abstraction.
    (LP: #712584)
  * debian/patches/0016-lp562831.patch: allow fireclam plugin to work
    (LP: #562831)
  * debian/patches/0017-lp662906.patch: allow software-center in the ubuntu
    integration browser abstraction (LP: #662906)
  * debian/patches/0018-deny-home-pki-so.patch: update private-files
    abstraction to deny write and link to ~/.pki/nssdb/*so files (LP: #911847)
  * debian/patches/0019-lp899963.patch: add audacity to the media-players
    abstraction (LP: #899963)
    ubuntu-
  * debian/patches/0020-lp912754a.patch, 0021-lp912754b.patch: add p11-kit
    abstraction and add it to the authentication abstraction (LP: #912754)
  * debian/patches/0022-workaround-lp851986.patch: instead of using Ux
    in the ubuntu and launchpad abstractions, use a helper child profile.
    This will help work around the lack of en...