firefox profile fails to load when java abstraction is enabled

Bug #945019 reported by Jonathan Davies
This bug affects 4 people
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Jamie Strandboge

Bug Description

Apparmor fails with the following after the latest upgrade on Precise:

apparmor (2.7.99-0ubuntu2) wird eingerichtet ...
Neue Version der Konfigurationsdatei /etc/apparmor.d/abstractions/fonts wird installiert ...
Neue Version der Konfigurationsdatei /etc/apparmor.d/abstractions/X wird installiert ...
Neue Version der Konfigurationsdatei /etc/apparmor.d/abstractions/ubuntu-browsers.d/java wird installiert ...
 * Starting AppArmor profiles Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile /usr/lib/firefox-11.0/firefox{,*[^s][^h]}, failed to load
                                                                                   [fail]
invoke-rc.d: initscript apparmor, action "start" failed.
 * Reloading AppArmor profiles Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile /usr/lib/firefox-11.0/firefox{,*[^s][^h]}, failed to load
                                                                                   [fail]
invoke-rc.d: initscript apparmor, action "reload" failed.

Jonathan Davies (jpds)
Changed in apparmor (Ubuntu):
status: New → Incomplete
status: Incomplete → Triaged
importance: Undecided → High
Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → ubuntu-12.04-beta-2
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

If default-jre-headless is installed, the following line in /etc/apparmor.d/abstractions/ubuntu-browsers.d/java causes the parser to fail:
/usr/lib/jvm/java-6-openjdk*/jre/bin/java cx -> browser_openjdk,

Changing this to the following allows it to succeed:
/usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> browser_openjdk,
/usr/lib/jvm/java-6-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk,

Interestingly, using:
/usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> browser_openjdk,
/usr/lib/jvm/java-6-openjdk-*/jre/bin/java cx -> browser_openjdk,

also fails, which is curious as the directories with default-jre-headless installed are:
$ ls -1 /usr/lib/jvm/
default-java
java-1.6.0-openjdk
java-1.6.0-openjdk-amd64
java-6-openjdk
java-6-openjdk-amd64
java-6-openjdk-common
java-7-openjdk-amd64

But without are:
$ ls -1 /usr/lib/jvm/
java-1.6.0-openjdk-amd64
java-6-openjdk-amd64
java-6-openjdk-common
java-7-openjdk-amd64

/usr/lib/jvm/java-6-openjdk-*/ should work out to the same directories as /usr/lib/jvm/java-6-openjdk-{amd64,armel,armhf,common,i386,powerpc}/, but the parser doesn't like it.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.99-0ubuntu3

---------------
apparmor (2.7.99-0ubuntu3) precise; urgency=low

  * debian/patches/0009-lp943161.patch: update to not fail when
    default-jre-headless is installed (LP: #945019)
 -- Jamie Strandboge <email address hidden> Fri, 02 Mar 2012 12:47:03 -0600

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
summary: - apparmor 2.7.99-0ubuntu2 fails after latest upgrade
+ firefox profile fails to load when default-jre-headless is installed
dino99 (9d9) wrote : Re: firefox profile fails to load when default-jre-headless is installed

default-jre-headless is not installed on my system (see bug #945022)

dino99 (9d9) wrote :

I'm using java6 (ferramroberto ppa) and openjdk is not installed at all, so this issue might have some other source(s).

Jamie Strandboge (jdstrand) wrote :

The default-jre-headless was a red herring (my testing apparently failed). However, why this works:
/usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> browser_openjdk,
/usr/lib/jvm/java-6-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk,

but this does not:
/usr/lib/jvm/java-6-openjdk*/jre/bin/java cx -> browser_openjdk,

is still confusing.

summary: - firefox profile fails to load when default-jre-headless is installed
+ firefox profile fails to load when java abstraction is enabled
dino99 (9d9) wrote :

Thanks Jamie

Will this new package land in the builders queue? (The queue is empty and I do not see it.)

dino99 (9d9) wrote :

I hope that the new apparmor settings built into kernel 3.2.0-18-28 will not conflict (I'm already using it from the pre-proposed ppa).

Jamie Strandboge (jdstrand) wrote :

dino99, no it won't conflict with that kernel and it looks like it is already built: https://launchpad.net/ubuntu/+source/apparmor/2.7.99-0ubuntu3

dino99 (9d9) wrote :

OK, received it and the installation does not complain :) Sorry for the previous comments, they can be forgotten now.

John Johansen (jjohansen) wrote :

The reason there is no conflict for
 1. /usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> browser_openjdk,
 2. /usr/lib/jvm/java-6-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk,
but there is for
 3. /usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> browser_openjdk,
 4. /usr/lib/jvm/java-6-openjdk*/jre/bin/java cx -> browser_openjdk,

is that there is an intersection where both rules match
    /usr/lib/jvm/java-6-openjdk/jre/bin/java

While this should be allowed, as they specify the same transition and permissions, there appears to be a bug with the exec permissions tracking in the apparmor parser so that this intersection is being rejected as having conflicting x permissions.

Steve Beattie (sbeattie) wrote :

The issue is that

  /usr/lib/jvm/java-6-openjdk*/jre/bin/java

overlaps with the immediately following line

  /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm}

and they have different cx targets.
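
The overlap described in the last comment can be checked before a profile is loaded. The Python below is an added example, not part of the bug thread and not the apparmor parser's code: it tests whether two path globs can match the same path and reports rule pairs that overlap while disagreeing on exec mode or target. It assumes only `*`, `**`, `?` and non-nested `{a,b}` (no character classes or escapes), and `other_profile` is a placeholder because the thread does not show the target of the sun rule.

```python
import re
from functools import lru_cache
from itertools import combinations

WILD, STARS = ("*", "**", "?"), ("*", "**")

def expand_braces(pat):
    """Expand non-nested {a,b} alternations into plain globs."""
    start = pat.find("{")
    if start < 0:
        return [pat]
    end = pat.index("}", start)
    return [g for alt in pat[start + 1:end].split(",")
            for g in expand_braces(pat[:start] + alt + pat[end + 1:])]

def shares_char(x, y):
    """True if tokens x and y can both match some single character."""
    if x not in WILD and y not in WILD:
        return x == y
    return "/" not in (x, y) or "**" in (x, y)  # only ** crosses a '/'

def globs_overlap(a, b):
    """True if at least one path is matched by both globs."""
    # Tokens are '**', '*', '?' or one literal character; None marks the end.
    ta, tb = (re.findall(r"\*\*|.", g) + [None] for g in (a, b))
    @lru_cache(maxsize=None)
    def go(i, j):
        x, y = ta[i], tb[j]
        if x is None and y is None:
            return True
        if (x in STARS and go(i + 1, j)) or (y in STARS and go(i, j + 1)):
            return True  # a star may match the empty string
        if x is None or y is None or (x in STARS and y in STARS):
            return False
        return shares_char(x, y) and go(i + (x not in STARS), j + (y not in STARS))
    return go(0, 0)

def exec_conflicts(rules):
    """Pairs of (glob, mode, target) rules that overlap but differ in mode/target."""
    return [(r1[0], r2[0]) for r1, r2 in combinations(rules, 2)
            if r1[1:] != r2[1:] and any(globs_overlap(a, b)
                for a in expand_braces(r1[0]) for b in expand_braces(r2[0]))]

# Rule paths are taken from the thread; "other_profile" is a placeholder target.
SUN = ("/usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm}", "cx", "other_profile")
BROKEN = [("/usr/lib/jvm/java-6-openjdk*/jre/bin/java", "cx", "browser_openjdk"), SUN]
FIXED = [("/usr/lib/jvm/java-6-openjdk/jre/bin/java", "cx", "browser_openjdk"),
         ("/usr/lib/jvm/java-6-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java",
          "cx", "browser_openjdk"), SUN]
```

`exec_conflicts(BROKEN)` reports the `java-6-openjdk*` rule against the sun rule, since a directory name such as `java-6-openjdk-sun-1.0` satisfies both globs, while `exec_conflicts(FIXED)` is empty because the brace list can no longer match a name containing `-sun-1.`.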
