Comment 1 for bug 1241513

Revision history for this message
Sebastian Lackner (slackner) wrote : Re: [Bug 1241513] [NEW] AppArmor breaks plugin installation

Hi,

unfortunately its not possible to use Pipelight when Apparmor is enabled
and configured too strict. Based on the way pipelight works it needs to
execute external programs (e.g. the installer script, the windows
silverlight plugin, ...) which is obviously blocked by your Apparmor
profile. Similar problems also occur when running SELinux.

The output shows that you Apparmor assumes Pipelight is just a regular
browser plugin, and thus isn't allowed to execute the required commands. Do
you have configured anything special, or is this the default configuration
for your Ubuntu distribution?

So far noone else experienced this issue, because probably most other
people have configured Apparmor less strict or completely disabled it. I'll
take a closer look at this problem later and will try to find out, which
exceptions are exactly necessary.

Sebastian

2013/10/18 Adam Porter <email address hidden>

> Public bug reported:
>
> I'm using Raring. AppArmor is breaking installation. How does it work
> for anyone in Ubuntu?
>
> [525586.920163] type=1400 audit(1382094229.267:57): apparmor="DENIED"
> operation="exec" parent=9596 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/hw-accel-default" pid=9633 comm="firefox"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [525586.927659] type=1400 audit(1382094229.271:58): apparmor="DENIED"
> operation="exec" parent=9596 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/install-dependency" pid=9634 comm="firefox"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [525656.004959] type=1400 audit(1382094298.352:59): apparmor="DENIED"
> operation="exec" parent=9713 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/hw-accel-default" pid=9717
> comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [525656.008875] type=1400 audit(1382094298.356:60): apparmor="DENIED"
> operation="exec" parent=9713 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/install-dependency" pid=9718
> comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [525656.017773] type=1400 audit(1382094298.364:61): apparmor="DENIED"
> operation="open" parent=9600 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/etc/issue" pid=9713 comm="plugin-containe" requested_mask="r"
> denied_mask="r" fsuid=1000 ouid=0
> [525719.962174] type=1400 audit(1382094362.309:62): apparmor="DENIED"
> operation="open" parent=9600 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/etc/issue" pid=9713 comm="plugin-containe" requested_mask="r"
> denied_mask="r" fsuid=1000 ouid=0
> [525847.269813] type=1400 audit(1382094489.615:63): apparmor="DENIED"
> operation="open" parent=9600 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/etc/issue" pid=9713 comm="plugin-containe" requested_mask="r"
> denied_mask="r" fsuid=1000 ouid=0
> [526597.501260] type=1400 audit(1382095239.850:64): apparmor="DENIED"
> operation="open" parent=11475
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/kde4/kdeglobals"
> pid=10559 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=0
> [526598.624700] type=1400 audit(1382095240.970:65): apparmor="DENIED"
> operation="exec" parent=10559
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/hw-accel-default" pid=10580 comm="firefox"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [526598.631912] type=1400 audit(1382095240.974:66): apparmor="DENIED"
> operation="exec" parent=10559
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/install-dependency" pid=10581 comm="firefox"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [526774.061561] type=1400 audit(1382095416.408:67): apparmor="DENIED"
> operation="open" parent=26945
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/kde4/kdeglobals"
> pid=10840 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=0
> [526986.976129] type=1400 audit(1382095629.323:68): apparmor="DENIED"
> operation="open" parent=26945
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/kde4/kdeglobals"
> pid=11291 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=0
> [526987.585758] type=1400 audit(1382095629.931:69): apparmor="DENIED"
> operation="exec" parent=11291
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/hw-accel-default" pid=11312 comm="firefox"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [526987.594351] type=1400 audit(1382095629.939:70): apparmor="DENIED"
> operation="exec" parent=11291
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/install-dependency" pid=11313 comm="firefox"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
>
> ** Affects: pipelight
> Importance: Undecided
> Status: New
>
> --
> You received this bug notification because you are subscribed to
> Pipelight.
> Matching subscriptions: pipelight
> https://bugs.launchpad.net/bugs/1241513
>
> Title:
> AppArmor breaks plugin installation
>
> Status in Pipelight:
> New
>
> Bug description:
> I'm using Raring. AppArmor is breaking installation. How does it
> work for anyone in Ubuntu?
>
> [525586.920163] type=1400 audit(1382094229.267:57): apparmor="DENIED"
> operation="exec" parent=9596 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/hw-accel-default" pid=9633 comm="firefox"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [525586.927659] type=1400 audit(1382094229.271:58): apparmor="DENIED"
> operation="exec" parent=9596 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/install-dependency" pid=9634 comm="firefox"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [525656.004959] type=1400 audit(1382094298.352:59): apparmor="DENIED"
> operation="exec" parent=9713 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/hw-accel-default" pid=9717
> comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [525656.008875] type=1400 audit(1382094298.356:60): apparmor="DENIED"
> operation="exec" parent=9713 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/install-dependency" pid=9718
> comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [525656.017773] type=1400 audit(1382094298.364:61): apparmor="DENIED"
> operation="open" parent=9600 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/etc/issue" pid=9713 comm="plugin-containe" requested_mask="r"
> denied_mask="r" fsuid=1000 ouid=0
> [525719.962174] type=1400 audit(1382094362.309:62): apparmor="DENIED"
> operation="open" parent=9600 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/etc/issue" pid=9713 comm="plugin-containe" requested_mask="r"
> denied_mask="r" fsuid=1000 ouid=0
> [525847.269813] type=1400 audit(1382094489.615:63): apparmor="DENIED"
> operation="open" parent=9600 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/etc/issue" pid=9713 comm="plugin-containe" requested_mask="r"
> denied_mask="r" fsuid=1000 ouid=0
> [526597.501260] type=1400 audit(1382095239.850:64): apparmor="DENIED"
> operation="open" parent=11475
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/kde4/kdeglobals"
> pid=10559 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=0
> [526598.624700] type=1400 audit(1382095240.970:65): apparmor="DENIED"
> operation="exec" parent=10559
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/hw-accel-default" pid=10580 comm="firefox"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [526598.631912] type=1400 audit(1382095240.974:66): apparmor="DENIED"
> operation="exec" parent=10559
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/install-dependency" pid=10581 comm="firefox"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [526774.061561] type=1400 audit(1382095416.408:67): apparmor="DENIED"
> operation="open" parent=26945
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/kde4/kdeglobals"
> pid=10840 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=0
> [526986.976129] type=1400 audit(1382095629.323:68): apparmor="DENIED"
> operation="open" parent=26945
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/kde4/kdeglobals"
> pid=11291 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=0
> [526987.585758] type=1400 audit(1382095629.931:69): apparmor="DENIED"
> operation="exec" parent=11291
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/hw-accel-default" pid=11312 comm="firefox"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [526987.594351] type=1400 audit(1382095629.939:70): apparmor="DENIED"
> operation="exec" parent=11291
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/install-dependency" pid=11313 comm="firefox"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/pipelight/+bug/1241513/+subscriptions
>