AppArmor problem: the IcedTea plugin freezes Firefox (35.0.1)

2

EDIT5: in the end, it is probably an AppArmor problem.

/usr/lib/firefox/firefox{,*[^s][^h]}

is indeed in complain mode, but

/usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper

are in enforce mode. I don't know how to switch them to complain. The only profile I have in /etc/apparmor.d/ is usr.bin.firefox (with /usr/bin/firefox apparently being a link to /usr/lib/firefox/firefox.sh), and I did sudo aa-complain /etc/apparmor.d/usr.bin.firefox. There is a bug report (link) marked as 'fix released', but I don't seem to be benefiting from the fix :-)

One solution was to follow the method stated here, How to use the Firefox AppArmor profile with the IcedTea Java plugin on Ubuntu 14.04?, that is, to completely disable the Firefox profile:

sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox
sudo service apparmor reload

But, as stated by the OP, this is not a satisfactory solution... And so far, nobody has proposed a better one...

Here are the AppArmor DENIED messages:

type=AVC msg=audit(1424428803.909:134): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-franck-OzMRPQ/4468-icedteanp-plugin-debug-to-appletviewer" pid=4513 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428803.909:135): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-franck-OzMRPQ/4468-icedteanp-plugin-to-appletviewer" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.046:136): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/usr/bin/logger" pid=4514 comm="java" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

type=AVC msg=audit(1424428804.395:137): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/proc/4477/cmdline" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.406:138): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4480 comm="java" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.407:139): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4480 comm="java" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.407:140): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4480 comm="java" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.407:141): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4480 comm="java" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.408:142): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=4517 comm=64636F6E6620776F726B6572 family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-VT8SEPjAqx" peer="unconfined"

type=AVC msg=audit(1424428804.408:143): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4517 comm=64636F6E6620776F726B6572 requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.408:144): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4517 comm=64636F6E6620776F726B6572 requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.880:145): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=4480 comm="java" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-VT8SEPjAqx" peer="unconfined"

type=AVC msg=audit(1424428804.881:146): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=4480 comm="java" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-VT8SEPjAqx" peer="unconfined"

type=AVC msg=audit(1424428804.929:147): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=4480 comm="java" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-VT8SEPjAqx" peer="unconfined"

type=AVC msg=audit(1424428804.931:148): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=4480 comm="java" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-VT8SEPjAqx" peer="unconfined"

type=AVC msg=audit(1424428805.106:149): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/proc/sys/net/ipv4/ip_local_port_range" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=AVC msg=audit(1424428805.106:150): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/proc/sys/net/ipv4/ip_local_port_range" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=AVC msg=audit(1424428805.929:151): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/home/franck/.mozilla/firefox/profiles.ini" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428805.930:152): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/usr/bin/logger" pid=4519 comm="java" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

type=AVC msg=audit(1424428805.981:153): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/usr/bin/logger" pid=4520 comm="java" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

=============================================== ==============================

I need to use Java applets to access some customers' VPN portals, and I am trying to use the IcedTea plugin on Ubuntu 14.10 / Firefox 35.0.1.

Whenever I try to run an applet, Firefox freezes for some time. It can take a long while, and I may need to kill Firefox.

This seems to happen with every applet I try, for example with all the applets found here link.

I cannot find any .icedtea directory with logs.

Running Firefox from the terminal gives some information:

java version "1.7.0_75"
OpenJDK Runtime Environment (IcedTea 2.5.4) (7u75-2.5.4-1~utopic1)
OpenJDK 64-Bit Server VM (build 24.75-b04, mixed mode)
java.io.FileNotFoundException: /run/user/1000/icedteaplugin-franck-2KgVYB/2434-icedteanp-plugin-to-appletviewer (Permission non accordée)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:146)
    at java.io.FileInputStream.<init>(FileInputStream.java:101)
    at sun.applet.PluginMain.connect(PluginMain.java:186)
    at sun.applet.PluginMain.main(PluginMain.java:148)
<snip>
Something very bad happened. I don't know what to do, so I am going to exit :(

###!!! [Parent][MessageChannel::Call] Error: Channel timeout: cannot send/recv

Any idea how to fix this?

EDIT: I made sure that AppArmor is in complain mode, not enforce mode, for Firefox.

EDIT2: I ran 'firefox -g' again, but did not get much more information. Here is the output when running the applet:

[New Thread 0x7ffd5a3fe700 (LWP 5254)]
java version "1.7.0_75"
OpenJDK Runtime Environment (IcedTea 2.5.4) (7u75-2.5.4-1~utopic1)
OpenJDK 64-Bit Server VM (build 24.75-b04, mixed mode)
java.io.FileNotFoundException: /run/user/1000/icedteaplugin-franck-s7zldV/5255-icedteanp-plugin-to-appletviewer (Permission non accordée)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:146)
    at java.io.FileInputStream.<init>(FileInputStream.java:101)
    at sun.applet.PluginMain.connect(PluginMain.java:186)
    at sun.applet.PluginMain.main(PluginMain.java:148)


(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée.  dconf will not work properly.
(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée.  dconf will not work properly.
(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée.  dconf will not work properly.
(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée.  dconf will not work properly.
(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée.  dconf will not work properly.
(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée.  dconf will not work properly.
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
Unable to use Firefox's proxy settings. Using "DIRECT" as proxy type.
Something very bad happened. I don't know what to do, so I am going to exit :(

###!!! [Parent][MessageChannel::Call] Error: Channel timeout: cannot send/recv

And here is the output of an ls:

~$ ls -l /run/user/1000/icedteaplugin-franck-s7zldV/5255-icedteanp-plugin-to-appletviewer
prw------- 1 franck franck 0 févr. 18 09:41 /run/user/1000/icedteaplugin-franck-s7zldV/5255-icedteanp-plugin-to-appletviewer

EDIT4: it may be related to this link

    
by alci 17.02.2015 / 19:39

2 answers

2

First, put the subprofiles in complain mode. You can do this manually by adding flags=(complain) to the profile.

eg.
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_java flags=(complain) {
   ...
}

Once that is done, reload the profile.

Now, as a first pass at the rules, you will need to add the following to /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk to fix the listed denials. Please note that there may be more denied messages after these are added. Also, you should check /var/log/syslog for denied messages, because Ubuntu has enabled extended dbus mediation and its denials do not go to the kernel ring buffer. Also, the profile must be reloaded to make sure the new rules are added.

/usr/bin/logger Pix, # choose transition that makes sense for your profiles

/proc/sys/net/ipv4/ip_local_port_range r,
/proc/@{pid}/cmdline r,

owner @{HOME}/.mozilla/firefox/profiles.ini r,
owner /run/user/1000/dconf/user rw,
owner /run/user/1000/icedteaplugin-franck-OzMRPQ/4468-icedteanp-plugin-to-appletviewer r,

unix peer=(addr=@/tmp/dbus-* label=unconfined),
    
by John Johansen 26.02.2015 / 23:24
1

You can add the following rules to your ..../browser_openjdk profile:

owner /run/user/*/icedteaplugin-*/* r,
/usr/bin/logger Pix,
@{PROC}/@{pid}/cmdline r,
owner /run/user/*/dconf/user rw,
@{PROC}/sys/net/ipv4/ip_local_port_range r,
owner @{HOME}/.mozilla/firefox/profiles.ini r,
unix (send, receive, connect),

I would be a bit worried about these privileges; I don't know everything that is stored in dconf, but I would be reluctant to give it to every Java applet on the web. Allowing Java to connect to unconfined processes via Unix domain sockets might also be a way to escape.

Thanks

    
by sarnold 26.02.2015 / 20:26
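
The first pass that both answers did by hand, turning DENIED records into candidate rules for the subprofile, can be scripted so that per-session paths are generalized and the risky grants are held back for review. This is an added example, not code from either answer or from AppArmor's own tooling; the profile name `ff//browser_openjdk`, the sample records and the function names are constructed, and the substitution patterns are assumptions about which path parts change between sessions.

```python
import re
from collections import defaultdict

P = 'apparmor="DENIED" profile="ff//browser_openjdk"'  # constructed sample records
SAMPLE = f'''
type=AVC {P} operation="open" name="/run/user/1000/icedteaplugin-u-AbCdEf/44-icedteanp-plugin-to-appletviewer" comm="java" denied_mask="r" fsuid=1000 ouid=1000
type=AVC {P} operation="open" name="/run/user/1000/dconf/user" comm=64636F6E6620776F726B6572 denied_mask="wrc" fsuid=1000 ouid=1000
type=AVC {P} operation="open" name="/proc/4477/cmdline" comm="java" denied_mask="r" fsuid=1000 ouid=1000
type=AVC {P} operation="open" name="/proc/sys/net/ipv4/ip_local_port_range" comm="java" denied_mask="r" fsuid=1000 ouid=0
type=AVC {P} operation="exec" name="/usr/bin/logger" comm="java" denied_mask="x" fsuid=1000 ouid=0
type=AVC {P} operation="connect" comm="java" family="unix" sock_type="stream" denied_mask="send connect" peer_addr="@/tmp/dbus-AbCdEfGh" peer="unconfined"
'''
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SUBS = [(r"^/run/user/\d+/", "/run/user/*/"), (r"/icedteaplugin-[^/]+/.*$", "/icedteaplugin-*/*"),
        (r"^/proc/\d+/", "@{PROC}/@{pid}/"), (r"^/proc/", "@{PROC}/"),
        (r"^/home/[^/]+/", "@{HOME}/"), (r"^@/tmp/dbus-.*$", "@/tmp/dbus-*")]

def parse(line):
    """Fields of one DENIED record (hex-encoded comm decoded), else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    f = dict(KV.findall(line))
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", f.get("comm", "")):  # unquoted => hex
        f["comm"] = bytes.fromhex(f["comm"]).decode("utf-8", "replace")
    return {k: v.strip('"') for k, v in f.items()}

def generalize(path):  # uid, pid and random suffixes -> globs / profile variables
    for pat, repl in SUBS:
        path = re.sub(pat, repl, path)
    return path

def candidate_rules(log_text):
    """Map profile -> sorted candidate lines; risky grants become REVIEW comments."""
    out, files = defaultdict(set), defaultdict(set)  # files: (profile, path) -> perms
    for f in filter(None, map(parse, log_text.splitlines())):
        prof, mask = f["profile"], f.get("denied_mask", "")
        if f.get("family") == "unix":
            out[prof].add(f"# REVIEW unix {f.get('sock_type')} socket ({mask}) to "
                          f"peer={f.get('peer')} addr={generalize(f.get('peer_addr', '?'))}")
        elif "x" in mask:
            out[prof].add(f"# REVIEW exec {f['name']}: pick a transition (ix, Pix, Cx)")
        elif "name" in f:
            owner = "owner " if f.get("fsuid") == f.get("ouid") else ""
            # Log masks 'c' (create) and 'd' (delete) fall under profile perm 'w'.
            perms = {"w" if c in "wcd" else c for c in mask if c in "rwcd"}
            files[prof, owner + generalize(f["name"])] |= perms
    for (prof, path), perms in files.items():
        out[prof].add(f"{path} {''.join(sorted(perms))},")
    return {prof: sorted(lines) for prof, lines in out.items()}
```

Exec and unix-socket denials come out as comments rather than rules, because those are the grants the second answer is wary of handing to every applet.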