AppArmor issue: IcedTea plugin freezes Firefox (35.0.1)


EDIT5: In the end this may be an AppArmor problem.

/usr/lib/firefox/firefox{,*[^s][^h]}

is indeed in complain mode, but

/usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper

are in enforce mode. I don't know how to switch them to complain. The only profile I have in /etc/apparmor.d/ is usr.bin.firefox (/usr/bin/firefox is apparently a link to /usr/lib/firefox/firefox.sh), and I ran sudo aa-complain /etc/apparmor.d/usr.bin.firefox. There is a bug report https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1293439 marked 'Fix Released', but I don't seem to like this fix :-)

A workaround is the one described in How can I use the Firefox AppArmor profile together with the IcedTea Java plugin on Ubuntu 14.04?, i.e. disabling the Firefox profile entirely:

sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox
sudo service apparmor reload

But as the original poster of that question says, this is not a satisfying solution... and so far nobody has come up with anything better...

Here are the "DENIED" messages from AppArmor:

type=AVC msg=audit(1424428803.909:134): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-franck-OzMRPQ/4468-icedteanp-plugin-debug-to-appletviewer" pid=4513 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428803.909:135): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-franck-OzMRPQ/4468-icedteanp-plugin-to-appletviewer" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.046:136): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/usr/bin/logger" pid=4514 comm="java" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

type=AVC msg=audit(1424428804.395:137): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/proc/4477/cmdline" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.406:138): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4480 comm="java" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.407:139): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4480 comm="java" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.407:140): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4480 comm="java" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.407:141): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4480 comm="java" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.408:142): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=4517 comm=64636F6E6620776F726B6572 family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-VT8SEPjAqx" peer="unconfined"

type=AVC msg=audit(1424428804.408:143): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4517 comm=64636F6E6620776F726B6572 requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.408:144): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4517 comm=64636F6E6620776F726B6572 requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.880:145): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=4480 comm="java" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-VT8SEPjAqx" peer="unconfined"

type=AVC msg=audit(1424428804.881:146): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=4480 comm="java" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-VT8SEPjAqx" peer="unconfined"

type=AVC msg=audit(1424428804.929:147): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=4480 comm="java" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-VT8SEPjAqx" peer="unconfined"

type=AVC msg=audit(1424428804.931:148): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=4480 comm="java" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-VT8SEPjAqx" peer="unconfined"

type=AVC msg=audit(1424428805.106:149): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/proc/sys/net/ipv4/ip_local_port_range" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=AVC msg=audit(1424428805.106:150): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/proc/sys/net/ipv4/ip_local_port_range" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=AVC msg=audit(1424428805.929:151): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/home/franck/.mozilla/firefox/profiles.ini" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428805.930:152): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/usr/bin/logger" pid=4519 comm="java" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

type=AVC msg=audit(1424428805.981:153): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/usr/bin/logger" pid=4520 comm="java" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

=============================================================================

I need to use a Java applet to access some client VPN portals, and I'm trying to use the IcedTea plugin on Ubuntu 14.10 / Firefox 35.0.1.

Whenever I try to run an applet, Firefox freezes for a while. This can last quite long, and I may have to kill Firefox.

This seems to happen with every applet I try, e.g. each of the ones found here http://icedtea.classpath.org/wiki/IcedTea-Web-Tests

I can't find any .icedtea directory with logs.

Running Firefox from a terminal gives me some information:

java version "1.7.0_75"
OpenJDK Runtime Environment (IcedTea 2.5.4) (7u75-2.5.4-1~utopic1)
OpenJDK 64-Bit Server VM (build 24.75-b04, mixed mode)
java.io.FileNotFoundException: /run/user/1000/icedteaplugin-franck-2KgVYB/2434-icedteanp-plugin-to-appletviewer (Permission non accordée)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:146)
    at java.io.FileInputStream.<init>(FileInputStream.java:101)
    at sun.applet.PluginMain.connect(PluginMain.java:186)
    at sun.applet.PluginMain.main(PluginMain.java:148)
<snip>
Something very bad happened. I don't know what to do, so I am going to exit :(

###!!! [Parent][MessageChannel::Call] Error: Channel timeout: cannot send/recv

Any idea how to fix this?

EDIT: I made sure that AppArmor is in complain mode for Firefox, not enforce mode.

EDIT2: Re-ran with "firefox -g" but didn't get any more information. Here is the output when running an applet:

[New Thread 0x7ffd5a3fe700 (LWP 5254)]
java version "1.7.0_75"
OpenJDK Runtime Environment (IcedTea 2.5.4) (7u75-2.5.4-1~utopic1)
OpenJDK 64-Bit Server VM (build 24.75-b04, mixed mode)
java.io.FileNotFoundException: /run/user/1000/icedteaplugin-franck-s7zldV/5255-icedteanp-plugin-to-appletviewer (Permission non accordée)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:146)
    at java.io.FileInputStream.<init>(FileInputStream.java:101)
    at sun.applet.PluginMain.connect(PluginMain.java:186)
    at sun.applet.PluginMain.main(PluginMain.java:148)


(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée.  dconf will not work properly.
(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée.  dconf will not work properly.
(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée.  dconf will not work properly.
(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée.  dconf will not work properly.
(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée.  dconf will not work properly.
(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée.  dconf will not work properly.
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
Unable to use Firefox's proxy settings. Using "DIRECT" as proxy type.
Something very bad happened. I don't know what to do, so I am going to exit :(

###!!! [Parent][MessageChannel::Call] Error: Channel timeout: cannot send/recv

Here is the output of ls:

~$ ls -l /run/user/1000/icedteaplugin-franck-s7zldV/5255-icedteanp-plugin-to-appletviewer
prw------- 1 franck franck 0 févr. 18 09:41 /run/user/1000/icedteaplugin-franck-s7zldV/5255-icedteanp-plugin-to-appletviewer

EDIT4: Possibly related to this https://bugzilla.redhat.com/show_bug.cgi?id=976833

Answer 1

First, put the child profiles into complain mode. You can do this manually by adding flags=(complain) to the profile.

e.g.
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_java flags=(complain) {
   ...
}

Reload the profile when done.

Now, first you need to add rules to /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk to fix the listed denials. Note that after adding these rules, more denials may show up. You should also check /var/log/syslog for denials, since Ubuntu has extended dbus mediation enabled and its denials do not go to the kernel ring buffer. Also, the profile should be reloaded to make sure the new rules are added.

/usr/bin/logger Pix, # choose transition that makes sense for your profiles

/proc/sys/net/ipv4/ip_local_port_range r,
/proc/@{pid}/cmdline r,

owner @{HOME}/.mozilla/firefox/profiles.ini r,
owner /run/user/1000/dconf/user rw,
owner /run/user/1000/icedteaplugin-franck-OzMRPQ/4468-icedteanp-plugin-to-appletviewer r,

unix peer=(addr=@/tmp/dbus-* label=unconfined),

Answer 2

You could try adding the following rules to the child profile .../browser_openjdk

owner /run/user/*/icedteaplugin-*/* r,
/usr/bin/logger Pix,
@{PROC}/@{pid}/cmdline r,
owner /run/user/*/dconf/user rw,
@{PROC}/sys/net/ipv4/ip_local_port_range r,
owner @{HOME}/.mozilla/firefox/profiles.ini r,
unix (send, receive, connect),

I'm a bit worried about these permissions. I don't know everything that is stored in dconf, but I'm not keen on giving it to every Java applet on the web. Allowing Java to connect to unconfined processes over Unix domain sockets could also be an escape route.

Thanks
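The rule-writing procedure from both answers (read each denial, generalise the concrete path, derive the permissions, then review what the rule actually grants), as an added example that is not part of the original post and not AppArmor's own tooling. It parses a constructed sample built from the denials quoted in the question and prints a candidate fragment for the browser_openjdk child profile. The path generalisations (@{HOME}, @{PROC}/@{pid}, /run/user/*, icedteaplugin-*/*), the Pix transition for /usr/bin/logger and the two risk flags are assumptions of this example, not AppArmor output; aa-logprof is the supported way to do the same interactively.

```python
"""Turn AppArmor "DENIED" audit records into candidate rules for a child profile.

Added example, not code from the original post or from the AppArmor project.
It does by hand what aa-logprof does interactively: parse each record,
generalise the concrete path with the variables the answers use (@{HOME},
@{PROC}, @{pid}, /run/user/*), derive the permission string, and flag the
rules that widen the sandbox. The path rewrites and the Pix transition are
assumptions a practitioner would review before loading the profile.
"""
import re

# Constructed sample: a subset of the denials quoted in the question, one per distinct rule.
SAMPLE_LOG = """\
type=AVC msg=audit(1424428803.909:135): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-franck-OzMRPQ/4468-icedteanp-plugin-to-appletviewer" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1424428804.046:136): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/usr/bin/logger" pid=4514 comm="java" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1424428804.395:137): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/proc/4477/cmdline" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1424428804.406:138): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4480 comm="java" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
type=AVC msg=audit(1424428804.408:142): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=4517 comm=64636F6E6620776F726B6572 family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-VT8SEPjAqx" peer="unconfined"
type=AVC msg=audit(1424428805.106:149): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/proc/sys/net/ipv4/ip_local_port_range" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1424428805.929:151): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/home/franck/.mozilla/firefox/profiles.ini" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

AUDIT_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    fields = {}
    for m in AUDIT_KV.finditer(line):
        key, raw, quoted = m.groups()
        if quoted is None and key == 'comm' and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
            # audit hex-encodes comm when it contains a space ("dconf worker" in the sample)
            raw = bytes.fromhex(raw).decode('ascii', 'replace')
        fields[key] = raw if quoted is None else quoted
    return fields


def generalise_path(name, owner_match):
    """Rewrite a concrete path with profile variables (heuristics, an assumption of this example)."""
    path = re.sub(r'^/home/[^/]+/', '@{HOME}/', name)
    path = re.sub(r'^/proc/\d+/', '@{PROC}/@{pid}/', path)
    path = re.sub(r'^/proc/', '@{PROC}/', path)
    path = re.sub(r'^/run/user/\d+/', '/run/user/*/', path)
    # IcedTea creates a per-session directory and per-plugin FIFOs with random names
    path = re.sub(r'/icedteaplugin-[^/]+/[^/]+$', '/icedteaplugin-*/*', path)
    # 'owner' only where the file is the user's own and the prefix is per-user anyway
    prefix = 'owner ' if owner_match and path.startswith(('@{HOME}/', '/run/user/')) else ''
    return prefix + path


def file_perms(rec):
    """Map denied_mask to rule permissions; 'c' (create) is implied by 'w' in rule syntax."""
    mask = rec['denied_mask']
    if 'x' in mask:
        return 'Pix'  # assumption: the transition is a per-profile decision, as Answer 1 notes
    return ''.join(ch for ch in 'rwkm' if ch in mask)


def unix_rule(rec):
    """Unix-socket rule scoped to the peer; the random dbus socket name is wildcarded."""
    access = ', '.join(rec['requested_mask'].split())
    peer_addr = re.sub(r'^@/tmp/dbus-\S+$', '@/tmp/dbus-*', rec['peer_addr'])
    return 'unix (%s) peer=(addr=%s label=%s),' % (access, peer_addr, rec['peer'])


def risk_of(rec):
    """Return a review note for rules that widen the sandbox, else None."""
    if rec.get('family') == 'unix' and rec.get('peer') == 'unconfined':
        return 'socket to an unconfined peer: possible escape route out of the confinement'
    if '/dconf/' in rec.get('name', '') and 'w' in rec.get('denied_mask', ''):
        return 'write access to the user dconf database for every applet'
    return None


def rules_from_log(log_text, profile_suffix='//browser_openjdk'):
    """Ordered, de-duplicated (rule, risk) pairs for one child profile."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec.get('apparmor') != 'DENIED' or not rec.get('profile', '').endswith(profile_suffix):
            continue
        if rec.get('family') == 'unix':
            rule = unix_rule(rec)
        elif 'name' in rec:
            owner_match = rec.get('fsuid') == rec.get('ouid')
            rule = '%s %s,' % (generalise_path(rec['name'], owner_match), file_perms(rec))
        else:
            continue
        seen.setdefault(rule, risk_of(rec))  # first occurrence wins, later duplicates dropped
    return list(seen.items())


def render(rules):
    """Profile fragment with a REVIEW comment on each flagged rule."""
    return '\n'.join('  %s%s' % (rule, '  # REVIEW: ' + risk if risk else '')
                     for rule, risk in rules)


if __name__ == '__main__':
    print(render(rules_from_log(SAMPLE_LOG)))
```

Run as a script it prints the fragment; the two lines marked REVIEW are the dconf write and the unix connect to an unconfined peer that Answer 2 worries about, so they are shown but not silently accepted. After pasting accepted rules into the child profile, reload it with apparmor_parser -r and expect the next round of denials, as Answer 1 notes.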
