Re: Share your AppArmor Profiles
Quote:
Originally Posted by
teddks
Doesn't work with rix. I suppose I could write a profile for gnome-open, but pidgin's profile is just not good enough. I would need to give pidgin permissions for xdg-open, /etc/orbitrc, and dash, among other things.
As for the link: It seems that making a hard link to a symbolic link just causes it to resolve the symbolic link. Would making a script that called firefox with profile arguments work?
Not a script with apparmor profile arguments ...
You can write a script that calls firefox (with irx) and restrict firefox.
And yes, go ahead and call gnome-open with irx, and any other binary it needs (like xdg-open, /etc/orbitrc, and dash). They will all be called, but restricted.
IMO this is better than Ux, which will call the same xdg-open, /etc/orbitrc, and dash (via gnome-open) but in the case of Ux they will run unrestricted, essentially "breaking out" of your AppArmor profile.
With AppArmor, calling these things is not a problem so long as you use irx and they are what you consider "normal functioning" of firefox.
Re: Share your AppArmor Profiles
Quote:
Originally Posted by
bodhi.zazen
Not a script with apparmor profile arguments ...
You can write a script that calls firefox (with irx) and restrict firefox.
And yes, go ahead and call gnome-open with irx, and any other binary it needs (like xdg-open, /etc/orbitrc, and dash). They will all be called, but restricted.
IMO this is better than Ux, which will call the same xdg-open, /etc/orbitrc, and dash (via gnome-open) but in the case of Ux they will run unrestricted, essentially "breaking out" of your AppArmor profile.
With AppArmor, calling these things is not a problem so long as you use irx and they are what you consider "normal functioning" of firefox.
You're confusing two questions. I have two firefox profiles I use for different purposes. I want different apparmor profiles on them. I was asking if I made a script that called /usr/bin/firefox and provided it with the arguments to access one of those two profiles, would it work. I suppose it would, as firefox would just inherit the other script's profile. Would that override a profile for Firefox, is the question...
As to the other thread of discussion, I don't think ix is better than Ux here, because I have to give Pidgin rights to whatever I want gnome-open to do. gnome-open will eventually call firefox on my system, and if it inherits everything down to that, then I'll be running firefox with Pidgin's limitations. That doesn't seem like a smart policy -- I actually _want_ gnome-open to break out of my Pidgin profile, because it doesn't belong there. I should write a profile for gnome-open, though.
On a side note, does anyone have a profile for Evolution or Totem?
Re: Share your AppArmor Profiles
Quote:
Originally Posted by
teddks
You're confusing two questions. I have two firefox profiles I use for different purposes. I want different apparmor profiles on them. I was asking if I made a script that called /usr/bin/firefox and provided it with the arguments to access one of those two profiles, would it work. I suppose it would, as firefox would just inherit the other script's profile. Would that override a profile for Firefox, is the question...
As to the other thread of discussion, I don't think ix is better than Ux here, because I have to give Pidgin rights to whatever I want gnome-open to do. gnome-open will eventually call firefox on my system, and if it inherits everything down to that, then I'll be running firefox with Pidgin's limitations. That doesn't seem like a smart policy -- I actually _want_ gnome-open to break out of my Pidgin profile, because it doesn't belong there. I should write a profile for gnome-open, though.
On a side note, does anyone have a profile for Evolution or Totem?
Firefox doesn't choose the profile it runs with; no application can do that. The profiles are enforced by AppArmor and only AppArmor. If you want to change the profile used when Firefox is to be run, then you need to address the script to remove one profile and add another through AppArmor, which requires root privileges.
For gnome-open, yes, writing a separate profile for it would be better.
About Evolution or Totem, I'll see if I can rustle up profiles for them when I have time :).
A note about AppArmor: it enforces profiles using paths, so if you linked a path to the firefox executable, then the profile that was made for the old path will most likely apply since the real path is still the same.
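The three ways the Pidgin profile can hand off to gnome-open, as discussed in the posts above (an added example, not a profile posted in this thread). The binary paths are assumptions for a typical install, and Px (transition to the target's own profile) is the exec mode that corresponds to "writing a separate profile", although the thread does not name it.

```apparmor
#include <tunables/global>

/usr/bin/pidgin {
  #include <abstractions/base>

  # Option A: inherit (ix). gnome-open and everything it starts stay inside
  # this profile, so this profile must also allow xdg-open, dash,
  # /etc/orbitrc and finally the browser. The browser then runs with
  # Pidgin's permissions and Pidgin's limits.
  # /usr/bin/gnome-open ix,

  # Option B: unconfined (Ux). The environment is scrubbed, but gnome-open
  # and all of its children run with no AppArmor restrictions at all.
  # /usr/bin/gnome-open Ux,

  # Option C: own profile (Px). On exec, confinement switches to the
  # /usr/bin/gnome-open profile below. If that profile is not loaded,
  # the exec is denied rather than falling back to unconfined.
  /usr/bin/gnome-open Px,
}

/usr/bin/gnome-open {
  #include <abstractions/base>

  /usr/bin/gnome-open mr,

  # Helpers that are part of gnome-open's normal operation: inherit.
  /usr/bin/xdg-open rix,
  /bin/dash rix,
  /etc/orbitrc r,

  # The browser leaves this profile for its own one (assumes a profile
  # attached to /usr/bin/firefox is loaded).
  /usr/bin/firefox Px,
}
```

With option C, Pidgin's profile needs only the single exec rule, and what the browser may do is decided by the browser's profile rather than by Pidgin's.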
Re: Share your AppArmor Profiles
Quote:
Originally Posted by
PmDematagoda
Firefox doesn't choose the profile it runs with; no application can do that. The profiles are enforced by AppArmor and only AppArmor. If you want to change the profile used when Firefox is to be run, then you need to address the script to remove one profile and add another through AppArmor, which requires root privileges.
For gnome-open, yes, writing a separate profile for it would be better.
About Evolution or Totem, I'll see if I can rustle up profiles for them when I have time :).
A note about AppArmor: it enforces profiles using paths, so if you linked a path to the firefox executable, then the profile that was made for the old path will most likely apply since the real path is still the same.
Firefox profile, not AppArmor profile. :)
Re: Share your AppArmor Profiles
I'm not using AppArmor yet, but I was looking into it. I wanted to know if anyone had a Transmission profile that they were willing to share. Maybe if I had AppArmor running with a profile I might start using Transmission.
Re: Share your AppArmor Profiles
Quote:
Originally Posted by
teddks
Firefox profile, not AppArmor profile. :)
Uhm, I think I just lost you. :)
Could you please explain your situation again please?
Re: Share your AppArmor Profiles
Quote:
Originally Posted by
PmDematagoda
Uhm, I think I just lost you. :)
Could you please explain your situation again please?
Firefox supports profiles. I have one for normal browsing and one for anonymous browsing. I would like to have one AppArmor profile per Firefox profile, as the two different Firefox profiles have different security needs.
Re: Share your AppArmor Profiles
Hello.
What do they do with /etc/passwd?
What is the difference between r:: and ::r in the log?
Re: Share your AppArmor Profiles
/etc/passwd is often read to get the username associated with a user ID. When you run ls -l in the Terminal, for example, the owner and group of the file are stored as numbers, like 1000. The ls program will go to /etc/passwd and basically ask "what is the username for user ID 1000".
r:: means that read permissions for user were requested, while ::r means that read permissions for "other" (not user or group) were requested. If you saw :r: instead, it would mean that read permissions for group were requested.
Re: Share your AppArmor Profiles
Quote:
Originally Posted by
teddks
Firefox supports profiles. I have one for normal browsing and one for anonymous browsing. I would like to have one AppArmor profile per Firefox profile, as the two different Firefox profiles have different security needs.
Firefox accepts the -P option, which specifies a name of a profile to use. If given, Firefox will load that profile.
Code:
firefox -P <profile name>