
Thread: How to test that Apparmor is working?


  1. #1

    [SOLVED] How to test that Apparmor is working?

    So I activated the Firefox profile:

    Code:
    sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

    and restarted Firefox (even rebooted), but it doesn't seem to be working. When I open Firefox I am able to perform a "Save Page As" in locations I shouldn't be able to, like my Desktop or Pictures folder.

    The following command says the Firefox process is in enforce mode:

    Code:
    sudo apparmor_status

    Of the following lines, the only directory which is "rw" is /Downloads. Why am I still able to write to other places?

    Code:
      # Default profile allows downloads to ~/Downloads and uploads from ~/Public
      owner @{HOME}/ r,
      owner @{HOME}/Public/ r,
      owner @{HOME}/Public/* r,
      owner @{HOME}/Downloads/ r,
      owner @{HOME}/Downloads/* rw,

    OS: Ubuntu 10.10

    Can someone with an active Firefox profile do this simple test for me? Click File -> Save As and try to save somewhere the Apparmor profile shouldn't let you, and let me know the results.
    Last edited by DodgeV83; October 10th, 2010 at 11:26 PM. Reason: Solved
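
An added example, not part of the original thread or of AppArmor itself: a simplified Python matcher that lists which file rules in a profile text grant a given permission on a path, run here over the fragment quoted in the post above. The function names, the `VARIABLES` value for `@{HOME}` and the sample paths are assumptions; it handles only `*`, `**` and `?`, ignores the `owner` condition, and does not follow `#include` lines.

```python
import re

# Assumed value, modelled on the @{HOME} tunable; check /etc/apparmor.d/tunables/home.
VARIABLES = {"HOME": "/home/*/"}

# The rule fragment quoted in the first post.
FRAGMENT = """\
  owner @{HOME}/ r,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,
"""

# Matches "[deny] [owner] <path> <perms>," file rules; other rule types are skipped.
RULE = re.compile(r"^\s*(deny\s+)?(?:owner\s+)?([/@]\S*)\s+([rwaxmlkiPpCcUu]+)\s*,")

# "*" stays inside one path component, "**" may cross "/" separators.
TOKENS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}

def glob_to_regex(glob):
    """Translate an AppArmor path glob into an anchored regex (simplified)."""
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(TOKENS.get(p, re.escape(p)) for p in parts) + r"\Z")

def matching_rules(profile_text, path, perm="w", variables=VARIABLES):
    """Return (allow, deny) lists of rules whose glob and permissions cover path."""
    allow, deny = [], []
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if not m or perm not in m.group(3):
            continue
        glob = m.group(2)
        for name, value in variables.items():
            glob = glob.replace("@{%s}" % name, value)
        glob = re.sub(r"/{2,}", "/", glob)  # collapse duplicate slashes after expansion
        if glob_to_regex(glob).match(path):
            (deny if m.group(1) else allow).append(line.strip())
    return allow, deny

if __name__ == "__main__":
    # Constructed sample paths for a hypothetical user "alice".
    for p in ("/home/alice/Downloads/page.html", "/home/alice/Desktop/page.html"):
        print(p, "->", matching_rules(FRAGMENT, p))
```

Running it over the full profile text and the files it includes shows which rule, if any, covers a path such as the Desktop folder.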

  2. #2

    Re: How to test that Apparmor is working?

    I think someone else recently posted about the same issue on 10.10. Not sure what the deal is. A bug perhaps?
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius


  3. #3

    Re: How to test that Apparmor is working?

    Quote: Originally Posted by rookcifer
    I think someone else recently posted about the same issue on 10.10. Not sure what the deal is. A bug perhaps?

    I think that was me :-/

    After installing Apparmor-notify, I can see in real time that Apparmor is activated and working with my Firefox install, but I can still "save-as" to random folders in my /home.

    Now I just need someone with a 10.04 install and Apparmor installed to tell me if this is new behavior or not.

  4. #4

    Re: How to test that Apparmor is working?

    The default AppArmor profile for Firefox is quite permissive.

    You may want to consider trying the profile kindly provided by bodhi.zazen and see if that suits your needs better:
    http://bodhizazen.net/aa-profiles/bodhizazen/

    Also, read the AppArmor sticky to understand how to put the profile in complain mode for troubleshooting purposes.

    Hope this helps.

  5. #5

    Re: How to test that Apparmor is working?

    Quote: Originally Posted by Rubi1200
    The default AppArmor profile for Firefox is quite permissive.

    You may want to consider trying the profile kindly provided by bodhi.zazen and see if that suits your needs better:
    http://bodhizazen.net/aa-profiles/bodhizazen/

    Also, read the AppArmor sticky to understand how to put the profile in complain mode for troubleshooting purposes.

    Hope this helps.

    Yeah, but his profile apparently does not allow writing to a directory he is writing to. So something is wrong somewhere, and I doubt it's the profile.

    OP, can you post the entire Maverick 10.10 Firefox profile here so that we can be sure the profile really does allow what you claim it shouldn't?

  6. #6

    Re: How to test that Apparmor is working?

    I do not know why the default Firefox profile allows you to write to files in your home directory. You should:

    1. Report this as a bug.

    2. Customize the profile to disallow this behaviour. You can use my 10.04 profile if you wish or I will try to look at the 10.10 profiles over the next few days.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta
