Results 1 to 5 of 5

Thread: Write allowed even APPARMOR forced in Firefox

Hybrid View

  1. #1
    Join Date
    Feb 2009
    Beans
    107

    Write allowed even APPARMOR forced in Firefox

    Hello,

    I use Ubuntu 10.10 with encrypted home. I'm new with apparmor.


    My firefox-3.6.13 is now in enforce mode - with standard profile.
    With this profile it should have write access only to:
    owner @{HOME}/Downloads/* rw,

    but I can save files (with standard downloadmanager of firefox) e.g. in $HOME itself and I can't find any other rule, which could allow that. I have thing, that ecryptfs workaround just affects the eCryptFS "part of things" and limitations of normal filenames/paths (in mounted ecryptfs) are still possible.

    ----------------------------------------------------------------------------------------
    So ... why can firefox write elsewhere as in to ${HOME}/Downloads ?
    ----------------------------------------------------------------------------------------

    BTW: I get also this in kern.log (but not by saving a file as wrote above) :

    Feb 27 05:49:30 duron650 kernel: [ 2284.886631] type=1400 audit(1298782170.190:48): apparmor="DENIED" operation="open" parent=1782 profile="/usr/lib/firefox-3.6.13/firefox-*bin" name="/home/.ecryptfs/hugo/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWY1tHLaOszg1UQTPB2f1Zq7Xu 0xztwk9hVX6-OCUaSGk2nU5ADkJx.rdk--/ECRYPTFS_FNEK_ENCRYPTED.FWY1tHLaOszg1UQTPB2f1Zq7Xu 0xztwk9hVXFlmP1qlJBZ2eq7XFiWljUE--" pid=2209 comm="firefox-bin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

    ?? why do firefox try to write to it and why do it fail even with #13 workaround?

    Feb 27 06:03:23 duron650 kernel: [ 3118.231818] type=1400 audit(1298783003.534:49): apparmor="DENIED" operation="open" parent=1782 profile="/usr/lib/firefox-3.6.13/firefox-*bin" name="/tmp/.X0-lock" pid=2304 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

    ?? Why try firefox to access X lock ?

    Thanks for help

    --kapetr

  2. #2
    Join Date
    Feb 2009
    Beans
    107

    Re: Write allowed even APPARMOR forced in Firefox

    So ... I have to sorry me - partially.

    The write to all under $HOME is allowed by /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files: owner @{HOME}/** w

    But ... in /etc/apparmor.d/usr.bin.firefox is AFTER including the above this:
    # Default profile allows downloads to ~/Downloads and uploads from ~/Public
    owner @{HOME}/ r,
    owner @{HOME}/Public/ r,
    owner @{HOME}/Public/* r,
    owner @{HOME}/Downloads/ r,
    owner @{HOME}/Downloads/* rw,
    Should this not again set access limits to the affected files/dirs ?
    If not (?!) - how to disable it and then allow how I want ?

    Maybe with audit deny @{HOME}/** mrwkl ?
    But this construction is not described in man apparmor.d.
    So ... how works redefining of rules in apparmors config files ?

    --kapetr

  3. #3
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Write allowed even APPARMOR forced in Firefox

    Quote Originally Posted by kapetr View Post
    Maybe with audit deny @{HOME}/** mrwkl ?
    No, you don't want to do that as it will only make it so that Firefox cannot access anything in /home at all. Instead you will want to edit:

    Code:
    /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files
    You will want to comment out a line like so:

    Code:
    @{HOME}/ r,
    @{HOME}/** r,
    #owner @{HOME}/** w,
    owner @{HOME}/Desktop/** r,
    Notice the hash. This will comment out the line that allows Firefox to write to any /home location.

    Now your rules will be set by what is in the Firefox profile itself. This means writing will only be allowed to ~/Downloads and ~/Desktop (or whatever other locations you specify in the Firefox profile itself).
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius

    My Blog

  4. #4
    Join Date
    Feb 2009
    Beans
    107

    Re: Write allowed even APPARMOR forced in Firefox

    Hello,

    this would be a possible solution, thank you.

    But back to my question: how to change previously set rule (e.g. with #include) ? Should new (nearest to the end of processing) rule replace the previous ? Or just add more restriction - not make them softer ? Or ... ?

    e.g.
    owner @{HOME}/ rw,
    owner @{HOME}/ r,

    The result should be just "r", don't?
    If not, then I have thing about the construct

    audit deny @{HOME}/** mrwkl

    followed by new definition of rule - but due missing manual. I actually don't know, what is would make - so I better do not try it.

    Any ideas ?

    --kapetr

  5. #5
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Write allowed even APPARMOR forced in Firefox

    There's no simple solution really. If you deny write access to /home as I suggested earlier you will see that Firefox might not run properly since it needs to write to various files within /home (particularly .mozilla).

    I suppose the best way to go about it would be to do as I said earlier, but then watch your logs for any errors. If the logs show Firefox needs to write to some files within /home, you can change the firefox profile itself to allow that.

    All of these abstractions can be pretty confusing at times, I admit. If you really wanted to simplify things, you could create your profile from scratch and not use any abstractions, but that is a PITA and takes a lot of time.

    P.S. I am not really sure I am understanding your question. Your English has me a bit confused as to what exactly it is you're asking. I hope I helped anyway, though.
    Last edited by rookcifer; March 3rd, 2011 at 07:38 PM.
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius

    My Blog

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •