Results 1 to 10 of 33

Thread: Need help || Apparmor Profiles

Hybrid View

  1. #1
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Need help || Apparmor Profiles

    Hi,

    I am using FF ver 5.0.1 from here

    After reading http://ubuntuforums.org/showpost.php...00&postcount=4

    I did
    Code:
    sudo aa-logprof /path to firefox
    Allowed all when asked. But when I try to start FF in enforce mode I get


    Code:
    $ /home/tux/.firefox/firefox
    /home/tux/.firefox/firefox: 60: basename: Permission denied
    exec: 139: /home/tux/.firefox/run-mozilla.sh: Permission denied
    This is the profile

    Code:
    # Last Modified: Sat Jul 30 02:16:27 2011
    #include <tunables/global>
    
    /home/tux/.firefox/firefox flags=(complain) {
      #include <abstractions/apache2-common>
      #include <abstractions/base>
    
    
      deny owner "/home/tux/Desktop/‪Harsha Bhogle on the 1st Test Match between India and England, at Lord's‬‏ - YouTube.flv" w,
    
      /bin/dash ix,
      owner /home/*/.firefox/firefox r,
      owner /home/*/.mozilla/firefox/4w442atz.default/adblockplus/cache.js w,
      owner /home/*/.mozilla/firefox/4w442atz.default/adblockplus/patterns.ini w,
      owner /home/*/.mozilla/firefox/4w442atz.default/adblockplus/patterns.ini-temp rw,
      owner /home/*/.mozilla/firefox/4w442atz.default/places.sqlite-shm k,
      owner /home/*/.mozilla/firefox/4w442atz.default/prefs.js r,
      /proc/meminfo r,
      /usr/bin/dirname rix,
      /usr/share/fonts/** r,
      /usr/share/icons/Humanity/actions/16/document-save-as.svg r,
      /usr/share/icons/Humanity/actions/16/go-home.svg r,
      /usr/share/icons/Humanity/actions/16/go-next.svg r,
      /usr/share/icons/Humanity/actions/16/go-previous.svg r,
    What do I need to change ?
    Last edited by linuxyogi; July 29th, 2011 at 10:10 PM.
    Lubuntu 14.04
    Athlon 64X2 5600+ Ram: 2GB
    GeForce 6150SE nForce 430

  2. #2
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Need help || Apparmor Profiles

    Firefox is a big application to write a profile for.

    I see firefox is in complain mode. go ahead and use firefox for a bit, go to a few web sites, use flash, etc.

    Then close firefox and run aa-logprof

    Then put your profile into enforcing mode and try some more.

    Alternately you can look at another firefox profile as a template.

    See the apparmor sticky http://ubuntuforums.org/showthread.php?t=1008906

    And also:

    http://blog.bodhizazen.net/linux/app...ivoxy-profile/

    http://bodhizazen.net/aa-profiles/bo...sr.bin.firefox
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  3. #3
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Need help || Apparmor Profiles

    @bodhi.zazen

    Hi,

    Code:
    $ sudo aa-logprof 
    [sudo] password for tux: 
    Reading log entries from /var/log/messages.
    Updating AppArmor profiles in /etc/apparmor.d.
    
    Profile:  /home/tux/.firefox/firefox
    Execute:  /usr/bin/basename
    Severity: unknown
    
    
    (I)nherit / (P)rofile / (C)hild / (N)ame / (U)nconfined / (X)ix / (D)eny / Abo(r)t / (F)inish
    ^ This appears at the begining of aa-logprof. Which option should I choose ? I tried both (P)rofile & (I)nherit.
    Last edited by linuxyogi; July 30th, 2011 at 01:41 AM.
    Lubuntu 14.04
    Athlon 64X2 5600+ Ram: 2GB
    GeForce 6150SE nForce 430

  4. #4
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Need help || Apparmor Profiles

    @Bodhi.Zazen

    I am atm using FF in complain mode. I am trying read those links, this I guess is going to take some time.

    In the mean time I have created a profile for Chromium browser & using it in enforce mode.

    http://dl.dropbox.com/u/30630174/aa%20profile

    Rules for files include <<<

    Code:
    r = read w = write l = link k = lock a = append

    This is the profile for Chromium

    Code:
    # Last Modified: Sat Jul 30 06:22:31 2011
    #include <tunables/global>
    
    /usr/bin/chromium-browser {
      #include <abstractions/base>
    
    
    
      /bin/dash ix,
      /bin/readlink rix,
      /etc/chromium-browser/default r,
      /etc/lsb-release r,
      /home/tux/ r,
      /proc/meminfo r,
      /usr/bin/chromium-browser r,
      /usr/lib/chromium-browser/chromium-browser px,
    
    }

    Now r=read & the the profile is in enforce mode, but I can still save file in /home/tux.

    Is apparmor suppose to not let that happen ?
    Lubuntu 14.04
    Athlon 64X2 5600+ Ram: 2GB
    GeForce 6150SE nForce 430

  5. #5
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Need help || Apparmor Profiles

    Quote Originally Posted by linuxyogi View Post
    @Bodhi.Zazen

    I am atm using FF in complain mode. I am trying read those links, this I guess is going to take some time.

    In the mean time I have created a profile for Chromium browser & using it in enforce mode.

    http://dl.dropbox.com/u/30630174/aa%20profile




    This is the profile for Chromium

    Code:
    # Last Modified: Sat Jul 30 06:22:31 2011
    #include <tunables/global>
    
    /usr/bin/chromium-browser {
      #include <abstractions/base>
    
    
    
      /bin/dash ix,
      /bin/readlink rix,
      /etc/chromium-browser/default r,
      /etc/lsb-release r,
      /home/tux/ r,
      /proc/meminfo r,
      /usr/bin/chromium-browser r,
      /usr/lib/chromium-browser/chromium-browser px,
    
    }

    Now r=read & the the profile is in enforce mode, but I can still save file in /home/tux.

    Is apparmor suppose to not let that happen ?
    As I indicated in my first post, browsers are complex and not the best place to start. I highly suggest you start with an easier program (like privoxy).

    Second, did you reload your apparmor profile for chromium ?

    What is the output of

    Code:
    aa-status
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  6. #6
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Need help || Apparmor Profiles

    Quote Originally Posted by bodhi.zazen View Post
    As I indicated in my first post, browsers are complex and not the best place to start. I highly suggest you start with an easier program (like privoxy).

    Second, did you reload your apparmor profile for chromium

    What is the output of

    Code:
    aa-status

    Yes, I did
    Code:
    sudo apparmor_parser -r /etc/apparmor.d/usr.bin.chromium-browser
    also

    tried
    Code:
     sudo /etc/init.d/apparmor reload
    .


    Code:
    $ sudo aa-status
    [sudo] password for tux: 
    apparmor module is loaded.
    40 profiles are loaded.
    11 profiles are in enforce mode.
       /sbin/dhclient3
       /usr/bin/chromium-browser
       /usr/bin/evince
       /usr/bin/evince-previewer
       /usr/bin/evince-thumbnailer
       /usr/lib/NetworkManager/nm-dhcp-client.action
       /usr/lib/connman/scripts/dhclient-script
       /usr/lib/cups/backend/cups-pdf
       /usr/sbin/cupsd
       /usr/sbin/tcpdump
       /usr/share/gdm/guest-session/Xsession
    29 profiles are in complain mode.
       /bin/ping
       /home/tux/.firefox/firefox
       /home/tux/.firefox/firefox//null-25
       /home/tux/.firefox/firefox//null-25//null-26
       /home/tux/.firefox/firefox//null-25//null-27
       /home/tux/.firefox/firefox//null-25//null-28
       /home/tux/.firefox/firefox//null-25//null-29
       /sbin/klogd
       /sbin/syslog-ng
       /sbin/syslogd
       /usr/bin/basename
       /usr/bin/expr
       /usr/lib/chromium-browser/chromium-browser
       /usr/lib/dovecot/deliver
       /usr/lib/dovecot/dovecot-auth
       /usr/lib/dovecot/imap
       /usr/lib/dovecot/imap-login
       /usr/lib/dovecot/managesieve-login
       /usr/lib/dovecot/pop3
       /usr/lib/dovecot/pop3-login
       /usr/sbin/avahi-daemon
       /usr/sbin/dnsmasq
       /usr/sbin/dovecot
       /usr/sbin/identd
       /usr/sbin/mdnsd
       /usr/sbin/nmbd
       /usr/sbin/nscd
       /usr/sbin/smbd
       /usr/sbin/traceroute
    5 processes have profiles defined.
    2 processes are in enforce mode :
       /sbin/dhclient3 (1753) 
       /usr/sbin/cupsd (1097) 
    3 processes are in complain mode.
       /home/tux/.firefox/firefox//null-25//null-29 (1720) 
       /usr/sbin/avahi-daemon (814) 
       /usr/sbin/avahi-daemon (812) 
    0 processes are unconfined but have a profile defined.
    Lubuntu 14.04
    Athlon 64X2 5600+ Ram: 2GB
    GeForce 6150SE nForce 430

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •