
Thread: Need help || Apparmor Profiles

  1. #11
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Need help || Apparmor Profiles

    Well, next I advise you learn to "glob"

    All your /usr/share/icons ....

    can be replaced by a single line

    /usr/share/icons/** r,

    owner /home/*/ should be

    owner @{HOME}/

    keep reading.

    I have posted several profiles for your review; in each of the profiles I posted are rules for how I manage "owner @{HOME}/"
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  2. #12
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Ubuntu Gnome

    Re: Need help || Apparmor Profiles

    @Bodhi.Zazen

    Please see my edit

    Yes, FF is really too complicated to begin with.

    But I will keep on trying with another installation of FF (virtually?). Since I have started, I don't wanna give up.

    But since I use FF everyday I was thinking to secure it by copying one of your profiles. But I see two complications,

    1> I am not using FF from the repos. I am using the precompiled version which is available for download at their site.

    2> I am using 5.0.1

    Have you written any profile which can be used with my FF installation ?

    All I wanna do is restrict FF's write permission to the /home/tux/Downloads folder. I learned that I can't really restrict FF to just the Downloads folder coz it needs to read other stuff within the home folder, which seems to me a downside of apparmor. In case FF is compromised it gets access to all my data.
    Ubuntu Mate 14.10
    free
    showing high ram usage ? Read this
    When people say "you've changed " there's a 95% chance that you just stopped acting the way they wanted you to.

  3. #13
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Need help || Apparmor Profiles

    I took a look at it last night and sort of ran into the same dead end you did.

    I wrote a profile using aa-genprof and never got to a point where I could confine firefox downloaded from mozilla and running from your home directory.

    I am not sure of the problem and suggest you file a bug report on launchpad against apparmor.

    You will need to decide which is more important, running firefox as you are or using firefox from the ubuntu repositories and using or modifying the default firefox apparmor profile.

    If you wish to learn to use apparmor, once again start with simpler applications, look at the apparmor sticky, and learn the syntax.

    I understand your frustration, but you are not exactly following my advice either. For example you are still using /home/* rather than the syntax I showed you and I can not see you looked at the profiles I showed you from my web site either. You are not using globbing and you have not incorporated any of the syntax I use for firefox and my home directory.

    So you essentially have two problems:

    1. You have not yet learned the basics of apparmor and you are trying to confine a complex, custom application.

    2. You are not following advice or examples.

    Good luck to you.

  4. #14
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Need help || Apparmor Profiles

    OK, here is the profile that is working for me. It may be more restrictive than you want.

    profile name

    /etc/apparmor.d/home.your_user.firefox.firefox

    Code:
    # Last Modified: Sat Jul 30 23:26:18 2011
    #include <tunables/global>
    
    /home/your_user/firefox/firefox {
      #include <abstractions/base>
      #include <abstractions/gnome>
      #include <abstractions/kde>
      #include <abstractions/nameservice>
    
      /bin/dash ix,
      /bin/uname rix,
      /etc/fstab r,
      @{HOME}/ r,
      @{HOME}/.config/** rw,
      @{HOME}/.kde/** r,
      @{HOME}/.mozilla/firefox/** rwk,
      @{HOME}/Downloads/** rw,
      @{HOME}/.Private/** rw,
      /home/your_user/firefox/** mrwixkl,
    
      @{PROC}/** r,
    
      /usr/bin/basename rix,
      /usr/bin/dirname rix,
      /usr/bin/expr rix,
      /usr/bin/kde4-config rix,
      /usr/share/** r,
    
      /usr/lib/mozilla/plugins/** rmixk,
    
    }
    With that profile flash is working. If you have problems, see the links to other firefox profiles I gave you earlier.

    Note: .Private is needed with an encrypted home directory
    Last edited by bodhi.zazen; August 1st, 2011 at 05:41 AM.

  5. #15
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Ubuntu Gnome

    Re: Need help || Apparmor Profiles

    After copying that profile I am getting the following

    Code:
    $ sudo apparmor_parser -r /etc/apparmor.d/home.tux..firefox.firefox 
    failed user merge 0x814205 0x2204881
    profile /home/tux/.firefox/firefox: has merged rule /usr/bin/kde4-config with multiple x modifiers
    ERROR merging rules for profile /home/tux/.firefox/firefox, failed to load
    So, can't test the profile at my end yet.

  6. #16
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Need help || Apparmor Profiles

    Delete that line " /usr/bin/kde4-config rix,"

  7. #17
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Ubuntu Gnome

    Re: Need help || Apparmor Profiles

    Quote Originally Posted by bodhi.zazen View Post
    Delete that line " /usr/bin/kde4-config rix,"
    Deleted that line, FF starts, restrictions are working too. Awesome !!!

    But flash is not working atm. I added the following line from your profile you gave me.


    Code:
    # Last Modified: Sat Jul 30 23:26:18 2011
    #include <tunables/global>
    
    /home/tux/.firefox/firefox {
      #include <abstractions/base>
      #include <abstractions/fonts>
      #include <abstractions/gnome>
      #include <abstractions/kde>
      #include <abstractions/nameservice>
    
      /bin/dash ix,
      /bin/uname rix,
      /etc/fstab r,
      @{HOME}/ r,
      @{HOME}/.config/** rw,
      @{HOME}/.kde/** r,
      @{HOME}/.mozilla/firefox/** rwk,
      @{HOME}/Downloads/** rw,
      /home/tux/.firefox/** mrwixkl,
    
      @{PROC}/** r,
    
      /usr/bin/basename rix,
      /usr/bin/dirname rix,
      /usr/bin/expr rix,
      /usr/share/** r,
    
      /usr/lib/mozilla/plugins/** rmixk,
    
    # Flash
      owner @{HOME}/.adobe/ rw,
      owner @{HOME}/.adobe/** rw,
      owner @{HOME}/.macromedia/ rw,
      owner @{HOME}/.macromedia/** rw,
    
    # Allow flash to use video acceleration 
      /dev/nvidiactl rw, 
      /dev/nvidia0 rw,
    
    }
    Closed FF
    Added those lines
    Did
    Code:
     sudo apparmor_parser -r /etc/apparmor.d/home.tux..firefox.firefox
    Started FF but flash is still not working.

    Code:
    $ dir /dev |grep nvidia
    dsp         nvidia0         scd0     tty21    tty5   vcs1
    dvd         nvidiactl         sda     tty22    tty50  vcs2
    Last edited by linuxyogi; August 1st, 2011 at 09:23 PM.

  8. #18
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Need help || Apparmor Profiles

    What error message are you getting in the logs ?

  9. #19
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Ubuntu Gnome

    Re: Need help || Apparmor Profiles

    Quote Originally Posted by bodhi.zazen View Post
    What error message are you getting in the logs ?
    Code:
    Aug  2 02:07:02 tux kernel: [ 2613.999497] type=1503 audit(1312231022.974:5857):  operation="open" pid=3249 parent=1 profile="/home/tux/.firefox/firefox" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/proc/"
    Aug  2 02:07:02 tux kernel: [ 2614.001084] type=1503 audit(1312231022.984:5858):  operation="open" pid=3217 parent=1 profile="/home/tux/.firefox/firefox" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name="/home/tux/.mozilla/plugins/"

  10. #20
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Need help || Apparmor Profiles

    The first you can ignore or if you wish add

    Code:
    @{PROC}/ r,
    The second can be covered by

    Code:
    @{HOME}/.mozilla/** rwk,
    or

    Code:
    @{HOME}/.mozilla/plugins/** rwk,
    Your next lesson is to look at those logs and understand where I got those rules from.
    #ubuntuforums web interface
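
Added example, not part of any post in the thread: a Python sketch that reads the two denials quoted above, checks them against rules from the posted profile, and shows why neither path was already covered. The function names are hypothetical, the values of `@{HOME}` and `@{PROC}` are simplified assumptions, and only the `*` and `**` globs are handled.

```python
import re

# Assumption: simplified values of the two tunables the thread's profile uses.
VARS = {"@{HOME}": "/home/*", "@{PROC}": "/proc"}
# Constructed inputs: four file rules from the posted profile and the two logged denials.
PROFILE = """
  @{HOME}/ r,
  @{HOME}/.mozilla/firefox/** rwk,
  @{PROC}/** r,
  /usr/share/** r,
"""
LOG = '''
Aug  2 02:07:02 tux kernel: [ 2613.999497] type=1503 audit(1312231022.974:5857):  operation="open" pid=3249 parent=1 profile="/home/tux/.firefox/firefox" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/proc/"
Aug  2 02:07:02 tux kernel: [ 2614.001084] type=1503 audit(1312231022.984:5858):  operation="open" pid=3217 parent=1 profile="/home/tux/.firefox/firefox" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name="/home/tux/.mozilla/plugins/"
'''

def glob_to_regex(glob):
    """Translate a path rule using * and ** (not ?, [] or {}) into a regex."""
    for var, value in VARS.items():
        glob = glob.replace(var, value)
    out = ""
    for m in re.finditer(r"\*+|[^*]+", glob):
        tok = m.group()
        if tok[0] != "*":
            out += re.escape(tok)
            continue
        # Between "/" and "/" (or the end) a glob must consume at least one
        # character, so "/proc/**" does not match the directory "/proc/" itself.
        if glob[m.start() - 1:m.start()] == "/" and glob[m.end():m.end() + 1] in ("", "/"):
            out += "[^/]"
        out += ".*" if len(tok) > 1 else "[^/]*"  # ** crosses "/", * does not
    return re.compile(out + r"\Z", re.S)

def parse_rules(profile):
    return re.findall(r"^\s*(?:owner\s+)?([/@]\S*)\s+([a-z]+),\s*$", profile, re.M)

def parse_denials(log):
    fields = [dict(re.findall(r'(\w+)="([^"]*)"', line)) for line in log.splitlines()]
    return [(f["name"], f["denied_mask"].replace(":", "")) for f in fields if "denied_mask" in f]

def covering(rules, name, mask):
    return [g for g, p in rules if glob_to_regex(g).match(name) and set(mask) <= set(p)]

def report(profile=PROFILE, log=LOG):
    """Per denial: (path, rules already covering it, narrowest candidate rule)."""
    rules = parse_rules(profile)
    tidy = lambda n: re.sub(r"^/home/[^/]+", "@{HOME}", re.sub(r"^/proc", "@{PROC}", n))
    return [(n, covering(rules, n, m), f"{tidy(n)} {m},") for n, m in parse_denials(log)]
```

`report()` returns an empty "covered by" list for both denials: `@{PROC}/**` matches entries under `/proc/` but not the directory itself, and `@{HOME}/.mozilla/firefox/**` never reaches `.mozilla/plugins/`.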
