
Thread: Once again: Apparmor and Firefox default profile - few questions.

  1. #1
    Join Date
    Mar 2012
    Beans
    142

    Once again: Apparmor and Firefox default profile - few questions.

    Hello, I have a few questions about Firefox and the default profile for AppArmor. First: should I create additional profiles for usr.lib.firefox.firefox.sh and usr.lib.firefox.firefox? It seems to be important, because Firefox calls /usr/lib/firefox/firefox.sh before it starts. Second: I can still save files in every folder in user home directories[1] without any message. I am using the default profile, which is available with Ubuntu. Could someone tell me if everything is okay and, simply, everything is working[2]? Are the entries from the /var/log/syslog file correct? I'm still unconvinced.

    I apologize for the topic and questions, but I wonder for example, why I can still save files in user directories or what about creating profile for usr.lib.firefox.firefox.sh etc.

    [1]
    Code:
    # I added this entry:
    deny @{HOME}/ w,
    [2]
    Code:
    # sudo apparmor_status |grep firefox
    (these profiles are in enforce mode.) 
    /usr/lib/firefox/firefox{,*[^s][^h]}
    /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
    /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
    /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
    
    # /var/log/syslog file contains something like this:
    Oct 12 13:17:57 testing kernel: [  453.674896] type=1400 audit(1350040677.264:38): 
    apparmor="DENIED" operation="open" parent=2844 
    profile="/usr/lib/firefox/firefox{,*[^s][^h]}" 
    name="/dev/nvidiactl" pid=2846 comm="firefox" 
    requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
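
An added example (not part of the original thread) that checks two things from post #1 with a simplified AppArmor glob matcher: which paths the `deny @{HOME}/ w,` rule covers, and which binaries the profile name from `apparmor_status` attaches to. The `@{HOME}` expansion is assumed to be Ubuntu's stock tunable; the user `alice` and the `firefox-bin` name are constructed samples.

```python
import re

# Assumption: Ubuntu's stock tunables, where @{HOME} expands to /home/*/ and /root/.
HOME_EXPANSIONS = ["/home/*/", "/root/"]

def glob_to_regex(glob):
    """Simplified AppArmor glob -> anchored regex (*, **, ?, [..], {a,b})."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # ** crosses directory boundaries
            out.append(".*"); i += 2; continue
        if c == "*":                      # * stops at the next "/"
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":                    # character class, passed through
            j = glob.index("]", i + 1)
            out.append(glob[i:j + 1]); i = j + 1; continue
        elif c == "{":
            out.append("(?:"); depth += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def rule_matches(rule_path, path):
    """True if the rule path (which may use @{HOME}) covers `path`."""
    variants = [rule_path.replace("@{HOME}", h) for h in HOME_EXPANSIONS] \
        if "@{HOME}" in rule_path else [rule_path]
    # Duplicate slashes left by variable expansion are collapsed.
    return any(glob_to_regex(re.sub(r"/{2,}", "/", v)).match(path) for v in variants)

PROFILE_NAME = "/usr/lib/firefox/firefox{,*[^s][^h]}"   # from apparmor_status above

if __name__ == "__main__":
    # Constructed sample paths; "alice" and "firefox-bin" are made up.
    for rule in ("@{HOME}/", "@{HOME}/**"):
        for p in ("/home/alice/", "/home/alice/report.pdf", "/home/alice/Downloads/a.bin"):
            print(f"deny {rule} w,  covers {p}: {rule_matches(rule, p)}")
    for exe in ("firefox", "firefox.sh", "firefox-bin"):
        full = "/usr/lib/firefox/" + exe
        print(f"profile attaches to {full}: {rule_matches(PROFILE_NAME, full)}")
```

In AppArmor a path ending in `/` names the directory itself, so the rule from post #1 never matches the files being saved; `@{HOME}/** w,` is the form that covers them.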

  2. #2
    Join Date
    Mar 2011
    Beans
    665

    Re: Once again: Apparmor and Firefox default profile - few questions.

    The Firefox profile is screwed up because the abstractions are so convoluted. That's why you can still write to there.

    I suggest you file a bug because I see this question pop up very often on this forum and others. The Firefox profile could very likely be easily tweaked by removing the unnecessary abstractions and instead adding variable rules for libraries (*/*.so rm,).

    I don't think you need to create a profile for the .sh file. Not sure.

  3. #3
    Join Date
    Mar 2012
    Beans
    142

    Re: Once again: Apparmor and Firefox default profile - few questions.

    Hi Hungry Man. You mean a bug about saving files in every user directory, right? Do you think that it can be classified as a bug? Do you know anything about the messages from the /var/log/syslog file - are they correct? Thank you and sorry for these stupid questions.
    Last edited by kleenex; October 12th, 2012 at 06:04 PM.

  4. #4
    Join Date
    Mar 2011
    Beans
    665

    Re: Once again: Apparmor and Firefox default profile - few questions.

    Yes, this constitutes a bug. The profile is providing unnecessary rights. The abstractions are used too much.

    The questions aren't stupid though, like I said they come up often because these issues happen a lot.

    It looks like, from that profile, the .sh file won't open. Set the profile to complain first so it doesn't break outright.

  5. #5
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Once again: Apparmor and Firefox default profile - few questions.

    Quote: Originally posted by kleenex
    Hi Hungry Man. You mean a bug about saving files in every user directory, right? Do you think that it can be classified as a bug? Do you know anything about the messages from the /var/log/syslog file - are they correct? Thank you and sorry for these stupid questions.

    The problem is the user-files abstraction allowing writing to anywhere in /home.

    The best bet is just to use the profile I made. You can find it here.
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius

    My Blog

  6. #6
    Join Date
    Mar 2012
    Beans
    142

    Re: Once again: Apparmor and Firefox default profile - few questions.

    Hi rookcifer. I see you have created profiles also for usr.lib.firefox.sh and usr.lib.firefox. Do you think that I should also do it? I am asking you because I am not using gnome-mplayer or totem-plugin. Anyway, thank you for the link and really GREAT post!

    Hungry Man - okay, if I find some free time I will report this bug.
    Last edited by kleenex; October 12th, 2012 at 09:48 PM.

  7. #7
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Once again: Apparmor and Firefox default profile - few questions.

    Quote: Originally posted by kleenex
    Hi rookcifer. I see you have created profiles also for usr.lib.firefox.sh and usr.lib.firefox. Do you think that I should also do it? I am asking you because I am not using gnome-mplayer or totem-plugin. Anyway, thank you for the link and really GREAT post!

    Hungry Man - okay, if I find some free time I will report this bug.

    You can still use my profiles for Firefox even if not using totem or gnome-mplayer.
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius

    My Blog
