Results 1 to 7 of 7

Thread: Need help with AppArmor Firefox profile

  1. #1
    Join Date
    Apr 2009
    Beans
    235
    Distro
    Xubuntu 14.04 Trusty Tahr

    Need help with AppArmor Firefox profile

    I'm in the process of learning all I can about AppArmor but in the meantime I need help with an issue with the default usr.bin.firefox profile that came with my Xubuntu 12.04 distribution. I'm posting it here with line numbers:
    Code:
         1    # vim:syntax=apparmor
         2    # Author: Jamie Strandboge <jamie@canonical.com>
         3    
         4    # Declare an apparmor variable to help with overrides
         5    @{MOZ_LIBDIR}=/usr/lib/firefox
         6    
         7    #include <tunables/global>
         8    
         9    # We want to confine the binaries that match:
        10    #  /usr/lib/firefox/firefox
        11    #  /usr/lib/firefox/firefox
        12    # but not:
        13    #  /usr/lib/firefox/firefox.sh
        14    /usr/lib/firefox/firefox{,*[^s][^h]} flags=(complain) {
        15      #include <abstractions/audio>
        16      #include <abstractions/cups-client>
        17      #include <abstractions/dbus-session>
        18      #include <abstractions/gnome>
        19      #include <abstractions/nameservice>
        20      #include <abstractions/p11-kit>
        21    
        22      # Addons
        23      #include <abstractions/ubuntu-browsers.d/firefox>
        24    
        25      # for networking
        26      network inet stream,
        27      network inet6 stream,
        28      @{PROC}/[0-9]*/net/if_inet6 r,
        29      @{PROC}/[0-9]*/net/ipv6_route r,
        30      @{PROC}/[0-9]*/net/dev r,
        31      @{PROC}/[0-9]*/net/wireless r,
        32    
        33      # should maybe be in abstractions
        34      /etc/ r,
        35      /etc/mime.types r,
        36      /etc/mailcap r,
        37      /etc/xdg/*buntu/applications/defaults.list    r, # for all derivatives
        38      /usr/share/xubuntu/applications/defaults.list r,
        39      owner @{HOME}/.local/share/applications/defaults.list r,
        40      owner @{HOME}/.local/share/applications/mimeapps.list r,
        41      owner @{HOME}/.local/share/applications/mimeinfo.cache r,
        42      owner /tmp/** m,
        43      owner /var/tmp/** m,
        44      /tmp/.X[0-9]*-lock r,
        45    
        46      /etc/timezone r,
        47      /etc/wildmidi/wildmidi.cfg r,
        48    
        49      # firefox specific
        50      /etc/firefox*/ r,
        51      /etc/firefox*/** r,
        52      /etc/xul-ext/** r,
        53      /etc/xulrunner-2.0*/ r,
        54      /etc/xulrunner-2.0*/** r,
        55      /etc/gre.d/ r,
        56      /etc/gre.d/* r,
        57    
        58      # noisy
        59      deny @{MOZ_LIBDIR}/** w,
        60      deny /usr/lib/firefox-addons/** w,
        61      deny /usr/lib/xulrunner-addons/** w,
        62      deny /usr/lib/xulrunner-*/components/*.tmp w,
        63      deny /.suspended r,
        64      deny /boot/initrd.img* r,
        65      deny /boot/vmlinuz* r,
        66      deny /var/cache/fontconfig/ w,
        67      deny @{HOME}/.local/share/recently-used.xbel r,
        68    
        69      # TODO: investigate
        70      deny /usr/bin/gconftool-2 x,
        71    
        72      # These are needed when a new user starts firefox and firefox.sh is used
        73      @{MOZ_LIBDIR}/** ixr,
        74      /usr/bin/basename ixr,
        75      /usr/bin/dirname ixr,
        76      /usr/bin/pwd ixr,
        77      /sbin/killall5 ixr,
        78      /bin/which ixr,
        79      /usr/bin/tr ixr,
        80      @{PROC}/ r,
        81      @{PROC}/[0-9]*/cmdline r,
        82      @{PROC}/[0-9]*/mountinfo r,
        83      @{PROC}/[0-9]*/stat r,
        84      owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
        85      @{PROC}/[0-9]*/status r,
        86      @{PROC}/filesystems r,
        87      owner @{HOME}/.thumbnails/*/*.png r,
        88    
        89      /etc/mtab r,
        90      /etc/fstab r,
        91    
        92      # Needed for the crash reporter
        93      owner @{PROC}/[0-9]*/environ r,
        94      owner @{PROC}/[0-9]*/auxv r,
        95      /etc/lsb-release r,
        96      /usr/bin/expr ix,
        97      /sys/devices/system/cpu/ r,
        98      /sys/devices/system/cpu/** r,
        99    
       100      # about:memory
       101      owner @{PROC}/[0-9]*/statm r,
       102      owner @{PROC}/[0-9]*/smaps r,
       103    
       104      # Needed for container to work in xul builds
       105      /usr/lib/xulrunner-*/plugin-container ixr,
       106    
       107      # allow access to documentation and other files the user may want to look
       108      # at in /usr and /opt
       109      /usr/ r,
       110      /usr/** r,
       111      /opt/ r,
       112      /opt/** r,
       113    
       114      # so browsing directories works
       115      / r,
       116      /**/ r,
       117    
       118      # Default profile allows downloads to ~/Downloads and uploads from ~/Public
       119      owner @{HOME}/ r,
       120      owner @{HOME}/Public/ r,
       121      owner @{HOME}/Public/* r,
       122      owner @{HOME}/Downloads/ r,
       123      owner @{HOME}/Downloads/* rw,
       124    
       125      # per-user firefox configuration
       126      owner @{HOME}/.{firefox,mozilla}/ rw,
       127      owner @{HOME}/.{firefox,mozilla}/** rw,
       128      owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
       129      owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
       130      owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
       131      owner @{HOME}/.config/ibus/bus/ w,
       132      owner @{HOME}/.gnome2/firefox*-bin-* rw,
       133    
       134      #
       135      # Extensions
       136      # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
       137      # Allow 'x' for downloaded extensions, but inherit policy for safety
       138      owner @{HOME}/.mozilla/**/extensions/** mixr,
       139    
       140      deny @{MOZ_LIBDIR}/update.test w,
       141      deny /usr/lib/mozilla/extensions/**/ w,
       142      deny /usr/lib/xulrunner-addons/extensions/**/ w,
       143      deny /usr/share/mozilla/extensions/**/ w,
       144      deny /usr/share/mozilla/ w,
       145    
       146      # Miscellaneous (to be abstracted)
       147      # Ideally these would use a child profile. They are all ELF executables
       148      # so running with 'Ux', while not ideal, is ok because we will at least
       149      # benefit from glibc's secure execute.
       150      /usr/bin/mkfifo Uxr,  # investigate
       151      /bin/ps Uxr,
       152      /bin/uname Uxr,
       153    
       154      # Site-specific additions and overrides. See local/README for details.
       155      #include <local/usr.bin.firefox>
       156    }
    This profile does not allow the Parole media player to play a .MOV file directly from Firefox. Instead it suggests that the file be first downloaded. But I noticed that the file is stored in /tmp regardless. So I thought that maybe commenting out lines 42 and 44 may solve the problem, but I'm a n00b and don't want to screw anything up. So I'm asking for suggestions on how I can modify this profile, or maybe even install a new firefox profile so that Parole is able to play directly from the browser.

  2. #2
    Join Date
    Aug 2006
    Location
    Somewhere in the hell
    Beans
    294
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Need help with AppArmor Firefox profile

    Quote Originally Posted by donsy View Post
    I'm in the process of learning all I can about AppArmor but in the meantime I need help with an issue with the default usr.bin.firefox profile that came with my Xubuntu 12.04 distribution. I'm posting it here with line numbers:
    Code:
         1    # vim:syntax=apparmor
         2    # Author: Jamie Strandboge <jamie@canonical.com>
         3    
         4    # Declare an apparmor variable to help with overrides
         5    @{MOZ_LIBDIR}=/usr/lib/firefox
         6    
         7    #include <tunables/global>
         8    
         9    # We want to confine the binaries that match:
        10    #  /usr/lib/firefox/firefox
        11    #  /usr/lib/firefox/firefox
        12    # but not:
        13    #  /usr/lib/firefox/firefox.sh
        14    /usr/lib/firefox/firefox{,*[^s][^h]} flags=(complain) {
        15      #include <abstractions/audio>
        16      #include <abstractions/cups-client>
        17      #include <abstractions/dbus-session>
        18      #include <abstractions/gnome>
        19      #include <abstractions/nameservice>
        20      #include <abstractions/p11-kit>
        21    
        22      # Addons
        23      #include <abstractions/ubuntu-browsers.d/firefox>
        24    
        25      # for networking
        26      network inet stream,
        27      network inet6 stream,
        28      @{PROC}/[0-9]*/net/if_inet6 r,
        29      @{PROC}/[0-9]*/net/ipv6_route r,
        30      @{PROC}/[0-9]*/net/dev r,
        31      @{PROC}/[0-9]*/net/wireless r,
        32    
        33      # should maybe be in abstractions
        34      /etc/ r,
        35      /etc/mime.types r,
        36      /etc/mailcap r,
        37      /etc/xdg/*buntu/applications/defaults.list    r, # for all derivatives
        38      /usr/share/xubuntu/applications/defaults.list r,
        39      owner @{HOME}/.local/share/applications/defaults.list r,
        40      owner @{HOME}/.local/share/applications/mimeapps.list r,
        41      owner @{HOME}/.local/share/applications/mimeinfo.cache r,
        42      owner /tmp/** m,
        43      owner /var/tmp/** m,
        44      /tmp/.X[0-9]*-lock r,
        45    
        46      /etc/timezone r,
        47      /etc/wildmidi/wildmidi.cfg r,
        48    
        49      # firefox specific
        50      /etc/firefox*/ r,
        51      /etc/firefox*/** r,
        52      /etc/xul-ext/** r,
        53      /etc/xulrunner-2.0*/ r,
        54      /etc/xulrunner-2.0*/** r,
        55      /etc/gre.d/ r,
        56      /etc/gre.d/* r,
        57    
        58      # noisy
        59      deny @{MOZ_LIBDIR}/** w,
        60      deny /usr/lib/firefox-addons/** w,
        61      deny /usr/lib/xulrunner-addons/** w,
        62      deny /usr/lib/xulrunner-*/components/*.tmp w,
        63      deny /.suspended r,
        64      deny /boot/initrd.img* r,
        65      deny /boot/vmlinuz* r,
        66      deny /var/cache/fontconfig/ w,
        67      deny @{HOME}/.local/share/recently-used.xbel r,
        68    
        69      # TODO: investigate
        70      deny /usr/bin/gconftool-2 x,
        71    
        72      # These are needed when a new user starts firefox and firefox.sh is used
        73      @{MOZ_LIBDIR}/** ixr,
        74      /usr/bin/basename ixr,
        75      /usr/bin/dirname ixr,
        76      /usr/bin/pwd ixr,
        77      /sbin/killall5 ixr,
        78      /bin/which ixr,
        79      /usr/bin/tr ixr,
        80      @{PROC}/ r,
        81      @{PROC}/[0-9]*/cmdline r,
        82      @{PROC}/[0-9]*/mountinfo r,
        83      @{PROC}/[0-9]*/stat r,
        84      owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
        85      @{PROC}/[0-9]*/status r,
        86      @{PROC}/filesystems r,
        87      owner @{HOME}/.thumbnails/*/*.png r,
        88    
        89      /etc/mtab r,
        90      /etc/fstab r,
        91    
        92      # Needed for the crash reporter
        93      owner @{PROC}/[0-9]*/environ r,
        94      owner @{PROC}/[0-9]*/auxv r,
        95      /etc/lsb-release r,
        96      /usr/bin/expr ix,
        97      /sys/devices/system/cpu/ r,
        98      /sys/devices/system/cpu/** r,
        99    
       100      # about:memory
       101      owner @{PROC}/[0-9]*/statm r,
       102      owner @{PROC}/[0-9]*/smaps r,
       103    
       104      # Needed for container to work in xul builds
       105      /usr/lib/xulrunner-*/plugin-container ixr,
       106    
       107      # allow access to documentation and other files the user may want to look
       108      # at in /usr and /opt
       109      /usr/ r,
       110      /usr/** r,
       111      /opt/ r,
       112      /opt/** r,
       113    
       114      # so browsing directories works
       115      / r,
       116      /**/ r,
       117    
       118      # Default profile allows downloads to ~/Downloads and uploads from ~/Public
       119      owner @{HOME}/ r,
       120      owner @{HOME}/Public/ r,
       121      owner @{HOME}/Public/* r,
       122      owner @{HOME}/Downloads/ r,
       123      owner @{HOME}/Downloads/* rw,
       124    
       125      # per-user firefox configuration
       126      owner @{HOME}/.{firefox,mozilla}/ rw,
       127      owner @{HOME}/.{firefox,mozilla}/** rw,
       128      owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
       129      owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
       130      owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
       131      owner @{HOME}/.config/ibus/bus/ w,
       132      owner @{HOME}/.gnome2/firefox*-bin-* rw,
       133    
       134      #
       135      # Extensions
       136      # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
       137      # Allow 'x' for downloaded extensions, but inherit policy for safety
       138      owner @{HOME}/.mozilla/**/extensions/** mixr,
       139    
       140      deny @{MOZ_LIBDIR}/update.test w,
       141      deny /usr/lib/mozilla/extensions/**/ w,
       142      deny /usr/lib/xulrunner-addons/extensions/**/ w,
       143      deny /usr/share/mozilla/extensions/**/ w,
       144      deny /usr/share/mozilla/ w,
       145    
       146      # Miscellaneous (to be abstracted)
       147      # Ideally these would use a child profile. They are all ELF executables
       148      # so running with 'Ux', while not ideal, is ok because we will at least
       149      # benefit from glibc's secure execute.
       150      /usr/bin/mkfifo Uxr,  # investigate
       151      /bin/ps Uxr,
       152      /bin/uname Uxr,
       153    
       154      # Site-specific additions and overrides. See local/README for details.
       155      #include <local/usr.bin.firefox>
       156    }
    This profile does not allow the Parole media player to play a .MOV file directly from Firefox. Instead it suggests that the file be first downloaded. But I noticed that the file is stored in /tmp regardless. So I thought that maybe commenting out lines 42 and 44 may solve the problem, but I'm a n00b and don't want to screw anything up. So I'm asking for suggestions on how I can modify this profile, or maybe even install a new firefox profile so that Parole is able to play directly from the browser.
    I think you need a QuickTime plugin (if any) for Firefox and Parole Media Player if the player can play via browser instead of changing the default Firefox Apparmor profile file.

    Samiux

  3. #3
    Join Date
    Apr 2009
    Beans
    235
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: Need help with AppArmor Firefox profile

    Quote Originally Posted by samiux View Post
    I think you need a QuickTime plugin (if any) for Firefox and Parole Media Player if the player can play via browser instead of changing the default Firefox Apparmor profile file.

    Samiux
    I forgot to mention in my original post that after I disabled the firefox profile it works just fine from the browser. This would indicate to me that no extra plugin is required.

  4. #4
    Join Date
    Aug 2006
    Location
    Somewhere in the hell
    Beans
    294
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Need help with AppArmor Firefox profile

    Quote Originally Posted by donsy View Post
    I forgot to mention in my original post that after I disabled the firefox profile it works just fine from the browser. This would indicate to me that no extra plugin is required.
    If it is related to /tmp, the line 42 should be looking like this :

    Code:
    owner /tmp/** rwk,
    Samiux

  5. #5
    Join Date
    Apr 2009
    Beans
    235
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: Need help with AppArmor Firefox profile

    Quote Originally Posted by samiux View Post
    If it is related to /tmp, the line 42 should be looking like this :

    Code:
    owner /tmp/** rwk,
    Samiux
    Thanks. It worked!

  6. #6
    Join Date
    Apr 2009
    Beans
    235
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: Need help with AppArmor Firefox profile

    Update:

    It really DIDN'T work. I failed to put usr.bin.firefox in enforce mode. But this apparently did work:
    Between lines 79 and 80 I added
    Code:
    /usr/bin/parole ixr,
    Would appreciate advice on if this presents a security vulnerability or not. Thanks.

  7. #7
    Join Date
    Aug 2006
    Location
    Somewhere in the hell
    Beans
    294
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Need help with AppArmor Firefox profile

    Quote Originally Posted by donsy View Post
    Update:

    It really DIDN'T work. I failed to put usr.bin.firefox in enforce mode. But this apparently did work:
    Between lines 79 and 80 I added
    Code:
    /usr/bin/parole ixr,
    Would appreciate advice on if this presents a security vulnerability or not. Thanks.
    No.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •