Page 2 of 2 FirstFirst 12
Results 11 to 17 of 17

Thread: Making the default Firefox apparmor profile of 14.04 more restrictive

  1. #11
    Join Date
    Dec 2007
    Beans
    12,521

    Re: Making the default Firefox apparmor profile of 14.04 more restrictive

    According to https://bugs.launchpad.net/ubuntu/+s...29/comments/15 it should appear in 14.04 eventually.

  2. #12
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu

    Re: Making the default Firefox apparmor profile of 14.04 more restrictive

Okay. Then he must have said 14.04. Actually I went to that channel thinking everybody must be making profiles all day there in the holy city of apparmor.

    But unfortunately the only one who answered was not using 14.04 so it was quite frustrating.
    Last edited by linuxyogi; September 8th, 2014 at 01:46 PM.
    Lubuntu 20.04

  3. #13
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    rudimentary profile

    Here's one that is more restrictive but has some rough edges. I'm not proficient with apparmor or firefox. The profile seems to work well enough to do downloads and I tested it with HTML5 videos on Youtube.

    Code:
    #include <tunables/global>
    
    /usr/lib/firefox/firefox {
      #include <abstractions/base>
      #include <abstractions/lightdm>
      #include <abstractions/nameservice>
      #include <abstractions/user-tmp>
    
      network inet stream,
      network inet6 stream,
    
      owner @{HOME}/.Xauthority r,
    
      owner @{HOME}/.cache/ rw,
      owner @{HOME}/.cache/mozilla/{,firefox/} rw,
      owner @{HOME}/.cache/mozilla/firefox/** rw,
      owner @{HOME}/.cache/mozilla/firefox/**/*.sqlite k,
    
      owner @{HOME}/.mozilla/ rw,
      owner @{HOME}/.mozilla/** rw,
      owner @{HOME}/.mozilla/**/*.{db,parentlock,sqlite}* k,
    
      owner @{HOME}/.local/share/unity-webapps/ rw,
      owner @{HOME}/.local/share/unity-webapps/* rw,
      owner @{HOME}/.local/share/unity-webapps/availableapps-v2.db rwk,
    
      owner @{HOME}/.config/dconf/user r,
      owner @{HOME}/.config/user-dirs.dirs r,
    
      owner @{HOME}/.dbus/ rw,
      owner @{HOME}/.dbus/session-bus/ rw,
      owner @{HOME}/.dbus/session-bus/* rwl,
    
      owner @{HOME}/.gconf/ r,
      owner @{HOME}/.config/gtk-3.0/ r,
      owner @{HOME}/.config/gtk-3.0/bookmarks r,
    
      owner @{HOME}/Downloads/ rw,
      owner @{HOME}/Downloads/** rw,
    
      @{PROC}/*/fd/ r,
      @{PROC}/*/mountinfo r,
      @{PROC}/[0-9]*/net/dev r,
      @{PROC}/[0-9]*/net/if_inet6 r,
      @{PROC}/[0-9]*/net/wireless r,
      @{PROC}/net/ipv6_route r,
      @{PROC}/net/route r,
      @{PROC}/sys/kernel/random/uuid r,
    
    }
    Unfortunately it still allows read access to much of the system. There's not much that can be done about that, I think. But most of the user directories, except for ~/Downloads, are blocked.

    It might be that two profiles are needed, one slightly looser for the initialization of Firefox and its add-ons. Then another more restrictive one with more read-only options for regular use. This one should work even when starting a fresh Firefox profile.

  4. #14
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu

    Re: Making the default Firefox apparmor profile of 14.04 more restrictive

    I did

    Code:
    cd /etc/apparmor.d
    Code:
    sudo aa-enforce usr.bin.firefox
    Code:
sudo /etc/init.d/apparmor reload
    Then tried browsing my home folder with FF, all files and folders are accessible.

    Code:
    $ sudo aa-status
    apparmor module is loaded.
    16 profiles are loaded.
    16 profiles are in enforce mode.
       /sbin/dhclient
       /usr/bin/evince
       /usr/bin/evince-previewer
       /usr/bin/evince-previewer//sanitized_helper
       /usr/bin/evince-thumbnailer
       /usr/bin/evince-thumbnailer//sanitized_helper
       /usr/bin/evince//sanitized_helper
       /usr/lib/NetworkManager/nm-dhcp-client.action
       /usr/lib/connman/scripts/dhclient-script
       /usr/lib/cups/backend/cups-pdf
       /usr/lib/firefox/firefox
       /usr/lib/lightdm/lightdm-guest-session
       /usr/lib/lightdm/lightdm-guest-session//chromium
       /usr/sbin/cupsd
       /usr/sbin/ntpd
       /usr/sbin/tcpdump
    0 profiles are in complain mode.
    4 processes have profiles defined.
    3 processes are in enforce mode.
       /sbin/dhclient (1023) 
       /usr/sbin/cupsd (907) 
       /usr/sbin/ntpd (1405) 
    0 processes are in complain mode.
    1 processes are unconfined but have a profile defined.
       /usr/lib/firefox/firefox (1427)

    Code:
    $ sudo aa-enforce usr.bin.firefox /usr/bin/firefox 
    Setting /etc/apparmor.d/usr.bin.firefox to enforce mode.
    Profile for /usr/lib/firefox/firefox.sh not found, skipping
    Lubuntu 20.04

  5. #15
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Making the default Firefox apparmor profile of 14.04 more restrictive

    I'm pretty sure you also have to quit and re-run Firefox after applying the changes to apparmor. That's what I have been doing to test the profile.

  6. #16
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu

    Re: Making the default Firefox apparmor profile of 14.04 more restrictive

    Quote Originally Posted by Lars Noodén View Post
    I'm pretty sure you also have to quit and re-run Firefox after applying the changes to apparmor. That's what I have been doing to test the profile.
    I did that earlier after enforcing the profile but for some reason it didn't work. This time I closed FF then disabled the profile then enforced it again, reloaded apparmor and now it works.

/boot is completely blocked. Only ~/Downloads has rw. That's awesome!

But how did you manage to create this profile, because aa-genprof is broken in 14.04?

Thanks a lot!
    Lubuntu 20.04

  7. #17
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Making the default Firefox apparmor profile of 14.04 more restrictive

    Yes, aa-genprof is broken.

    I started by stripping down the one I made for transmission, removing the pieces that were obviously transmission-specific, and then set apparmor to enforce.

    I had an extra window up with tail -f /var/log/syslog | grep -P 'DENIED.*name="[^"]*"' running in it, to collect and highlight the errors. Then in another window, I had a line in bash to remove the firefox profile directories, reload the apparmor profile and then launch firefox. Each time I ran the browser, I addressed the first new error that popped up in syslog. Repeat dozens of times.

If you look at the profile, there are still some other directories writable, but mostly it is strapped down. If you look at the errors in syslog, there are a few still, but they don't seem to affect the performance and would open more directories for writing. So I left them unaddressed.

    The big breakthrough was finding web pages that pointed to /usr/lib/firefox/firefox. Maybe that's not right but it gives the appearance of working.
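The syslog-driven loop described in the post above, as an added helper script that is not the poster's own: it turns the apparmor="DENIED" lines you would see in /var/log/syslog into candidate rules in the syntax used in post #13, rewriting the literal home directory to the @{HOME} tunable. The log lines in SAMPLE_LOG are constructed for the example, and folding the "c" (create) mask into "w" is an assumption about how you would want to write the rule; review every suggested line before adding it to the profile rather than pasting them in blindly.

```shell
#!/bin/sh
# Added example: suggest AppArmor profile rules from DENIED audit lines.
# Assumes the 14.04-era kernel audit format:
#   apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox"
#   name="/path" pid=... comm="firefox" requested_mask="r" denied_mask="r" ...
export LC_ALL=C   # deterministic sort order

# Constructed sample lines (not real log data), one per line.
SAMPLE_LOG='Sep  8 13:46:01 host kernel: [ 1234.567890] type=1400 audit(1410180361.123:45): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/home/user/.config/gtk-3.0/settings.ini" pid=1427 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep  8 13:46:02 host kernel: [ 1235.000000] type=1400 audit(1410180362.000:46): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/etc/fstab" pid=1427 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep  8 13:46:03 host kernel: [ 1236.000000] type=1400 audit(1410180363.000:47): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/home/user/.mozilla/firefox/abc/places.sqlite" pid=1427 comm="firefox" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Sep  8 13:46:04 host kernel: [ 1237.000000] type=1400 audit(1410180364.000:48): apparmor="STATUS" operation="profile_replace" name="/usr/lib/firefox/firefox" pid=1500 comm="apparmor_parser"'

# suggest_rule LINE: print one candidate rule for a DENIED line, or return 1.
suggest_rule() {
    line=$1
    case $line in *'apparmor="DENIED"'*) ;; *) return 1 ;; esac
    name=$(printf '%s\n' "$line" | sed -n 's/.* name="\([^"]*\)".*/\1/p')
    mask=$(printf '%s\n' "$line" | sed -n 's/.* requested_mask="\([^"]*\)".*/\1/p')
    [ -n "$name" ] && [ -n "$mask" ] || return 1
    # Audit logs report "c" for create; the profile syntax expresses that as "w".
    # Fold c->w, then drop duplicate permission letters.
    mask=$(printf '%s' "$mask" | tr c w | fold -w1 | sort -u | tr -d '\n')
    # Paths under a home directory become "owner @{HOME}/..." so the rule is
    # portable across users and only matches files the user actually owns.
    case $name in
        /home/*/*) path="owner @{HOME}/${name#/home/*/}" ;;
        *)         path=$name ;;
    esac
    printf '  %s %s,\n' "$path" "$mask"
}

# suggest_rules_from_text TEXT: run suggest_rule over every line, deduplicated.
# For live use: suggest_rules_from_text "$(grep 'apparmor="DENIED"' /var/log/syslog)"
suggest_rules_from_text() {
    printf '%s\n' "$1" | while IFS= read -r l; do
        suggest_rule "$l" || true
    done | sort -u
}
```

The output is a starting point only: a rule like `owner @{HOME}/.mozilla/firefox/abc/places.sqlite w,` should usually be generalised with globs (as post #13 does with `**` and `*.sqlite k`) instead of being added per file.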
