Need help || Apparmor Profiles
Hi,
I am using FF ver 5.0.1 from here
After reading http://ubuntuforums.org/showpost.php...00&postcount=4
I did
Code:
sudo aa-logprof /path to firefox
Allowed all when asked. But when I try to start FF in enforce mode I get
Code:
$ /home/tux/.firefox/firefox
/home/tux/.firefox/firefox: 60: basename: Permission denied
exec: 139: /home/tux/.firefox/run-mozilla.sh: Permission denied
This is the profile
Code:
# Last Modified: Sat Jul 30 02:16:27 2011
#include <tunables/global>
/home/tux/.firefox/firefox flags=(complain) {
#include <abstractions/apache2-common>
#include <abstractions/base>
deny owner "/home/tux/Desktop/Harsha Bhogle on the 1st Test Match between India and England, at Lord's - YouTube.flv" w,
/bin/dash ix,
owner /home/*/.firefox/firefox r,
owner /home/*/.mozilla/firefox/4w442atz.default/adblockplus/cache.js w,
owner /home/*/.mozilla/firefox/4w442atz.default/adblockplus/patterns.ini w,
owner /home/*/.mozilla/firefox/4w442atz.default/adblockplus/patterns.ini-temp rw,
owner /home/*/.mozilla/firefox/4w442atz.default/places.sqlite-shm k,
owner /home/*/.mozilla/firefox/4w442atz.default/prefs.js r,
/proc/meminfo r,
/usr/bin/dirname rix,
/usr/share/fonts/** r,
/usr/share/icons/Humanity/actions/16/document-save-as.svg r,
/usr/share/icons/Humanity/actions/16/go-home.svg r,
/usr/share/icons/Humanity/actions/16/go-next.svg r,
/usr/share/icons/Humanity/actions/16/go-previous.svg r,
}
What do I need to change?
Re: Need help || Apparmor Profiles
Firefox is a big application to write a profile for.
I see firefox is in complain mode. go ahead and use firefox for a bit, go to a few web sites, use flash, etc.
Then close firefox and run aa-logprof
Then put your profile into enforcing mode and try some more.
Alternately you can look at another firefox profile as a template.
See the apparmor sticky http://ubuntuforums.org/showthread.php?t=1008906
And also:
http://blog.bodhizazen.net/linux/app...ivoxy-profile/
http://bodhizazen.net/aa-profiles/bo...sr.bin.firefox
Re: Need help || Apparmor Profiles
@bodhi.zazen
Hi,
Code:
$ sudo aa-logprof
[sudo] password for tux:
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.
Profile: /home/tux/.firefox/firefox
Execute: /usr/bin/basename
Severity: unknown
(I)nherit / (P)rofile / (C)hild / (N)ame / (U)nconfined / (X)ix / (D)eny / Abo(r)t / (F)inish
^ This appears at the beginning of aa-logprof. Which option should I choose? I tried both (P)rofile & (I)nherit.
Re: Need help || Apparmor Profiles
@Bodhi.Zazen
I am atm using FF in complain mode. I am trying to read those links; this, I guess, is going to take some time.
In the mean time I have created a profile for Chromium browser & using it in enforce mode.
http://dl.dropbox.com/u/30630174/aa%20profile
Quote:
Rules for files include <<<
Code:
r = read w = write l = link k = lock a = append
This is the profile for Chromium
Code:
# Last Modified: Sat Jul 30 06:22:31 2011
#include <tunables/global>
/usr/bin/chromium-browser {
#include <abstractions/base>
/bin/dash ix,
/bin/readlink rix,
/etc/chromium-browser/default r,
/etc/lsb-release r,
/home/tux/ r,
/proc/meminfo r,
/usr/bin/chromium-browser r,
/usr/lib/chromium-browser/chromium-browser px,
}
Now r=read & the profile is in enforce mode, but I can still save files in /home/tux.
Is apparmor supposed to not let that happen?
Re: Need help || Apparmor Profiles
Quote:
Originally Posted by
linuxyogi
@Bodhi.Zazen
I am atm using FF in complain mode. I am trying to read those links; this, I guess, is going to take some time.
In the mean time I have created a profile for Chromium browser & using it in enforce mode.
http://dl.dropbox.com/u/30630174/aa%20profile
This is the profile for Chromium
Code:
# Last Modified: Sat Jul 30 06:22:31 2011
#include <tunables/global>
/usr/bin/chromium-browser {
#include <abstractions/base>
/bin/dash ix,
/bin/readlink rix,
/etc/chromium-browser/default r,
/etc/lsb-release r,
/home/tux/ r,
/proc/meminfo r,
/usr/bin/chromium-browser r,
/usr/lib/chromium-browser/chromium-browser px,
}
Now r=read & the profile is in enforce mode, but I can still save files in /home/tux.
Is apparmor supposed to not let that happen?
As I indicated in my first post, browsers are complex and not the best place to start. I highly suggest you start with an easier program (like privoxy).
Second, did you reload your apparmor profile for chromium ?
What is the output of
Re: Need help || Apparmor Profiles
Quote:
Originally Posted by
bodhi.zazen
As I indicated in my first post, browsers are complex and not the best place to start. I highly suggest you start with an easier program (like privoxy).
Second, did you reload your apparmor profile for chromium?
What is the output of
Yes, I did
Code:
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.chromium-browser
also tried
Code:
sudo /etc/init.d/apparmor reload
Code:
$ sudo aa-status
[sudo] password for tux:
apparmor module is loaded.
40 profiles are loaded.
11 profiles are in enforce mode.
/sbin/dhclient3
/usr/bin/chromium-browser
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-thumbnailer
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/sbin/cupsd
/usr/sbin/tcpdump
/usr/share/gdm/guest-session/Xsession
29 profiles are in complain mode.
/bin/ping
/home/tux/.firefox/firefox
/home/tux/.firefox/firefox//null-25
/home/tux/.firefox/firefox//null-25//null-26
/home/tux/.firefox/firefox//null-25//null-27
/home/tux/.firefox/firefox//null-25//null-28
/home/tux/.firefox/firefox//null-25//null-29
/sbin/klogd
/sbin/syslog-ng
/sbin/syslogd
/usr/bin/basename
/usr/bin/expr
/usr/lib/chromium-browser/chromium-browser
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/sbin/avahi-daemon
/usr/sbin/dnsmasq
/usr/sbin/dovecot
/usr/sbin/identd
/usr/sbin/mdnsd
/usr/sbin/nmbd
/usr/sbin/nscd
/usr/sbin/smbd
/usr/sbin/traceroute
5 processes have profiles defined.
2 processes are in enforce mode :
/sbin/dhclient3 (1753)
/usr/sbin/cupsd (1097)
3 processes are in complain mode.
/home/tux/.firefox/firefox//null-25//null-29 (1720)
/usr/sbin/avahi-daemon (814)
/usr/sbin/avahi-daemon (812)
0 processes are unconfined but have a profile defined.
Re: Need help || Apparmor Profiles
I do not see chromium on the list, although I see the chromium profile listed as being in enforce mode.
At any rate, for what it is worth, here is the profile I used for chromium in Ubuntu 10.04
http://bodhizazen.net/aa-profiles/bo...romium-browser
Re: Need help || Apparmor Profiles
Quote:
Originally Posted by
bodhi.zazen
I do not see chromium on the list, although I see the chromium profile listed as being in enforce mode.
What do you think went wrong? I actually tried aa-enforce multiple times but got the same thing.
Quote:
Originally Posted by
bodhi.zazen
Thanks. I will try that once this problem is solved.
Re: Need help || Apparmor Profiles
I think the profile needs to be pointed at the lib and not the binary.
usr.lib.chromium-browser.chromium-browser
But my recollection is chromium was tricky as it uses a sandbox.
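As an added example (not code from the thread, nor part of AppArmor's own tools), here is a small Python checker that parses a profile like the Chromium one above together with an aa-status listing and reports, for every px rule, which mode the target's own profile really runs in. The sample profile and aa-status text are constructed, abbreviated copies of what was posted in the thread; the regexes cover the rule syntax shown on this page (deny/owner prefixes, quoted paths, mode letters), not every AppArmor construct.

```python
import re
# Constructed sample: the Chromium wrapper profile posted in the thread, trimmed to its rules.
CHROMIUM_PROFILE = """\
/usr/bin/chromium-browser {
  /bin/dash ix,
  /home/tux/ r,
  /usr/bin/chromium-browser r,
  /usr/lib/chromium-browser/chromium-browser px,
}
"""
# Constructed sample: aa-status output cut down to the sections that matter here.
AA_STATUS = """\
1 profiles are in enforce mode.
   /usr/bin/chromium-browser
1 profiles are in complain mode.
   /usr/lib/chromium-browser/chromium-browser
2 processes have profiles defined.
"""
HEADER_RE = re.compile(r'^\s*(\S+)\s*(?:flags=\([^)]*\))?\s*\{')
# [deny] [owner] <path or "quoted path"> <mode letters>,   e.g.   /bin/dash ix,
RULE_RE = re.compile(r'^\s*(?:(deny)\s+)?(?:owner\s+)?("[^"]+"|\S+)\s+([rwlkamxipcuRWLKAMXIPCU]+),\s*$')

def parse_profile(text):
    """Return (profile name, [(path, mode letters)]) for the first profile block in text."""
    name, rules = None, []
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)) and name is None:
            name = m.group(1)
        elif (m := RULE_RE.match(line)) and not m.group(1):  # deny rules grant nothing
            rules.append((m.group(2).strip('"'), m.group(3)))
    return name, rules

def parse_aa_status(text):
    """Map each loaded profile name to 'enforce' or 'complain' from aa-status output."""
    modes, current = {}, None
    for line in text.splitlines():
        if m := re.search(r'profiles are in (enforce|complain) mode', line):
            current = m.group(1)
        elif 'processes' in line:           # per-process section: stop collecting names
            current = None
        elif current and line.strip().startswith('/'):
            modes[line.strip()] = current
    return modes

def audit_exec_transitions(profile_text, status_text):
    """For every px/Px rule, report the mode the target's own profile really runs in."""
    name, rules = parse_profile(profile_text)
    modes = parse_aa_status(status_text)
    findings = [(path, modes.get(path, 'no profile loaded'))
                for path, mode in rules if 'p' in mode.lower()]
    return name, modes.get(name), findings
def writable_paths(profile_text):
    """Paths on which this profile itself grants w or a; empty for the wrapper profile."""
    return [p for p, m in parse_profile(profile_text)[1] if set(m) & set('wa')]
```

Run against the thread's data it answers the "r=read but I can still save" question: the enforce-mode wrapper grants no write anywhere, but its px rule hands the real binary over to the /usr/lib/chromium-browser/chromium-browser profile, and that one is in complain mode, so the saving process is only being logged, not confined.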
Re: Need help || Apparmor Profiles
Finally, FF starts only when one of the two profiles is in enforce mode, namely "home.tux..firefox.firefox", but FF fails to start when "home.tux..firefox.run-mozilla.sh" is in enforce mode.
Code:
apparmor module is loaded.
110 profiles are loaded.
13 profiles are in enforce mode.
/home/tux/.firefox/firefox
/home/tux/.firefox/run-mozilla.sh
/sbin/dhclient3
/usr/bin/chromium-browser
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-thumbnailer
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/sbin/cupsd
/usr/sbin/tcpdump
/usr/share/gdm/guest-session/Xsession
97 profiles are in complain mode.
/bin/ping
/home/tux/.firefox/run-mozilla.sh//null-64
/home/tux/.firefox/run-mozilla.sh//null-65
/home/tux/.firefox/run-mozilla.sh//null-66
/home/tux/.firefox/run-mozilla.sh//null-66//null-67
/home/tux/.firefox/run-mozilla.sh//null-66//null-68
/home/tux/.firefox/run-mozilla.sh//null-66//null-69
/home/tux/.firefox/run-mozilla.sh//null-66//null-6a
/home/tux/.firefox/run-mozilla.sh//null-66//null-6b
/home/tux/.firefox/run-mozilla.sh//null-66//null-6c
/home/tux/.firefox/run-mozilla.sh//null-66//null-6d
/home/tux/.firefox/run-mozilla.sh//null-66//null-6e
/home/tux/.firefox/run-mozilla.sh//null-66//null-6f
/home/tux/.firefox/run-mozilla.sh//null-66//null-70
/home/tux/.firefox/run-mozilla.sh//null-66//null-71
/home/tux/.firefox/run-mozilla.sh//null-66//null-72
/home/tux/.firefox/run-mozilla.sh//null-66//null-73
/home/tux/.firefox/run-mozilla.sh//null-66//null-74
/home/tux/.firefox/run-mozilla.sh//null-66//null-75
/home/tux/.firefox/run-mozilla.sh//null-66//null-76
/home/tux/.firefox/run-mozilla.sh//null-66//null-77
/home/tux/.firefox/run-mozilla.sh//null-66//null-78
/home/tux/.firefox/run-mozilla.sh//null-66//null-79
/home/tux/.firefox/run-mozilla.sh//null-66//null-7a
/home/tux/.firefox/run-mozilla.sh//null-66//null-7b
/home/tux/.firefox/run-mozilla.sh//null-66//null-7c
/home/tux/.firefox/run-mozilla.sh//null-66//null-7d
/home/tux/.firefox/run-mozilla.sh//null-66//null-7e
/home/tux/.firefox/run-mozilla.sh//null-66//null-7f
/home/tux/.firefox/run-mozilla.sh//null-66//null-80
/home/tux/.firefox/run-mozilla.sh//null-66//null-81
/home/tux/.firefox/run-mozilla.sh//null-66//null-82
/home/tux/.firefox/run-mozilla.sh//null-66//null-83
/home/tux/.firefox/run-mozilla.sh//null-66//null-84
/home/tux/.firefox/run-mozilla.sh//null-66//null-85
/home/tux/.firefox/run-mozilla.sh//null-66//null-86
/home/tux/.firefox/run-mozilla.sh//null-66//null-87
/home/tux/.firefox/run-mozilla.sh//null-66//null-88
/home/tux/.firefox/run-mozilla.sh//null-66//null-89
/home/tux/.firefox/run-mozilla.sh//null-66//null-8a
/home/tux/.firefox/run-mozilla.sh//null-66//null-8b
/home/tux/.firefox/run-mozilla.sh//null-66//null-8c
/home/tux/.firefox/run-mozilla.sh//null-66//null-8d
/home/tux/.firefox/run-mozilla.sh//null-66//null-8e
/home/tux/.firefox/run-mozilla.sh//null-66//null-8f
/home/tux/.firefox/run-mozilla.sh//null-66//null-90
/home/tux/.firefox/run-mozilla.sh//null-66//null-91
/home/tux/.firefox/run-mozilla.sh//null-66//null-92
/home/tux/.firefox/run-mozilla.sh//null-66//null-93
/home/tux/.firefox/run-mozilla.sh//null-66//null-94
/home/tux/.firefox/run-mozilla.sh//null-66//null-95
/home/tux/.firefox/run-mozilla.sh//null-66//null-96
/home/tux/.firefox/run-mozilla.sh//null-66//null-97
/home/tux/.firefox/run-mozilla.sh//null-66//null-98
/home/tux/.firefox/run-mozilla.sh//null-66//null-99
/sbin/klogd
/sbin/syslog-ng
/sbin/syslogd
/usr/bin/basename
/usr/bin/expr
/usr/lib/chromium-browser/chromium-browser
/usr/lib/chromium-browser/chromium-browser//null-9a
/usr/lib/chromium-browser/chromium-browser//null-9b
/usr/lib/chromium-browser/chromium-browser//null-9b//null-9c
/usr/lib/chromium-browser/chromium-browser//null-9b//null-9d
/usr/lib/chromium-browser/chromium-browser//null-9b//null-9e
/usr/lib/chromium-browser/chromium-browser//null-9b//null-9f
/usr/lib/chromium-browser/chromium-browser//null-9b//null-a0
/usr/lib/chromium-browser/chromium-browser//null-9b//null-a1
/usr/lib/chromium-browser/chromium-browser//null-9b//null-a2
/usr/lib/chromium-browser/chromium-browser//null-a3
/usr/lib/chromium-browser/chromium-browser//null-a3//null-a4
/usr/lib/chromium-browser/chromium-browser//null-a3//null-a4//null-a5
/usr/lib/chromium-browser/chromium-browser//null-a3//null-a4//null-a6
/usr/lib/chromium-browser/chromium-browser//null-a3//null-a4//null-a7
/usr/lib/chromium-browser/chromium-browser//null-a3//null-a4//null-a8
/usr/lib/chromium-browser/chromium-browser//null-a3//null-a4//null-a9
/usr/lib/chromium-browser/chromium-browser//null-a3//null-a4//null-aa
/usr/lib/chromium-browser/chromium-browser//null-a3//null-a4//null-ab
/usr/lib/chromium-browser/chromium-browser//null-a3//null-a4//null-ac
/usr/lib/chromium-browser/chromium-browser//null-a3//null-a4//null-ac//null-ad
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/sbin/avahi-daemon
/usr/sbin/dnsmasq
/usr/sbin/dovecot
/usr/sbin/identd
/usr/sbin/mdnsd
/usr/sbin/nmbd
/usr/sbin/nscd
/usr/sbin/smbd
/usr/sbin/traceroute
8 processes have profiles defined.
2 processes are in enforce mode :
/sbin/dhclient3 (887)
/usr/sbin/cupsd (1117)
6 processes are in complain mode.
/usr/lib/chromium-browser/chromium-browser (3811)
/usr/lib/chromium-browser/chromium-browser (3809)
/usr/lib/chromium-browser/chromium-browser//null-9a (3813)
/usr/lib/chromium-browser/chromium-browser//null-9a (3862)
/usr/sbin/avahi-daemon (902)
/usr/sbin/avahi-daemon (903)
0 processes are unconfined but have a profile defined.
Code:
# Last Modified: Sat Jul 30 23:05:58 2011
#include <tunables/global>
/home/tux/.firefox/firefox {
#include <abstractions/apache2-common>
#include <abstractions/base>
deny owner "/home/tux/Desktop/Harsha Bhogle on the 1st Test Match between India and England, at Lord's - YouTube.flv" w,
/bin/dash ix,
/etc/mailcap r,
/etc/mime.types r,
owner /home/*/.firefox/chrome/icons/default/default16.png r,
owner /home/*/.firefox/chrome/icons/default/default32.png r,
owner /home/*/.firefox/chrome/icons/default/default48.png r,
owner /home/*/.firefox/firefox r,
owner /home/*/.firefox/run-mozilla.sh r,
/home/*/.firefox/run-mozilla.sh px,
owner /home/*/.mozilla/firefox/4w442atz.default/NoScriptSTS.db w,
owner /home/*/.mozilla/firefox/4w442atz.default/NoScriptSTS.db.tmp rw,
owner /home/*/.mozilla/firefox/4w442atz.default/adblockplus/cache.js w,
owner /home/*/.mozilla/firefox/4w442atz.default/adblockplus/patterns.ini w,
owner /home/*/.mozilla/firefox/4w442atz.default/adblockplus/patterns.ini-temp rw,
owner /home/*/.mozilla/firefox/4w442atz.default/bookmarkbackups/ r,
owner /home/*/.mozilla/firefox/4w442atz.default/content-prefs.sqlite rwk,
owner /home/*/.mozilla/firefox/4w442atz.default/cookies.sqlite wk,
owner /home/*/.mozilla/firefox/4w442atz.default/downloads.sqlite rwk,
owner /home/*/.mozilla/firefox/4w442atz.default/dta_queue.sqlite wk,
owner /home/*/.mozilla/firefox/4w442atz.default/extensions/netvideohunter@netvideohunter.com/chrome/content/mediaList.xul r,
owner /home/*/.mozilla/firefox/4w442atz.default/localstore-1.rdf rw,
owner /home/*/.mozilla/firefox/4w442atz.default/localstore.rdf w,
owner /home/*/.mozilla/firefox/4w442atz.default/permissions.sqlite wk,
owner /home/*/.mozilla/firefox/4w442atz.default/places.sqlite wk,
owner /home/*/.mozilla/firefox/4w442atz.default/places.sqlite-shm wk,
owner /home/*/.mozilla/firefox/4w442atz.default/prefs-1.js rw,
owner /home/*/.mozilla/firefox/4w442atz.default/prefs.js rw,
owner /home/*/.mozilla/firefox/4w442atz.default/sessionstore-1.js w,
owner /home/*/.mozilla/firefox/4w442atz.default/signons.sqlite rwk,
owner /home/*/.mozilla/firefox/4w442atz.default/urlclassifierkey3.txt rw,
owner /home/*/.mozilla/firefox/4w442atz.default/webappsstore.sqlite wk,
owner /home/*/.recently-used.xbel r,
/proc/meminfo r,
owner /tmp/plugtmp/plugin-crossdomain.xml w,
/usr/bin/basename px,
/usr/bin/dirname rix,
/usr/bin/expr px,
/usr/share/fonts/** r,
/usr/share/icons/DMZ-White/cursors/hand r,
/usr/share/icons/Humanity/actions/16/document-open.svg r,
/usr/share/icons/Humanity/actions/16/document-print-preview.svg r,
/usr/share/icons/Humanity/actions/16/document-print.svg r,
/usr/share/icons/Humanity/actions/16/document-properties.svg r,
/usr/share/icons/Humanity/actions/16/document-save-as.svg r,
/usr/share/icons/Humanity/actions/16/edit-copy.svg r,
/usr/share/icons/Humanity/actions/16/edit-cut.svg r,
/usr/share/icons/Humanity/actions/16/edit-delete.svg r,
/usr/share/icons/Humanity/actions/16/edit-paste.svg r,
/usr/share/icons/Humanity/actions/16/go-home.svg r,
/usr/share/icons/Humanity/actions/16/go-next.svg r,
/usr/share/icons/Humanity/actions/16/go-previous.svg r,
/usr/share/icons/Humanity/actions/16/media-playback-pause.svg r,
/usr/share/icons/Humanity/actions/16/media-playback-start.svg r,
/usr/share/icons/Humanity/actions/16/process-stop.svg r,
/usr/share/icons/Humanity/actions/16/system-shutdown.svg r,
/usr/share/icons/Humanity/actions/16/view-refresh.svg r,
/usr/share/icons/Humanity/actions/22/edit-undo.svg r,
/usr/share/icons/Humanity/actions/24/go-next.svg r,
/usr/share/icons/Humanity/actions/24/go-previous.svg r,
/usr/share/icons/Humanity/places/16/folder.svg r,
}
Code:
# Last Modified: Sat Jul 30 23:05:59 2011
#include <tunables/global>
/home/tux/.firefox/run-mozilla.sh flags=(complain) {
#include <abstractions/apache2-common>
#include <abstractions/base>
/bin/dash ix,
owner /home/*/.firefox/run-mozilla.sh r,
owner /home/*/.mozilla/firefox/4w442atz.default/adblockplus/patterns.ini-temp rw,
owner /home/*/.mozilla/firefox/4w442atz.default/prefs.js r,
owner /home/*/.mozilla/firefox/4w442atz.default/signons.sqlite k,
/usr/bin/basename rix,
}
Code:
$ /home/tux/.firefox/firefox
/home/tux/.firefox/run-mozilla.sh: 39: dirname: Permission denied
/home/tux/.firefox/run-mozilla.sh: 312: uname: Permission denied
[: 312: !=: unexpected operator
exec: 392: /home/tux/.firefox/firefox-bin: Permission denied