
Thread: Share your AppArmor Profiles

  1. #11
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Share your AppArmor Profiles

    Quote Originally Posted by teddks View Post
    Doesn't work with rix. I suppose I could write a profile for gnome-open, but pidgin's profile is just not good enough. I would need to give pidgin permissions for xdg-open, /etc/orbitrc, and dash, among other things.

    As for the link: It seems that making a hard link to a symbolic link just causes it to resolve the symbolic link. Would making a script that called firefox with profile arguments work?
    Not a script with AppArmor profile arguments ...

    You can write a script that calls firefox (with irx) and restrict firefox.

    And yes, go ahead and call gnome-open with irx, and any other binary it needs (like xdg-open, /etc/orbitrc, and dash). They will all be called, but restricted.

    IMO this is better than Ux, which will call the same xdg-open, /etc/orbitrc, and dash (via gnome-open), but in the case of Ux they will run unrestricted, essentially "breaking out" of your AppArmor profile.

    With AppArmor, calling these things is not a problem so long as you use irx and they are what you consider "normal functioning" of firefox.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta


  2. #12
    Join Date
    Oct 2008
    Location
    Washington, D.C., USA
    Beans
    118

    Re: Share your AppArmor Profiles

    Quote Originally Posted by bodhi.zazen View Post
    Not a script with AppArmor profile arguments ...

    You can write a script that calls firefox (with irx) and restrict firefox.

    And yes, go ahead and call gnome-open with irx, and any other binary it needs (like xdg-open, /etc/orbitrc, and dash). They will all be called, but restricted.

    IMO this is better than Ux, which will call the same xdg-open, /etc/orbitrc, and dash (via gnome-open), but in the case of Ux they will run unrestricted, essentially "breaking out" of your AppArmor profile.

    With AppArmor, calling these things is not a problem so long as you use irx and they are what you consider "normal functioning" of firefox.
    You're confusing two questions. I have two firefox profiles I use for different purposes. I want different apparmor profiles on them. I was asking if I made a script that called /usr/bin/firefox and provided it with the arguments to access one of those two profiles, would it work. I suppose it would, as firefox would just inherit the other script's profile. Would that override a profile for Firefox, is the question...

    As to the other thread of discussion, I don't think ix is better than Ux here, because I have to give Pidgin rights to whatever I want gnome-open to do. gnome-open will eventually call firefox on my system, and if it inherits everything down to that, then I'll be running firefox with Pidgin's limitations. That doesn't seem like a smart policy -- I actually _want_ gnome-open to break out of my Pidgin profile, because it doesn't belong there. I should write a profile for gnome-open, though.

    On a side note, does anyone have a profile for Evolution or Totem?

  3. #13
    Join Date
    Aug 2007
    Location
    Kottawa, Sri Lanka
    Beans
    7,387
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Share your AppArmor Profiles

    Quote Originally Posted by teddks View Post
    You're confusing two questions. I have two firefox profiles I use for different purposes. I want different apparmor profiles on them. I was asking if I made a script that called /usr/bin/firefox and provided it with the arguments to access one of those two profiles, would it work. I suppose it would, as firefox would just inherit the other script's profile. Would that override a profile for Firefox, is the question...

    As to the other thread of discussion, I don't think ix is better than Ux here, because I have to give Pidgin rights to whatever I want gnome-open to do. gnome-open will eventually call firefox on my system, and if it inherits everything down to that, then I'll be running firefox with Pidgin's limitations. That doesn't seem like a smart policy -- I actually _want_ gnome-open to break out of my Pidgin profile, because it doesn't belong there. I should write a profile for gnome-open, though.

    On a side note, does anyone have a profile for Evolution or Totem?
    Firefox doesn't choose the profile it runs with; no application can do that. The profiles are enforced by AppArmor and only AppArmor. If you want to change the profile used when Firefox is to be run, then you need to address the script to remove one profile and add another through AppArmor, which requires root privileges.

    For gnome-open, yes, writing a separate profile for it would be better.

    About Evolution or Totem, I'll see if I can rustle up profiles for them when I have time.

    A note about AppArmor: it enforces profiles using paths, so if you linked a path to the firefox executable, then the profile that was made for the old path will most likely apply, since the real path is still the same.
    Last edited by PmDematagoda; December 30th, 2008 at 08:05 AM.
    Think carefully before executing commands containing "rm", especially "sudo rm -rf ", if you require more information concerning this matter, read this.
    I am an experimenter, give me the most stable OS and I can make it unstable in a few hours.

    C == seriously fast == FTW!

  4. #14
    Join Date
    Oct 2008
    Location
    Washington, D.C., USA
    Beans
    118

    Re: Share your AppArmor Profiles

    Quote Originally Posted by PmDematagoda View Post
    Firefox doesn't choose the profile it runs with; no application can do that. The profiles are enforced by AppArmor and only AppArmor. If you want to change the profile used when Firefox is to be run, then you need to address the script to remove one profile and add another through AppArmor, which requires root privileges.

    For gnome-open, yes, writing a separate profile for it would be better.

    About Evolution or Totem, I'll see if I can rustle up profiles for them when I have time.

    A note about AppArmor: it enforces profiles using paths, so if you linked a path to the firefox executable, then the profile that was made for the old path will most likely apply, since the real path is still the same.
    Firefox profile, not Apparmor profile.

  5. #15
    Join Date
    Sep 2008
    Location
    Ohio
    Beans
    582

    Re: Share your AppArmor Profiles

    I'm not using AppArmor yet, but I was looking into it. I wanted to know if anyone had a Transmission profile that they were willing to share. Maybe if I had AppArmor running with a profile I might start using Transmission.

  6. #16
    Join Date
    Aug 2007
    Location
    Kottawa, Sri Lanka
    Beans
    7,387
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Share your AppArmor Profiles

    Quote Originally Posted by teddks View Post
    Firefox profile, not Apparmor profile.
    Uhm, I think I just lost you.

    Could you please explain your situation again?

  7. #17
    Join Date
    Oct 2008
    Location
    Washington, D.C., USA
    Beans
    118

    Re: Share your AppArmor Profiles

    Quote Originally Posted by PmDematagoda View Post
    Uhm, I think I just lost you.

    Could you please explain your situation again?
    Firefox supports profiles. I have one for normal browsing and one for anonymous browsing. I would like to have one AppArmor profile per Firefox profile, as the two different Firefox profiles have different security needs.

  8. #18

    Re: Share your AppArmor Profiles

    Hello.
    What do they do with /etc/passwd?
    What is the difference between r:: and ::r in the log?

  9. #19
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!

    Re: Share your AppArmor Profiles

    /etc/passwd is often read to get the username associated with a user ID. When you run ls -l in the Terminal, for example, the owner and group of the file are stored as numbers, like 1000. The ls program will go to /etc/passwd and basically ask "what is the username for user ID 1000".

    r:: means that read permissions for user were requested, while ::r means that read permissions for "other" (not user or group) were requested. If you saw :r: instead, it would mean that read permissions for group were requested.
    Joel Goguen

  10. #20
    Join Date
    Feb 2005
    Location
    ${HOME}
    Beans
    Hidden!

    Re: Share your AppArmor Profiles

    Quote Originally Posted by teddks View Post
    Firefox supports profiles. I have one for normal browsing and one for anonymous browsing. I would like to have one AppArmor profile per Firefox profile, as the two different Firefox profiles have different security needs.
    Firefox accepts the -P option, which specifies a name of a profile to use. If given, Firefox will load that profile.
    Code:
    firefox -P <profile name>
    Joel Goguen
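
A simplified model of the exec transitions debated in posts #11 to #13 (ix, Ux, or a separate gnome-open profile reached with Px) and of the one-AppArmor-profile-per-Firefox-profile idea from posts #17 and #20, as an added example that is not part of any poster's reply or of AppArmor itself. The policy text is constructed, rules match exact paths only, and /usr/local/bin/firefox-anon is a hypothetical wrapper that would run firefox -P <profile name>.

```python
import re
UNCONFINED = "unconfined"
# Constructed policy, exact paths only; /usr/local/bin/firefox-anon is a hypothetical wrapper.
TEMPLATE = """
/usr/bin/pidgin {
  /usr/bin/gnome-open %(open)s,
  /usr/bin/firefox rix,
}
/usr/bin/gnome-open {
  /usr/bin/firefox Px,
}
/usr/bin/firefox {
}
/usr/local/bin/firefox-anon {
  /usr/bin/firefox %(wrap)s,
}
"""

def parse_policy(text):
    """Return {profile path: {exec target: 'ix' | 'px' | 'ux'}}."""
    profiles, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"(/\S+)\s*\{", line):
            current = profiles.setdefault(m.group(1), {})
        elif current is not None and (m := re.fullmatch(r"(/\S+)\s+\w*?([iPpUu]x)\w*,", line)):
            current[m.group(1)] = m.group(2).lower()
    return profiles

def confinement(profiles, chain):
    """Walk a chain of exec() calls; return [(path, profile confining it)]."""
    label, out = UNCONFINED, []
    for path in chain:
        if label == UNCONFINED:
            # Unconfined caller: the profile attached to this path applies, if one is loaded.
            label = path if path in profiles else UNCONFINED
        else:
            mode = profiles[label].get(path)
            if mode is None or (mode == "px" and path not in profiles):
                return out + [(path, "DENIED")]  # no exec rule, or no profile to switch to
            # ix keeps the caller's profile, px switches to the target's, ux drops confinement.
            label = {"ix": label, "px": path, "ux": UNCONFINED}[mode]
        out.append((path, label))
    return out

def scenario(open_mode, wrap_mode, chain):
    return confinement(parse_policy(TEMPLATE % {"open": open_mode, "wrap": wrap_mode}), chain)

if __name__ == "__main__":
    for mode in ("ix", "Ux", "Px"):  # Pidgin's rule for gnome-open
        print(mode, scenario(mode, "ix", ["/usr/bin/pidgin", "/usr/bin/gnome-open", "/usr/bin/firefox"]))
```

In this model an ix rule in the wrapper's profile keeps Firefox under the wrapper's profile even though /usr/bin/firefox has a profile of its own, while Px hands it over to the Firefox profile. A real wrapper script's profile would also need rules for its interpreter and for reading the script itself, which the model leaves out.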
