Thread: Struggling with Apparmor and Firefox

  1. #1
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    4,274
    Distro
    Ubuntu 14.04 Trusty Tahr

    Question Struggling with Apparmor and Firefox

    I am attempting to enable Apparmor for Firefox, but being very new to Apparmor, I have got myself stuck.

    I am running Ubuntu 12.04 64-bit fully updated, and default Firefox from the repositories.

    Here is what I did:

    1. Installed apparmor-profiles.
    2. sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

    At this point, sudo apparmor status reported Firefox in enforce mode.

    However, I hit a small snag. I attempt to open a file that is being downloaded (see screen-shot). But, it no longer opens the file; it downloads but does not open. I presumed that it was because my temporary folder is not /tmp but ~/.tmp. So, I edited the Firefox profile (/etc/apparmor.d/usr.bin.firefox) and added the following two lines:
    Code:
      owner @{HOME}/.tmp/** m,
      @{HOME}/.tmp/.X[0-9]*-lock r,
    Alas, it still didn't work. So, I wanted to disable the profile, to check whether or not my problem was coincidence. I thought that setting the profile to complain mode would do the trick:
    Code:
    sudo aa-complain /etc/apparmor.d/usr.bin.firefox
    Alas again, now I have the profile in both complain and enforce mode!

    Please help me:

    • How do I disable the profile?
    • How do I get the open function working again with the profile enforced?
    Full Circle Magazine :: Cheap Linux stickers :: Problems with WINE?
    In my day, we had outdoors in which to run, play, and socialise. Now we have computers to do those.

  2. #2
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Struggling with Apparmor and Firefox

    Take a quick look at the commands here:

    http://ubuntuforums.org/showthread.php?t=1008906

    restart both apparmor and firefox after making profile changes.

    If you still have a problem, post the errors from the logs.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  3. #3
    Join Date
    Dec 2007
    Beans
    9,025
    Distro
    Lubuntu 16.04 Xenial Xerus

    Re: Struggling with Apparmor and Firefox

    Quote Originally Posted by bodhi.zazen View Post
    Take a quick look at the commands here:

    http://ubuntuforums.org/showthread.php?t=1008906

    restart both apparmor and firefox after making profile changes.

    If you still have a problem, post the errors from the logs.
    Hi bodhi.zazen, great to see you here
    Shortened urls: See point #11 here. And clicking on them could be risky.
    Use ubuntu-support-status with caution.

  4. #4
    Join Date
    Aug 2006
    Location
    Somewhere in the hell
    Beans
    294
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Struggling with Apparmor and Firefox

    Quote Originally Posted by Paddy Landau View Post
    I am attempting to enable Apparmor for Firefox, but being very new to Apparmor, I have got myself stuck.

    I am running Ubuntu 12.04 64-bit fully updated, and default Firefox from the repositories.

    Here is what I did:

    1. Installed apparmor-profiles.
    2. sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

    At this point, sudo apparmor status reported Firefox in enforce mode.

    However, I hit a small snag. I attempt to open a file that is being downloaded (see screen-shot). But, it no longer opens the file; it downloads but does not open. I presumed that it was because my temporary folder is not /tmp but ~/.tmp. So, I edited the Firefox profile (/etc/apparmor.d/usr.bin.firefox) and added the following two lines:
    Code:
      owner @{HOME}/.tmp/** m,
      @{HOME}/.tmp/.X[0-9]*-lock r,
    Alas, it still didn't work. So, I wanted to disable the profile, to check whether or not my problem was coincidence. I thought that setting the profile to complain mode would do the trick:
    Code:
    sudo aa-complain /etc/apparmor.d/usr.bin.firefox
    Alas again, now I have the profile in both complain and enforce mode!

    Please help me:

    • How do I disable the profile?
    • How do I get the open function working again with the profile enforced?
    You need to replace the following two lines:

    Code:
      owner /tmp/** m,
      /tmp/.X[0-9]*-lock r,
    with:

    Code:
      owner @{HOME}/.tmp/** m,
      @{HOME}/.tmp/.X[0-9]*-lock r,
    instead of adding them.

    In addition, please make sure that /tmp/ is completely replaced by ~/.tmp/.
    (Hint: /etc/fstab)

    The user manual of Apparmor is here.

    Ah, forgot to tell you that you need to install the following in order to use the Apparmor commands:

    Code:
    sudo apt-get install apparmor-utils
    By the way, in terms of security, please do not use Adobe Reader 9 as it has known vulnerabilities.

    Samiux
    Last edited by samiux; January 17th, 2013 at 07:44 PM. Reason: fix typo, add apparmor-utils command

  5. #5
    Join Date
    Dec 2007
    Beans
    9,025
    Distro
    Lubuntu 16.04 Xenial Xerus

    Re: Struggling with Apparmor and Firefox

    Quote Originally Posted by Paddy Landau View Post
    ..., now I have the profile in both complain and enforce mode!
    ...
    Did you change from enforce to complain (or the other way) while Firefox was open?

    And, instead of editing profiles by hand, why don't you use "sudo aa-logprof"?

  6. #6
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    4,274
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Struggling with Apparmor and Firefox

    Thank you for all of your replies. I appreciate them.

    First, I'll answer you individually…

    Quote Originally Posted by bodhi.zazen View Post
    Take a quick look at the commands here:
    http://ubuntuforums.org/showthread.php?t=1008906
    I did, initially, but it seemed to be dated because I got stuck on one point quite early (I forget which point, sorry).

    Quote Originally Posted by samiux View Post
    You need to replace the following two lines:
    Code:
      owner /tmp/** m,
      /tmp/.X[0-9]*-lock r,
    with:
    Code:
      owner @{HOME}/.tmp/** m,
      @{HOME}/.tmp/.X[0-9]*-lock r,
    instead of adding them.
    In addition, please make sure that /tmp/ is completely replaced by ~/.tmp/.
    (Hint: /etc/fstab)
    I have a problem with this approach. This would not work for other users on this system. Is there no way to specify both /tmp and ~/.tmp? Or, even better, to specify ~/.tmp only if the user has such a folder, otherwise /tmp?

    I use ~/.tmp because my home folder is encrypted, so it creates extra security. However, not all users do this. I have set my temporary files to ~/.tmp by adding the following lines to /etc/profile:
    Code:
    if [ -d "${HOME}"/.tmp ]
    then
            export TMP="${HOME}"/.tmp
            export TEMP="${HOME}"/.tmp
            export TMPDIR="${HOME}"/.tmp
    fi
    I have temporarily done as you ask in usr.bin.firefox (but not in /etc/fstab, though) to see what works.

    Quote Originally Posted by samiux View Post
    The user manual of Apparmor is here.
    Thank you; that has been most helpful.

    Quote Originally Posted by samiux View Post
    By the way, in terms of security, please do not use Adobe Reader 9 as it has known vulnerabilities.
    Oh… but version 10 is not available to Linux. I really do prefer Adobe to Evince for several reasons, especially when printing. Any suggestions?

    Quote Originally Posted by vasa1 View Post
    Did you change from enforce to complain (or the other way) while Firefox was open?
    I think that must have been my problem. That problem has gone away today.

    Quote Originally Posted by vasa1 View Post
    And, instead of editing profiles by hand, why don't you use "sudo aa-logprof"?
    Hmm, I did not know about it! Thanks for pointing it out. However, I have been reading the manual and trying to run it, but I am utterly lost! I do not understand how to use it.

    Now, I'll give what has happened…

    Experiment 1

    I made the change to usr.bin.firefox as Samiux suggested; reloaded the profile; restarted Firefox.

    Unfortunately, I still have the problem.

    I disabled the profile and restarted Firefox; and it works correctly again.

    So…

    Experiment 2

    I reverted my ~/.tmp back to the normal /tmp (both /etc/profile and usr.bin.profile, and logged out and in again), with the Apparmor profile disabled. Firefox works as expected.

    I re-enabled the profile; and, sadly, again the download does not open Adobe. (I have also checked this with a Libre Office document, and the same problem happens.)

    So, ~/.tmp was a red herring. For now, I'll leave /tmp as is.

    What next?

  7. #7
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    4,274
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Struggling with Apparmor and Firefox

    Silly me — I forgot to look at the logs.

    Here are the lines posted in /var/log/kern.log when I attempt to open the PDF document from the download dialogue.
    Code:
    Jan 18 11:33:54 Daisy kernel: [  163.325601] type=1400 audit(1358508834.268:58): apparmor="DENIED" operation="exec" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper" name="/opt/Adobe/Reader9/Reader/intellinux/bin/acroread" pid=5768 comm="acroread" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
    Also, I noticed a line that shows when I first open Firefox:
    Code:
    Jan 18 11:33:08 Daisy kernel: [  117.893057] type=1400 audit(1358508788.835:57): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/apt/sources.list" pid=4465 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Surely that should not happen?

    EDIT 1:

    It gets worse! The profile is even preventing me from uploading screen-shots into Ubuntu Forums!
    Code:
    Jan 18 12:38:10 Daisy kernel: [ 4019.503753] type=1400 audit(1358512690.443:62): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name=2F7075626C69632F43686F6F73696E67206170706C69636174696F6E2E706E67 pid=4465 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=65534
    For now, I have disabled the Firefox profile, so that I can continue to do what I need to do.

    Perhaps I need to completely disable and remove Apparmor and all of its settings, then reinstall? If so, how do I go about it?

    EDIT 2:

    I have enabled this profile on another 12.04 system (which does not use ~/.tmp). It has the same problem with the downloads! [very sad face]
    Last edited by Paddy Landau; January 18th, 2013 at 02:53 PM. Reason: Previous comments corrupted from an unrelated problem
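
The kern.log lines in this post (including the hex-encoded name in the third one) are exactly the input that aa-logprof reads. As an added example that is not part of this thread and not code from the AppArmor project, here is a small Python parser that pulls the key=value fields out of such type=1400 audit lines, decodes a hex-encoded name (AppArmor hex-encodes a path when it contains a space or other unusual bytes; the one above decodes to a .png path under /public/), and lists the DENIED events per profile so one can see what the profile is blocking before deciding whether a rule is needed. The sample log is built from the three lines posted above plus one constructed STATUS line for a profile reload; the function names and the "candidate rule" output are this example's own, not the tool's.

```python
"""Parse AppArmor DENIED audit lines from kern.log and decode hex-encoded names."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the three DENIED lines from the thread plus one constructed STATUS line.
SAMPLE_LOG = """\
Jan 18 11:33:54 Daisy kernel: [  163.325601] type=1400 audit(1358508834.268:58): apparmor="DENIED" operation="exec" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper" name="/opt/Adobe/Reader9/Reader/intellinux/bin/acroread" pid=5768 comm="acroread" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jan 18 11:33:08 Daisy kernel: [  117.893057] type=1400 audit(1358508788.835:57): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/apt/sources.list" pid=4465 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 18 12:38:10 Daisy kernel: [ 4019.503753] type=1400 audit(1358512690.443:62): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name=2F7075626C69632F43686F6F73696E67206170706C69636174696F6E2E706E67 pid=4465 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=65534
Jan 18 12:40:00 Daisy kernel: [ 4129.000000] type=1400 audit(1358512800.000:63): apparmor="STATUS" operation="profile_replace" name="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=6001 comm="apparmor_parser"
"""

# key=value pairs: the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')


@dataclass
class AppArmorEvent:
    status: str          # DENIED, ALLOWED, STATUS, ...
    operation: str       # open, exec, ...
    profile: str         # confining profile, possibly with a //child suffix
    name: str            # decoded path (empty if absent)
    comm: str            # process name
    pid: int
    denied_mask: str     # e.g. "r", "w", "x"
    ouid: Optional[int]  # owner uid of the object, if present


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def decode_name(raw: str) -> str:
    """Quoted names are taken as-is; an unquoted hex string is decoded to its path."""
    if raw.startswith('"'):
        return _unquote(raw)
    if HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_line(line: str) -> Optional[AppArmorEvent]:
    """Return an event for any line carrying an apparmor= field, else None."""
    if "apparmor=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    return AppArmorEvent(
        status=_unquote(fields.get("apparmor", "")),
        operation=_unquote(fields.get("operation", "")),
        profile=_unquote(fields.get("profile", "")),
        name=decode_name(fields.get("name", "")),
        comm=_unquote(fields.get("comm", "")),
        pid=int(fields.get("pid", "0")),
        denied_mask=_unquote(fields.get("denied_mask", "")),
        ouid=int(fields["ouid"]) if "ouid" in fields else None,
    )


def denials(log_text: str) -> list[AppArmorEvent]:
    """Only DENIED events; STATUS lines (profile load/replace) are dropped."""
    events = (parse_line(l) for l in log_text.splitlines())
    return [e for e in events if e is not None and e.status == "DENIED"]


def candidate_rule(event: AppArmorEvent) -> Optional[str]:
    """A file rule a reviewer could consider for a non-exec denial.

    Exec denials are returned as None: an exec rule needs an admin-chosen
    qualifier (ix/Px/Ux), which this script deliberately does not guess.
    """
    if event.operation == "exec" or "x" in event.denied_mask or not event.name:
        return None
    return f'"{event.name}" {event.denied_mask},'


def summarize(log_text: str) -> dict[str, list[str]]:
    """Map each profile to the operations it denied, in log order."""
    report: dict[str, list[str]] = {}
    for e in denials(log_text):
        report.setdefault(e.profile, []).append(f"{e.operation} {e.name} ({e.denied_mask})")
    return report


if __name__ == "__main__":
    for profile, items in summarize(SAMPLE_LOG).items():
        print(profile)
        for item in items:
            print("   ", item)
```

Run against a real file with `sudo grep 'apparmor="DENIED"' /var/log/kern.log` piped into `summarize`; the decoded third line shows the upload failure was a read of a file whose path contains a space, not anything specific to ~/.tmp.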

  8. #8
    Join Date
    Aug 2006
    Location
    Somewhere in the hell
    Beans
    294
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Struggling with Apparmor and Firefox

    Quote Originally Posted by Paddy Landau View Post
    Silly me — I forgot to look at the logs.

    Here are the lines posted in /var/log/kern.log when I attempt to open the PDF document from the download dialogue.
    Code:
    Jan 18 11:33:54 Daisy kernel: [  163.325601] type=1400 audit(1358508834.268:58): apparmor="DENIED" operation="exec" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper" name="/opt/Adobe/Reader9/Reader/intellinux/bin/acroread" pid=5768 comm="acroread" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
    Also, I noticed a line that shows when I first open Firefox:
    Code:
    Jan 18 11:33:08 Daisy kernel: [  117.893057] type=1400 audit(1358508788.835:57): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/apt/sources.list" pid=4465 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Surely that should not happen?

    EDIT 1:

    It gets worse! The profile is even preventing me from uploading screen-shots into Ubuntu Forums!
    Code:
    Jan 18 12:38:10 Daisy kernel: [ 4019.503753] type=1400 audit(1358512690.443:62): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name=2F7075626C69632F43686F6F73696E67206170706C69636174696F6E2E706E67 pid=4465 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=65534
    For now, I have disabled the Firefox profile, so that I can continue to do what I need to do.

    Perhaps I need to completely disable and remove Apparmor and all of its settings, then reinstall? If so, how do I go about it?

    EDIT 2:

    I have enabled this profile on another 12.04 system (which does not use ~/.tmp). It has the same problem with the downloads! [very sad face]
    I would like to know if you are using the default Firefox apparmor rules from Ubuntu or not?

    If you are using default Firefox apparmor rules, it should not have any problem.

    Samiux

  9. #9
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    4,274
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Struggling with Apparmor and Firefox

    Quote Originally Posted by vasa1 View Post
    The early part of man aa-logprof is relatively easy to understand.
    Well, the manual says that aa-logprof is an interactive command. But when I start it, aa-logprof gives a couple of messages, thinks for a few seconds, and ends. So, I really don't know what to do with the application.

    Quote Originally Posted by vasa1 View Post
    By the way, you may want to look at some links I referred to here.
    Thanks. It makes interesting reading, but still does not solve my problem.

    I feel like such a dummy with Apparmor — I really am not understanding it!

    Quote Originally Posted by samiux View Post
    I would like to know if you are using the default Firefox apparmor rules from Ubuntu or not?
    Yes, I simply installed apparmor-profiles and enabled usr.bin.firefox in enforce mode (confirmed with sudo apparmor_status). I made no changes to the profile (I have undone the changes that I originally made with /tmp).

    What I really need to do is fix the Firefox profile such that:

    1. I can open a file instead of just downloading it. If this step cannot be easily done, OK, I could live without it, because I can still download.
    2. Allow me to upload files, which I cannot do with the profile.

    In your quote, vasa1, it says, "It is a distribution choice to not break [the browser] with too-aggressive security protections." Unfortunately, especially regarding uploads, it has broken it!

    EDIT: For whatever reason, uploads have started to work again today.
    Last edited by Paddy Landau; January 19th, 2013 at 11:37 AM. Reason: Fixed unclear grammar

  10. #10
    Join Date
    Dec 2007
    Beans
    9,025
    Distro
    Lubuntu 16.04 Xenial Xerus

    Re: Struggling with Apparmor and Firefox

    Quote Originally Posted by Paddy Landau View Post
    ...

    Hmm, I did not know about it! Thanks for pointing it out. However, I have been reading the manual and trying to run it, but I am utterly lost! I do not understand how to use it.
    ...
    The early part of man aa-logprof is relatively easy to understand. Do take a look at it. Once you get the hang of it, I think you won't need to look at the logs anymore. aa-logprof will do that for you.

    Overall, your usage seems quite complex! Mine is simple with no encryption and just the one user. All the best.

    By the way, you may want to look at some links I referred to here.