AppArmor and Firefox

AppArmor and Ubuntu

I'm tempted to enable (enforce mode) the Firefox profile (supplied with Ubuntu 11.10).

Code:

sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

But suppose I do not want it (in case it "breaks" something), how do I switch just the Firefox profile off? Do I put it into "complain" mode or is there a simple command to turn it off altogether, leaving the other profiles unaffected?

 

vasa1, I have always done it like this:-
(2 steps)

sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox
sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/usr.bin.firefox

Then restart:-

sudo /etc/init.d/apparmor reload

Check:-

sudo apparmor_status

 

It's sufficient to put it in complain mode with

sudo aa-complain /etc/apparmor.d/usr.bin.firefox

Ocky's way disables the profile completely but I haven't found that necessary. You need complain mode anyhow if you want to debug your problems.

 

Thanks, Ocky & tlu!

I'm going to play chicken on this and wait till Fx 8 is pushed out

In the meantime, I'll do a little more reading.

I would prefer to put it in complain mode to get a handle on what, if anything, goes wrong. But it's going to take a lot more than me to figure out how to fix things.

Fortunately, my Firefox set-up is pretty simple without too many add-ons / plug-ins. So I don't anticipate many problems.

 

vasa1,

debugging AppArmor is explained here.

It's not necessary to wait until FF 8 is out. However, you should NOT add your own rules to the profile in /etc/apparmor.d/usr.bin.firefox (as that one will be overwritten with the update) but rather to /etc/apparmor.d/local/usr.bin.firefox. This recommendation applies not only to Firefox. Note, though, the remarks in /etc/apparmor.d/local/README, particularly the last paragraph which says:

Thus, if access is denied in /etc/apparmor.d/usr.bin.firefox, you can't allow it in /etc/apparmor.d/local/usr.bin.firefox. But so far this hasn't caused any problems for me.

 

With the exception of Oracle's java you should not have any trouble leaving it enabled on 11.10.
No problems here with these plugins & addons:-

Code:

Detected Browser Plugins with related MIME Types:

Plugin(0):  QuickTime Plug-in 7.6.6

Description: The Totem 3.0.1 plugin handles video and audio streams.
Filename: libtotem-narrowspace-plugin.so

MIME Type  	  Description  	  Suffixes
video/quicktime	QuickTime video	mov
video/mp4	MPEG-4 video	mp4
image/x-macpaint	MacPaint Bitmap image	pntg
image/x-quicktime	Macintosh Quickdraw/PICT drawing	pict, pict1, pict2
video/x-m4v	MPEG-4 video	m4v


Plugin(1):  VLC Multimedia Plugin (compatible Totem 3.0.1)

Description: The Totem 3.0.1 plugin handles video and audio streams.
Filename: libtotem-cone-plugin.so

MIME Type  	  Description  	  Suffixes
application/x-vlc-plugin	VLC Multimedia Plugin	
application/vlc	VLC Multimedia Plugin	
video/x-google-vlc-plugin	VLC Multimedia Plugin	
application/x-ogg	Ogg multimedia file	ogg
application/ogg	Ogg multimedia file	ogg
audio/ogg	Ogg Audio	oga
audio/x-ogg	Ogg Audio	ogg
video/ogg	Ogg Video	ogv
video/x-ogg	Ogg Video	ogg
application/annodex	Annodex exchange format	anx
audio/annodex	Annodex Audio	axa
video/annodex	Annodex Video	axv
video/mpeg	MPEG video	mpg, mpeg, mpe
audio/wav	WAV audio	wav
audio/x-wav	WAV audio	wav
audio/mpeg	MP3 audio	mp3
application/x-nsv-vp3-mp3	NullSoft video	nsv
video/flv	Flash video	flv
video/webm	WebM video	webm
application/x-totem-plugin	Totem Multimedia plugin	
audio/midi	MIDI audio	mid, midi


Plugin(2):  DivX® Web Player

Description: DivX Web Player version 1.4.0.233
Filename: libtotem-mully-plugin.so

MIME Type  	  Description  	  Suffixes
video/divx	AVI video	divx


Plugin(3):  Windows Media Player Plug-in 10 (compatible; Totem)

Description: The Totem 3.0.1 plugin handles video and audio streams.
Filename: libtotem-gmp-plugin.so

MIME Type  	  Description  	  Suffixes
application/x-mplayer2	AVI video	avi, wma, wmv
video/x-ms-asf-plugin	ASF video	asf, wmv
video/x-msvideo	AVI video	asf, wmv
video/x-ms-asf	ASF video	asf
video/x-ms-wmv	Windows Media video	wmv
video/x-wmv	Windows Media video	wmv
video/x-ms-wvx	Windows Media video	wmv
video/x-ms-wm	Windows Media video	wmv
video/x-ms-wmp	Windows Media video	wmv
application/x-ms-wms	Windows Media video	wms
application/x-ms-wmp	Windows Media video	wmp
application/asx	Microsoft ASX playlist	asx
audio/x-ms-wma	Windows Media audio	wma


Plugin(4):  Skype Buttons for Kopete

Description: Mime Type x-skype for Skype Buttons
Filename: skypebuttons.so

MIME Type  	  Description  	  Suffixes
application/x-skype	Skype Buttons	


Plugin(5):  Shockwave Flash

Description: Shockwave Flash 11.0 r1
Filename: libflashplayer.so

MIME Type  	  Description  	  Suffixes
application/x-shockwave-flash	Shockwave Flash	swf
application/futuresplash	FutureSplash Player	spl

Adblock Plus1.3.10
BetterPrivacy1.67
Last tab close button0.3.4
NoScript2.1.8
Speed Dial0.9.6.1
Web2PDF converter

 

Thanks, Ocky and tlu. I took the jump!

Code:

aes@aes-Inspiron-1545:~$ sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
[sudo] password for aes: 
Setting /etc/apparmor.d/usr.bin.firefox to enforce mode.
aes@aes-Inspiron-1545:~$ 

and

Code:

aes@aes-Inspiron-1545:~$ sudo aa-status
apparmor module is loaded.
16 profiles are loaded.
16 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-thumbnailer
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}
   /usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}//browser_java
   /usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}//browser_openjdk
   /usr/lib/lightdm/lightdm-guest-session-wrapper
   /usr/lib/telepathy/mission-control-5
   /usr/lib/telepathy/telepathy-*
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
   /usr/share/gdm/guest-session/Xsession
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/lib/telepathy/mission-control-5 (1661) 
   /usr/sbin/cupsd (1090) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
aes@aes-Inspiron-1545:~$ 

 

Looks good

Have you installed apparmor-notify? It will inform you if soemthing is blocked - useful.

 

I just see

Code:

apparmor					install
apparmor-utils					install

in my list of installed software.

So I installed it right away. Thanks for the tip.

All is well so far and there's no obvious hit to speed or CPU usage.

Edit: even the couple of sites I visit that use Java to present stock charts are fine with the IcedTea stuff. Oracle's Java is not in my list of Fx plug-ins.

 

When I logged in after starting up my PC this morning, I did get a "notification" which startled me and it disappeared before I could recover and take a screenshot.

It was about blocking/containing something. If I find the log, I'll post it here. This kern.log is ~1.7MB!

In the meantime, one more popped up and I caught it.

 

I also installed auditd so that it's easier to find entries. It was suggested here:
https://wiki.ubuntu.com/DebuggingApparmor

I'm not sure I need to do anything since my browsing isn't affected. In any case, I'm going to just be in watch and learn more mode for a while.

 

I admire your perseverance vasa1. I have never bothered with installing apparmor-notify to find out what was denied. Just trust it to do its job. For me there are also time constraints
as regards really learning about apparmor, which is a pity, but the PC when switched on is needed 90% of the time for work in real time, like trading.
One thing I like about my Scientific Linux is being able to run firefox, gftp etc. sandboxed with SELinux by issuing a simple command.
According to Mrk. apparmor is definitely overkill for a home user behind a router, but as I have never had problems with the profiles enabled I just let them be. (I must still have one
for Opera). I think NoScript will deal with most of our security concerns in firefox ?

 

I am not going to fall for that right away

BTW, what about a simple guest session?

 

vasa1, I have never logged in or switched to a guest
session, but it is a good question. Knowing you, you have probably already
come across this thread http://ubuntuforums.org/showthread.php?p=11378212
which has some useful info and links.
Question:- Why bother ? Or are you not the only master of your computer ?

 

I had that message, too, and added this rule in /etc/apparmor.d/local/usr.bin.firefox:

Code:

/proc/*/statm r,

Then execute sudo aa-enforce /etc/apparmor.d/usr.bin.firefox again, and all is well

EDIT: BTW, the screenshot says that you'll find it in /var/log/kern.log

 

That forum is so vast!!!! But thanks, I will read that carefully.

I'm the sole user but I miss Sandboxie! I was wondering if Guest Session would be a sort of "substitute" for Sandboxie or more sophisticated virtual approaches.

So, just to be clear, it would be just me using the computer but adding one more "layer" of security. (I hope mrk doesn't read this )

edit: that's a really useful link! As far as I could tell, it would be a significant enhancement. But now to see what the browser can see of my existing profile!!! If a guest session isn't allowed to see my profile, that would be a downer. But again, this is still a gedanken experiment.

 

Now if really sandbox fixated, one can easily do this with selinux (sshots from SL6.1)...
(To be honest I rarely bother)

Firefox with profile and saving of downloads allowed (not recommended).



Firefox no user profile and no saving of downloads allowed.



gftp saving of downloads allowed.

 

tlu,

• Why did you add that rule?
• Was it just to get rid of that message?
• From what I saw, Firefox appears to work just fine (at least on the surface) with this "statm" being denied.
• How do I learn what "statm" is? (/proc/[pid]/statm: Provides information about memory usage, measured in pages )
• And does the rule mean that you are giving the process called statm permission to read something?

After installing auditd, I don't have to look in /var/log/kern.log anymore. The messages are now in /var/log/audit/audit.log and look like this:

Code:

type=AVC msg=audit(1320823528.107:31): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/proc/4540/statm" pid=4540 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

 

Sandboxie kept me out of trouble when I was on the much-maligned WinXP. Not only that, it was a nice way to experiment with add-ons and other things while keeping the original out of trouble. (Looks like you weren't much of a Sandboxie fan?) And I'm going to leave SELinux well alone for the foreseeable future. Let me understand at least 1% of AppArmor first

 

Wrong, I was a Sandboxie (and Returnil) user. Good luck with apparmor - I am out of my depth there.

 

• 
  
  Your last statement is correct, IMHO. It's explained here. Why did I add this rule? Well, AFAIR FF 3.6 didn't neeed it, but FF 4.0 and later did - and there must be a reason for that. And since I don't see a security problem I allowed FF read access.
  
  
  No - it means that FF is allowed to read /proc/*/statm.
  
  
  I wasn't aware of that - thanks

 

Quite frankly I don't see the necessity - even AppArmor is actually overkill But anyway., you might want to try Arkose which is available from the universe repo. For details see here. I haven't tried it myself, though.

 

Okay!
Just to be clear, my file will be this exactly:

Code:

# Site-specific additions and overrides for usr.bin.firefox.
# For more details, please see /etc/apparmor.d/local/README.
/proc/*/statm r,

and I'll then run the commands you mentioned. Strangely, I haven't had that pop-up appear for a while!

 

Yes, that's it!

 

I just took a look at the audit.log again. I'm pretty sure that the first time I looked it was 51 lines long and just now it was 57 lines long. And there are entries after line 51 corresponding to what the pop-up reported when it would appear.

So it maybe that the pop-up is regulated in some way not to make a nuisance of itself if the content is essentially the same?

I'll make the change tomorrow since it's a bit late local time!

Thanks for all the help