AppArmor and Firefox

Discussion in 'all things UNIX' started by vasa1, Nov 8, 2011.

Thread Status:
Not open for further replies.
  1. vasa1
    Offline

    vasa1 Registered Member

    AppArmor and Ubuntu

    I'm tempted to enable (enforce mode) the Firefox profile (supplied with Ubuntu 11.10).
    Code:
    sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
    But suppose I do not want it (in case it "breaks" something), how do I switch just the Firefox profile off? Do I put it into "complain" mode or is there a simple command to turn it off altogether, leaving the other profiles unaffected?
    Last edited: Nov 10, 2011
  2. Ocky
    Offline

    Ocky Registered Member

    vasa1, I have always done it like this:-
    (2 steps)

    sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox
    sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/usr.bin.firefox

    Then restart:-

    sudo /etc/init.d/apparmor reload

    Check:-

    sudo apparmor_status
  3. tlu
    Offline

    tlu Registered Member

    It's sufficient to put it in complain mode with

    sudo aa-complain /etc/apparmor.d/usr.bin.firefox

    Ocky's way disables the profile completely but I haven't found that necessary. You need complain mode anyhow if you want to debug your problems.
  4. vasa1
    Offline

    vasa1 Registered Member

    Thanks, Ocky & tlu!

    I'm going to play chicken on this and wait till Fx 8 is pushed out :oops:

    In the meantime, I'll do a little more reading.

    I would prefer to put it in complain mode to get a handle on what, if anything, goes wrong. But it's going to take a lot more than me to figure out how to fix things.

    Fortunately, my Firefox set-up is pretty simple without too many add-ons / plug-ins. So I don't anticipate many problems.
  5. tlu
    Offline

    tlu Registered Member

    vasa1,

    debugging AppArmor is explained here.

    It's not necessary to wait until FF 8 is out. However, you should NOT add your own rules to the profile in /etc/apparmor.d/usr.bin.firefox (as that one will be overwritten with the update) but rather to /etc/apparmor.d/local/usr.bin.firefox. This recommendation applies not only to Firefox. Note, though, the remarks in /etc/apparmor.d/local/README, particularly the last paragraph which says:

    Thus, if access is denied in /etc/apparmor.d/usr.bin.firefox, you can't allow it in /etc/apparmor.d/local/usr.bin.firefox. But so far this hasn't caused any problems for me.
  6. Ocky
    Offline

    Ocky Registered Member

    With the exception of Oracle's java you should not have any trouble leaving it enabled on 11.10.
    No problems here with these plugins & addons:-
    Code:
    Detected Browser Plugins with related MIME Types:
    
    Plugin(0):  QuickTime Plug-in 7.6.6
    
    Description: The Totem 3.0.1 plugin handles video and audio streams.
    Filename: libtotem-narrowspace-plugin.so
    
    MIME Type  	  Description  	  Suffixes
    video/quicktime	QuickTime video	mov
    video/mp4	MPEG-4 video	mp4
    image/x-macpaint	MacPaint Bitmap image	pntg
    image/x-quicktime	Macintosh Quickdraw/PICT drawing	pict, pict1, pict2
    video/x-m4v	MPEG-4 video	m4v
    
    
    Plugin(1):  VLC Multimedia Plugin (compatible Totem 3.0.1)
    
    Description: The Totem 3.0.1 plugin handles video and audio streams.
    Filename: libtotem-cone-plugin.so
    
    MIME Type  	  Description  	  Suffixes
    application/x-vlc-plugin	VLC Multimedia Plugin	
    application/vlc	VLC Multimedia Plugin	
    video/x-google-vlc-plugin	VLC Multimedia Plugin	
    application/x-ogg	Ogg multimedia file	ogg
    application/ogg	Ogg multimedia file	ogg
    audio/ogg	Ogg Audio	oga
    audio/x-ogg	Ogg Audio	ogg
    video/ogg	Ogg Video	ogv
    video/x-ogg	Ogg Video	ogg
    application/annodex	Annodex exchange format	anx
    audio/annodex	Annodex Audio	axa
    video/annodex	Annodex Video	axv
    video/mpeg	MPEG video	mpg, mpeg, mpe
    audio/wav	WAV audio	wav
    audio/x-wav	WAV audio	wav
    audio/mpeg	MP3 audio	mp3
    application/x-nsv-vp3-mp3	NullSoft video	nsv
    video/flv	Flash video	flv
    video/webm	WebM video	webm
    application/x-totem-plugin	Totem Multimedia plugin	
    audio/midi	MIDI audio	mid, midi
    
    
    Plugin(2):  DivX® Web Player
    
    Description: DivX Web Player version 1.4.0.233
    Filename: libtotem-mully-plugin.so
    
    MIME Type  	  Description  	  Suffixes
    video/divx	AVI video	divx
    
    
    Plugin(3):  Windows Media Player Plug-in 10 (compatible; Totem)
    
    Description: The Totem 3.0.1 plugin handles video and audio streams.
    Filename: libtotem-gmp-plugin.so
    
    MIME Type  	  Description  	  Suffixes
    application/x-mplayer2	AVI video	avi, wma, wmv
    video/x-ms-asf-plugin	ASF video	asf, wmv
    video/x-msvideo	AVI video	asf, wmv
    video/x-ms-asf	ASF video	asf
    video/x-ms-wmv	Windows Media video	wmv
    video/x-wmv	Windows Media video	wmv
    video/x-ms-wvx	Windows Media video	wmv
    video/x-ms-wm	Windows Media video	wmv
    video/x-ms-wmp	Windows Media video	wmv
    application/x-ms-wms	Windows Media video	wms
    application/x-ms-wmp	Windows Media video	wmp
    application/asx	Microsoft ASX playlist	asx
    audio/x-ms-wma	Windows Media audio	wma
    
    
    Plugin(4):  Skype Buttons for Kopete
    
    Description: Mime Type x-skype for Skype Buttons
    Filename: skypebuttons.so
    
    MIME Type  	  Description  	  Suffixes
    application/x-skype	Skype Buttons	
    
    
    Plugin(5):  Shockwave Flash
    
    Description: Shockwave Flash 11.0 r1
    Filename: libflashplayer.so
    
    MIME Type  	  Description  	  Suffixes
    application/x-shockwave-flash	Shockwave Flash	swf
    application/futuresplash	FutureSplash Player	spl
    
    Adblock Plus1.3.10
    BetterPrivacy1.67
    Last tab close button0.3.4
    NoScript2.1.8
    Speed Dial0.9.6.1
    Web2PDF converter
  7. vasa1
    Offline

    vasa1 Registered Member

    Thanks, Ocky and tlu. I took the jump!
    Code:
    aes@aes-Inspiron-1545:~$ sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
    [sudo] password for aes: 
    Setting /etc/apparmor.d/usr.bin.firefox to enforce mode.
    aes@aes-Inspiron-1545:~$ 
    
    and
    Code:
    aes@aes-Inspiron-1545:~$ sudo aa-status
    apparmor module is loaded.
    16 profiles are loaded.
    16 profiles are in enforce mode.
       /sbin/dhclient
       /usr/bin/evince
       /usr/bin/evince-previewer
       /usr/bin/evince-thumbnailer
       /usr/lib/NetworkManager/nm-dhcp-client.action
       /usr/lib/connman/scripts/dhclient-script
       /usr/lib/cups/backend/cups-pdf
       /usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}
       /usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}//browser_java
       /usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}//browser_openjdk
       /usr/lib/lightdm/lightdm-guest-session-wrapper
       /usr/lib/telepathy/mission-control-5
       /usr/lib/telepathy/telepathy-*
       /usr/sbin/cupsd
       /usr/sbin/tcpdump
       /usr/share/gdm/guest-session/Xsession
    0 profiles are in complain mode.
    2 processes have profiles defined.
    2 processes are in enforce mode.
       /usr/lib/telepathy/mission-control-5 (1661) 
       /usr/sbin/cupsd (1090) 
    0 processes are in complain mode.
    0 processes are unconfined but have a profile defined.
    aes@aes-Inspiron-1545:~$ 
    
  8. tlu
    Offline

    tlu Registered Member

    Looks good :thumb:

    Have you installed apparmor-notify? It will inform you if soemthing is blocked - useful.
  9. vasa1
    Offline

    vasa1 Registered Member

    I just see
    Code:
    apparmor					install
    apparmor-utils					install
    
    in my list of installed software.

    So I installed it right away. Thanks for the tip.

    All is well so far and there's no obvious hit to speed or CPU usage.

    Edit: even the couple of sites I visit that use Java to present stock charts are fine with the IcedTea stuff. Oracle's Java is not in my list of Fx plug-ins.
    Last edited: Nov 8, 2011
  10. vasa1
    Offline

    vasa1 Registered Member

    When I logged in after starting up my PC this morning, I did get a "notification" which startled me and it disappeared before I could recover and take a screenshot.

    It was about blocking/containing something. If I find the log, I'll post it here. This kern.log is ~1.7MB!

    In the meantime, one more popped up and I caught it.

    Attached Files:

    • hah.png
      hah.png
      File size:
      28.6 KB
      Views:
      883
  11. vasa1
    Offline

    vasa1 Registered Member

    I also installed auditd so that it's easier to find entries. It was suggested here:
    https://wiki.ubuntu.com/DebuggingApparmor
    I'm not sure I need to do anything since my browsing isn't affected. In any case, I'm going to just be in watch and learn more mode for a while.
  12. Ocky
    Offline

    Ocky Registered Member

    I admire your perseverance vasa1. I have never bothered with installing apparmor-notify to find out what was denied. Just trust it to do its job. For me there are also time constraints
    as regards really learning about apparmor, which is a pity, but the PC when switched on is needed 90% of the time for work in real time, like trading. :D
    One thing I like about my Scientific Linux is being able to run firefox, gftp etc. sandboxed with SELinux by issuing a simple command.
    According to Mrk. apparmor is definitely overkill for a home user behind a router, but as I have never had problems with the profiles enabled I just let them be. (I must still have one
    for Opera). I think NoScript will deal with most of our security concerns in firefox ?
  13. vasa1
    Offline

    vasa1 Registered Member

    I am not going to fall for that right away :D

    BTW, what about a simple guest session?
  14. Ocky
    Offline

    Ocky Registered Member

    vasa1, I have never logged in or switched to a guest
    session, but it is a good question. Knowing you, you have probably already
    come across this thread http://ubuntuforums.org/showthread.php?p=11378212
    which has some useful info and links.
    Question:- Why bother ? Or are you not the only master of your computer ? :p
  15. tlu
    Offline

    tlu Registered Member

    I had that message, too, and added this rule in /etc/apparmor.d/local/usr.bin.firefox:

    Code:
    /proc/*/statm r,
    Then execute sudo aa-enforce /etc/apparmor.d/usr.bin.firefox again, and all is well :D

    EDIT: BTW, the screenshot says that you'll find it in /var/log/kern.log
  16. vasa1
    Offline

    vasa1 Registered Member

    That forum is so vast!!!! But thanks, I will read that carefully.
    I'm the sole user but I miss Sandboxie! I was wondering if Guest Session would be a sort of "substitute" for Sandboxie or more sophisticated virtual approaches.

    So, just to be clear, it would be just me using the computer but adding one more "layer" of security. (I hope mrk doesn't read this :D )

    edit: that's a really useful link! As far as I could tell, it would be a significant enhancement. But now to see what the browser can see of my existing profile!!! If a guest session isn't allowed to see my profile, that would be a downer. But again, this is still a gedanken experiment.
    Last edited: Nov 9, 2011
  17. Ocky
    Offline

    Ocky Registered Member

    Now if really sandbox fixated, one can easily do this with selinux (sshots from SL6.1)...
    (To be honest I rarely bother) :argh:

    Firefox with profile and saving of downloads allowed (not recommended).

    FF with profile and dloads saving.png

    Firefox no user profile and no saving of downloads allowed.

    FF no profile and no dloads saving.png

    gftp saving of downloads allowed.

    gftp dloads saving allowed.png
  18. vasa1
    Offline

    vasa1 Registered Member

    tlu,
    • Why did you add that rule?
    • Was it just to get rid of that message?
    • From what I saw, Firefox appears to work just fine (at least on the surface) with this "statm" being denied.
    • How do I learn what "statm" is? (/proc/[pid]/statm: Provides information about memory usage, measured in pages o_O)
    • And does the rule mean that you are giving the process called statm permission to read something?
    After installing auditd, I don't have to look in /var/log/kern.log anymore. The messages are now in /var/log/audit/audit.log and look like this:
    Code:
    type=AVC msg=audit(1320823528.107:31): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/proc/4540/statm" pid=4540 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
    
  19. vasa1
    Offline

    vasa1 Registered Member

    Sandboxie kept me out of trouble when I was on the much-maligned WinXP. Not only that, it was a nice way to experiment with add-ons and other things while keeping the original out of trouble. (Looks like you weren't much of a Sandboxie fan?) And I'm going to leave SELinux well alone for the foreseeable future. Let me understand at least 1% of AppArmor first ;)
  20. Ocky
    Offline

    Ocky Registered Member

    Wrong, I was a Sandboxie (and Returnil) user. Good luck with apparmor - I am out of my depth there. :oops:
  21. tlu
    Offline

    tlu Registered Member



    • Your last statement is correct, IMHO. It's explained here. Why did I add this rule? Well, AFAIR FF 3.6 didn't neeed it, but FF 4.0 and later did - and there must be a reason for that. And since I don't see a security problem I allowed FF read access.

      No - it means that FF is allowed to read /proc/*/statm.

      I wasn't aware of that - thanks :thumb:
  22. tlu
    Offline

    tlu Registered Member

    Quite frankly I don't see the necessity - even AppArmor is actually overkill :D But anyway., you might want to try Arkose which is available from the universe repo. For details see here. I haven't tried it myself, though.
  23. vasa1
    Offline

    vasa1 Registered Member

    Okay!
    Just to be clear, my file will be this exactly:
    Code:
    # Site-specific additions and overrides for usr.bin.firefox.
    # For more details, please see /etc/apparmor.d/local/README.
    /proc/*/statm r,
    and I'll then run the commands you mentioned. Strangely, I haven't had that pop-up appear for a while!
  24. tlu
    Offline

    tlu Registered Member

    Yes, that's it!
  25. vasa1
    Offline

    vasa1 Registered Member

    I just took a look at the audit.log again. I'm pretty sure that the first time I looked it was 51 lines long and just now it was 57 lines long. And there are entries after line 51 corresponding to what the pop-up reported when it would appear.

    So it maybe that the pop-up is regulated in some way not to make a nuisance of itself if the content is essentially the same?

    I'll make the change tomorrow since it's a bit late local time!

    Thanks for all the help :thumb:
Thread Status:
Not open for further replies.