Removed Firefox ESR for now. Installed Firefox 121.0 (64bit).

Was looking at /usr/share/apparmor/extra-profiles/usr.lib.firefox.firefox

NOTE: /extra-profiles/README - The profiles in this directory are not turned on by default because they are not as mature as the profiles in /etc/apparmor.d/. In some cases, it is because the profile hasn't been updated to work with newer code; in other cases, it is because any benefit provided by the profile is much less than the potential for causing problems. In short, feel free to try these profiles if you wish, but be aware that they may not work on default configurations, let alone your specific configuration.

Don't see any Firefox profiles in /etc/apparmor.d. I'm assuming this is correct and there shouldn't be any FF profiles here. There is, however, /etc/apparmor.d/local/usr.bin.firefox:
Code:
# Site-specific additions and overrides for usr.bin.firefox.
# For more details, please see /etc/apparmor.d/local/README.
Is this correct? Sorry for all the questions, I'm still learning apparmor.

NOTE: After installing Firefox (not esr version) as you mentioned in previous post I do have /usr/lib/firefox and firefox-addons folders but no Firefox in /usr/share/, yet I see a LibreWolf folder here. // LibreWolf also installed.
Well this has taken an unexpected turn, sigh. I was all geared up and ready for firefox-esr

I would take a good look at the tutorial links summerheat provided back in post #24 and see if you can get a reasonable comfort level with aa-logprof profiling and creating rules on the fly. If you do gain some comfort level with profiling, then you could try the profile usr.lib.firefox.firefox under the extra-profiles directory.

Copy and paste it into your Documents folder, open terminal:
cd Documents
sudo mv usr.lib.firefox.firefox /etc/apparmor.d/
sudo aa-enforce /etc/apparmor.d/usr.lib.firefox.firefox

Launch firefox - assuming it does launch - then:
sudo aa-status
and check for enforced profile and firefox processes.

If firefox does not launch or it launches in a "broken" state, then...
sudo aa-complain /etc/apparmor.d/usr.lib.firefox.firefox
sudo service apparmor reload

Launch firefox again, and exercise as much functionality as you normally would when browsing.
sudo aa-logprof
and create the rules.

That's okay.

That should be okay.
@wat0114 I can install FF-esr, but I would like to know if I do sudo apt-get install firefox-esr will that show up in my Mint menu and also show as "installed" in Synaptic Package Manager and/or the Software Manager? When I installed FF-esr before (firefox-115.4.0esr.tar.bz2) it was extracted to my /home/ folder, but there was no FF-esr in the Mint menu & it was absent in the Package Manager and Software Manager as being "installed". Probably because FF ESR is not listed to begin with in both those managers. Firefox reg version is listed in the repositories in Linux Mint so it's listed in SPM & SM. Actually IIRC Firefox is pre-installed in Linux Mint. It makes it so much easier if one chooses to UNINSTALL an app if one can use Synaptic Package Manager to mark for complete removal. NOTE: There also is an AppImage available for Firefox-esr, but don't know how that would work with using Apparmor.
That's okay, don't feel obligated to install FF-esr, even though I did gripe a bit earlier, as the only change in this process is the profile for FF will look a bit different. Otherwise all the steps are the same.

As for a package not showing up in a distro's package manager, that isn't a problem, as long as one of the repositories it has will install a package via
sudo apt-get install <name of package>

Complete removal can easily be done with:
sudo apt-get remove <name of package>
sudo apt-get autoremove
sudo apt-get autoclean

So with Firefox now installed can you please try:
which firefox

Also please post a screenshot of Firefox running processes when it is launched, similar to the attached below when I use htop:
Did the following and started Firefox. It launched, but I was immediately bombarded with Apparmor notifications all at one time, something like 11 or more covering the screen. After that individual popups started appearing. When I went to websites I'm again seeing multiple Apparmor popup notifications on the screen. When I closed Firefox again multiple Apparmor popup messages appeared on screen. Yes I can turn off notifications, but I would like to see Apparmor in action and the reason for the popup notifications.

179 DENIED in /var/log/kern.log // here is one example
Code:
apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]}" pid=11824 comm="apparmor_parser"

One Apparmor popup notification reads: // symbols may not be exact, but you should get the gist of the message.
Code:
Apparmor Message
Profile:/usr/lib/firefox{-[0-9]*}/firefox{*[^s][^h]}
Operation:open
Name:/sys/devices/system/cpu/present
Denied:r
Logfile:/var/log/kern.log
For more information, please see: https://wiki.ubuntu.com/DebuggingApparmor

Also after doing sudo aa-status I see under profiles in enforce mode
Code:
/usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]}

Under processes in enforce mode I see 7 processes listed for Firefox. They all look pretty much the same. Here is one example:
Code:
/usr/lib/firefox/firefox-bin (11827) /usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]}

I stopped at step 5 and didn't do any more Terminal commands. How do I reverse these actions for now without having to go back to a system restore? Can I just remove/delete usr.lib.firefox.firefox from /etc/apparmor.d/ to stop all the popup notifications and everything will be back to the way it was before?
@wat0114, regarding post #54 There is no 'Which' listed in Software Manager repositories for Mint. There is however 'Whichman' listed in the repositories. Whichman uses a fault tolerant approximate matching algorithm to search for man-pages that match approximately the specified name. htop? Edit Okay looked up htop. Interactive process viewer that allows one to scroll the list vertically & horizontally to see all processes & their full command lines. Review: Small problem for machines with many cores, the cpu usage bars become unreadable. If I do go back to Firefox-esr, then Firefox will be uninstalled. Decided I don't really want or need 2 versions of FF on Mint.
@Compu KTed you could try:
whereis firefox
or
type firefox

How about also, open whatever file explorer you use for Mint, search from the root directory "firefox" (no quotes), right-click the binary and shell script, Properties, what are their paths? Please see attached screenshot below:
Terminal command: whereis firefox
Result: firefox: /usr/bin/firefox /usr/lib/firefox

Terminal command: firefox
Result:
[GFX1-]: glxtest: ManageChildProcess failed
[GFX1-]: No GPUs detected via PCI

Running that command also resulted in a ton of Apparmor popups on my screen and in the Terminal. Example in Terminal:
Code:
(firefox:3158): dconf-CRITICAL **: 13:52:08.694: unable to create file '/run/user/1000/dconf/user': Permission denied. dconf will not work properly.
[Parent 3158, Main Thread] WARNING: unable to create file '/run/user/1000/dconf/user': Permission denied. dconf will not work properly.: 'glib warning', file /builds/worker/checkouts/gecko/toolkit/xre/nsSigHandlers.cpp:187
Just saw this post. So you do have an existing firefox profile. The name of it is bizarre. Where did you get it from? Can you try cat /etc/apparmor.d/usr.lib.firefo* and post the contents enclosed in code tags like you did earlier. Easier is to sudo aa-complain usr.lib.fire*
This is probably /usr/share/apparmor/extra-profiles/firefox

Or sudo aa-disable ...

Yes, but you can also disable notifications and repeatedly start sudo aa-logprof. As I wrote somewhere earlier, applications often request permissions that they don't really need. This can lead to a lot of disturbing notifications. I really suggest that you make yourself comfortable with aa-logprof.
Location: /usr/share/apparmor/extra-profiles/usr.lib.firefox.firefox

Terminal command: cat /etc/apparmor.d/usr.lib.firefo*
cat: '/etc/apparmor.d/usr.lib.firefo*': No such file or directory

Terminal command: which firefox
/usr/bin/firefox
That is correct. There is also listed in extra-profiles folder usr.lib.firefox.firefox.sh usr.lib.firefox.mozilla-xremote-client Like to keep notifications on instead of searching log files, but as you said lot of disturbing notifications. Maybe I need to just go back to my old standby Firejail and yes I know about firejail with Apparmor. That may be to much for me to handle though.
But aa-logprof is not about searching log files. Yes, it uses audit.log but presents rules for the various requests which you can interactively accept, ignore, explicitly deny or modify. And the advantage is that you only have to execute it if something doesn’t work as expected.
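The DENIED records Compu KTed saw in kern.log and the rule-proposal step described in the post above, as an added example that is not from this thread and not the AppArmor utilities' own code: a small Python script (the AppArmor tools themselves are written in Python) that parses AppArmor audit lines, counts the distinct denied requests behind a flood of notifications, and derives candidate rules in the form aa-logprof would offer them. The log lines are constructed in the format the kernel emits; the profile name is the one quoted in the thread, while the denied paths, PIDs and the capability are made up for illustration. A suggested rule is a starting point for the profile author, not an automatic allow, since applications often request access they do not actually need.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of kern.log lines in the layout AppArmor emits through
# the audit subsystem. Only the profile name is taken from the thread.
SAMPLE_KERN_LOG = """\
Dec 29 13:52:08 mint kernel: [ 1201.001] audit: type=1400 audit(1703857928.100:301): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]}" pid=11824 comm="apparmor_parser"
Dec 29 13:52:09 mint kernel: [ 1201.002] audit: type=1400 audit(1703857929.100:302): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]}" name="/sys/devices/system/cpu/present" pid=11827 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 29 13:52:09 mint kernel: [ 1201.003] audit: type=1400 audit(1703857929.200:303): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]}" name="/sys/devices/system/cpu/present" pid=11830 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 29 13:52:10 mint kernel: [ 1201.004] audit: type=1400 audit(1703857930.100:304): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]}" name="/run/user/1000/dconf/user" pid=11827 comm="firefox-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Dec 29 13:52:10 mint kernel: [ 1201.005] audit: type=1400 audit(1703857930.200:305): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]}" name="/run/user/1000/dconf/user" pid=11827 comm="firefox-bin" requested_mask="wrc" denied_mask="wc" fsuid=1000 ouid=1000
Dec 29 13:52:11 mint kernel: [ 1201.006] audit: type=1400 audit(1703857931.100:306): apparmor="DENIED" operation="capable" profile="/usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]}" pid=11827 comm="firefox-bin" capability=21 capname="sys_admin"
"""

# key="quoted value" or key=bareword; profile names contain braces and
# brackets but always sit inside quotes, so the quoted branch covers them.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# The log masks 'c' (create) and 'd' (delete) have no counterpart in rule
# syntax; both need write access, so they fold into 'w'.
MASK_FOLD = {"c": "w", "d": "w"}
# Order in which permission letters are written into a suggested file rule.
PERM_ORDER = "mrwalk"


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line, or None when
    the line is not an AppArmor message at all."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields if "apparmor" in fields else None


def collect_denials(log_text):
    """Every DENIED record; STATUS (profile loads) and ALLOWED lines are skipped."""
    records = []
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f and f.get("apparmor") == "DENIED":
            records.append(f)
    return records


def denial_counts(log_text):
    """How often each (profile, operation, target) was denied: a wall of
    notifications usually collapses to a handful of distinct requests."""
    counts = Counter()
    for f in collect_denials(log_text):
        target = f.get("name") or f.get("capname") or ""
        counts[(f["profile"], f["operation"], target)] += 1
    return counts


def suggest_rules(log_text):
    """Candidate profile rules, one per distinct target, with masks merged
    across repeated denials and an `owner` prefix when the file belongs to
    the requesting user (fsuid == ouid), as aa-logprof offers."""
    file_masks = defaultdict(set)  # (owner_flag, path) -> permission letters
    caps = set()
    for f in collect_denials(log_text):
        if f["operation"] == "capable":
            caps.add(f["capname"])
            continue
        if "name" not in f or "denied_mask" not in f:
            continue
        owner = f.get("fsuid") is not None and f.get("fsuid") == f.get("ouid")
        file_masks[(owner, f["name"])] |= {MASK_FOLD.get(ch, ch) for ch in f["denied_mask"]}
    rules = [f"capability {c}," for c in sorted(caps)]
    for (owner, path), perms in sorted(file_masks.items(), key=lambda kv: kv[0][1]):
        if "x" in perms:
            # An exec denial needs a human choice of exec mode (ix, Px, Cx, ...).
            perms.discard("x")
            rules.append(f"# exec of {path} denied: choose an exec mode")
        letters = "".join(p for p in PERM_ORDER if p in perms)
        if letters:
            rules.append(f"{'owner ' if owner else ''}{path} {letters},")
    return rules


if __name__ == "__main__":
    for (profile, op, target), n in denial_counts(SAMPLE_KERN_LOG).items():
        print(f"{n:4d}  {op:<8} {target}")
    print("\n".join(suggest_rules(SAMPLE_KERN_LOG)))
```

On a real system the same functions can be fed the contents of /var/log/kern.log (or the audit log, where one exists); the two dconf denials in the sample merge into a single `owner /run/user/1000/dconf/user w,` line, which is what a user staring at several separate popups would otherwise have to work out by hand.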
All those Apparmor popup notifications seem to be written to /var/log/kern.log

Looking at /etc/apparmor/logprof.conf
Code:
[settings]
profiledir = /etc/apparmor.d /etc/subdomain.d
inactive_profiledir = /usr/share/apparmor/extra-profiles
logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages

I have no /etc/subdomain.d
I have no /var/log/audit/audit.log
I have no /var/log/messages

Code:
[qualifiers]
# things will be painfully broken if bash has a profile
/bin/bash = icnu
/usr/bin/bash = icnu
/bin/ksh = icnu
/usr/bin/ksh = icnu
/bin/dash = icnu
/usr/bin/dash = icnu
/bin/zsh = icnu
/usr/bin/zsh = icnu

Code:
# these programs can't function if they're confined
/bin/mount = u
/usr/bin/mount = u
/etc/init.d/subdomain = u
/sbin/cardmgr = u
/usr/sbin/cardmgr = u
/sbin/subdomain_parser = u
/usr/sbin/subdomain_parser = u
/usr/sbin/genprof = u
/usr/sbin/logprof = u
/usr/lib/YaST2/servers_non_y2/ag_genprof = u
/usr/lib/YaST2/servers_non_y2/ag_logprof = u

Code:
# these ones shouldn't have their own profiles
/bin/awk = icn
/usr/bin/awk = icn
/bin/cat = icn
/usr/bin/cat = icn
/bin/chmod = icn
/usr/bin/chmod = icn
/bin/chown = icn
/usr/bin/chown = icn
/bin/cp = icn
/usr/bin/cp = icn
/bin/gawk = icn
/usr/bin/gawk = icn
/bin/grep = icn
/usr/bin/grep = icn
/bin/gunzip = icn
/usr/bin/gunzip = icn
/bin/gzip = icn
/usr/bin/gzip = icn
/bin/kill = icn
/usr/bin/kill = icn
/bin/ln = icn
/usr/bin/ln = icn
/bin/ls = icn
/usr/bin/ls = icn
/bin/mkdir = icn
/usr/bin/mkdir = icn
/bin/mv = icn
/usr/bin/mv = icn
/bin/readlink = icn
/usr/bin/readlink = icn
/bin/rm = icn
/usr/bin/rm = icn
/bin/sed = icn
/usr/bin/sed = icn
/bin/touch = icn
/usr/bin/touch = icn
/sbin/killall5 = icn
/usr/sbin/killall5 = icn
/usr/bin/find = icn
/usr/bin/killall = icn
/usr/bin/nice = icn
/usr/bin/perl = icn
/usr/bin/python = icn
/usr/bin/python2 = icn
/usr/bin/python2.7 = icn
/usr/bin/python3 = icn
/usr/bin/python3.3 = icn
/usr/bin/python3.4 = icn
/usr/bin/python3.5 = icn
/usr/bin/python3.6 = icn
/usr/bin/python3.7 = icn
/usr/bin/tr = icn
@Compu KTed, I've all but given up on this. You need to make yourself comfortable with aa-logprof as @summerheat suggests a couple posts ago, and you also need to commit yourself to really tackling this head on, rather than burying yourself in trivialities, otherwise you will not gain any useful progress on utilizing Apparmor as a security tool to harden a Linux setup. Sorry, but this has to be posted.
I second this. @Compu KTed : the way how you present all this to us makes it impossible to give proper assistance.
@wat0114 @summerheat You're right. I'm going to stop posting here about Apparmor for now until I can get a better understanding of how it works. Sorry about that. I do thank you for all your help and it's very much appreciated. I will be posting over in Firejail thread (see post #62) as one issue has come up about FCW. I do realize that I still have to deal with Apparmor when using Firejail.
@Compu KTed Mostly out of curiosity, I imaged the latest Linux Mint Cinnamon iso to a pendrive a few evenings ago and booted into its live environment. I was able to run the which firefox command, it showed /usr/bin/firefox, and install all the apparmor packages according to Step 1: from this link. Everything seemed to appear and work as I'd expect from a Debian-based distro, all very much similar to what I have on my MX-23 distro. I also tried my usr.bin.firefox profile, attached below, and it worked fine, although I did run sudo aa-logprof and had to make just a few modifications to it.
@wat0114 You are correct. The which firefox command I see is in the same location /usr/bin/firefox

I still have in /etc/apparmor.d/disable/usr.bin.firefox and I don't know why it's listed there since I don't recall putting it there originally. I've seen the page you linked to. I do have the following installed in Mint:
Apparmor-profiles
Apparmor-profiles-extra
Apparmor-utils
Python3-apparmor
Python3-libapparmor
Apparmor-notify
Apparmor

I will be coming back to Apparmor hopefully soon, but for now as stated earlier I'm working with Firejail and Firetools. Don't know if you have used Firejail with Apparmor before, but if you or summerheat or anyone else at Wilders has I sure would appreciate your help. Thanks for imaging Cinnamon Mint and posting your usr.bin.firefox profile.
No problem. I knew I forgot to mention something earlier I had also installed firefox on the live environment with sudo apt-get install firefox, and of course the profile mostly worked for it, just that it needed a bit of tweaking. That's why I'm fairly confident that profile will probably work for you if you install firefox the same way, resulting in the same build. As for firejail, I've used it occasionally before, including paired with apparmor. I had some issues recently with it, somehow resolving them, but in the end I just decide apparmor was enough. No doubt summerheat has a better grasp of it than I.
It's there because you obviously executed sudo aa-disable … before.

Yes, I have and I do. But before you start doing this as well you should really become familiar with both Firejail and AppArmor. Otherwise this would really be a recipe for never-ending problems.
Found some info on Mint forums about Mint 20.2 & 20.3 and why Firefox profile usr.bin.firefox was removed from /etc/apparmor.d and now is located in /etc/apparmor.d/disable. NOTE: Before I made any changes I backed up apparmor.d and in the apparmor.d.bak folder usr.bin.firefox was listed in the disable folder. So it seems it is disabled by default. Comments made on Mint forum: This profile was disabled and not active in LM 20.2. Seems the Firefox AppArmor profile is not included in the Firefox package maintained by Clem; the one you download straight from the Linux Mint server(s). Firefox profile was disabled by Ubuntu years ago and Mint Team did logical thing removing a pair of /etc/apparmor.d/disable/usr.bin.firefox and the profile disabled by it. Apparently Firefox didn't play well with setting up the user_namespace, doing the chroot etc. It looks like Firefox sandbox may be crippled. I haven't verified these comments about these issues as I haven't enabled usr.bin.firefox and created a custom profile.
Yes, but it should still be available in /etc/apparmor.d as the file in the disable subfolder is only a symlink to the original profile. Well, those comments about user-namespaces and chroot and crippled sandbox are BS. The reason why the firefox profile is no longer available is probably due to the fact that Ubuntu started some time ago to install Firefox as a snap package and, hence, stopped providing the firefox profile they had offered before. Mint didn't join the snap voyage with the effect that that profile is now missing or is deactivated. Executing sudo aa-enforce /etc/apparmor.d/usr.bin.firefox will change that. If that profile breaks Firefox you can temporarily set it into complain mode with sudo aa-complain /etc/apparmor.d/usr.bin.firefox and add needed rules with sudo aa-logprof. Once all is well set it back into enforce mode. Remember, though, that that profile is not used if you sandbox Firefox with Firejail.
@summerheat Comments can be wrong so it's good to have another point of view. Also Mint left intact the usr.bin.firefox profile in /etc/apparmor.d/local. Looks like it is for site-specific additions and overrides for usr.bin.firefox. I suppose one could remove usr.bin.firefox from the disable folder and then restore it, or should I just leave it as disabled? Are these the correct commands to remove and restore usr.bin.firefox?
Code:
sudo rm -v /etc/apparmor.d/disable/usr.bin.firefox
sudo apparmor_parser /etc/apparmor.d/usr.bin.firefox
As mentioned in the previous post, if /etc/apparmor.d/usr.bin.firefox exists (and it should - otherwise /etc/apparmor.d/disable/usr.bin.firefox which is only a symlink would point to a non-existing file), executing sudo aa-enforce /etc/apparmor.d/usr.bin.firefox or sudo aa-complain /etc/apparmor.d/usr.bin.firefox is sufficient and much easier. (If it doesn't exist, the second command won't do anything anyhow or, rather, result in an error).
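The disable symlink mechanism discussed in the last few posts, as an added example that is not from this thread and not the AppArmor utilities' own code: a Python script that inspects an apparmor.d directory and reports, for one profile file, whether the profile exists, whether /etc/apparmor.d/disable/<name> is a valid or dangling symlink, and whether the header carries flags=(complain), which is the flag aa-complain writes and aa-enforce removes. It recreates the Mint layout described above in a throwaway directory, so it runs without touching /etc. The profile body is a constructed minimal stand-in, not Mint's real usr.bin.firefox, and `remove_disable_entry` only performs the on-disk half of what aa-enforce does (dropping the symlink); reloading the profile into the kernel is left to the real tools.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed stand-in for /etc/apparmor.d/usr.bin.firefox: just enough of a
# profile to carry a header with flags, not the distribution's real profile.
SAMPLE_PROFILE = """\
#include <tunables/global>

/usr/bin/firefox flags=(complain) {
  #include <abstractions/base>
  /usr/bin/firefox mr,
  # site-specific additions and overrides, see /etc/apparmor.d/local/README
  #include <local/usr.bin.firefox>
}
"""

# A profile header: optional 'profile' keyword, a name, flags=(...), and the
# opening brace. Comment lines starting with '#' never match.
HEADER_RE = re.compile(
    r"^[ \t]*(?:profile[ \t]+)?[^#\s][^\n]*?flags=\(([^)]*)\)[^\n]*\{", re.M)


def profile_state(apparmor_d, profile_name):
    """Describe how the boot-time loader will treat one profile file.

    disabled:  a valid symlink disable/<name> exists, so the profile is
               skipped at boot even though the file itself is present.
    dangling:  the disable entry points at a file that no longer exists.
    complain / enforce: read from flags=(...) in the header, which is what
               aa-complain and aa-enforce rewrite.
    """
    d = Path(apparmor_d)
    profile = d / profile_name
    link = d / "disable" / profile_name
    state = {
        "profile_exists": profile.is_file(),
        "disable_entry": link.is_symlink() or link.exists(),
        "dangling": link.is_symlink() and not link.exists(),  # exists() follows the link
        "flags": (),
        "mode": "absent",
    }
    if state["profile_exists"]:
        m = HEADER_RE.search(profile.read_text())
        if m:
            state["flags"] = tuple(f.strip() for f in m.group(1).split(",") if f.strip())
        state["mode"] = "complain" if "complain" in state["flags"] else "enforce"
        if state["disable_entry"] and not state["dangling"]:
            state["mode"] = "disabled"
    return state


def build_sample_layout(root):
    """Recreate the layout from the thread under `root`: the profile present
    in apparmor.d with a disable symlink pointing at it, plus a second disable
    entry whose target profile was removed (dangling)."""
    d = Path(root) / "apparmor.d"
    (d / "disable").mkdir(parents=True)
    (d / "usr.bin.firefox").write_text(SAMPLE_PROFILE)
    os.symlink(d / "usr.bin.firefox", d / "disable" / "usr.bin.firefox")
    os.symlink(d / "usr.lib.firefox.firefox", d / "disable" / "usr.lib.firefox.firefox")
    return d


def remove_disable_entry(apparmor_d, profile_name):
    """On-disk half of what aa-enforce/aa-complain do: drop the disable
    symlink. The header flags are untouched, so a complain-flagged profile
    stays in complain mode until its flags are rewritten."""
    link = Path(apparmor_d) / "disable" / profile_name
    if link.is_symlink():
        link.unlink()
    return profile_state(apparmor_d, profile_name)


def demo():
    """Run the before/after scenario in a temporary directory and return the
    three resulting states."""
    with tempfile.TemporaryDirectory() as tmp:
        d = build_sample_layout(tmp)
        before = profile_state(d, "usr.bin.firefox")
        after = remove_disable_entry(d, "usr.bin.firefox")
        other = profile_state(d, "usr.lib.firefox.firefox")
    return before, after, other


if __name__ == "__main__":
    for label, st in zip(("before", "after", "dangling entry"), demo()):
        print(f"{label:<15} mode={st['mode']:<9} flags={st['flags']} "
              f"disable_entry={st['disable_entry']} dangling={st['dangling']}")
```

Pointed at the real directory, `profile_state("/etc/apparmor.d", "usr.bin.firefox")` answers the question raised above about the .bak copy: a disable entry whose target is gone shows up as dangling with mode "absent", while a file that is present but symlinked from disable/ shows "disabled", which is exactly the case aa-enforce or aa-complain resolves.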