Apparmor Firefox Profile

Could someone paste firefox profile here? I enabled the default one but it allows to read and write to another partitions even though it doesn't have such a rule, doesn't allow to play flash videos etc...

http://rookcifer.blogspot.com/2012/09/custom-firefox-apparmor-profile-for.html

I did what that guy said. But it doesn't even allow to read Downloads folder although profile has the rule for that. So i would like you to paste your nice profile.

 

The default profile is crap. I can't believe they still ship with it when it's so broken.

I'm not on Linux anymore or I'd build one for you.

 

Thanks. Apparmor thing is complicated to me. Looks like no one uses apparmor here!

 

Well, it isn't "simple" but I'm sure there are quite a few users.

Based on the thinking that crap Apparmor is better than no Apparmor I made my own profile for Firefox (which is installed in my /home directory). I also made profiles for Seamonkey and Chrome. The only problem is that updating Seamonkey and Firefox (both direct and not from the repos) doesn't work. I have to switch to complain mode for the updates.

It's better to make your own profile than to "borrow" from others because you'll understand things better.

 

http://rookcifer.blogspot.com/2012/09/custom-firefox-apparmor-profile-for.html

Code:

# Last Modified: Tue Sep 25 13:17:29 2012
# Author: rookcifer@gmail.com
#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/browser_openjdk>
  #include <abstractions/dbus-session>
  #include <abstractions/fonts>
  #include <abstractions/nvidia>

  network inet dgram,
  network inet stream,
  network inet6 stream,


  /bin/dash rix,
  /bin/grep rix,

  # Put /bin/ps in a child profile for extra security.
  /bin/ps Cx,

  # config files.  Most are for the network
  /etc/adobe/mms.cfg r,
  /etc/firefox/syspref.js r,
  /etc/gai.conf r,
  /etc/gnome-vfs-2.0/modules/ r,
  /etc/gnome-vfs-2.0/modules/* r,
  /etc/gnome/defaults.list r,
  /etc/host.conf r,
  /etc/hosts r,
  /etc/lsb-release r,
  /etc/mailcap r,
  /etc/mime.types r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/resolv.conf r,
  /etc/xul-ext/ubufox.js r,
  /run/resolvconf/resolv.conf r,
  /sys/devices/system/cpu/present r,

  # Be strict with /tmp writes
  /tmp/ r,
  /tmp/* mrwk,
  /tmp/icedteaplugin-*/ w,
  /tmp/icedteaplugin-*/[0-9]*-icedteanp** rw,
  /tmp/orbit-*/ w,
  /tmp/plugtmp/ rw,
  /tmp/plugtmp/* w,

  # Evince, gnome-mplayer, transmission, and totem have their own profiles.  
  /usr/bin/evince Px,
  /usr/bin/gnome-mplayer Px,
  /usr/lib/totem/totem-plugin-viewer Px,
  /usr/bin/transmission-gtk Px,
  

  /usr/lib/firefox/plugin-container rix,  
  /usr/lib{,32,64}/** mrwk,

  /usr/share/ r,
  /usr/share/applications/*.desktop r,
  /usr/share/applications/mimeinfo.cache r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/hunspell/ r,
  /usr/share/icons/ r,
  /usr/share/icons/** r,
  /usr/share/libthai/* r,
  /usr/share/mime/ r,
  /usr/share/mime/** r,
  /usr/share/mozilla/extensions/*/ r,
  /usr/share/pixmaps/ r,
  /usr/share/themes/** r,
  /usr/share/xul-ext/ubufox/ r,
  /usr/share/xul-ext/ubufox/** r,

  /var/tmp/ r,

  owner /{run,dev}/shm/pulse-shm* k,
  /{run,dev}/shm/pulse-shm* rw,

  @{HOME}/.ICEauthority r,
  @{HOME}/.Xauthority r,
  owner @{HOME}/.adobe/Flash_Player/* w,
  @{HOME}/.adobe/Flash_Player/AssetCache/ r,
  @{HOME}/.adobe/Flash_Player/AssetCache/** rw,
  @{HOME}/.cache/dconf/user rw,
  owner @{HOME}/.cache/gnome-mplayer/plugin/gecko-mediaplayer* rw,
  @{HOME}/.config/dconf/user r,
  @{HOME}/.config/ibus/bus/ w,
  @{HOME}/.fontconfig/* r,
  @{HOME}/.icons/ r,
  @{HOME}/.local/share/ r,
  @{HOME}/.local/share/applications/mimeapps.list r,
  @{HOME}/.local/share/applications/mimeinfo.cache r,
  @{HOME}/.local/share/icons/ r,
  @{HOME}/.local/share/icons/**/ r,
  @{HOME}/.local/share/mime/ r,
  @{HOME}/.local/share/mime/** r,
  owner @{HOME}/.local/share/recently-used.xbel* rw,
  @{HOME}/.macromedia/Flash_Player/#SharedObjects/ r,
  owner @{HOME}/.macromedia/Flash_Player/#SharedObjects/** rw,
  @{HOME}/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/** r,
  @{HOME}/.mozilla/** r,
  owner @{HOME}/.mozilla/firefox/*.default/** rw,
  @{HOME}/.nv/GLCache/ r,
  @{HOME}/.nv/GLCache/** rwk,
  @{HOME}/.pulse-cookie rwk,
  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* rwk,

  # Allow downloading files to /Download and uploading from /Public
  @{HOME}/Downloads/ r,
  @{HOME}/Downloads/** rw,
  @{HOME}/Public/ r,
  @{HOME}/Public/** r,

  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/mounts r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/status r,


  profile /bin/ps {
    deny capability sys_ptrace,


    /bin/ps r,
    /dev/tty r,
    /etc/ld.so.cache r,
    /lib/libproc-*.so mr,
    /lib/x86_64-linux-gnu/ld-*.so r,
    /lib/x86_64-linux-gnu/libc-*.so mr,
    /sys/devices/system/cpu/online r,
    /usr/lib/locale/** r,
    /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
    @{PROC}/ r,
    @{PROC}/[0-9]*/cmdline r,
    @{PROC}/[0-9]*/stat r,
    @{PROC}/[0-9]*/status r,
    @{PROC}/[0-9]/cmdline r,
    @{PROC}/[0-9]/stat r,
    @{PROC}/[0-9]/status r,
    @{PROC}/meminfo r,
    @{PROC}/stat r,
    @{PROC}/sys/kernel/pid_max r,
    @{PROC}/tty/drivers r,
    @{PROC}/uptime r,
    @{PROC}/version r,

  }
}

Could someone tell me why i can't open flash videos and can't read Download directory with this profile then? What makes this profile work for him not for me? Let's say i am going to create my own profile and give rw permission to Download. If so, i would use those rules, right? So it wouldn't work for me again. I hope you got the point!

 

Why is it allowed to write here?

Being able to write where you can map is dangerous, and it shouldn't be necessary outside of cache.

Not sure about the other issues.

 

@pandorax,

check out this apparmor thread.

 

Whoah, way to catch my attention there. How is it broken? Stuff not working, stuff being insecure, or both?

Edit: N/M, see here: https://bugs.launchpad.net/ubuntu/ source/firefox/ bug/592121

TLR the default AppArmor profile is worse than nothing, because it gives you a false sense of security. And frankly, the existence of such a rubbish profile makes me think twice about using Ubuntu.

 

Umm wait, it looks to me like the Firefox profile has been updated in 12.10:

Code:

  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  owner @{HOME}/ r,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,

Edit: except it doesn't work at all; with Firefox in enforce mode I can still write anywhere in the home directory. WTH!

 

That's why I said the profile is so broken and stupid. Apparmor abstractions are the most abused idea I've seen - they completely ruin profiles. That's why you've got that access, it's hidden in some abstraction or an abstraction in an abstraction.

 

Which one is more secure? Win 7+EMET+Firefox(noscript etc..) or Ubuntu/Mint+Firefox(noscript etc..) without apparmor?

 

Very similar. No real significant difference by default.

 

Are you saying that because linux isn't targetted or technical aspect?

 

Technical aspect.

 

Ok. I am not going to bother with apparmor. I gave up, gives me headache. But it would be good harden it much more.

 

Anywhere? I sincerely doubt that. The firefox profile contains

#include <abstractions/ubuntu-browsers.d/firefox>

which in turn contains

#include <abstractions/ubuntu-browsers.d/user-files>

You'll notice that read/write permission to specific files is forbidden here. And it also contains

#include <abstractions/private-files>

which extends the list of files where read/write permission is denied.

If that's not enough for your needs I suggest that you add deny rules in

/etc/apparmor.d/local/usr.bin.firefox

EDIT: Your assertion that the default profile "is worse than nothing" and "rubbish" is not justified, IMHO.

 

I've enabled the default profile and lost access to the webcam. It crashes the Adobe Flash plugin in Chatroulette.

 

Can't you just place the profile in complain mode, run the webcam, then use sudo aa-logprof ?

 

https://wiki.archlinux.org/index.php/AppArmor

 

I've done that, but it still doesn't work. On complain mode, everything works fine, but on enforce 'sudo aa-logprof' makes no difference.

Found the answer here: https://bugs.launchpad.net/ubuntu/ source/firefox/ bug/860880

 

maybe you'll find sandfox sandboxing more appealing than wrestling with apparmor:
http://igurublog.wordpress.com/downloads/script-sandfox/