Apparmor Firefox Profile

Discussion in 'all things UNIX' started by pandorax, Nov 28, 2012.

Thread Status:
Not open for further replies.
  1. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    329
    Could someone paste a Firefox profile here? I enabled the default one, but it allows reading and writing to other partitions even though it doesn't have such a rule, doesn't allow playing Flash videos, etc...

    http://rookcifer.blogspot.com/2012/09/custom-firefox-apparmor-profile-for.html

    I did what that guy said. But it doesn't even allow reading the Downloads folder, although the profile has the rule for that. So I would like you to paste your nice profile.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    The default profile is crap. I can't believe they still ship with it when it's so broken.

    I'm not on Linux anymore or I'd build one for you.
     
  3. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    329
    Thanks. The AppArmor thing is complicated to me. Looks like no one uses AppArmor here!
     
  4. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Well, it isn't "simple" but I'm sure there are quite a few users.

    Based on the thinking that crap Apparmor is better than no Apparmor I made my own profile for Firefox (which is installed in my /home directory). I also made profiles for Seamonkey and Chrome. The only problem is that updating Seamonkey and Firefox (both direct and not from the repos) doesn't work. I have to switch to complain mode for the updates.

    It's better to make your own profile than to "borrow" from others because you'll understand things better.
     
  5. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    329
    http://rookcifer.blogspot.com/2012/09/custom-firefox-apparmor-profile-for.html
    Code:
    # Last Modified: Tue Sep 25 13:17:29 2012
    # Author: rookcifer@gmail.com
    #include <tunables/global>
    
    /usr/lib/firefox/firefox {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/browser_openjdk>
      #include <abstractions/dbus-session>
      #include <abstractions/fonts>
      #include <abstractions/nvidia>
    
      network inet dgram,
      network inet stream,
      network inet6 stream,
    
    
      /bin/dash rix,
      /bin/grep rix,
    
      # Put /bin/ps in a child profile for extra security.
      /bin/ps Cx,
    
      # config files.  Most are for the network
      /etc/adobe/mms.cfg r,
      /etc/firefox/syspref.js r,
      /etc/gai.conf r,
      /etc/gnome-vfs-2.0/modules/ r,
      /etc/gnome-vfs-2.0/modules/* r,
      /etc/gnome/defaults.list r,
      /etc/host.conf r,
      /etc/hosts r,
      /etc/lsb-release r,
      /etc/mailcap r,
      /etc/mime.types r,
      /etc/nsswitch.conf r,
      /etc/passwd r,
      /etc/resolv.conf r,
      /etc/xul-ext/ubufox.js r,
      /run/resolvconf/resolv.conf r,
      /sys/devices/system/cpu/present r,
    
      # Be strict with /tmp writes
      /tmp/ r,
      /tmp/* mrwk,
      /tmp/icedteaplugin-*/ w,
      /tmp/icedteaplugin-*/[0-9]*-icedteanp** rw,
      /tmp/orbit-*/ w,
      /tmp/plugtmp/ rw,
      /tmp/plugtmp/* w,
    
      # Evince, gnome-mplayer, transmission, and totem have their own profiles.  
      /usr/bin/evince Px,
      /usr/bin/gnome-mplayer Px,
      /usr/lib/totem/totem-plugin-viewer Px,
      /usr/bin/transmission-gtk Px,
      
    
      /usr/lib/firefox/plugin-container rix,  
      /usr/lib{,32,64}/** mrwk,
    
      /usr/share/ r,
      /usr/share/applications/*.desktop r,
      /usr/share/applications/mimeinfo.cache r,
      /usr/share/glib-2.0/schemas/gschemas.compiled r,
      /usr/share/hunspell/ r,
      /usr/share/icons/ r,
      /usr/share/icons/** r,
      /usr/share/libthai/* r,
      /usr/share/mime/ r,
      /usr/share/mime/** r,
      /usr/share/mozilla/extensions/*/ r,
      /usr/share/pixmaps/ r,
      /usr/share/themes/** r,
      /usr/share/xul-ext/ubufox/ r,
      /usr/share/xul-ext/ubufox/** r,
    
      /var/tmp/ r,
    
      owner /{run,dev}/shm/pulse-shm* k,
      /{run,dev}/shm/pulse-shm* rw,
    
      @{HOME}/.ICEauthority r,
      @{HOME}/.Xauthority r,
      owner @{HOME}/.adobe/Flash_Player/* w,
      @{HOME}/.adobe/Flash_Player/AssetCache/ r,
      @{HOME}/.adobe/Flash_Player/AssetCache/** rw,
      @{HOME}/.cache/dconf/user rw,
      owner @{HOME}/.cache/gnome-mplayer/plugin/gecko-mediaplayer* rw,
      @{HOME}/.config/dconf/user r,
      @{HOME}/.config/ibus/bus/ w,
      @{HOME}/.fontconfig/* r,
      @{HOME}/.icons/ r,
      @{HOME}/.local/share/ r,
      @{HOME}/.local/share/applications/mimeapps.list r,
      @{HOME}/.local/share/applications/mimeinfo.cache r,
      @{HOME}/.local/share/icons/ r,
      @{HOME}/.local/share/icons/**/ r,
      @{HOME}/.local/share/mime/ r,
      @{HOME}/.local/share/mime/** r,
      owner @{HOME}/.local/share/recently-used.xbel* rw,
      @{HOME}/.macromedia/Flash_Player/#SharedObjects/ r,
      owner @{HOME}/.macromedia/Flash_Player/#SharedObjects/** rw,
      @{HOME}/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/** r,
      @{HOME}/.mozilla/** r,
      owner @{HOME}/.mozilla/firefox/*.default/** rw,
      @{HOME}/.nv/GLCache/ r,
      @{HOME}/.nv/GLCache/** rwk,
      @{HOME}/.pulse-cookie rwk,
      owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* rwk,
    
      # Allow downloading files to /Download and uploading from /Public
      @{HOME}/Downloads/ r,
      @{HOME}/Downloads/** rw,
      @{HOME}/Public/ r,
      @{HOME}/Public/** r,
    
      @{PROC}/[0-9]*/cmdline r,
      @{PROC}/[0-9]*/fd/ r,
      @{PROC}/[0-9]*/mountinfo r,
      @{PROC}/[0-9]*/mounts r,
      @{PROC}/[0-9]*/net/dev r,
      @{PROC}/[0-9]*/status r,
    
    
      profile /bin/ps {
        deny capability sys_ptrace,
    
    
        /bin/ps r,
        /dev/tty r,
        /etc/ld.so.cache r,
        /lib/libproc-*.so mr,
        /lib/x86_64-linux-gnu/ld-*.so r,
        /lib/x86_64-linux-gnu/libc-*.so mr,
        /sys/devices/system/cpu/online r,
        /usr/lib/locale/** r,
        /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
        @{PROC}/ r,
        @{PROC}/[0-9]*/cmdline r,
        @{PROC}/[0-9]*/stat r,
        @{PROC}/[0-9]*/status r,
        @{PROC}/[0-9]/cmdline r,
        @{PROC}/[0-9]/stat r,
        @{PROC}/[0-9]/status r,
        @{PROC}/meminfo r,
        @{PROC}/stat r,
        @{PROC}/sys/kernel/pid_max r,
        @{PROC}/tty/drivers r,
        @{PROC}/uptime r,
        @{PROC}/version r,
    
      }
    }
    Could someone tell me why I can't open Flash videos and can't read the Downloads directory with this profile, then? What makes this profile work for him and not for me? Let's say I am going to create my own profile and give rw permission to Downloads. If so, I would use those rules, right? So it wouldn't work for me again. I hope you got the point!
     
    Last edited: Nov 29, 2012
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Why is it allowed to write here?

    Being able to write where you can map is dangerous, and it shouldn't be necessary outside of cache.

    Not sure about the other issues.
     
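Hungry Man's point above (a rule that grants both `m` and `w` on the same paths means the confined process can both modify a file and map it into memory, which is the combination that makes a writable cache directory risky) can be checked mechanically instead of by eye. The following POSIX shell function is an added example, not code from the thread, from rookcifer's profile or from the AppArmor tools: it scans a profile file and prints every allow rule whose mode contains both `m` and `w`. The sample profile it runs against is constructed for the demo, in the style of the one pasted above.

```sh
#!/bin/sh
# find_write_and_map_rules PROFILE_FILE
# Prints "MODE PATH" for every allow rule in an AppArmor profile whose mode
# grants both write (w) and mmap (m).  Comment lines and "deny" rules are
# skipped; "owner"/"audit" qualifiers are stepped over.  Added example, not
# part of the thread or of any shipped profile.
find_write_and_map_rules() {
  awk '
    # Strip comments only where "#" starts the line or follows whitespace,
    # so a "#" inside a path (e.g. Flash_Player/#SharedObjects) survives.
    { sub(/^[ \t]*#.*/, ""); sub(/[ \t]#.*/, "") }
    NF == 0 { next }
    $NF !~ /,$/ { next }               # file rules end with a comma; "{" lines do not
    {
      i = 1
      if ($i == "deny") next           # a deny rule grants nothing
      while ($i == "owner" || $i == "audit") i++
      if (substr($i, 1, 1) != "/" && substr($i, 1, 2) != "@{") next   # not a path rule
      mode = $NF
      sub(/,$/, "", mode)
      if (mode ~ /m/ && mode ~ /w/) printf "%s %s\n", mode, $i
    }
  ' "$1"
}

# Constructed sample profile fragment for the demo (not the profile above).
SAMPLE_PROFILE=$(mktemp)
cat > "$SAMPLE_PROFILE" <<'EOF'
#include <tunables/global>
/usr/lib/firefox/firefox {
  #include <abstractions/base>
  network inet stream,
  /usr/lib{,32,64}/** mrwk,
  /tmp/* mrwk,
  owner @{HOME}/.mozilla/firefox/*.default/** rw,
  @{HOME}/.nv/GLCache/** rwk,
  /usr/lib/firefox/plugin-container rix,
  deny @{HOME}/.ssh/** mrwkx,
  owner @{HOME}/.macromedia/Flash_Player/#SharedObjects/** rw,
}
EOF

find_write_and_map_rules "$SAMPLE_PROFILE"
rm -f "$SAMPLE_PROFILE"
```

On the constructed sample it reports the two `mrwk` rules and nothing else; run it as `find_write_and_map_rules /etc/apparmor.d/usr.bin.firefox` to see what a real profile grants directly. It does not follow `#include` lines, so an `mrw` hidden inside an abstraction is not reported; run it over each abstraction file separately, or over an include-expanded copy of the profile.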
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Whoah, way to catch my attention there. How is it broken? Stuff not working, stuff being insecure, or both?

    Edit: N/M, see here: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/592121

    TL;DR the default AppArmor profile is worse than nothing, because it gives you a false sense of security. And frankly, the existence of such a rubbish profile makes me think twice about using Ubuntu.
     
    Last edited by a moderator: Nov 29, 2012
  8. wat0114

    wat0114 Registered Member

    Umm wait, it looks to me like the Firefox profile has been updated in 12.10:

    Code:
      # Default profile allows downloads to ~/Downloads and uploads from ~/Public
      owner @{HOME}/ r,
      owner @{HOME}/Public/ r,
      owner @{HOME}/Public/* r,
      owner @{HOME}/Downloads/ r,
      owner @{HOME}/Downloads/* rw,
    Edit: except it doesn't work at all; with Firefox in enforce mode I can still write anywhere in the home directory. WTH!
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    That's why I said the profile is so broken and stupid. Apparmor abstractions are the most abused idea I've seen - they completely ruin profiles. That's why you've got that access, it's hidden in some abstraction or an abstraction in an abstraction.
     
  11. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    329
    Which one is more secure? Win 7+EMET+Firefox(noscript etc..) or Ubuntu/Mint+Firefox(noscript etc..) without apparmor?
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Very similar. No real significant difference by default.
     
  13. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    329
    Are you saying that because Linux isn't targeted, or for technical reasons?
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Technical aspect.
     
  15. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    329
    Ok. I am not going to bother with AppArmor. I gave up, it gives me a headache. But it would be good to harden it much more.
     
  16. tlu

    tlu Guest

    Anywhere? I sincerely doubt that. The firefox profile contains

    #include <abstractions/ubuntu-browsers.d/firefox>

    which in turn contains

    #include <abstractions/ubuntu-browsers.d/user-files>

    You'll notice that read/write permission to specific files is forbidden here. And it also contains

    #include <abstractions/private-files>

    which extends the list of files where read/write permission is denied.

    If that's not enough for your needs I suggest that you add deny rules in

    /etc/apparmor.d/local/usr.bin.firefox

    EDIT: Your assertion that the default profile "is worse than nothing" and "rubbish" is not justified, IMHO.
     
    Last edited by a moderator: Nov 30, 2012
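Hungry Man's complaint in post 10 (an access "hidden in some abstraction or an abstraction in an abstraction") and tlu's include chain above come down to the same question: which file actually contributes a given rule? The following POSIX shell script is an added example, not code from the thread, from Ubuntu's packaging or from the AppArmor tools. It recursively expands `#include <...>` lines relative to a base directory and prefixes every effective rule with the file it came from, so a broad grant two includes deep shows up next to the `deny` rules that narrow it and next to the `local/` override file tlu points at. The miniature `apparmor.d` tree it builds is constructed for the demo: the file names follow tlu's post, but the contents are invented and are not the real Ubuntu abstractions.

```sh
#!/bin/sh
# expand_includes BASE FILE [DEPTH]
# Print every non-comment line reachable from BASE/FILE through "#include <x>"
# lines (resolved as BASE/x), each prefixed with the file it came from.
# Positional parameters are used throughout instead of named variables
# because POSIX sh has no "local" and the function recurses.
expand_includes() {
  if [ "${3:-0}" -gt 16 ]; then
    echo "include depth exceeded at $2 (include loop?)" >&2
    return 1
  fi
  while IFS= read -r line || [ -n "$line" ]; do
    ws=${line%%[![:space:]]*}          # leading whitespace ...
    line=${line#"$ws"}                 # ... removed, so output is uniform
    case $line in
      '#include <'*'>'*)
        inc=${line#*<}; inc=${inc%%>*}
        if [ -f "$1/$inc" ]; then
          expand_includes "$1" "$inc" $(( ${3:-0} + 1 ))
        else
          printf '%s: MISSING include <%s>\n' "$2" "$inc"
        fi ;;
      '' | '#'*) ;;                     # blank line or comment: nothing to report
      *) printf '%s: %s\n' "$2" "$line" ;;
    esac
  done < "$1/$2"
}

# rule_origin BASE FILE PATTERN: which file(s) contribute rules mentioning PATTERN?
rule_origin() {
  expand_includes "$1" "$2" | grep -F -- "$3"
}

# build_sample_tree: constructed miniature apparmor.d tree (file names follow
# the thread, contents are invented for the demo).  Prints its path.
build_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/tunables" "$d/abstractions/ubuntu-browsers.d" "$d/local"
  printf '@{HOME}=/home/*/ /root/\n' > "$d/tunables/global"
  printf '  /etc/ld.so.cache r,\n' > "$d/abstractions/base"
  cat > "$d/usr.bin.firefox" <<'EOF'
#include <tunables/global>
/usr/lib/firefox/firefox {
  #include <abstractions/base>
  #include <abstractions/ubuntu-browsers.d/firefox>
  owner @{HOME}/Downloads/** rw,
  # site-local overrides live outside the packaged profile
  #include <local/usr.bin.firefox>
}
EOF
  cat > "$d/abstractions/ubuntu-browsers.d/firefox" <<'EOF'
  #include <abstractions/ubuntu-browsers.d/user-files>
  /usr/lib/firefox/** r,
EOF
  cat > "$d/abstractions/ubuntu-browsers.d/user-files" <<'EOF'
  # constructed: a broad grant sitting two includes below the profile
  owner @{HOME}/** rw,
  #include <abstractions/private-files>
EOF
  cat > "$d/abstractions/private-files" <<'EOF'
  deny @{HOME}/.*history rw,
  deny @{HOME}/.gnupg/** rw,
EOF
  cat > "$d/local/usr.bin.firefox" <<'EOF'
  deny @{HOME}/.ssh/** rwklmx,
EOF
  printf '%s\n' "$d"
}

TREE=$(build_sample_tree)
expand_includes "$TREE" usr.bin.firefox
echo '--- which file grants access to the whole home directory?'
rule_origin "$TREE" usr.bin.firefox '@{HOME}/**'
rm -rf "$TREE"
```

Against a real system the call is `expand_includes /etc/apparmor.d usr.bin.firefox`; `rule_origin /etc/apparmor.d usr.bin.firefox '@{HOME}/'` then lists every home-directory rule together with the abstraction that carries it, which is the quickest way to settle whether a write that succeeds in enforce mode is granted by the profile itself or by something it includes. The `MISSING include` marker is worth watching too: a typo in an `#include` line in `local/` silently drops all the `deny` rules that file was meant to add.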
  17. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I've enabled the default profile and lost access to the webcam. It crashes the Adobe Flash plugin in Chatroulette.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Can't you just place the profile in complain mode, run the webcam, then use sudo aa-logprof ?
     
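The complain-mode workflow wat0114 describes (switch the profile to complain mode, exercise the feature, then let `aa-logprof` turn the logged accesses into rules) can also be followed by hand, which helps when `aa-logprof` comes up empty. The following POSIX shell function is an added example, not code from the thread and not part of the AppArmor tools: a much reduced stand-in for `aa-logprof` that reads kernel audit lines, keeps the `DENIED` (enforce mode) and `ALLOWED` (complain mode) events, and merges the access masks per profile and path into one candidate rule line each. The log lines it runs against are constructed for the demo; the paths in them, including `/dev/video0` for the webcam case J_L describes, are illustrative and not taken from a real system. Each candidate still needs a human decision: grant it in `/etc/apparmor.d/local/<profile>`, narrow it with `owner`, or turn it into a `deny` rule.

```sh
#!/bin/sh
# suggest_rules: read AppArmor audit lines on stdin and print one candidate
# rule per (profile, path) with the union of the logged access masks.
# Output format: "PROFILE PATH MODE,"  (sorted, so runs are reproducible).
# Added example: a tiny stand-in for aa-logprof, not the real tool.
suggest_rules() {
  awk '
    /apparmor="(DENIED|ALLOWED)"/ {          # enforce-mode denials and complain-mode audits
      prof = ""; name = ""; mask = ""
      if (match($0, /profile="[^"]*"/)) prof = substr($0, RSTART + 9, RLENGTH - 10)
      if (match($0, / name="[^"]*"/))   name = substr($0, RSTART + 7, RLENGTH - 8)
      if (match($0, /denied_mask="[^"]*"/)) {
        mask = substr($0, RSTART + 13, RLENGTH - 14)
      } else if (match($0, /requested_mask="[^"]*"/)) {
        mask = substr($0, RSTART + 16, RLENGTH - 17)
      }
      if (prof == "" || name == "" || mask == "") next   # not a file access event
      key = prof SUBSEP name
      seen[key] = 1
      for (i = 1; i <= length(mask); i++) {
        c = substr(mask, i, 1)
        if (c == "c" || c == "a") c = "w"   # create / append both need write
        perm[key, c] = 1
      }
    }
    END {
      n = split("m r w k l x", order, " ")
      for (key in seen) {
        split(key, part, SUBSEP)
        mode = ""
        for (j = 1; j <= n; j++) if (perm[key, order[j]]) mode = mode order[j]
        note = (index(mode, "x") ? "   # exec: choose ix, Px or Cx" : "")
        printf "%s %s %s,%s\n", part[1], part[2], mode, note
      }
    }' | LC_ALL=C sort
}

# Constructed audit lines for the demo (the format follows the kernel audit
# subsystem, the events themselves are invented).
SAMPLE_LOG=$(cat <<'EOF'
type=AVC msg=audit(1354300000.101:201): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox/firefox" name="/dev/video0" pid=2420 comm="plugin-containe" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
type=AVC msg=audit(1354300000.102:202): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox/firefox" name="/dev/video0" pid=2420 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1354300000.103:203): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/lib/firefox/firefox" name="/home/user/.config/pulse/cookie" pid=2420 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1354300000.104:204): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/lib/firefox/firefox" name="/home/user/.cache/mozilla/firefox/x.default/startupCache/startupCache.4.little" pid=2420 comm="firefox" requested_mask="rm" denied_mask="m" fsuid=1000 ouid=1000
type=AVC msg=audit(1354300000.105:205): apparmor="ALLOWED" operation="open" parent=2420 profile="/bin/ps" name="/proc/tty/drivers" pid=2431 comm="ps" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1354300000.106:206): apparmor="STATUS" operation="profile_replace" name="/usr/lib/firefox/firefox" pid=999 comm="apparmor_parser"
EOF
)

printf '%s\n' "$SAMPLE_LOG" | suggest_rules
```

On a live system the input comes from the kernel log, for example `sudo aa-complain /usr/lib/firefox/firefox`, reproduce the problem, then `grep 'apparmor=' /var/log/kern.log | suggest_rules` (or `journalctl -k | suggest_rules`), and `sudo aa-enforce /usr/lib/firefox/firefox` once the chosen rules are in place. Unlike `aa-logprof` it does not generalise paths into globs, so a rule like the `startupCache` one above should be widened to the profile directory by hand rather than pasted verbatim.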
  19. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    https://wiki.archlinux.org/index.php/AppArmor
     
  20. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I've done that, but it still doesn't work. On complain mode, everything works fine, but on enforce 'sudo aa-logprof' makes no difference.

    Found the answer here: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/860880
     
    Last edited: Dec 2, 2012
  21. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406