Thanks! Hi summerheat, in my /etc/apparmor.d/local directory, I have lots of empty documents, including cups-browsed. I never actually have done anything to profiles in this directory before, honestly not even being acutely aware of it. I know many of these profiles are under the usual /etc/apparmor.d/ directory and are actively enforced, so if they needed updating, would it have to be done in here or the local directory still?
@wat0114 @summerheat No printer is connected. Same entry apparmor="DENIED"...cups-browsed also listed in /var/log/syslog. No files listed in /var/log/apparmor.

AppArmor popup notifications. Not sure, but maybe this is why I'm getting popup messages.

/etc/apparmor/notify.conf
Code:
# Set to 'no' to disable AppArmor notifications globally
show_notifications="yes"

Yep, those notification popups can be annoying.

Ran command sudo aa-logprof
Code:
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:

Profile:    /usr/sbin/cups-browsed
Capability: sys_nice
Severity:   8

 [1 - capability sys_nice,]
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish

Firefox will be next to fix.
Yes, for every pre-installed profile there is also an empty one in local. You can, of course, modify them in /etc/apparmor.d with aa-logprof but, as mentioned, those modifications will be gone after an AppArmor update as those pre-installed profiles from upstream will be overwritten. So to make sure that your modifications persist you should add them to the profiles in local. Again, this does not apply to self-written profiles or profiles you got from another source and copied to /etc/apparmor.d.
Before moving on to Firefox setup, which will be after this is resolved: does allowing the "sys_nice" capability for cups-browsed cause any possible security risk? Should I add the "deny capability sys_nice," to silence the log messages? Should I create a file named /etc/apparmor.d/local/usr.sbin.cups-browsed with the contents "deny capability sys_nice,"? (including the comma)

NOTE: /etc/apparmor.d/local/usr.sbin.cups-browsed // File already exists but is EMPTY.
Please see summerheat's response in his post #30.

Again, please see summerheat's post #30.

FWIW, if it were me, if printing is working exactly as expected, I'd deny capability sys_nice, and see what happens. If printing continues to work as intended, then this is the correct decision on the rule. If printing is somehow broken, then allow with path rule: capability sys_nice, as summerheat earlier mentioned. If this latter rule allows printing to work, then it is the correct rule.

At the end of the day, any application being enforced by an AppArmor profile is trying to perform its duties as intended, and as long as it's not being influenced by malware, then any path it's trying to do something on needs to be allowed in its AppArmor profile. A good example of this is Firefox browser on Linux MX-23, an Ubuntu-based distro, attempting to update a popular extension: uBlock Origin:
Code:
owner /home/*/.mozilla/firefox/*.default-release/extensions/staged/ rw,
owner /home/*/.mozilla/firefox/*.default-release/extensions/staged/uBlock0@raymondhill.net.xpi rw,

These are two AppArmor path rules that are required for uBlock Origin to update to the latest version. If these are not included in the profile opt.firefox.firefox, then this extension will not be able to update to the latest version. It's simply up to the end user to decide if an attempt by an application is required or not, and especially if it's being influenced maliciously. A simple rule of thumb I use: if I don't allow an attempt and it breaks the application's functionality, then I had better create a rule to allow it. And let's face it, you probably don't have malware running on your current Linux distro.
@wat0114 @summerheat Think I have those AppArmor "DENIED" popup messages not showing up anymore. As stated earlier, there is no external printer connected to the laptop. I did add capability sys_nice, to /etc/apparmor.d/local/usr.sbin.cups-browsed. (set to allow, if I'm understanding you both correctly)

NOTE: Checked /etc/apparmor.d/usr.sbin.cups-browsed and listed is: deny capability sys_nice,
Is that correct?

Also Firefox, NOT Firefox ESR, is listed in profiles enforce mode: /home/<username>/firefox
Firefox ESR is not installed like Firefox, which shows up in your Linux menu, Software Manager and Package Manager as installed. Shouldn't Firefox ESR be listed under "processes are in enforce mode" when the browser is running? It's not listed. (sudo aa-status)
Yes.

Sorry, but I'm confused about your Firefox setup.
1. Which version of Firefox do you have installed?
2. If you have it, what is the name of the AppArmor Firefox profile under /etc/apparmor.d/ (could be opt.firefox.firefox, for example)?
3. When entering sudo aa-status, do you see a Firefox profile anywhere under enforce mode or complain mode?
Question 1. Firefox ESR
Question 2. home.<username>.firefox
Question 3. Yes, /home/<username>/firefox listed under profiles enforce mode

Firefox ESR is not a PPA install. Downloaded the Firefox ESR file and extracted it. Have 2 folders listed in /home/<username>/: .mozilla and firefox

NOTE:
/etc/apparmor.d/local/usr.bin.firefox // listed
/etc/apparmor.d/disable/usr.bin.firefox // listed
Why listed under the disable folder? How do I know if AppArmor is actually working with Firefox ESR? Does AppArmor distinguish between Firefox and Firefox ESR? In other words, all I see is Firefox listed in the AppArmor profiles. Do I need to add a Firefox ESR profile to AppArmor?
That could be a pre-installed Firefox profile that was already included in your Linux distribution. You can open it with a text editor and see what it looks like. It is under the disable folder because the profile is not enabled. I suspect it's a profile that will probably work with the PPA Firefox browser. In order to re-enable a profile that has been disabled, check out this link: https://ubuntu.com/server/docs/security-apparmor

The two commands needed to re-enable a profile are:
Code:
sudo rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

With FF ESR running, do aa-status and you should see some Firefox processes running in enforced mode. eg:

How AppArmor distinguishes between which Firefox version is being used depends on the particular profile in use and being enforced. A profile built for Firefox PPA is going to look quite different than a profile built for the ESR version, and therefore the specific profile needs to be used for whichever version of Firefox you are running.
This can actually be done simply by executing
Code:
sudo aa-enforce /etc/apparmor.d/profile.name
or
Code:
sudo aa-complain /etc/apparmor.d/profile.name
Nice. I thought the enforce command only worked on enabled profiles under the /etc/apparmor.d/ directory.
sudo aa-enforce /etc/apparmor.d/home.<username>.firefox // Was done
Result:
Code:
Setting /etc/apparmor.d/home.<username>.firefox to enforce mode.
Started Firefox ESR and checked sudo aa-status
Result: No Firefox processes are listed/running in enforce mode. As stated before, /home/<username>/firefox is in enforce mode under profiles.

/etc/apparmor.d/disable/usr.bin.firefox // Need root permissions to open it.
Even when applying root permissions (Elevated Privileges) to open the disable folder and then the file with a text editor, I see nothing listed in usr.bin.firefox (plain text).

NOTE: On the usr.bin.firefox icon itself there is an arrow indicator on the left side and an [X] on the right. When right-clicking on usr.bin.firefox and selecting Properties I see:
Kind: broken link // What is this?
Link Target: /etc/apparmor.d/usr.bin.firefox
Location: /etc/apparmor.d/disable
Size: 31 bytes

sudo rm /etc/apparmor.d/disable/usr.bin.firefox // ran the command (this command must have REMOVED usr.bin.firefox from the disable folder)
cat /etc/apparmor.d/usr.bin.firefox | sudo apparmor_parser -a
Result:
Code:
cat: /etc/apparmor.d/usr.bin.firefox: No such file or directory
(Probably because of the sudo rm... command) I hope I didn't need that file. It's gone!
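The "broken link" under disable/ and the two re-enable commands from earlier in the thread, checked before anything is deleted, as an added POSIX shell example that is not from this thread or its posters. It takes the apparmor.d root as a parameter so it can be pointed at a scratch copy, and assumes the upstream profile layout in which the main profile pulls in `local/<name>` via an include line.

```shell
#!/bin/sh
# Added example (not from the thread): classify one AppArmor profile by the
# files under an apparmor.d root, and only re-enable it when that is safe.
# The root is a parameter so it can run against /etc/apparmor.d or a test copy.
# States: enabled  - profile file present, no entry under disable/
#         disabled - disable/<name> is a link to an existing profile file
#         broken   - disable/<name> exists but its target is gone (the
#                    "Kind: broken link" seen in the file manager)
#         missing  - no profile file at all
apparmor_profile_state() {
    root=$1; name=$2
    link="$root/disable/$name"
    if [ -e "$link" ]; then
        echo disabled            # -e follows the link, so the target exists
    elif [ -L "$link" ]; then
        echo broken              # link present, target absent
    elif [ -f "$root/$name" ]; then
        echo enabled
    else
        echo missing
    fi
}

# Does the main profile pull in local/<name>? If not, a local override file
# is never read and rules placed there will not take effect.
apparmor_has_local_include() {
    grep -q "local/$2>" "$1/$2" 2>/dev/null
}

# Re-enable only a properly disabled profile: remove the disable/ link, then
# load the profile (apparmor_parser needs root and is skipped when absent).
# A broken link is left in place and reported, so nothing is deleted before
# the profile it pointed to has been located or recreated.
apparmor_reenable() {
    root=$1; name=$2
    case $(apparmor_profile_state "$root" "$name") in
        disabled)
            rm "$root/disable/$name" || return 1
            if command -v apparmor_parser >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
                apparmor_parser -a "$root/$name"
            fi ;;
        broken)
            echo "disable/$name points at a missing profile; restore it first" >&2
            return 1 ;;
        *)
            echo "$name is not disabled; nothing to do" >&2
            return 1 ;;
    esac
}
```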
Hi KTed, I don't think you need that file, as it was in the /etc/apparmor.d/disable/ directory. This is getting a bit complicated, but possibly easily resolved depending on a few things. Let's first establish:

1. What is the Linux distro you are using?
2. Open Firefox-esr, Help->About Firefox and post the exact version number. Might be: 115.6.0esr (64 bit).
3. Open a terminal and type: which firefox-esr and post the output. Might be: /usr/bin/firefox-esr

We will go from there. Hopefully @summerheat can suggest something. He has expert knowledge of AppArmor.

I'm thinking that profile you have, /home/<username>/firefox, is bogus. It doesn't seem right at all that the binary would be run from your user directory, but maybe it is, we'll see. If you can open the profile in a text editor, please post the contents. You might need to do:
Code:
sudo <name-of-text-editor> /etc/apparmor.d/name-of-profile
@wat0114
1. What is the Linux distro you are using?
Linux Mint 20.3

2. Open Firefox-esr, Help->About Firefox and post the exact version number. Might be: 115.6.0esr (64 bit).
That's correct. Firefox 115.6.0esr (64 bit)

3. Open a terminal and type: which firefox-esr and post the output. Might be: /usr/bin/firefox-esr
Opened terminal and typed: which firefox-esr // No output
Are you sure that's a command?

A problem I created:
Code:
$ aa-notify
USAGE: aa-notify [OPTIONS]
Display AppArmor notifications or messages for DENIED entries.
OPTIONS
-p, --poll poll AppArmor logs and display notifications
$ aa-notify -p, --poll
unknown option: p,
Starting aa-notify
aa-notify: WARN: killing old daemon '1464'
// Is this permanent, and what happens?
Good. It's Debian-based.

Good.

Yes, 100%. It shows the path to the firefox-esr binary as /usr/bin/firefox-esr. This is where it should be. Something odd about where your firefox-esr binary is. Can you right-click the launcher: Edit Application...-> Application-> Environment variables- Program. What is the path?

EDIT: I just realized you might not have the which utility installed. You might need to sudo apt-get install which

Hmmm, this I'm not sure of. Never played with aa-notify, but you can check sudo aa-status and make sure expected profiles and processes are enforced. If so, I think you are okay.
Yes, but it is - as @Compu KTed wrote earlier - in /home/<username>/firefox, and that's why the which command doesn't show it, as it only outputs executables in the PATH. To see your specific PATH you can execute:
Code:
echo $PATH
It won't contain /home/ ….

The question is where the AppArmor profile for that Firefox version came from. @Compu KTed: please provide
1. the full output of sudo aa-logprof
2. the full content of the AppArmor profile for Firefox:
Code:
cat /etc/apparmor.d/your-specific-profile-name
And please post both outputs in code tags for better readability.
Right, and I understand it's not running from the normal directory path.

Good question.

Okay, so I installed firefox-esr yesterday on my Debian-based MX-23 setup using sudo apt-get install firefox-esr, and generated a working AppArmor profile for it. The main installation paths for it are /usr/lib/firefox-esr/ and /usr/share/firefox-esr/.

Just my humble opinion on what Compu KTed likely needs to do, after he follows your suggestions above:
1. Re-install firefox-esr via sudo apt-get install firefox-esr and determine if it installed mainly in the paths I posted above. It should!
2. If he's comfortable, generate and configure an AppArmor profile for it, or I would be happy to give him mine to try out. It is configured to only allow the uBlock Origin extension, but otherwise I believe it will work for him.

Attached is my generic profile. The signal send and ptrace send lines are probably superfluous and nothing to worry about. If he uses it, save it somewhere like the Documents folder, renamed without .txt so it is named usr.lib.firefox-esr.firefox-esr, then open a terminal:
Code:
cd Documents
sudo mv usr.lib.firefox-es* /etc/apparmor.d/
sudo aa-enforce /etc/apparmor.d/usr.lib.firefox-es*
Try to launch firefox-esr with the launcher generated by the new install, and if successful, try sudo aa-status and see if the profile and firefox-esr processes are enforced.

Optional: file permissions on it are probably overkill, so they can be relaxed a bit with:
Code:
sudo chmod 644 /etc/apparmor.d/usr.lib.firefox-es*
echo $PATH
Code:
/home/<username>/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

sudo aa-logprof
Code:
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.

cat /etc/apparmor.d/your-specific-profile-name
Code:
cat /etc/apparmor.d/home.<username>.firefox
# Last Modified: Sat Dec 16 21:26:33 2023
#include <tunables/global>

/home/<username>/firefox {
  #include <abstractions/base>

}
@Compu KTed so you basically have an empty AppArmor profile for firefox-esr. Please try the following: launch firefox-esr, open a system process monitor, whatever Mint uses, and filter for firefox-esr processes currently running. You should see numerous /usr/lib/firefox-esr/firefox-esr processes.
Everything showing up as Firefox. Think I'm going to remove Firefox-esr and either re-install it or just install the reg version of Firefox. I know that one can also run both versions of Firefox at the same time.

NOTE: Have /usr/lib/firefox/distribution/searchplugins/locale/ // Blank
Agreed. Why not install both, and try the attached firefox-esr profile. I believe this is quite easily resolved.