As stated before /etc/apparmor.d/user.bin.firefox doesn't exist. Only /etc/apparmor.d/disable/usr.bin.firefox exists. // Kind: broken link probably because the link target is not there. (/etc/apparmor.d/usr.bin.firefox)
Okay, so Mint obviously handled this issue in a strange way. Anyway, there is no Firefox profile ready to use, so you might want to get one from another source - like the one in /usr/share/apparmor/extra-profiles.
Code:
sudo rm /etc/apparmor.d/disable/usr.bin.firefox
sudo cp /usr/share/apparmor/extra-profiles/firefox /etc/apparmor.d
Then you can try to execute
Code:
sudo aa-enforce /etc/apparmor.d/firefox
or, if Firefox is broken,
Code:
sudo aa-complain /etc/apparmor.d/firefox
and add needed rules by repeatedly executing sudo aa-logprof. If Firefox works flawlessly you can again set the profile into enforce mode.
@summerheat or @wat0114 For now trying to create a profile for LibreWolf. (used more than Firefox) Easiest way maybe for me is to create a skeleton profile, set Apparmor to complain mode and use the aa-logprof tool to evaluate the denials. Still may be difficult for me though.
Code:
$ aa-easyprof /usr/bin/librewolf
Command 'aa-easyprof' not found, but can be installed with:
Code:
sudo apt install apparmor-easyprof
Haven't installed it yet. Easyprof generates the basic skeleton profile policy. Have you used easyprof before?
Or just use aa-genprof, use the browser as you would normally, especially exercising as many of the functions as possible, then hit (S)can, answer the prompts, repeat, then (S)ave changes, repeat above steps, (S)ave changes again. After you get no more prompts to answer, you can select (F)inish. Do not hit (F)inish until you have repeated the above several times over and aa-logprof results in no more logged paths to deal with. If Librewolf won't open or is broken after you select (F)inish (which sets the profile to enforce mode) then you can do sudo aa-complain /etc/apparmor.d/name-of-your-librewolf-profile, then try again with using the browser and running aa-logprof again. There is a pretty good basic tutorial here. I have found with both Librewolf and Firefox it's better to choose (ix) rather than (Px) when choosing execute modes. Px can get you into complicated matters, and in the case of these browsers I find DRM content won't play if I choose Px mode for the plugin-container.
EDIT: I just took a look at my latest Librewolf profile from last June, and the following paths were set to Px mode:
/usr/bin/dash Px,
/usr/bin/lsb_release Px,
/usr/bin/python3.9 Px,
These gave me no issues to speak of, but these ones I put to ix mode:
/usr/share/librewolf/librewolf mrix,
/usr/share/librewolf/plugin-container mrix,
Your aa-logprof profiling may not result in the same as mine, though. It might be a good idea to wait for summerheat to respond before you continue.
No, I haven't. And according to the man page it seems to be only useful if there are specific templates available which are to be used for that profile. I tried it and this is the result:
Code:
sudo aa-easyprof /usr/bin/bogofilter
# vim:syntax=apparmor
# AppArmor policy for bogofilter
# ###AUTHOR###
# ###COPYRIGHT###
# ###COMMENT###
#include <tunables/global>
# No template variables specified
"/usr/bin/bogofilter" {
  #include <abstractions/base>
  # No abstractions specified
  # No policy groups specified
  # No read paths specified
  # No write paths specified
}
ERROR: Invalid policy
Since I couldn't find a librewolf profile on github I agree with @wat0114 to write your own. This is a good learning experience, and here is a good tutorial. However, I suggest not using sudo aa-genprof librewolf but rather sudo aa-autodep librewolf. The difference is: aa-genprof creates a profile and lets you interactively add rules - but sets it into enforce mode once you close the application. This is usually too early. Normally you have to start an application multiple times to catch all necessary rules, and if the profile is already in enforce mode it often breaks the application. This is why I prefer aa-autodep which keeps the profile in complain mode and you can add rules with aa-logprof. If everything works as expected you can set it into enforce mode by executing sudo aa-enforce /etc/apparmor.d/<profile_name>. Alternatively, you could also copy the firefox profile from /usr/share/apparmor/extra-profiles to /etc/apparmor.d, rename it, adjust the paths therein to the ones used by librewolf, keep it in complain mode and add needed rules with aa-logprof. However, I doubt that it would be much easier. And again, creating your own profile is a great learning opportunity.
Hi summerheat, no, it only sets to enforce mode once (F)inish is selected while building the profile. If Compu K just exercises the profile building as follows:
1. Open Librewolf and use as much functionality as possible including: add browser extensions, play web video, go through Settings, bookmarks, basically everything possible you can think of about the way the browser will be used.
2. Hit (S)can and build rules interactively with emphasis on keeping the path rules fairly simple.
3. Hit (S)ave once no more entries are presented.
4. Repeat steps 1-3 at least a couple more times.
5. Hit (F)inish - then the profile will be enforced.
6. Run Librewolf for a while, then run sudo aa-logprof and build rules interactively if more are found and presented.
That said, sudo aa-autodep librewolf is perfectly fine for sure, especially if Compu K is more comfortable with it.
Ah yes, sorry, you are right, I haven't used aa-genprof in a long time. But I still prefer aa-autodep as I usually leave new profiles in complain mode for a couple of days (at least for complex applications like browsers).
@summerheat and @wat0114 Accidentally made a mistake yesterday with aa-genprof for librewolf
Code:
Writing updated profile for /usr/bin/firejail.
Traceback (most recent call last):
  File "/usr/sbin/aa-genprof", line 114, in <module>
    apparmor.autodep(program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 624, in autodep
    write_profile_ui_feedback(pname)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2999, in write_profile_ui_feedback
    write_profile(profile, is_attachment)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3010, in write_profile
    newprof = tempfile.NamedTemporaryFile('w', suffix='~', delete=False, dir=profile_dir)
  File "/usr/lib/python3.8/tempfile.py", line 679, in NamedTemporaryFile
    (fd, name) = _mkstemp_inner(dir, prefix, suffix, flags, output_type)
  File "/usr/lib/python3.8/tempfile.py", line 389, in _mkstemp_inner
    fd = _os.open(file, flags, 0o600)
PermissionError: [Errno 13] Permission denied: '/etc/apparmor.d/tmp0crg4th1~'
An unexpected error occoured! For details, see /tmp/apparmor-bugreport-wmqlubph.txt
Don't see this file in tmp. Hope I didn't cause any problems/issues for Apparmor or anything related to proper functioning of system. Error probably occurred because of entering wrong command in terminal. Believe I forgot to enter sudo for aa-genprof librewolf. I'll take a look at what you both posted and see if I'm able to accomplish it.
@Compu KTed what is the name of the librewolf profile found under /etc/apparmor.d/ ? Is it usr.share.librewolf.librewolf by any chance? Also, are you running it under firejail? I installed latest Librewolf from the ppa and updated a profile I had from last June. I'm just curious what you have. Btw, apparmor does a funny thing when you are building a profile. You can usually find duplicate entries such as for example:
Code:
owner /home/*/.librewolf/*/storage/default/https*.ca/ls/ r,
owner /home/*/.librewolf/*/storage/default/https*.ca/ls/ w,
Notice they are exactly the same paths, with the exception one has read (r,) rights while the other has (w,) write rights. This is harmless but it creates unnecessary clutter. All you have to do when opening your profile with a text editor (I like geany, so I do sudo geany /etc/apparmor.d/usr.share.librewolf.librewolf) is change one of them to have both (rw,) rights and delete the other one. Then you will just have:
Code:
owner /home/*/.librewolf/*/storage/default/https*.ca/ls/ rw,
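The two steps discussed in this thread, turning complain-mode log entries into path rules (what aa-logprof does interactively) and collapsing the duplicate r, / w, lines into one rw, rule, as an added Python example that is neither AppArmor's own aa-logprof code nor from any poster here; the audit lines (in the key=value form found in audit.log or the journal), the user name alice and the profile directory x1.default are constructed.

```python
import re
from collections import defaultdict

# Constructed sample audit lines in AppArmor's key=value format (not captured
# from a real system). In complain mode the kernel logs apparmor="ALLOWED" for
# events that enforce mode would have denied; aa-logprof reads both kinds.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:11): apparmor="DENIED" operation="open" profile="usr.share.librewolf.librewolf" name="/home/alice/.librewolf/x1.default/storage/default/https+++example.ca/ls/data.sqlite" pid=4242 comm="librewolf" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.102:12): apparmor="ALLOWED" operation="open" profile="usr.share.librewolf.librewolf" name="/home/alice/.librewolf/x1.default/storage/default/https+++example.ca/ls/data.sqlite" pid=4242 comm="librewolf" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.103:13): apparmor="ALLOWED" operation="open" profile="usr.share.librewolf.librewolf" name="/etc/lsb-release" pid=4242 comm="librewolf" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.104:14): apparmor="ALLOWED" operation="exec" profile="usr.share.librewolf.librewolf" name="/usr/bin/dash" pid=4243 comm="librewolf" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.105:15): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="usr.share.librewolf.librewolf" pid=99 comm="apparmor_parser"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ORDER = "mrwalk"  # AppArmor's usual ordering of permission letters

def parse_events(text):
    """Return the file-access events (dicts of key=value fields) from audit text."""
    events = []
    for line in text.splitlines():
        f = {k: q or b for k, q, b in FIELD.findall(line)}
        if f.get("apparmor") in ("DENIED", "ALLOWED") and "requested_mask" in f:
            events.append(f)
    return events

def generalize(path):
    """Glob the user name and the LibreWolf profile directory, as in the rules above."""
    path = re.sub(r"^/home/[^/]+/", "/home/*/", path)
    return re.sub(r"^(/home/\*/\.librewolf/)[^/]+/", r"\1*/", path)

def format_mask(mask):
    """Collapse create/delete into w; exec becomes ix (the mode chosen in this thread)."""
    bits = {"w" if c in "cd" else c for c in mask}
    out = "".join(c for c in ORDER if c in bits)
    return out + ("ix" if "x" in bits else "")

def build_rules(events):
    """Merge every permission requested for one path into a single rule, so the
    duplicate 'r,' and 'w,' lines come out as one 'rw,' line."""
    perms = defaultdict(set)
    for ev in events:
        owner = ev.get("fsuid") == ev.get("ouid")  # aa-logprof offers 'owner' here
        perms[(owner, generalize(ev["name"]))].update(ev["requested_mask"])
    return [("owner " if owner else "") + f"{path} {format_mask(mask)},"
            for (owner, path), mask in sorted(perms.items(), key=lambda kv: kv[0][1])]
```

Run build_rules(parse_events(SAMPLE_LOG)) to see the three merged rules; the globbing is deliberately limited to the home and profile directories, since wider globs are exactly the judgement calls aa-logprof asks you to make.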
There is no librewolf profile in /etc/apparmor.d. It is currently running under Firejail. Librewolf installed via terminal commands. Additional repositories.
There is no librewolf profile as you executed aa-genprof without sudo. But anyway - why do you want to create a profile if Librewolf is running under Firejail? In that case it is already properly sandboxed. It is possible to run it under both AppArmor and Firejail. But I suggest that you don't do that until you're more familiar with both. Or do you want to run it under AppArmor only? Which commands? Which repositories? What's the output of
Code:
which -a librewolf
So did aa-genprof without sudo command remove librewolf profile or maybe it wasn't there to begin with?
$ which -a librewolf
Code:
/usr/local/bin/librewolf
/usr/bin/librewolf
/bin/librewolf
NOTE: There was a problem opening the file /usr/local/bin/librewolf. The file you opened has some invalid characters. If you continue editing this file you could corrupt this document. You can also choose another character encoding and try again. No editing by me was done for any of the above files when opened.
NOTE: Additional Repositories
Code:
deb [arch=amd64 signed-by=/usr/share/keyrings/librewolf.gpg] http://deb.librewolf.net jammy main
/etc/apt/sources.list.d/librewolf.list
Desktop launcher for Librewolf is not Firejailed
Code:
Command: /usr/share/librewolf/librewolf %u
Mint menu for Librewolf is firejailed
Code:
Command: firejail librewolf %u
Launches to /usr/bin/firejail
Couldn't I run Librewolf desktop launcher with Apparmor for testing or does Apparmor write to the other Librewolf firejailed launcher as well?
aa-genprof tried to create that profile in /etc/apparmor.d but as a user you don't have write permissions. That's why it's necessary to temporarily gain root privileges by using sudo. This is not meant to be saucy - but you really have to learn about permissions (e.g., here) in Linux and about using sudo (among other things), otherwise you'll permanently run into trouble. That's because /usr/local/bin/librewolf is only a symbolic link (symlink) pointing to /usr/bin/firejail. It was obviously created by executing sudo firecfg. Please execute and read man firecfg. It says among other things: This is very strange! /usr/share doesn't usually contain executables and isn't in the PATH. Please show the output of echo $PATH. This is strange as well as sudo firecfg should have fixed that. No, AppArmor doesn't write to desktop launchers and does not depend on them. Really, and no offense intended: But you really have to learn the Linux basics first (this seems to be a good learning site). You're taking the second or third step before the first, and that leads to nothing good.
Actually, and fwiw, when I ran sudo aa-autodep librewolf, it generated the profile: usr.share.librewolf.librewolf, and that completed profile, after several rounds of sudo aa-logprof, works fine when enforced. Profile attached.
Funny! So Librewolf is installed in /usr/share/librewolf, indeed? Then there should be a librewolf script in /usr/bin which says:
Code:
#!/bin/sh
exec /usr/share/librewolf/librewolf "$@"
@summerheat @wat0114 I did run sudo firecfg command.
Configuring symlinks in /usr/local/bin based on firecfg.config
The list does include:
firefox created
librewolf created
Fixing desktop files in /home/<user name>/.local/share/applications
librewolf.desktop skipped: file exists
Loading AppArmor profile
Librewolf desktop launch command:
Code:
librewolf %u
/user/local/bin/librewolf
Same command in Mint menu for launching librewolf.
NOTE: Popup message occurs when clicking on Librewolf desktop configuration file: Untrusted application launcher. The desktop file "librewolf.desktop" is in an insecure location and not marked as executable. If you do not trust this program, click cancel. Options: Launch Anyway / Mark Executable / Cancel
$ echo $PATH
Code:
/home/<user name>/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
Librewolf Mint menu launch command:
Code:
librewolf %u
/usr/local/bin/librewolf
Command:
Code:
/usr/bin/firejail /usr/bin/librewolf
Profile:
Code:
/etc/firejail/librewolf.profile
NOTE: Firefox same as Librewolf and both are firejailed.