Firefox apparmor profile

Discussion in 'all things UNIX' started by Gullible Jones, Feb 13, 2013.

Thread Status:
Not open for further replies.
  1. Generated on OpenSUSE 12.2, things might be a little different on *buntu. Just wanted to share it, and wondering what editing it could use.

    Code:
    # Last Modified: Wed Feb 13 18:07:20 2013
    #include <tunables/global>
    
    /usr/lib/firefox/firefox {
      #include <abstractions/base>
      #include <abstractions/nameservice>
    
      deny capability sys_ptrace,
    
    
    
      deny /bin/bash rx,
    
      /bin/ps rix,
      /dev/dri/* rw,
      /dev/shm/ r,
      /dev/shm/* rw,
      /dev/tty rw,
      /etc/** r,
      /home/*/.ICEauthority r,
      /home/*/.adobe/**/ r,
      /home/*/.config/* r,
      /home/*/.fontconfig/* r,
      /home/*/.gstreamer-0.10/* r,
      /home/*/.local/** rw,
      /home/*/.macromedia/** rw,
      /home/*/.mozilla/** rwk,
      /home/*/.pulse-cookie rwk,
      /home/*/Downloads/* rw,
      /proc/ r,
      /proc/*/cmdline r,
      /proc/*/fd/ r,
      /proc/*/mountinfo r,
      /proc/*/stat r,
      /proc/*/status r,
      /proc/cpuinfo r,
      /proc/filesystems r,
      /proc/meminfo r,
      /proc/sys/kernel/pid_max r,
      /proc/tty/drivers r,
      /proc/uptime r,
      /sys/devices/system/cpu/present r,
      /tmp/ r,
      /tmp/* rw,
      /tmp/** w,
      /usr/** r,
      /usr/bin/grep rix,
      /usr/lib/firefox/plugin-container rix,
      /usr/lib{,32,64}/** mr,
      /var/** r,
    
    }
    
    This is basically the unedited output of an aa-genprof run.

    - First off, I'm using /usr/lib/firefox/firefox because /usr/bin/firefox points to a shell script... Yay.

    - As you can see, I used globbing, a lot. I figured letting Firefox read from most of the filesystem (/usr, /var, etc.) would be fine. On the other hand, in home directories it can only read from and write to ~/Downloads and a few other places.

    - I denied it from launching bash on general principles. Why should a browser ever need to launch an interactive shell?

    - I'm not entirely sure what sys_ptrace is, but it looks as though Firefox doesn't need it.

    - All the stuff in /proc, I kind of wonder about. How much info does it need about all the stuff I'm running?

    - Likewise rw permission to the world-writeable areas: /tmp, /var/tmp, /dev/shm. Maybe I should limit this? That might be difficult to do sanely; OTOH I don't want it clobbering something else's temp files, that would be a huge hazard.

    - I should really read up on some of the flags. I figured inheritance means that a launched process inherits the same AppArmor profile? Yeah... I should really read up on this stuff.

    - Finally, it seems like HTML5 videos don't work with this setup. Anything in particular I need for that?

    Thanks in advance...

    Edit: oh yeah, one more note - I did do a simple test on this, trying to make Firefox open a downloaded archive in File-roller. The test seemed to indicate that AppArmor was working, insofar as the archive manager was unable to launch.

    Edit 2: also, if you want custom GTK2 themes to work, you have to add the following line:

    Code:
      /home/*/.themes/** r,
    
    Edit 3: Flash stopped working until I gave rw access to the audio devices:

    Code:
      /dev/snd/** rw,
    
    This seems unwise though. Wouldn't the above allow Firefox to also record audio, which I definitely don't want?
     
    Last edited by a moderator: Feb 13, 2013
Loading...
Thread Status:
Not open for further replies.