Background:

A) To see if apparmor (aa) is on my computer, I got a terminal with ctrl alt t. Then I did Terminal Entry (TE): sudo apparmor_status
Terminal Reply (TR): 38 profiles are loaded. 36 are in enforce mode (TR then listed those 36 enforce profiles) 2 profiles are in complain mode (TR then listed those 2 complain profiles)

B) I did NOT find a profile for Firefox (FF) in TR's list of 38 profiles. So I did TE: sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
TR: Setting sudo aa-enforce /etc/apparmor.d/usr.bin.firefox to enforce mode

C) To re-check aa status I did TE: sudo apparmor_status
TR: 43 profiles are loaded. 41 are in enforce mode (TR then listed those 41 enforce profiles -- the added 5 profiles were those for FF) 2 profiles are in complain mode (TR then listed those 2 complain profiles)

==> 2 QUESTIONS:
1- Does the TR statement, "43 profiles are loaded", mean that aa is actively monitoring those 43 profiles?
2- If aa is NOT monitoring those profiles, how do I get aa to do so?

Any & all comments will be greatly appreciated!
First of all: https://help.ubuntu.com/community/AppArmor is a nice introduction to AppArmor (although not really up-to-date, e.g. snaps are not covered). A more comprehensive guide (although openSUSE-specific) is https://documentation.suse.com/sles/12-SP4/html/SLES-all/part-apparmor.html. Could you please present the output of sudo aa-status (which is a shortcut for sudo apparmor_status)? If you couldn't find a profile for usr.bin.firefox, it doesn't exist, hence enforcing it doesn't make sense. I assume - as mentioned in the Firejail thread - that Firefox is installed on your system as a snap. So sudo aa-status should show several profiles called snap.firefox*. And they should be in enforce mode. I'm not very familiar with that as I'm not using an Ubuntu-based distro. But on my wife's Kubuntu system those profiles are not in /etc/apparmor.d like the other profiles; the rules are rather defined in /snap/firefox/current/snap/manifest.yaml. Again, I'm not familiar with snaps so you should read the documentation on https://snapcraft.io/docs, specifically https://snapcraft.io/docs/security-sandboxing. But if those snap.firefox.* profiles exist and they are in enforce mode all is good.
@summerheat -- When I first checked apparmor, it had NOT loaded Firefox profile. Therefore, I did a file search & found Firefox's unused profile in /etc/apparmor.d/usr.bin.firefox. So I loaded that profile to apparmor, in enforce mode, by sudo aa-enforce /etc/apparmor.d/usr.bin.firefox, as noted in post 1, paragraph B. Result -- apparmor is now monitoring the Firefox profile, as noted in paragraph C.
@bellgamin, well done, it looks like you're good to go. If you haven't already checked, with Firefox open, do: sudo aa-status again and scroll down the output and make sure you see the Firefox running processes enforced, similar to below:
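The following script is an added example written for this thread, not the output the previous post refers to and not code from any poster. It answers question 1 of the first post by reading `aa-status` output the way a person would: the "profiles are in ... mode" sections tell you a policy is loaded into the kernel (it takes effect whenever a program matching the profile's path is executed), and the later "processes ..." sections are the check the previous post describes, i.e. whether a program that is running right now is actually confined. `SAMPLE_STATUS` is a constructed stand-in for real `sudo aa-status` output; the profile names and pids in it are made up, and the parser assumes the real tool's layout (one indented entry per line under each header).

```shell
#!/bin/sh
# Added example (not from this thread): read `aa-status` output and report, for one
# profile, (a) whether the policy is loaded and in which mode, and (b) whether a
# running process is currently confined by it. "Loaded" only means the kernel has
# the policy; it applies once a program matching the profile's path is executed.
#
# SAMPLE_STATUS is a constructed stand-in for `sudo aa-status` output (assumption:
# same layout as the real tool, profiles indented under "profiles are in ... mode"
# headers, confined processes indented under the "processes ..." headers).
SAMPLE_STATUS='apparmor module is loaded.
5 profiles are loaded.
4 profiles are in enforce mode.
   /usr/bin/firefox
   /usr/bin/firefox//browser_java
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
1 profiles are in complain mode.
   /usr/bin/evince
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/bin/firefox (4242)
1 processes are in complain mode.
   /usr/bin/evince (4243)
0 processes are unconfined but have a profile defined.'

# profile_mode STATUS_TEXT PROFILE -> prints enforce, complain or absent.
# Only the "profiles" sections are read; parsing stops at the "processes" sections.
profile_mode() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /profiles are in enforce mode/    { mode = "enforce";  next }
        /profiles are in complain mode/   { mode = "complain"; next }
        /processes have profiles defined/ { exit }
        mode != "" && /^ / {
            sub(/^ +/, ""); sub(/ +$/, "")
            if ($0 == want) { print mode; found = 1; exit }
        }
        END { if (!found) print "absent" }'
}

# process_mode STATUS_TEXT PROFILE -> prints enforce, complain, unconfined or none.
# This is the part of aa-status that shows whether a *running* program is confined.
process_mode() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /processes have profiles defined/ { inproc = 1; next }
        !inproc                           { next }
        /processes are in enforce mode/   { mode = "enforce";    next }
        /processes are in complain mode/  { mode = "complain";   next }
        /processes are unconfined/        { mode = "unconfined"; next }
        mode != "" && /^ / {
            sub(/^ +/, "")
            sub(/ +\([0-9]+\) *$/, "")        # drop the " (pid)" suffix
            if ($0 == want) { print mode; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# Stand-alone run on the constructed sample. Against a real system replace
# "$SAMPLE_STATUS" with "$(sudo aa-status)".
for p in /usr/bin/firefox /usr/bin/evince /usr/sbin/tcpdump; do
    printf '%-20s profile=%-8s process=%s\n' "$p" \
        "$(profile_mode "$SAMPLE_STATUS" "$p")" "$(process_mode "$SAMPLE_STATUS" "$p")"
done
```

On the sample, `/usr/sbin/tcpdump` comes back as `profile=enforce process=none`: the policy is loaded and will confine tcpdump the moment it runs, but nothing is being confined by it right now. That is the distinction behind "43 profiles are loaded" in the first post: loaded means ready to apply, and the processes section is where you confirm Firefox is actually running under its profile.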
Perfect, I just wanted to be sure the profile was relevant to and working for the Firefox build you're using
Ah, sorry, I somehow misread your post. So it's obvious that Zorin - although being an Ubuntu derivative - does not install Firefox as snap unlike Ubuntu. BTW, AppArmor does also "monitor" profiles in complain mode. But rule violations are only logged and not blocked (unless something is blocked by a deny rule which is enforced even in complain mode).
For non-techies, a GUI version of AppArmor might come in very handy. Does one exist, anybody know? For those familiar with these applications, what I would hope for is something that the user can set and adjust along the lines of VoodooShield or OSArmor in Windows.
The userspace tools delivered with AppArmor (like aa-logprof etc.) are actually sufficient. A GUI won't help much if there is a lack of knowledge about AppArmor. That said, YaST in openSUSE has some AppArmor support but I'm not very familiar with it.
Thanks. A well-done GUI will help in providing that education, as tooltips will pop up when the user hovers the mouse pointer over a setting, or clicks on a "?" next to the item. (This is actually how I've learned how to use most of my Windows programs.) The user can then also see each setting in context and (hopefully) better grasp its function and meaning.
I'm not aware of such a GUI. And I still doubt that it would be very helpful. Learning the structure and the syntax of AppArmor profiles from some tutorials is not that hard. It's more difficult to determine if a (read, write, execute) request by an application is necessary or not for the application to work properly and should therefore be granted or not. This is something a GUI can't tell you. In many cases this is easy to answer (particularly if the application continues to work without problems if not granted) and sometimes you have to dig a bit deeper. And often it's your decision what you are willing to allow, e.g., if your browser should be able to access your Documents folder or not. Or if your browser should be able to execute apps or scripts in /home/username/bin (hint: it should not). AppArmor is a very flexible tool. Generally, the pre-installed profiles are mostly okay but you can still fine-tune them to your needs by adding rules to the respective profiles in /etc/apparmor.d/local (please read the README therein). And even more so for profiles you create yourself with sudo aa-autodep or sudo aa-genprof. But if you do so it's your decision what you allow or deny to an application. A GUI can't help here.
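The script below is an added example, written for this thread rather than taken from any post or from the AppArmor project. It ties together the earlier remark that complain mode only logs rule violations (while explicit deny rules still block) and the point just made that deciding what to allow is the real work: it reads AppArmor audit events and summarises, per profile, which accesses were merely logged (`apparmor="ALLOWED"`, i.e. what enforce mode would block) and which were actually blocked (`apparmor="DENIED"`). `SAMPLE_LOG` is constructed; the key="value" layout is AppArmor's audit format, but the paths, pids and timestamps are made up, and the parser assumes paths without spaces as in the sample.

```shell
#!/bin/sh
# Added example (not from this thread): summarise AppArmor audit events so you can
# see what a profile in complain mode *would* have blocked before switching it to
# enforce mode. apparmor="ALLOWED" = complain mode, access granted but logged;
# apparmor="DENIED" = actually blocked (enforce mode, or an explicit deny rule,
# which is enforced even in complain mode).
#
# SAMPLE_LOG is constructed for this example. Real events live in
# /var/log/audit/audit.log (with auditd) or the kernel log (dmesg / journalctl -k);
# the key="value" layout is AppArmor's, the paths and pids are made up.
SAMPLE_LOG='type=AVC msg=audit(1700000000.101:301): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/home/user/Documents/notes.txt" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.102:302): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/home/user/Documents/notes.txt" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.103:303): apparmor="DENIED" operation="exec" profile="/usr/bin/firefox" name="/home/user/bin/helper.sh" pid=4242 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.104:304): apparmor="ALLOWED" operation="open" profile="/usr/bin/evince" name="/etc/fstab" pid=4243 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.105:305): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/evince" pid=900 comm="apparmor_parser"'

# aa_summary LOG_TEXT -> one line per distinct (status profile operation name mask),
# prefixed with how often it occurred. Events that are neither ALLOWED nor DENIED
# (e.g. STATUS lines from profile loads) are skipped. Assumes paths without spaces.
aa_summary() {
    printf '%s\n' "$1" | awk '
        /apparmor="/ {
            split("", f)                       # clear the field map for this event
            n = split($0, parts, " ")
            for (i = 1; i <= n; i++) {
                eq = index(parts[i], "=")
                if (eq == 0) continue
                k = substr(parts[i], 1, eq - 1); v = substr(parts[i], eq + 1)
                gsub(/"/, "", v); f[k] = v
            }
            if (f["apparmor"] != "ALLOWED" && f["apparmor"] != "DENIED") next
            key = f["apparmor"] " " f["profile"] " " f["operation"] " " f["name"] " " f["denied_mask"]
            count[key]++
        }
        END { for (k in count) print count[k] " " k }' | sort -k2
}

# aa_count STATUS LOG_TEXT -> total number of events with that status (ALLOWED or DENIED).
aa_count() {
    aa_summary "$2" | awk -v s="$1" '$2 == s { n += $1 } END { print n + 0 }'
}

# Stand-alone run on the constructed sample. Against a real auditd log use
# aa_summary "$(sudo grep 'apparmor=' /var/log/audit/audit.log)".
aa_summary "$SAMPLE_LOG"
echo "logged only (would be blocked in enforce mode): $(aa_count ALLOWED "$SAMPLE_LOG"), blocked: $(aa_count DENIED "$SAMPLE_LOG")"
```

Reading the summary is exactly the decision the post above describes: the two Firefox reads of a file under Documents are a judgement call for the user, whereas the exec of a script under the home directory's bin is shown as DENIED because a deny rule blocks it regardless of mode. Whatever you decide to allow goes into the matching file under /etc/apparmor.d/local, as the README there explains, and the profile is reloaded with `sudo apparmor_parser -r /etc/apparmor.d/<profile>`; `sudo aa-logprof` walks through these same log events interactively.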