** Attachment added: "apparmor_parser_-p.txt"
   https://bugs.launchpad.net/apparmor-profiles/+bug/1609439/+attachment/4713228/+files/apparmor_parser_-p.txt

-- 
You received this bug notification because you are a member of AppArmor
Developers, which is subscribed to AppArmor Profiles.
https://bugs.launchpad.net/bugs/1609439

Title:
  Firefox profile has too much access

Status in AppArmor Profiles:
  New

Bug description:
  usr.bin.firefox in Kubuntu 16.04.1 profile has some fine grained rules
  defined concerning home directory, such as:

    owner @{HOME}/ r,
    ...
    owner @{HOME}/.{firefox,mozilla}/ rw,
    owner @{HOME}/.{firefox,mozilla}/** rw,
    owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
    owner @{HOME}/.{firefox,mozilla}/**/plugins/** mr,
    owner @{HOME}/.{firefox,mozilla}/plugins/** mr,
    owner @{HOME}/Downloads/ r,
    owner @{HOME}/Downloads/* rw,
    owner @{HOME}/Public/ r,
    owner @{HOME}/Public/* r,
    ...

  It *looks* strict at first sight, but I still can read some arbitrary
  files from my home (sub)directory, such as

    /home/vincas/talkless.pqi
    /home/vincas/code/something...

  It *does* protect .ssh/id_rsa.pub and such, for example, so denies
  kinda work from the "private-files-strict" include.

  I've checked apparmor_parser -d -d, I can see some @{HOME}/** rw...
  rules, though it looks like it should belong to browser_java,
  browser_openjdk subprofiles, but it looks as if they are "leaking"
  somehow for main process.

  I'm attaching apparmor_parser -d -d and -p outputs.
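
An added example, not part of the bug report or of AppArmor itself: a small matcher that checks which of the quoted rules cover a given path, showing that none of the listed rules explains the reads while a main-profile `@{HOME}/** rw` rule would. Assumptions: `@{HOME}` expands as in the stock tunables/home (`/home/*/` and `/root/`), glob semantics are simplified (`**` crosses `/`, `*` and `?` do not, `{a,b}` alternates), and paths other than `/home/vincas/talkless.pqi` are constructed.

```python
import re

# Assumption: @{HOME} values as defined in the stock tunables/home.
HOME = ["/home/*/", "/root/"]

# Rules quoted in the bug report (the "..." elisions are left out).
LISTED = """
owner @{HOME}/ r,
owner @{HOME}/.{firefox,mozilla}/ rw,
owner @{HOME}/.{firefox,mozilla}/** rw,
owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
owner @{HOME}/.{firefox,mozilla}/**/plugins/** mr,
owner @{HOME}/.{firefox,mozilla}/plugins/** mr,
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/* rw,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/* r,
"""
# Broad rule the reporter saw in the apparmor_parser -d -d dump.
BROAD = "owner @{HOME}/** rw,"

# Simplified AppArmor glob tokens mapped to regex fragments.
TOKENS = {"**": ".*", "*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")", ",": "|"}


def glob_to_regex(glob):
    """Translate an expanded path glob; literal text is regex-escaped."""
    parts = re.split(r"(\*\*|[*?{},])", glob)
    return re.compile("".join(TOKENS.get(p) or re.escape(p) for p in parts))


def matching_rules(path, rules_text):
    """Return [(rule_line, perms)] for every rule whose glob covers path."""
    hits = []
    for line in filter(None, map(str.strip, rules_text.splitlines())):
        glob, perms = line.rstrip(",").split()[-2:]
        for home in HOME:
            # The parser collapses the doubled slash left by @{HOME}/...
            expanded = re.sub(r"/{2,}", "/", glob.replace("@{HOME}", home))
            if glob_to_regex(expanded).fullmatch(path):
                hits.append((line, perms))
                break
    return hits


if __name__ == "__main__":
    for p in ["/home/vincas/talkless.pqi", "/home/vincas/Downloads/file.pdf"]:
        print(p, matching_rules(p, LISTED), matching_rules(p, BROAD))
```

An empty result against `LISTED` together with a hit against `BROAD` means the access is granted by a rule other than the fine-grained ones, which is the place to look in the `-d -d` dump.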
