** Description changed:

  First of all I'd like to apologize in advance if this is the wrong place
  to report this, since I don't know where the "usr.bin.firefox-esr"
  apparmor-profile stems from and if I should report this to the apparmor-
  profiles Launchpad or Gitlab repository or the official Mozilla Firefox-
  ESR PPA. If this is the wrong place, feel free to close this issue. I
  also posted this bug on the Gitlab repository:
  (https://gitlab.com/apparmor/apparmor-profiles/issues/3).
  
  System Information:
  
      - Up-to-date stable release of Ubuntu 18.10 (Problem also persisted in 
18.04 LTS)
-     - Newest stable release of Firefox-ESR from the official Mozilla PPA 
(https://gitlab.com/apparmor/apparmor-profiles/issues/3)
-     - apparmor, apparmor-utils and apparmor-profiles installed
+     - Newest stable release of Firefox-ESR from the official Mozilla PPA 
(https://launchpad.net/~mozillateam/+archive/ubuntu/ppa)
+     - apparmor, apparmor-utils and apparmor-profiles installed
  
  Description of Problem:
  
  Firefox-ESR is succesfully set to enforce mode with "$ sudo aa-enforce
  usr.bin.firefox-esr". By checking "$ sudo aa-status" and looking under
  "X profiles are in enforce mode" you see the enforced profiles for
  Firefox and Firefox-ESR (Firefox was also set to enforce-mode):
  
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}//browser_java
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}//browser_openjdk
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}//lsb_release
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}//sanitized_helper
     /usr/lib/firefox/firefox{,*[^s][^h]}
     /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
     /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
     /usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release
     /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
  
  But if you run Firefox-ESR you don't see its process(es) listed under "X
  processes are in enforce mode". Also the perceivable start-up slow-down
  due to apparmor is missing. Saving files in custom defined forbidden
  file paths is also possible. Firefox-ESR is apparently running without
  apparmor enforced.
  
  Possible Solution of the Problem:
  
  If you compare the apparmor-profiles under "/etc/apparmor.d/" of Firefox
  and Firefox-ESR you notice that they are very similar:
  
  Firefox
  
  # We want to confine the binaries that match:
  #  /usr/lib/firefox/firefox
  #  /usr/lib/firefox/firefox
  # but not:
  #  /usr/lib/firefox/firefox.sh
  /usr/lib/firefox/firefox{,*[^s][^h]} {
  
  Firefox-ESR
  
  # We want to confine the binaries that match:
  #  /usr/lib/firefox-esr/firefox-esr
  #  /usr/lib/firefox-esr/firefox
  # but not:
  #  /usr/lib/firefox-esr/firefox.sh
  /usr/lib/firefox-esr/firefox{,*[^s][^h]} {
  
  If you check "/usr/lib/firefox/" you will find the "firefox" application
  file and the "firefox.sh" script. But if you check "/usr/lib/firefox-
  esr/" you will find the application file is named "firefox-esr" not
  "firefox", but the script is still "firefox.sh".
  
  Therefore line 14 "/usr/lib/firefox-esr/firefox{,*[^s][^h]} {" in
  "usr.bin.firefox-esr" isn't working, since it should be "/usr/lib
  /firefox-esr/firefox-esr{,*[^s][^h]} {" or even just "/usr/lib/firefox-
  esr/firefox-esr {".
  
  By manually correcting the apparmor profile and reinforcing it, Firefox-
  ESR successfully runs in enforced mode and its process(es) are listed
  under "X processes are in enforce mode". Everything seems to be working
  correctly.
  
  Checking "X profiles are in enforce mode" again shows the old and new
  profile enforced simultaneously:
  
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//browser_java
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//browser_openjdk
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//lsb_release
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//sanitized_helper
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}//browser_java
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}//browser_openjdk
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}//lsb_release
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}//sanitized_helper
     /usr/lib/firefox/firefox{,*[^s][^h]}
     /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
     /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
     /usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release
     /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
  
  After setting Firefox-ESR to complain-mode and then again to enforce-
  mode the old enforced profile is removed:
  
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//browser_java
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//browser_openjdk
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//lsb_release
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//sanitized_helper
     /usr/lib/firefox/firefox{,*[^s][^h]}
     /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
     /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
     /usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release
     /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper

-- 
You received this bug notification because you are a member of AppArmor
Developers, which is subscribed to AppArmor Profiles.
https://bugs.launchpad.net/bugs/1800789

Title:
  Syntax Error in Firefox Profile Generation makes Firefox-ESR run
  unconfined although Profile is enforced

Status in AppArmor Profiles:
  New

Bug description:
  First of all I'd like to apologize in advance if this is the wrong
  place to report this, since I don't know where the "usr.bin.firefox-
  esr" apparmor-profile stems from and if I should report this to the
  apparmor-profiles Launchpad or Gitlab repository or the official
  Mozilla Firefox-ESR PPA. If this is the wrong place, feel free to
  close this issue. I also posted this bug on the Gitlab repository:
  (https://gitlab.com/apparmor/apparmor-profiles/issues/3).

  System Information:

      - Up-to-date stable release of Ubuntu 18.10 (Problem also persisted in 18.04 LTS)
      - Newest stable release of Firefox-ESR from the official Mozilla PPA (https://launchpad.net/~mozillateam/+archive/ubuntu/ppa)
      - apparmor, apparmor-utils and apparmor-profiles installed

  Description of Problem:

  Firefox-ESR is successfully set to enforce mode with "$ sudo aa-enforce
  usr.bin.firefox-esr". By checking "$ sudo aa-status" and looking under
  "X profiles are in enforce mode" you see the enforced profiles for
  Firefox and Firefox-ESR (Firefox was also set to enforce-mode):

     /usr/lib/firefox-esr/firefox{,*[^s][^h]}
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}//browser_java
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}//browser_openjdk
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}//lsb_release
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}//sanitized_helper
     /usr/lib/firefox/firefox{,*[^s][^h]}
     /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
     /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
     /usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release
     /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper

  But if you run Firefox-ESR you don't see its process(es) listed under
  "X processes are in enforce mode". Also the perceivable start-up slow-
  down due to apparmor is missing. Saving files in custom defined
  forbidden file paths is also possible. Firefox-ESR is apparently
  running without apparmor enforced.

  Possible Solution of the Problem:

  If you compare the apparmor-profiles under "/etc/apparmor.d/" of
  Firefox and Firefox-ESR you notice that they are very similar:

  Firefox

  # We want to confine the binaries that match:
  #  /usr/lib/firefox/firefox
  #  /usr/lib/firefox/firefox
  # but not:
  #  /usr/lib/firefox/firefox.sh
  /usr/lib/firefox/firefox{,*[^s][^h]} {

  Firefox-ESR

  # We want to confine the binaries that match:
  #  /usr/lib/firefox-esr/firefox-esr
  #  /usr/lib/firefox-esr/firefox
  # but not:
  #  /usr/lib/firefox-esr/firefox.sh
  /usr/lib/firefox-esr/firefox{,*[^s][^h]} {

  If you check "/usr/lib/firefox/" you will find the "firefox"
  application file and the "firefox.sh" script. But if you check
  "/usr/lib/firefox-esr/" you will find the application file is named
  "firefox-esr" not "firefox", but the script is still "firefox.sh".

  Therefore line 14 "/usr/lib/firefox-esr/firefox{,*[^s][^h]} {" in
  "usr.bin.firefox-esr" isn't working, since it should be
  "/usr/lib/firefox-esr/firefox-esr{,*[^s][^h]} {" or even just
  "/usr/lib/firefox-esr/firefox-esr {".

  By manually correcting the apparmor profile and reinforcing it,
  Firefox-ESR successfully runs in enforced mode and its process(es) are
  listed under "X processes are in enforce mode". Everything seems to be
  working correctly.

  Checking "X profiles are in enforce mode" again shows the old and new
  profile enforced simultaneously:

     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//browser_java
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//browser_openjdk
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//lsb_release
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//sanitized_helper
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}//browser_java
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}//browser_openjdk
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}//lsb_release
     /usr/lib/firefox-esr/firefox{,*[^s][^h]}//sanitized_helper
     /usr/lib/firefox/firefox{,*[^s][^h]}
     /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
     /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
     /usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release
     /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper

  After setting Firefox-ESR to complain-mode and then again to enforce-
  mode the old enforced profile is removed:

     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//browser_java
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//browser_openjdk
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//lsb_release
     /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//sanitized_helper
     /usr/lib/firefox/firefox{,*[^s][^h]}
     /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
     /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
     /usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release
     /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
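The following script is an added example, not part of the bug report above and not code from the apparmor-profiles project. It translates the subset of AppArmor attachment globbing used in this profile (`*`, `**`, `?`, `[...]`, `[^...]` and `{a,b}` alternation) into a Python regular expression and tests the shipped attachment line and the replacement proposed in the report against the three paths the report names. The function names `apparmor_glob_to_regex`, `attaches` and `coverage` and the path list are this example's own constructions; the globs are the ones quoted in the report.

```python
"""Check which binary paths an AppArmor attachment glob actually confines.

Added example (not from the bug report or the apparmor-profiles project).
Only the globbing features that appear in the Firefox profiles are handled.
"""
import re


def apparmor_glob_to_regex(glob: str) -> str:
    """Translate an AppArmor path glob into a Python regex for fullmatch()."""
    out = []
    depth = 0                       # current {...} nesting depth
    i, n = 0, len(glob)
    while i < n:
        c = glob[i]
        if c == '*':
            if i + 1 < n and glob[i + 1] == '*':
                out.append('.*')    # ** may cross directory boundaries
                i += 2
                continue
            out.append('[^/]*')     # * stays inside one path component
        elif c == '?':
            out.append('[^/]')      # exactly one character, never '/'
        elif c == '[':
            end = glob.find(']', i + 1)
            if end == -1:
                raise ValueError(f"unterminated character class in {glob!r}")
            body = glob[i + 1:end]
            negate = body.startswith('^')
            if negate:
                body = body[1:]
            # keep ranges such as a-z, neutralise the regex metacharacters
            body = body.replace('\\', '\\\\').replace(']', '\\]').replace('[', '\\[')
            out.append(('[^' if negate else '[') + body + ']')
            i = end + 1
            continue
        elif c == '{':
            depth += 1
            out.append('(?:')       # {a,b} becomes a non-capturing alternation
        elif c == '}' and depth > 0:
            depth -= 1
            out.append(')')
        elif c == ',' and depth > 0:
            out.append('|')
        else:
            out.append(re.escape(c))
        i += 1
    if depth != 0:
        raise ValueError(f"unbalanced braces in {glob!r}")
    return ''.join(out)


def attaches(glob: str, path: str) -> bool:
    """True if a profile with this attachment glob would confine `path`."""
    return re.fullmatch(apparmor_glob_to_regex(glob), path) is not None


# Attachment globs quoted in the report: the shipped line and the proposed fix.
SHIPPED_GLOB = '/usr/lib/firefox-esr/firefox{,*[^s][^h]}'
FIXED_GLOB = '/usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}'

# Constructed list of the paths the report discusses.
CANDIDATES = [
    '/usr/lib/firefox-esr/firefox-esr',   # the actual ESR binary
    '/usr/lib/firefox-esr/firefox',       # the name the shipped glob expects
    '/usr/lib/firefox-esr/firefox.sh',    # wrapper script meant to stay excluded
]


def coverage(glob: str) -> dict:
    """Map each candidate path to whether `glob` would confine it."""
    return {path: attaches(glob, path) for path in CANDIDATES}


if __name__ == '__main__':
    for label, glob in (('shipped', SHIPPED_GLOB), ('fixed', FIXED_GLOB)):
        print(f'{label}: {glob}')
        for path, confined in coverage(glob).items():
            print(f'  {"confined  " if confined else "unconfined"} {path}')
```

Running it shows why the wildcard in the shipped line does not rescue it: the second alternative `*[^s][^h]` requires at least two characters after the literal `firefox` and forbids `s` in the second-to-last position, so the suffix `-esr` is rejected just like `.sh`, and the ESR binary falls outside the profile and starts unconfined, which is exactly what `aa-status` reported. The replacement line matches `firefox-esr` through the empty alternative and still excludes `firefox.sh`. The same check is worth running on any renamed or repackaged binary before trusting that `aa-enforce` succeeded, since loading a profile says nothing about whether anything attaches to it.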


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com