Hello.
I think that the default Firefox profile can be made more restrictive,
stricter. It's pretty simple and can be done by removing a few default
rules (mentioned in the bug report by Vlad K., for example) etc. Anyway,
here are some ideas (based on testing done in the past).
As an example, take the rules that make browsing directories work. My
past tests showed that Firefox needs access only to the '/dev/'
directory, not to everything in '/**/' folders! The same goes for the
rules providing access to documentation and other files (default rule:
'/usr/** r,'). In my testing, Firefox needed access to the
'/usr/share/{glib-2.0,hunspell}/' folders only, not everything under
'/usr/'.
As for the '/etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files'
file and the rules giving access to everything in the user's home
folder: by default, the Firefox profile contains rules that allow
downloads to '~/Downloads' and uploads from '~/Public', right? But there
is also one rule related to the 'user-files' file,
'<abstractions/ubuntu-browsers.d/firefox>', through which access is
unrestricted.
Changing/removing rules in the 'user-files' file and adding rules that
allow the user to save files only in the '~/Downloads' folder seems to
fix this issue (unrestricted access etc.). The same goes for the, in my
opinion, unnecessary rules mentioned above ('/**/', '/usr' and so on).
Additionally, a '<private-files-strict>' rule can be added to deny
access to sensitive files and to pay special attention to (potentially)
executable files. (However, during testing a few "DENIED" entries
appeared in the log files and additional rules were needed.)
And that's not everything. For example, users who don't use printers
don't need the '<abstractions/cups_*>' rule, right? There are many rules
in the default Firefox profile that can be changed/removed etc.
(Personally, I'm using a profile created from scratch, with a stricter
policy.)
By the way: it seems that with every new Firefox release, new rules
need to be added. It happens very often. The latest Firefox version
caused several problems: no menu bar, main window resize, errors with
tabs, no website could be opened by clicking on bookmark labels, etc.
Really, the v60 version caused many issues that required a few new
rules. Here is the bug report:
● https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1770600
I hope that it will help someone fix problems that may appear after
the Firefox upgrade to version 60.0.
Thanks, best regards.
--
https://bugs.launchpad.net/bugs/1662501
Title:
since the apparmor profile is disabled by default, please make the
apparmor policy strict with option to make less strict
Status in firefox package in Ubuntu:
Triaged
Bug description:
The default Firefox AppArmor profile (package: firefox) allows read
access to all files in the system:
# in /etc/apparmor.d/usr.bin.firefox:
/**/ r,
This allows browsing all directory contents on the system, which
violates the Least Privilege Principle and allows malware to explore
what's on the system (even though there are additional deny rules that
protect the most sensitive files, a default read-all is still
unacceptable).
In addition (package: apparmor):
# in /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:
@{HOME}/** r,
owner @{HOME}/** w,
which allows read/write to ALL USER FILES, and read to ALL OTHER USERS'
FILES because the default chmod on user dirs is o+rx. Granted, access to
~/.ssh is explicitly denied, but there are things like documents and
other user files that should NOT be readable to Firefox at all.
This is, IMHO, a vulnerability.
The profile should allow read/write ONLY to dirs like ~/Downloads or
~/Public. In addition, the above two lines that allow unconfined rw
access to HOME/** should be commented out, with an explanation of what
it means to enable them if the user really wants that kind of
convenience.
Modern malware is not just about code execution and modifying local or
system files. Modern malware is also very much so about data and
identity theft against which the current default AppArmor profile does
NOT protect.
Take for example password managers like KeePassX. The default profile
on ubuntu-browsers would allow unfettered access to the very much
sensitive passwords database.
Sure, users can override and expand the profile with their local
modifications, but this "vulnerability" is not documented or
communicated to users and gives a false sense of security ("Oh, I have
AppArmor profile on Firefox, I'm safe").
Unfortunately, proper security is not in the domain of casual computer
usage and I understand that Ubuntu has to balance between convenience
and security but IMHO it is possible to make this more secure AND at
the same time inform the user where to DISABLE (rather than enable)
those stricter rules.
If Ubuntu is not willing to sacrifice the convenience for PROPER
security (shame on Ubuntu if that's the case), then AT THE VERY LEAST
the user should be informed that the default AppArmor profile, when
they install a browser, is biased toward convenience and users SHOULD
take additional actions to protect themselves.
I'm sure this all applies to more than just the browsers, but browsers
are my primary concern here, which are the most vulnerable component
in a modern system.
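As an added example for this thread (not code from the bug report, from the commenter, or from Ubuntu's firefox or apparmor packages), the following Python script audits AppArmor file rules for exactly the kind of over-broad grants quoted above: a read or write glob rooted at '/' or at '@{HOME}/', and recursive grants under a single top-level directory such as '/usr/**'. It parses only the file-rule subset that appears in this report (optional audit/deny/owner qualifiers, a path or @{HOME}-rooted glob, a permission string). Both embedded profile fragments are constructed for the example: the "lax" one is modelled on the rules quoted in the report, and the "strict" one is one possible tightening along the lines the reporter and the commenter suggest; it is an assumption, not the profile that ships with the package.

```python
"""Audit AppArmor file rules for over-broad read/write grants.

Added example for this bug thread; it is not code from the thread, from
the firefox package or from the apparmor package. It understands only the
file-rule subset quoted in the report (optional audit/deny/owner
qualifiers, a path or @{HOME}-rooted glob, a permission string) and skips
everything else, so treat it as a first pass, not a full profile parser.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    severity: str  # "critical": whole filesystem or home; "broad": one top-level dir
    reason: str


# Qualifiers, then a path or variable-rooted glob, then permissions and ','.
RULE_RE = re.compile(
    r"^\s*(?P<quals>(?:(?:audit|deny|owner)\s+)*)"
    r"(?P<path>[@/]\S*?)\s+"
    r"(?P<perms>[A-Za-z]+)\s*,\s*(?:#.*)?$"
)

# First glob metacharacter; a '{' directly after '@' is a variable, not a glob.
WILDCARD_RE = re.compile(r"[*?\[]|(?<!@)\{")


def literal_prefix(path: str) -> str:
    """Return the part of a rule path before its first wildcard."""
    m = WILDCARD_RE.search(path)
    return path if m is None else path[: m.start()]


def describe(perms: str) -> str:
    """Human-readable summary of an AppArmor permission string."""
    kinds = []
    if "r" in perms:
        kinds.append("read")
    if "w" in perms or "a" in perms:
        kinds.append("write")
    if "x" in perms.lower():
        kinds.append("execute")
    return "/".join(kinds) or perms


def audit_profile(text: str) -> List[Finding]:
    """Flag allow rules whose glob covers the root or the home directory."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if m is None:
            continue  # comment, include, or syntax this audit does not model
        if "deny" in m.group("quals").split():
            continue  # deny rules narrow access and are never flagged
        path, perms = m.group("path"), m.group("perms")
        if "*" not in path:
            continue  # literal path or brace list only: already scoped
        prefix = literal_prefix(path)
        rule = line.strip()
        if prefix == "/":
            findings.append(Finding(line_no, rule, "critical",
                                    f"{describe(perms)} on the whole filesystem"))
        elif prefix == "@{HOME}/":
            findings.append(Finding(line_no, rule, "critical",
                                    f"{describe(perms)} on the whole home directory"))
        elif re.fullmatch(r"/[^/]+/", prefix) and "**" in path:
            findings.append(Finding(line_no, rule, "broad",
                                    f"recursive {describe(perms)} under {prefix}"))
    return findings


# Constructed fragment modelled on the rules quoted in the bug report.
LAX_PROFILE = """\
# usr.bin.firefox excerpt (constructed for this example)
/**/ r,
/usr/** r,
# ubuntu-browsers.d/user-files excerpt (constructed for this example)
@{HOME}/** r,
owner @{HOME}/** w,
audit deny @{HOME}/.ssh/** mrwkl,
"""

# Constructed tightening along the lines suggested in the thread. This is an
# assumption for the example, not the shipped profile; any rule set chosen
# this way still has to be validated against DENIED entries in the logs.
STRICT_PROFILE = """\
/dev/ r,
/usr/share/{glib-2.0,hunspell}/** r,
owner @{HOME}/Downloads/ rw,
owner @{HOME}/Downloads/** rw,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/** r,
audit deny @{HOME}/.ssh/** mrwkl,
"""


def report(name: str, profile: str) -> int:
    """Print the findings for one fragment and return how many there were."""
    findings = audit_profile(profile)
    print(f"{name}: {len(findings)} over-broad rule(s)")
    for f in findings:
        print(f"  line {f.line_no} [{f.severity}] {f.rule}  -> {f.reason}")
    return len(findings)


if __name__ == "__main__":
    report("lax (as quoted in the report)", LAX_PROFILE)
    report("strict (constructed)", STRICT_PROFILE)
```

Run against a real profile by passing the contents of /etc/apparmor.d/usr.bin.firefox and the user-files abstraction to audit_profile(); the "lax" fragment yields four findings (the '/**/' and '@{HOME}/**' grants as critical, '/usr/**' as broad) while the constructed "strict" fragment yields none. A clean audit only says that no grant is rooted at '/' or at home; as the commenter observed for Firefox 60, a tightened profile still has to be checked against the DENIED entries it produces in use.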