[Bug 1662501] Re: since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict
Could we eventually use xdg-desktop-portal? https://bugzilla.mozilla.org/show_bug.cgi?id=1490186 ** Bug watch added: Mozilla Bugzilla #1490186 https://bugzilla.mozilla.org/show_bug.cgi?id=1490186 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1662501 Title: since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1662501/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1662501] Re: since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict
Hmmm, interesting! I wouldn't hold out too long on giving the friendly tools smarts vis-a-vis conditionals, since that kind of logic isn't necessarily straightforward (i.e. can be hard/time-consuming to implement), it's not necessary for power/paranoid users (we're happy resorting to a text editor), and even low-skill users are better served by a debconf prompt anyway. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1662501 Title: since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1662501/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 1662501] Re: since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict
On Sun, Jul 29, 2018 at 11:35:58PM -, Daniel Richard G. wrote: > I think we could really use some kind of conditional construct (IF ... > THEN ...) in AppArmor syntax. Everything being talking about here apparmor_parser does in fact have conditionals of exactly this form. They aren't documented -- or used -- because the friendly tools don't yet know how to parse the contents, or suggest changing the value of the booleans in response to events in the logs. Some Day. :) Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1662501 Title: since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1662501/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1662501] Re: since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict
I think we could really use some kind of conditional construct (IF ... THEN ...) in AppArmor syntax. Everything being talking about here should, ideally, be adjustable using tunables. With a debconf configuration option, even. Between users who want strict access control to user files, and users who don't know "how to computer," there's no way we're going to get agreement on a default configuration that satisfies the former. The best outcome, then, is to make tightening up the access easy, and editing lines in the guts of profile and abstraction files IMO does not measure up to that. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1662501 Title: since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1662501/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1662501] Re: since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict
Hello.
I think that the default Firefox profile can be made more restrictive,
stricter. It's pretty simple and can be done by removing a few default
rules (mentioned in bug report by Vlad K., for example) etc. Anyway,
here are some ideas (based on testing made in the past).
As an example, we can specify, mentions the rules that makes browsing
directories works. My tests made in the past, showed that Firefox needs
an access only to '/dev/' directory - not the whole and everything in
'/**/' folders! The same thing with rules providing an access to
documentation and other files (default rule: '/usr/** r,'). In my
testings, Firefox needed an access to '/usr/share/{glib-2.0,hunspell}/'
folders only! Not everything under '/usr/'.
If it's about '/etc/apparmor.d/abstractions/ubuntu-browsers.d/user-
files' file and rules to access everything in User home folder: by
default, Firefox profile contains rules that allows downloads to
'~/Downloads' and uploads from '~/Public' folders, right? Because, there
is also one rule related to the 'user-files' file: '' an access is unrestricted.
Changing/removing rules in the 'user-files' file and adding rules that
allows User to save files only in '~/Downloads' folder seems to fix such
issue - unrestricted access etc. The same thing with unnecessary - in my
opinion - rules mentioned above '/**/' and '/usr' and so on.
Additionally, there can be added a '' rule to deny
access to sensitive files and to provide a special attention to
(potentially) executable files. (However, during testings appeared a few
"DENIED" entries in the logs files and additional rules were needed.)
And that's not everything. For example, Users who don't use printers
doesn't need '' rule, right? There are many rules
in default Firefox profile that can be changed/removed etc. (Personally,
I'm using profile created from scratch, with more stricter policy).
By the way: it seems that with every next Firefox release, a new rules
needs to be added. It's happens very often. The latest Firefox version,
caused several problems: no menu bar, main window resize, errors with
tab, no website could be enabled by clicking on a bookmarks labels etc.
Really, the v60 version caused many issues, that required a few new
rules. Here are bug report:
● https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1770600
I hope, that it will help someone to fix problems, that may appear after
Firefox upgrade to the 60.0 version.
Thanks, best regards.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1662501
Title:
since the apparmor profile is disabled by default, please make the
apparmor policy strict with option to make less strict
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1662501/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1662501] Re: since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict
I have created simialr bug in
https://bugs.launchpad.net/firefox/+bug/1609439 . It's confusing having
too (or more?) Firefoxes in launchpad...
My original issue was that usr.bin.firefox contains kinda..
misinformation, if I may, with rules like:
owner @{HOME}/Downloads/* rw,
while included user-files profile allows all home access (except some
denies of course), making this mentioned rule redundant.
Anyway, I agree that profile could be stricter, although question
arises, will I be able to suggest it for my not-that-savvy friends of
mine, if they would be able to download only to the Downloads, and
upload only from, let's say Home maybe (and Downloads and Pubic...)?
What a bout cat pics placed anywhere within home or mounted drive or
whatever? :) .
About user-files: there is /etc/apparmor.d/abstractions/private-files so
maybe it could be improved and used as main deny list, alternative to
/etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files ?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1662501
Title:
since the apparmor profile is disabled by default, please make the
apparmor policy strict with option to make less strict
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1662501/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1662501] Re: since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict
Jamie,
thanks for the elaborate explanation and directing the issue where it
matters.
I'd just like to comment on switching the issue to "firefox" package and
"the firefox profile can be adjusted to remove the user-files
abstraction ..."
Removal of "user-files" abstraction would weaken the security because
user-files contains explicit DENY rules for ~/.ssh and kde|gnome
wallets, as well as ~/.gpg (!!). While that would, in turn, also imply
removal of "@{HOME}/** r" ruleset, and thus imply no access to files in
user's HOME directory at all, it would compound with default Firefox'
policy of "/**/ r," which would then allow at least listing of all user
files.
The user-files abstraction is important. It protects known sensitive
files, but it should also deny all access to anything but ~/Downloads
and/or ~/Public. With a few comments with which the user can be directed
to easily re-enable full @{HOME} access if she or he so desires.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1662501
Title:
since the apparmor profile is disabled by default, please make the
apparmor policy strict with option to make less strict
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1662501/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1662501] Re: since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict
Clarification re snaps and the 'home' interface> the 'home' interface does not grant access to toplevel hidden files and directories. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1662501 Title: since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1662501/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
