** Description changed:

  Binary package hint: apparmor
  
  Purpose: restrict firefox with flashplugin-nonfree enable access to the 
filesystem in: 
- rw for /home/*/** (ie ability to save file inside your home directory) 
+ rw for /home/*/Desktop/** (ie ability to save file in your Desktop directory) 
  rw for /tmp/** (ie abilty to open temp file within firefox like PDF files ect 
...)
  and r or rx access rights for other essentials binaries.
  Prerequisites: have already installed the flashplugin-nonfree because the 
profile will not allow you to install it
  Test plan: While watching the /var/log/messages,  I launch firefox using the 
icon from the gnome panel then I go to youtube.com and try to play a video, 
finally I try to save a web page to my home folder.
  Expected Result: No error should appears in the apparmor audit log file 
during a basic web session (this exclude Firefox extension installation for the 
moment) 
  Test env:  Ubuntu 7.10 Firefox 2.0.0.6+2-0ubuntu4 Flash plugin 
9.0.48.0ubuntu11
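Review bot: the Purpose line now limits writes to "/home/*/Desktop/**", but the unchanged Test plan below it still ends with "finally I try to save a web page to my home folder", which falls outside the new rule and would conflict with the Expected Result of no AppArmor log entries. Suggest changing the last test step to save into the Desktop directory, and adding a second step that saves elsewhere under the home directory and expects a logged denial, so the narrowing itself is tested.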
- The profile is below, I'm looking for feedbacks and suggestions ! 
- 
+ The profile is attached , I'm looking for feedbacks and suggestions ! 
+ Please use the attachment with the latest version of the profile and enjoy a 
Apparmor secured browsing !
   
+ The content below is outdated but left here for history only:
  # Last Modified: Wed Sep 26 04:09:58 2007
  #include <tunables/global>
  /usr/lib/firefox/firefox flags=(complain) {
    #include <abstractions/base>
    #include <abstractions/nameservice>
  
    capability sys_ptrace,
  
    / r,
    /bin/dash ixr,
    /bin/grep ixr,
    /bin/ls ixr,
    /bin/ps ixr,
    /bin/pwd ixr,
    /bin/sed ixr,
    /bin/which ixr,
    /dev/snd/controlC0 rw,
    /dev/snd/pcmC0D0p rw,
    /dev/snd/timer r,
    /dev/tty r,
    /etc/firefox/pref/ r,
    /etc/firefox/pref/firefox.js r,
    /etc/fonts/** r,
    /etc/gai.conf r,
    /etc/gnome-vfs-2.0/modules/ r,
    /etc/gnome-vfs-2.0/modules/default-modules.conf r,
    /etc/gnome-vfs-2.0/modules/extra-modules.conf r,
    /etc/gnome-vfs-2.0/modules/font-method.conf r,
    /etc/gnome-vfs-2.0/modules/mapping-modules.conf r,
    /etc/gnome-vfs-2.0/modules/theme-method.conf r,
    /etc/gnome/defaults.list r,
    /etc/mailcap r,
    /etc/mime.types r,
    /etc/mtab r,
    /etc/python2.5/site.py r,
    /home/ r,
    /home/*/ r,
    /home/*/** krw,
    /proc/ r,
    /proc/*/cmdline r,
    /proc/*/maps r,
    /proc/*/mounts r,
    /proc/*/stat r,
    /proc/*/status r,
    /proc/meminfo r,
    /proc/stat r,
    /proc/sys/kernel/pid_max r,
    /proc/tty/drivers r,
    /proc/uptime r,
    /proc/version r,
    /tmp/ r,
    /tmp/** rw,
    /usr/bin/apturl r,
    /usr/bin/basename ixr,
    /usr/bin/dirname ixr,
    /usr/bin/eog ixr,
    /usr/bin/gedit ixr,
    /usr/bin/gksu ixr,
    /usr/bin/python2.5 ixr,
    /usr/bin/sudo ixr,
    /usr/bin/totem ixr,
    /usr/lib/** mr,
    /usr/lib/firefox/firefox ixr,
    /usr/lib/firefox/firefox-bin ixr,
    /usr/lib/firefox/run-mozilla.sh ixr,
    /usr/lib/gamin/gam_server ixr,
    /usr/local/lib/python2.5/site-packages/ r,
    /usr/local/share/applications/ r,
    /usr/local/share/applications/mimeinfo.cache r,
    /usr/local/share/icons/ r,
    /usr/sbin/synaptic ixr,
    /usr/share/X11/XKeysymDB r,
    /usr/share/alsa/** r,
    /usr/share/applications/ r,
    /usr/share/applications/* r,
    /usr/share/firefox/** r,
    /usr/share/fonts/** r,
    /usr/share/gdm/applications/ r,
    /usr/share/gdm/applications/mimeinfo.cache r,
    /usr/share/icons/ r,
    /usr/share/icons/** r,
    /usr/share/mime/** r,
    /usr/share/myspell/*/ r,
    /usr/share/myspell/dicts/* r,
    /usr/share/pixmaps/ r,
    /usr/share/pycentral/apturl/site-packages/AptUrl/Parser.py r,
    /usr/share/pycentral/apturl/site-packages/AptUrl/__init__.py r,
    /usr/share/pycentral/python-cairo/site-packages/cairo/__init__.py r,
    /usr/share/pycentral/python-gst0.10/site-packages/pygst.pth r,
    /usr/share/pycentral/python-numeric/site-packages/Numeric.pth r,
    /usr/share/python-support/python-apport/apport_python_hook.py r,
    /usr/share/python-support/python-gobject/* r,
    /usr/share/python-support/python-gobject/gtk-2.0/** r,
    /usr/share/python-support/python-gtk2/** r,
    /usr/share/themes/Default/gtk-2.0-key/gtkrc r,
    /usr/share/themes/Human/gtk-2.0/* r,
    /usr/share/ubuntu-artwork/* r,
    /usr/share/ubuntu-artwork/home/* r,
    /usr/share/ubuntu-artwork/img/* r,
    /var/cache/fontconfig/* r,
    /var/lib/defoma/fontconfig.d/* r,
    /var/tmp/ r,
  }
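Review bot: the inline profile kept under the new "outdated" line still contains "/home/*/** krw" and "flags=(complain)", so the description now shows a rule set that contradicts the narrowed Purpose and, in complain mode, only logs. Since the text points readers to the attachment, suggest dropping the inline copy or stating which rules the attached version changed. It would also help to say whether the attachment still carries "capability sys_ptrace" and the ixr entries for /usr/bin/sudo, /usr/bin/gksu and /usr/sbin/synaptic, which go beyond the "r or rx access rights for other essentials binaries" stated in the Purpose.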

** Description changed:

  Binary package hint: apparmor
  
  Purpose: restrict firefox with flashplugin-nonfree enable access to the 
filesystem in: 
  rw for /home/*/Desktop/** (ie ability to save file in your Desktop directory) 
  rw for /tmp/** (ie abilty to open temp file within firefox like PDF files ect 
...)
  and r or rx access rights for other essentials binaries.
  Prerequisites: have already installed the flashplugin-nonfree because the 
profile will not allow you to install it
  Test plan: While watching the /var/log/messages,  I launch firefox using the 
icon from the gnome panel then I go to youtube.com and try to play a video, 
finally I try to save a web page to my home folder.
  Expected Result: No error should appears in the apparmor audit log file 
during a basic web session (this exclude Firefox extension installation for the 
moment) 
  Test env:  Ubuntu 7.10 Firefox 2.0.0.6+2-0ubuntu4 Flash plugin 
9.0.48.0ubuntu11
  The profile is attached , I'm looking for feedbacks and suggestions ! 
  Please use the attachment with the latest version of the profile and enjoy a 
Apparmor secured browsing !
   
- The content below is outdated but left here for history only:
+ The content below is outdated but left here for history purpose only:
  # Last Modified: Wed Sep 26 04:09:58 2007
  #include <tunables/global>
  /usr/lib/firefox/firefox flags=(complain) {
    #include <abstractions/base>
    #include <abstractions/nameservice>
  
    capability sys_ptrace,
  
    / r,
    /bin/dash ixr,
    /bin/grep ixr,
    /bin/ls ixr,
    /bin/ps ixr,
    /bin/pwd ixr,
    /bin/sed ixr,
    /bin/which ixr,
    /dev/snd/controlC0 rw,
    /dev/snd/pcmC0D0p rw,
    /dev/snd/timer r,
    /dev/tty r,
    /etc/firefox/pref/ r,
    /etc/firefox/pref/firefox.js r,
    /etc/fonts/** r,
    /etc/gai.conf r,
    /etc/gnome-vfs-2.0/modules/ r,
    /etc/gnome-vfs-2.0/modules/default-modules.conf r,
    /etc/gnome-vfs-2.0/modules/extra-modules.conf r,
    /etc/gnome-vfs-2.0/modules/font-method.conf r,
    /etc/gnome-vfs-2.0/modules/mapping-modules.conf r,
    /etc/gnome-vfs-2.0/modules/theme-method.conf r,
    /etc/gnome/defaults.list r,
    /etc/mailcap r,
    /etc/mime.types r,
    /etc/mtab r,
    /etc/python2.5/site.py r,
    /home/ r,
    /home/*/ r,
    /home/*/** krw,
    /proc/ r,
    /proc/*/cmdline r,
    /proc/*/maps r,
    /proc/*/mounts r,
    /proc/*/stat r,
    /proc/*/status r,
    /proc/meminfo r,
    /proc/stat r,
    /proc/sys/kernel/pid_max r,
    /proc/tty/drivers r,
    /proc/uptime r,
    /proc/version r,
    /tmp/ r,
    /tmp/** rw,
    /usr/bin/apturl r,
    /usr/bin/basename ixr,
    /usr/bin/dirname ixr,
    /usr/bin/eog ixr,
    /usr/bin/gedit ixr,
    /usr/bin/gksu ixr,
    /usr/bin/python2.5 ixr,
    /usr/bin/sudo ixr,
    /usr/bin/totem ixr,
    /usr/lib/** mr,
    /usr/lib/firefox/firefox ixr,
    /usr/lib/firefox/firefox-bin ixr,
    /usr/lib/firefox/run-mozilla.sh ixr,
    /usr/lib/gamin/gam_server ixr,
    /usr/local/lib/python2.5/site-packages/ r,
    /usr/local/share/applications/ r,
    /usr/local/share/applications/mimeinfo.cache r,
    /usr/local/share/icons/ r,
    /usr/sbin/synaptic ixr,
    /usr/share/X11/XKeysymDB r,
    /usr/share/alsa/** r,
    /usr/share/applications/ r,
    /usr/share/applications/* r,
    /usr/share/firefox/** r,
    /usr/share/fonts/** r,
    /usr/share/gdm/applications/ r,
    /usr/share/gdm/applications/mimeinfo.cache r,
    /usr/share/icons/ r,
    /usr/share/icons/** r,
    /usr/share/mime/** r,
    /usr/share/myspell/*/ r,
    /usr/share/myspell/dicts/* r,
    /usr/share/pixmaps/ r,
    /usr/share/pycentral/apturl/site-packages/AptUrl/Parser.py r,
    /usr/share/pycentral/apturl/site-packages/AptUrl/__init__.py r,
    /usr/share/pycentral/python-cairo/site-packages/cairo/__init__.py r,
    /usr/share/pycentral/python-gst0.10/site-packages/pygst.pth r,
    /usr/share/pycentral/python-numeric/site-packages/Numeric.pth r,
    /usr/share/python-support/python-apport/apport_python_hook.py r,
    /usr/share/python-support/python-gobject/* r,
    /usr/share/python-support/python-gobject/gtk-2.0/** r,
    /usr/share/python-support/python-gtk2/** r,
    /usr/share/themes/Default/gtk-2.0-key/gtkrc r,
    /usr/share/themes/Human/gtk-2.0/* r,
    /usr/share/ubuntu-artwork/* r,
    /usr/share/ubuntu-artwork/home/* r,
    /usr/share/ubuntu-artwork/img/* r,
    /var/cache/fontconfig/* r,
    /var/lib/defoma/fontconfig.d/* r,
    /var/tmp/ r,
  }
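Review bot: style point on the reworded line, "left here for history purpose only" reads awkwardly; something like "kept for historical reference only" would be clearer. The line also does not say which revision is current, while the inline copy is stamped "Last Modified: Wed Sep 26 04:09:58 2007"; naming the attachment or its date next to the word "outdated" would tell readers what supersedes it.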

-- 
Firefox flash enable Profile include
https://bugs.launchpad.net/bugs/146507
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
