Firefox flash enable Profile include
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
firefox-3.5 (Ubuntu) | Fix Released | Wishlist | Unassigned |
Bug Description
Binary package hint: apparmor
Purpose: restrict Firefox (with flashplugin-nonfree), enabling filesystem access for:
rw for /home/*/Desktop/** (i.e. the ability to save files in your Desktop directory)
rw for /tmp/** (i.e. the ability to open temp files within Firefox, like PDF files etc.)
and r or rx access rights for other essential binaries.
Prerequisites: have flashplugin-nonfree already installed, because the profile will not allow you to install it.
Test plan: While watching /var/log/messages, I launch Firefox using the icon from the GNOME panel, then I go to youtube.com and try to play a video; finally I try to save a web page to my home folder.
Expected result: No error should appear in the AppArmor audit log during a basic web session (this excludes Firefox extension installation for the moment).
Test env: Ubuntu 7.10, Firefox 2.0.0.6+2-0ubuntu4, Flash plugin 9.0.48.0ubuntu11
The profile is attached; I'm looking for feedback and suggestions!
Please use the attachment with the latest version of the profile and enjoy AppArmor-secured browsing!
The content below is outdated but left here for historical purposes only:
# Last Modified: Wed Sep 26 04:09:58 2007
#include <tunables/global>
/usr/lib/
#include <abstractions/base>
#include <abstractions/
capability sys_ptrace,
/ r,
/bin/dash ixr,
/bin/grep ixr,
/bin/ls ixr,
/bin/ps ixr,
/bin/pwd ixr,
/bin/sed ixr,
/bin/which ixr,
/dev/
/dev/snd/pcmC0D0p rw,
/dev/snd/timer r,
/dev/tty r,
/etc/
/etc/
/etc/fonts/** r,
/etc/gai.conf r,
/etc/
/etc/
/etc/
/etc/
/etc/
/etc/
/etc/
/etc/mailcap r,
/etc/mime.types r,
/etc/mtab r,
/etc/
/home/ r,
/home/*/ r,
/home/*/** krw,
/proc/ r,
/proc/*/cmdline r,
/proc/*/maps r,
/proc/*/mounts r,
/proc/*/stat r,
/proc/*/status r,
/proc/meminfo r,
/proc/stat r,
/proc/
/proc/tty/drivers r,
/proc/uptime r,
/proc/version r,
/tmp/ r,
/tmp/** rw,
/usr/bin/apturl r,
/usr/bin/basename ixr,
/usr/bin/dirname ixr,
/usr/bin/eog ixr,
/usr/bin/gedit ixr,
/usr/bin/gksu ixr,
/usr/
/usr/bin/sudo ixr,
/usr/bin/totem ixr,
/usr/lib/** mr,
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/share/icons/ r,
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/var/
/var/
/var/tmp/ r,
}
description: updated
Changed in apparmor: importance: Undecided → Wishlist
Changed in apparmor (Ubuntu): status: New → Triaged
Hi,
Thanks for working on this profile!
On Fri, Sep 28, 2007 at 10:27:00PM -0000, Philippe Baumgart wrote:
> rw for /home/*/** (ie ability to save file inside your home directory)
This doesn't seem like a good idea. Perhaps just to Desktop/ ? You
wouldn't want firefox stealing your ssh private keys, for example.
> rw for /tmp/** (i.e. the ability to open temp files within Firefox, like PDF files etc.)
Please use the abstractions/ user-tmp file.
> /dev/snd/controlC0 rw,
> /dev/snd/pcmC0D0p rw,
> /dev/snd/timer r,
Please use the abstractions/audio file.
> /etc/gnome-vfs-2.0/modules/ r,
> ...
Please use the abstractions/gnome (which includes user-tmp, X and fonts)
> /home/ r,
> /home/*/ r,
These two shouldn't be needed.
> /home/*/** krw,
For /home/*, please use the @{HOME} global variable. And I'd recommend not
doing more than:
@{HOME}/Desktop/** krwl,
@{HOME}/.mozilla/firefox/** krwl,
> /proc/ r,
> /proc/*/cmdline r,
> /proc/*/maps r,
> /proc/*/mounts r,
> /proc/*/stat r,
> /proc/*/status r,
> /proc/meminfo r,
> /proc/stat r,
> /proc/sys/kernel/pid_max r,
> /proc/tty/drivers r,
> /proc/uptime r,
> /proc/version r,
These should already be in various abstractions (but please use @{PROC}
if you need to).
> /usr/share/pycentral/apturl/site-packages/AptUrl/Parser.py r,
There is a python abstraction too.
Good start!
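As an added example, not the attached profile or the reviewer's own wording: the parts of the profile the review criticises, with each original rule shown beside the replacement the comment recommends. The attachment path `/usr/lib/firefox/firefox.sh` is an assumption, since the page truncates the profile's header line.

```apparmor
# Added example: original rules from the posted profile next to the
# review's recommendations. The attachment path is an assumption; the
# page truncates the real header line.
#include <tunables/global>

/usr/lib/firefox/firefox.sh {
  #include <abstractions/base>
  # Replaces the hand-written fonts, X, /tmp and gnome-vfs rules
  # (gnome pulls in user-tmp, X and fonts, as the review notes).
  #include <abstractions/gnome>
  # Replaces /dev/snd/controlC0, /dev/snd/pcmC0D0p and /dev/snd/timer.
  #include <abstractions/audio>
  # Covers the pycentral/AptUrl site-packages path used by apturl.
  #include <abstractions/python>

  # Original:  /home/*/** krw,
  # That grants Firefox, and the Flash plugin loaded into it, read and
  # write access to every file in every user's home, ~/.ssh included.
  # Recommended instead: the download target and Firefox's own state only.
  @{HOME}/Desktop/** krwl,
  @{HOME}/.mozilla/firefox/** krwl,

  # Original: literal /proc/... paths. Most are already covered by the
  # abstractions; use the @{PROC} tunable for any still needed.
  @{PROC}/*/cmdline r,
  @{PROC}/sys/kernel/pid_max r,

  # Libraries, including the plugin itself, are mapped read-only
  # (kept from the original profile).
  /usr/lib/** mr,
}
```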