Firefox flash enable Profile include

Bug #146507 reported by Philippe Baumgart
This bug affects 1 person
Affects: firefox-3.5 (Ubuntu) | Status: Fix Released | Importance: Wishlist | Assigned to: Unassigned | Milestone: none

Bug Description

Binary package hint: apparmor

Purpose: restrict firefox with flashplugin-nonfree enabled; access to the filesystem is limited to:
rw for /home/*/Desktop/** (i.e. the ability to save files in your Desktop directory)
rw for /tmp/** (i.e. the ability to open temporary files within firefox, like PDF files etc.)
and r or rx access rights for other essential binaries.
Prerequisites: have already installed flashplugin-nonfree, because the profile will not allow you to install it.
Test plan: while watching /var/log/messages, I launch firefox using the icon from the GNOME panel, then I go to youtube.com and try to play a video; finally I try to save a web page to my home folder.
Expected result: no error should appear in the apparmor audit log during a basic web session (this excludes Firefox extension installation for the moment).
Test env: Ubuntu 7.10, Firefox 2.0.0.6+2-0ubuntu4, Flash plugin 9.0.48.0ubuntu11
The profile is attached; I'm looking for feedback and suggestions!
Please use the attachment with the latest version of the profile and enjoy AppArmor-secured browsing!

The content below is outdated but left here for historical purposes only:
# Last Modified: Wed Sep 26 04:09:58 2007
#include <tunables/global>
/usr/lib/firefox/firefox flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability sys_ptrace,

  / r,
  /bin/dash ixr,
  /bin/grep ixr,
  /bin/ls ixr,
  /bin/ps ixr,
  /bin/pwd ixr,
  /bin/sed ixr,
  /bin/which ixr,
  /dev/snd/controlC0 rw,
  /dev/snd/pcmC0D0p rw,
  /dev/snd/timer r,
  /dev/tty r,
  /etc/firefox/pref/ r,
  /etc/firefox/pref/firefox.js r,
  /etc/fonts/** r,
  /etc/gai.conf r,
  /etc/gnome-vfs-2.0/modules/ r,
  /etc/gnome-vfs-2.0/modules/default-modules.conf r,
  /etc/gnome-vfs-2.0/modules/extra-modules.conf r,
  /etc/gnome-vfs-2.0/modules/font-method.conf r,
  /etc/gnome-vfs-2.0/modules/mapping-modules.conf r,
  /etc/gnome-vfs-2.0/modules/theme-method.conf r,
  /etc/gnome/defaults.list r,
  /etc/mailcap r,
  /etc/mime.types r,
  /etc/mtab r,
  /etc/python2.5/site.py r,
  /home/ r,
  /home/*/ r,
  /home/*/** krw,
  /proc/ r,
  /proc/*/cmdline r,
  /proc/*/maps r,
  /proc/*/mounts r,
  /proc/*/stat r,
  /proc/*/status r,
  /proc/meminfo r,
  /proc/stat r,
  /proc/sys/kernel/pid_max r,
  /proc/tty/drivers r,
  /proc/uptime r,
  /proc/version r,
  /tmp/ r,
  /tmp/** rw,
  /usr/bin/apturl r,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/eog ixr,
  /usr/bin/gedit ixr,
  /usr/bin/gksu ixr,
  /usr/bin/python2.5 ixr,
  /usr/bin/sudo ixr,
  /usr/bin/totem ixr,
  /usr/lib/** mr,
  /usr/lib/firefox/firefox ixr,
  /usr/lib/firefox/firefox-bin ixr,
  /usr/lib/firefox/run-mozilla.sh ixr,
  /usr/lib/gamin/gam_server ixr,
  /usr/local/lib/python2.5/site-packages/ r,
  /usr/local/share/applications/ r,
  /usr/local/share/applications/mimeinfo.cache r,
  /usr/local/share/icons/ r,
  /usr/sbin/synaptic ixr,
  /usr/share/X11/XKeysymDB r,
  /usr/share/alsa/** r,
  /usr/share/applications/ r,
  /usr/share/applications/* r,
  /usr/share/firefox/** r,
  /usr/share/fonts/** r,
  /usr/share/gdm/applications/ r,
  /usr/share/gdm/applications/mimeinfo.cache r,
  /usr/share/icons/ r,
  /usr/share/icons/** r,
  /usr/share/mime/** r,
  /usr/share/myspell/*/ r,
  /usr/share/myspell/dicts/* r,
  /usr/share/pixmaps/ r,
  /usr/share/pycentral/apturl/site-packages/AptUrl/Parser.py r,
  /usr/share/pycentral/apturl/site-packages/AptUrl/__init__.py r,
  /usr/share/pycentral/python-cairo/site-packages/cairo/__init__.py r,
  /usr/share/pycentral/python-gst0.10/site-packages/pygst.pth r,
  /usr/share/pycentral/python-numeric/site-packages/Numeric.pth r,
  /usr/share/python-support/python-apport/apport_python_hook.py r,
  /usr/share/python-support/python-gobject/* r,
  /usr/share/python-support/python-gobject/gtk-2.0/** r,
  /usr/share/python-support/python-gtk2/** r,
  /usr/share/themes/Default/gtk-2.0-key/gtkrc r,
  /usr/share/themes/Human/gtk-2.0/* r,
  /usr/share/ubuntu-artwork/* r,
  /usr/share/ubuntu-artwork/home/* r,
  /usr/share/ubuntu-artwork/img/* r,
  /var/cache/fontconfig/* r,
  /var/lib/defoma/fontconfig.d/* r,
  /var/tmp/ r,
}

Kees Cook (kees) wrote : Re: [Bug 146507] apparmor Firefox flash enabled Profile include

Hi,

Thanks for working on this profile!

On Fri, Sep 28, 2007 at 10:27:00PM -0000, Philippe Baumgart wrote:
> rw for /home/*/** (i.e. ability to save files inside your home directory)

This doesn't seem like a good idea. Perhaps just to Desktop/ ? You
wouldn't want firefox stealing your ssh private keys, for example.

> rw for /tmp/** (i.e. ability to open temporary files within firefox, like PDF files etc.)

Please use the abstractions/user-tmp file.

> /dev/snd/controlC0 rw,
> /dev/snd/pcmC0D0p rw,
> /dev/snd/timer r,

Please use the abstractions/audio file.

> /etc/gnome-vfs-2.0/modules/ r,
> ...

Please use the abstractions/gnome file (which includes user-tmp, X and fonts).

> /home/ r,
> /home/*/ r,

These two shouldn't be needed.

> /home/*/** krw,

For /home/*, please use @{HOME} global variable. And I'd recommend not
doing more than:

  @{HOME}/Desktop/** krwl,
  @{HOME}/.mozilla/firefox/** krwl,

> /proc/ r,
> /proc/*/cmdline r,
> /proc/*/maps r,
> /proc/*/mounts r,
> /proc/*/stat r,
> /proc/*/status r,
> /proc/meminfo r,
> /proc/stat r,
> /proc/sys/kernel/pid_max r,
> /proc/tty/drivers r,
> /proc/uptime r,
> /proc/version r,

These should already be in various abstractions (but please use @{PROC}
if you need to).

> /usr/share/pycentral/apturl/site-packages/AptUrl/Parser.py r,

There is a python abstraction too.

Good start!
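
The review points above (no literal /home/ or /proc/ paths, no writable access to the whole home directory, use the audio, user-tmp and gnome abstractions) can be checked mechanically before a profile is posted. The following is an added example, not code from the bug report or from AppArmor's own aa-* tools: a small rule linter whose heuristics encode exactly those points. The profile text it runs on is an excerpt of the first profile in this bug; `lint_profile`, `RULE_RE`, `HEADER_RE` and the `CHECKS` table are names chosen here.

```python
import re

# Excerpt of the bug's first (historical) profile, embedded here as test input.
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/lib/firefox/firefox flags=(complain) {
  #include <abstractions/base>
  capability sys_ptrace,
  /dev/snd/controlC0 rw,
  /home/ r,
  /home/*/ r,
  /home/*/** krw,
  /proc/*/maps r,
  /tmp/** rw,
  /usr/lib/firefox/firefox-bin ixr,
  @{HOME}/Desktop/** krwl,
}
"""

# A file rule: path (literal or @{VAR}-prefixed), whitespace, permission letters, comma.
RULE_RE = re.compile(r"^\s*(?P<path>[/@]\S*)\s+(?P<perms>[a-zA-Z]+),\s*$")
# Profile header carrying flags, e.g. "/usr/lib/firefox/firefox flags=(complain) {".
HEADER_RE = re.compile(r"^\S+\s+flags=\(([^)]*)\)\s*\{")

# (predicate on the rule path, advice) pairs; the first match wins for a rule.
CHECKS = [
    (lambda p: p in ("/home/", "/home/*/"),
     "listing /home or the home directory itself is not needed"),
    (lambda p: p.startswith("/home/"),
     "use the @{HOME} variable from tunables/global instead of a literal /home/ path"),
    (lambda p: p.startswith("/proc/"),
     "use @{PROC} if needed; most /proc entries come with the standard abstractions"),
    (lambda p: p.startswith("/tmp/"),
     "replace with #include <abstractions/user-tmp>"),
    (lambda p: p.startswith("/dev/snd/"),
     "replace with #include <abstractions/audio>"),
]


def lint_profile(text):
    """Return (line number, rule text, advice) for every questionable rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        header = HEADER_RE.match(line)
        if header:
            if "complain" in header.group(1):
                findings.append((lineno, line.strip(),
                                 "profile is in complain mode: violations are only logged, not blocked"))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # includes, capability rules, braces, comments
        path, perms = m.group("path"), m.group("perms")
        # The central review point: writable access to all of $HOME lets the
        # browser reach ~/.ssh and similar, so confine writes to a few subtrees.
        if re.match(r"^(/home/\*|@\{HOME\})/\*\*$", path) and "w" in perms:
            findings.append((lineno, line.strip(),
                             "write access to the entire home directory; restrict to "
                             "@{HOME}/Desktop/** and @{HOME}/.mozilla/firefox/**"))
        for predicate, advice in CHECKS:
            if predicate(path):
                findings.append((lineno, line.strip(), advice))
                break
    return findings


if __name__ == "__main__":
    for lineno, rule, advice in lint_profile(SAMPLE_PROFILE):
        print(f"line {lineno}: {rule}\n    -> {advice}")
```

Run against the excerpt it reports the complain-mode header, the /dev/snd, /home, /proc and /tmp rules, and flags `/home/*/** krw` twice (broad write plus literal path); the `@{HOME}/Desktop/** krwl` line that Kees recommends passes clean.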

Philippe Baumgart (philoboy) wrote :

Thanks a lot for your comment Kees, here is the new version that allows rw only to Desktop and .mozilla/firefox.
But I'm afraid the gnome abstraction seems to allow way too many things.

# Last Modified: Wed Sep 26 05:22:46 2007
#include <tunables/global>
/usr/lib/firefox/firefox {
  #include <abstractions/base>
  #include <abstractions/gnome>

  capability sys_ptrace,

  / r,
  /bin/dash ixr,
  /bin/grep ixr,
  /bin/ls ixr,
  /bin/ps ixr,
  /bin/pwd ixr,
  /bin/sed ixr,
  /bin/which ixr,
  /etc/firefox/pref/ r,
  /etc/firefox/pref/firefox.js r,
  /etc/gai.conf r,
  /etc/gnome/defaults.list r,
  /etc/mailcap r,
  /etc/mime.types r,
  /etc/mtab r,
  /etc/python2.5/site.py r,
  @{HOME}/Desktop/** krw,
  @{HOME}/.mozilla/firefox/** krw,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/eog ixr,
  /usr/bin/evince ixr,
  /usr/bin/gedit ixr,
  /usr/bin/gksu ixr,
  /usr/bin/python2.5 ixr,
  /usr/bin/sudo ixr,
  /usr/bin/totem ixr,
  /usr/lib/** mr,
  /usr/lib/firefox/firefox ixr,
  /usr/lib/firefox/firefox-bin ixr,
  /usr/lib/firefox/run-mozilla.sh ixr,
  /usr/lib/gamin/gam_server ixr,
  /usr/local/lib/python2.5/site-packages/ r,
  /usr/local/share/applications/ r,
  /usr/local/share/applications/mimeinfo.cache r,
  /usr/local/share/icons/ r,
  /usr/sbin/synaptic ixr,
  /usr/share/applications/ r,
  /usr/share/applications/* r,
  /usr/share/firefox/** r,
  /usr/share/myspell/*/ r,
  /usr/share/myspell/dicts/* r,
  /usr/share/synaptic/glade/* r,
  /usr/share/ubuntu-artwork/* r,
  /usr/share/ubuntu-artwork/home/* r,
  /usr/share/ubuntu-artwork/img/* r,
}

Philippe Baumgart (philoboy) wrote :

Forget my last profile, it's not working: I forgot to restart the daemon while testing it... I'm working on it and I hope to post a better version soon!

Kees Cook (kees) wrote : Re: [Bug 146507] Re: Firefox flash enable Profile include

Great! When you do, please use the "Attach" function rather than
pasting it into the comment. This makes it easy for people to download
and test. Thanks!

Philippe Baumgart (philoboy) wrote :

Here is the new version; please test it and let me know if this works well for you too.

Mathias Gug (mathiaz)
Changed in apparmor:
importance: Undecided → Wishlist
Hinnerk (haardt) wrote :

I had to add these entries:

/etc/orbitrc r,
/tmp/krb5cc_* k,
@{HOME}/.local/share/applications/** r,
/usr/share/locale-langpack/** r,
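
The reporter's test plan (watch the audit log while browsing) and the four rules Hinnerk had to add are the manual version of a denial-to-rule loop. As an added example, not code from the bug report nor AppArmor's own aa-logprof, the script below turns audit lines into candidate rules the way a reviewer would want them: concrete home and per-pid /proc paths are rewritten to `@{HOME}` and `@{PROC}/*/`, masks for the same path are merged, and denials under `~/.ssh` or `~/.gnupg` are emitted commented out so nobody adds them by reflex. The log lines are constructed for this example; `suggest_rules`, `generalize_path`, `SENSITIVE_PREFIXES` and the `ix` choice for exec denials are assumptions made here.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the bug report). The key="value"
# layout is what AppArmor writes to the kernel log on current kernels; the
# 2007-era format on the reporter's system differs in detail but carries the
# same fields (profile, name, denied mask).
SAMPLE_LOG = """\
kernel: audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/etc/orbitrc" pid=4211 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 apparmor="DENIED" operation="file_lock" profile="/usr/lib/firefox/firefox" name="/tmp/krb5cc_1000" pid=4211 comm="firefox" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
kernel: audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/home/alice/.local/share/applications/mimeinfo.cache" pid=4211 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/proc/4211/maps" pid=4211 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/home/alice/.ssh/id_rsa" pid=4211 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: audit: type=1400 apparmor="ALLOWED" operation="open" profile="/usr/lib/firefox/firefox" name="/etc/mtab" pid=4211 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/fonts/fonts.conf" pid=4300 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Paths a browser profile should never be handed just because a denial showed up.
SENSITIVE_PREFIXES = ("@{HOME}/.ssh/", "@{HOME}/.gnupg/")


def parse_audit_line(line):
    """Return the quoted key="value" fields of one audit line as a dict."""
    return dict(FIELD_RE.findall(line))


def generalize_path(path):
    """Rewrite a concrete path into the variable form used in profiles."""
    path = re.sub(r"^/home/[^/]+/", "@{HOME}/", path)   # /home/alice/... -> @{HOME}/...
    path = re.sub(r"^/proc/\d+/", "@{PROC}/*/", path)   # per-pid entries -> any pid
    path = re.sub(r"^/proc/", "@{PROC}/", path)
    return path


def denied_masks(log_text, profile):
    """Map generalized path -> set of denied permission letters for one profile."""
    masks = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev.get("apparmor") != "DENIED" or ev.get("profile") != profile:
            continue
        if "name" not in ev:  # capability or network denials carry no path
            continue
        masks[generalize_path(ev["name"])].update(ev.get("denied_mask", ""))
    return masks


def suggest_rules(log_text, profile):
    """Candidate profile lines, with sensitive paths commented out for review."""
    rules = []
    for path, mask in sorted(denied_masks(log_text, profile).items()):
        perms = "".join(c for c in "rwklm" if c in mask)
        if "x" in mask:
            perms += "ix"  # assumption: the exec mode still has to be chosen by the author
        rule = f"{path} {perms},"
        if path.startswith(SENSITIVE_PREFIXES):
            rule = "# REVIEW, do not add blindly: " + rule
        rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG, "/usr/lib/firefox/firefox"):
        print(rule)
```

The output is deliberately one step short of Hinnerk's rules: `/tmp/krb5cc_1000 k,` still needs a human to widen it to `/tmp/krb5cc_* k,`, and the `mimeinfo.cache` line to `@{HOME}/.local/share/applications/** r,`. Widening is a judgement about what else the glob will admit, which is exactly the part of profile writing this thread is about.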

Philippe Baumgart (phil-roxor) wrote :

Thanks for your contribution. By the way, there is one thing to do to make this profile useful to most people: enabling Java plugin usage. I hope to find some time to work on it in a week or two, but if someone is already working on it please post it here so that we can check if we can merge it with this profile.

J.Ring (jonatan-ring) wrote : downloads

Personally I would set firefox to download files to a separate directory and not give it access to the entire desktop, like so:

@{HOME}/Desktop/downloads/** krw,

However, I guess you want the profile to match firefox' default configuration if it is to go into the repository.

Philippe Baumgart (phil-roxor) wrote : Re: [Bug 146507] downloads

You got the point, I'm not a big fan of this default location either,
but this is not my choice to make...
Has anybody checked the Java plugin compatibility with this profile?

On 30 oct. 07, at 17:05, J.Ring wrote:

> Personally I would set firefox to download files to a separate
> directory
> and not give it access to the entire desktop, like so:
>
> @{HOME}/Desktop/downloads/** krw,
>
> However, I guess you want the profile to match firefox' default
> configuration if it is to go into the repository.
>
> --
> Firefox flash enable Profile include
> https://bugs.launchpad.net/bugs/146507

Kees Cook (kees)
Changed in apparmor (Ubuntu):
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

firefox-3.5 in Ubuntu 9.10 now has an opt-in profile.

affects: apparmor (Ubuntu) → firefox-3.5 (Ubuntu)
Changed in firefox-3.5 (Ubuntu):
status: Triaged → Fix Released