
Apparmor: 1 processes are unconfined but have a profile defined


Ge

Jul 13, 2018, 12:20:03 PM
Hello
I'm trying to make my own profiles for AppArmor.

I made a profile for firefox-esr but for some reason I can't get AppArmor
to confine it. I run aa-enforce firefox-esr but nothing changes.

Any ideas?
Thanks in advance for your help.

$ sudo aa-status
apparmor module is loaded.
21 profiles are loaded.
21 profiles are in enforce mode.
/etc/apparmor.d/usr.lib.firefox-esr.firefox-esr
/usr/bin/exo-open
/usr/bin/firefox
/usr/bin/freshclam
/usr/bin/gsettings-data-convert
/usr/bin/liferea
/usr/bin/lsb_release
/usr/bin/mupdf
/usr/bin/proxy
/usr/bin/vlc
/usr/lib/firefox-esr/firefox-esr
/usr/lib/firefox-esr/plugin-container
/usr/lib/mupdf/mupdf-x11
/usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitNetworkProcess
/usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitWebProcess
/usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1
thunderbird
thunderbird//browser_java
thunderbird//browser_openjdk
thunderbird//gpg
thunderbird//sanitized_helper
0 profiles are in complain mode.
4 processes have profiles defined.
3 processes are in enforce mode.
/usr/bin/freshclam (689)
/usr/lib/firefox-esr/plugin-container (1843)
thunderbird (925)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
/usr/lib/firefox-esr/firefox-esr (1798)

Reco

Jul 13, 2018, 3:50:03 PM
Hi.

On Fri, Jul 13, 2018 at 07:10:51PM +0300, Ge wrote:
> Hello
> I'm trying to make my own profiles for AppArmor.
>
> I made a profile for firefox-esr but for some reason I can't get AppArmor
> to confine it. I run aa-enforce firefox-esr but nothing changes.

First, you're supposed to restart the confined process, as an AppArmor
profile applies at process start only.

Second, AppArmor applies to full pathnames only, and aa-enforce is
dumb enough to pick /usr/bin/firefox-esr instead of the real Firefox
binary (which should be /usr/lib/firefox-esr/firefox-esr).


> Any ideas?
> Thanks in advance for your help.

Third, I see a discrepancy here:

> $ sudo aa-status
> apparmor module is loaded.
> 21 profiles are loaded.
> 21 profiles are in enforce mode.
> /etc/apparmor.d/usr.lib.firefox-esr.firefox-esr
...
> /usr/bin/firefox
...
> 3 processes are in enforce mode.
> /usr/bin/freshclam (689)
> /usr/lib/firefox-esr/plugin-container (1843)
...
> 1 processes are unconfined but have a profile defined.
> /usr/lib/firefox-esr/firefox-esr (1798)

Which binary does your custom profile apply to?
Can you share it?

Reco

Reco

Jul 13, 2018, 4:50:03 PM
Hi.

I accept on-list communication only.

On Fri, Jul 13, 2018 at 11:09:19PM +0300, Ge wrote:
> Hi, I couldn't figure it out so I deleted all Firefox profiles and I started
> again from the beginning

If you just deleted the files from /etc/apparmor.d - that won't be
enough as old profiles are still loaded into the running kernel.
See if it sticks after the reboot.

But,

> My Firefox profile now seems to work.
>
> sudo cat ./usr.lib.firefox-esr.firefox-esr

If your Apparmor profile is not world-readable then you're doing it
wrong (i.e. sudo should not be needed for this).

> [sudo] password for gssd:
> # Last Modified: Fri Jul 13 19:58:57 2018
> #include <tunables/global>
>
> /usr/lib/firefox-esr/firefox-esr {

That line's crucial. Enabling and disabling should be done via
aa-enforce/aa-complain /usr/lib/firefox-esr/firefox-esr.


> "/home/gssd/.mozilla/firefox/Crash Reports/*" r,

This one and everything like it are better written as:

owner "@{HOME}/.mozilla/firefox/Crash Reports/*" r,

And I wonder whether disabling writing crash reports was intentional.

> /home/*/.mozilla/firefox/72z9u2as.default/browser-extension-data/** rw,

This one:

owner @{HOME}/.mozilla/firefox/*/browser-extension-data/** rw,


Everything else is more or less ok.

Reco
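Three text-only checks that follow from the two replies above (an added example, not code from the thread): which binary a profile header attaches to, rewriting user-specific home rules into the owner @{HOME} form, and pulling the "unconfined but have a profile defined" entries out of aa-status output so the stale process can be restarted. The sample profile and status text are constructed from the lines posted in the thread; the rewrite rule only knows the /home/<user>/ and xxxxxxxx.default patterns seen here.

```shell
#!/bin/sh
# Added example (not from the thread): text-only checks for the points raised
# in the replies. Sample inputs are constructed from lines posted in the thread.

# Which binary does a profile confine? AppArmor attaches by the full pathname on
# the profile header line; this handles the unquoted "/path ... {" form. Reads stdin.
profile_attachment() {
  awk '$1 ~ /^\// && $NF == "{" { print $1 }'
}

# Rewrite user-specific rules into the portable form suggested in the thread:
#   "/home/gssd/.mozilla/firefox/Crash Reports/*" r,
# becomes
#   owner "@{HOME}/.mozilla/firefox/Crash Reports/*" r,
# and a hard-coded Firefox profile directory (xxxxxxxx.default) becomes "*".
# Rules already written with @{HOME} are left alone.
portable_home_rules() {
  sed -E \
    -e 's#^([[:space:]]*)("?)/home/[^/]+/#\1owner \2@{HOME}/#' \
    -e 's#\.mozilla/firefox/[^/*]+\.default/#.mozilla/firefox/*/#'
}

# From aa-status output on stdin, print processes that have a profile loaded but
# run unconfined: they were started before the profile was loaded and need a
# restart, which is what the thread's firefox-esr (1798) entry shows.
unconfined_with_profile() {
  awk '
    /^[0-9]+ processes are unconfined but have a profile defined/ { grab = 1; next }
    grab && /^[0-9]+ processes/ { grab = 0 }
    grab && NF { sub(/^[[:space:]]+/, ""); print }
  '
}

# Constructed samples (the profile body is shortened to the two rules discussed).
SAMPLE_PROFILE='#include <tunables/global>

/usr/lib/firefox-esr/firefox-esr {
  "/home/gssd/.mozilla/firefox/Crash Reports/*" r,
  /home/*/.mozilla/firefox/72z9u2as.default/browser-extension-data/** rw,
}'
SAMPLE_STATUS='0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/lib/firefox-esr/firefox-esr (1798)'

echo "profile attaches to: $(printf '%s\n' "$SAMPLE_PROFILE" | profile_attachment)"
printf '%s\n' "$SAMPLE_PROFILE" | portable_home_rules
echo "needs restart:"; printf '%s\n' "$SAMPLE_STATUS" | unconfined_with_profile
```

On a live system the same functions take `cat /etc/apparmor.d/usr.lib.firefox-esr.firefox-esr` and `sudo aa-status` on stdin; anything printed by the last one is a process to restart after the profile is loaded.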

Ge

Jul 13, 2018, 5:00:04 PM
Hi!
Thanks for your detailed reply.

On 07/13/2018 11:42 PM, Reco wrote:
> Hi.
>
> I accept on-list communication only.
>
> On Fri, Jul 13, 2018 at 11:09:19PM +0300, Ge wrote:
>> Hi, I couldn't figure it out so I deleted all Firefox profiles and I started
>> again from the beginning
>
> If you just deleted the files from /etc/apparmor.d - that won't be
> enough as old profiles are still loaded into the running kernel.
> See if it sticks after the reboot.
>
> But,
I also rebooted my laptop.
>
>> My Firefox profile now seems to work.
>>
>> sudo cat ./usr.lib.firefox-esr.firefox-esr
>
> If your Apparmor profile is not world-readable then you're doing it
> wrong (i.e. sudo should not be needed for this).
>
Why?

>> [sudo] password for gssd:
>> # Last Modified: Fri Jul 13 19:58:57 2018
>> #include <tunables/global>
>>
>> /usr/lib/firefox-esr/firefox-esr {
>
> That line's crucial. Enabling and disabling should be done via
> aa-enforce/aa-complain /usr/lib/firefox-esr/firefox-esr.
>

Yes, I used aa-enforce and aa-disable. I didn't use aa-complain that much.
>
>> "/home/gssd/.mozilla/firefox/Crash Reports/*" r,
>
> This one and everything like it are better written as:
>
> owner "@{HOME}/.mozilla/firefox/Crash Reports/*" r,
>
> And I wonder whether disabling writing crash reports was intentional.
>
>> /home/*/.mozilla/firefox/72z9u2as.default/browser-extension-data/** rw,
>
> This one:
>
> owner @{HOME}/.mozilla/firefox/*/browser-extension-data/** rw,
>
>

I didn't write the profile files. I used aa-genprof and aa-logprof to
create them automatically.


Thanks again for your help!

Reco

Jul 14, 2018, 6:10:03 AM
Hi.

On Fri, Jul 13, 2018 at 11:59:00PM +0300, Ge wrote:
> > On Fri, Jul 13, 2018 at 11:09:19PM +0300, Ge wrote:
> >> Hi, I couldn't figure it out so I deleted all Firefox profiles and I started
> >> again from the beginning
> >
> > If you just deleted the files from /etc/apparmor.d - that won't be
> > enough as old profiles are still loaded into the running kernel.
> > See if it sticks after the reboot.
> >
> > But,
> I also rebooted my laptop.
> >
> >> My Firefox profile now seems to work.
> >>
> >> sudo cat ./usr.lib.firefox-esr.firefox-esr
> >
> > If your Apparmor profile is not world-readable then you're doing it
> > wrong (i.e. sudo should not be needed for this).
> >
> Why?

You won't increase overall security by setting such files
non-world-readable, and requiring root just to read such files is wrong.

Reco