[pkg-apparmor] Bug#746418: Fixed?

Ben Bailess ben.bailess at gmail.com
Thu Nov 19 21:17:47 UTC 2015


On Thu, 29 Jan 2015 12:07:19 +0100 intrigeri <intrigeri at debian.org> wrote:
> Francois Marier wrote (26 Jan 2015 23:54:39 GMT) :
> > If I look at the /etc/apparmor.d/abstractions/ubuntu-browsers file on my Sid
> > machine, it looks like this is fixed:
> > [...]
> > Or perhaps I've misunderstood what this bug is about?
> 
> I think you did misunderstand:
> 
> * This bug is about confining Iceweasel properly under its
>   own profile.
> * These lines in abstractions/ubuntu-browsers are about very vaguely
>   confining Firefox/Iceweasel with the (broadly open)
>   sanitized_helper, when it's started from e.g. Evince or Pidgin.
> 
> The latter indeed is properly addressed in Debian these days AFAIK,
> as you point out. The former is not, hence this bug report.
> 
> Hoping to have clarified :)

I'm far from an expert in apparmor, but I did modify the Iceweasel
profile to at least use analogous paths in Debian to the paths in Ubuntu...

I've attached a rough patch. I renamed the profile to
usr.lib.iceweasel.iceweasel instead of usr.lib.firefox.firefox just for
my own convenience.

I'm currently getting some denials to:

/my_home_dir/.cache/mozilla/firefox/xxxyyyzz.default/startupCache/startupCache.8.little

and

/my_home_dir/.config/dconf/user

and

/my_home_dir/.cache/mozilla/firefox/xxxyyyzz.default/safebrowsing/goog-malware-shavar.cache

Hope that will at least help development toward a mature profile...

Iceweasel is an incredibly popular package, and at high risk for
exploitation, so I'm honestly surprised that it hasn't gotten more
attention than it has with regard to apparmor confinement. So instead of
just complaining, I figured I'd at least try to put some work in to make
things a little better. Hope it helps.

Best,

Ben
-------------- next part --------------
--- /usr/share/doc/apparmor-profiles/extras/usr.lib.firefox.firefox	2014-12-12 08:28:41.000000000 -0500
+++ /etc/apparmor.d/usr.lib.iceweasel.iceweasel	2015-11-19 15:58:02.819965446 -0500
@@ -16,7 +16,7 @@
 #  /usr/lib/firefox-4.0b8/firefox
 # but not:
 #  /usr/lib/firefox-4.0b8/firefox.sh
-/usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]} {
+/usr/lib/iceweasel{,-[0-9]*}/iceweasel{,*[^s][^h]} {
   #include <abstractions/audio>
   #include <abstractions/cups-client>
   #include <abstractions/dbus-session>
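Review bot: the example comments just above the profile header (`/usr/lib/firefox-4.0b8/firefox` and `/usr/lib/firefox-4.0b8/firefox.sh`) are left untouched, so they no longer describe the paths the renamed attachment glob matches; update them to the `/usr/lib/iceweasel...` equivalents so the header comment and the `{,*[^s][^h]}` exclusion it explains still agree. It is also worth confirming that Debian's binary lives under an unversioned `/usr/lib/iceweasel/` directory, since the `{,-[0-9]*}` alternation was carried over from Ubuntu's layout.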
@@ -32,7 +32,7 @@
   @{PROC}/@{pid}/net/ipv6_route r,
 
   # should maybe be in abstractions
-  /usr/share/xubuntu/applications/defaults.list r,
+  /usr/share/gnome/applications/defaults.list r,
   owner /tmp/** m,
   owner /var/tmp/** m,
   /tmp/.X[0-9]*-lock r,
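Review bot: the replacement line swaps one desktop-specific path (`xubuntu`) for another (`gnome`), so users on other desktops will see the same kind of denial this rule was added to silence. A glob such as `/usr/share/*/applications/defaults.list r,` covers them in one rule, and the `# should maybe be in abstractions` comment on this hunk suggests that is where it belongs anyway.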
@@ -42,7 +42,7 @@
   /etc/wildmidi/wildmidi.cfg r,
 
   # firefox specific
-  /etc/firefox*/** r,
+  /etc/iceweasel*/** r,
   /etc/xul-ext/** r,
   /etc/xulrunner{,-[0-9]*}/** r,
   /etc/gre.d/* r,
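Review bot: the `# firefox specific` comment above the changed line is now stale; rename it (or note that it covers Iceweasel) so the next reader does not assume the `/etc/firefox*/**` rule was dropped by mistake. The rename itself is consistent with the `/etc/xul-ext/**` and `/etc/xulrunner{,-[0-9]*}/**` lines kept below it.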
@@ -50,8 +50,8 @@
   /etc/mime.types r,
 
   # noisy
-  deny /usr/lib/firefox{,-[0-9]*}/** w,
-  deny /usr/lib/{firefox,xulrunner}-addons/** w,
+  deny /usr/lib/iceweasel{,-[0-9]*}/** w,
+  deny /usr/lib/{iceweasel,xulrunner}-addons/** w,
   deny /usr/lib/xulrunner-*/components/*.tmp w,
   deny /.suspended r,
   deny /boot/initrd.img* r,
@@ -61,8 +61,8 @@
   deny /usr/bin/gconftool-2 x,
 
   # These are needed when a new user starts firefox and firefox.sh is used
-  /usr/lib/firefox{,-[0-9]*}/** ixr,
-  deny /usr/lib/firefox/firefox.sh x,
+  /usr/lib/iceweasel{,-[0-9]*}/** ixr,
+  # deny /usr/lib/iceweasel/firefox.sh x, # doesnt exist?
   /usr/bin/basename ixr,
   /usr/bin/dirname ixr,
   /usr/bin/pwd ixr,
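Review bot: commenting out `deny /usr/lib/firefox/firefox.sh x` weakens the profile rather than just tidying it: the `/usr/lib/iceweasel{,-[0-9]*}/** ixr,` rule directly above grants execute on everything under that tree, so if a wrapper script appears there later it would run under the inherited profile instead of being blocked, and the hunk's own comment says the wrapper script is exactly the case these lines exist for. A deny on a path that does not currently exist costs nothing, so keep the deny, renamed to the Iceweasel path, instead of removing it.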
@@ -108,7 +108,7 @@
   owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
   owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
   owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
-  owner @{HOME}/.gnome2/firefox*-bin-* rw,
+  # owner @{HOME}/.gnome2/firefox*-bin-* rw, # doesnt exist?
 
   #
   # Extensions
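Review bot: dropping the `.gnome2/firefox*-bin-*` allow is harmless (paths not listed are denied by default), but this is the block that should also gain rules for the denials reported in the mail: the `@{HOME}/.{firefox,mozilla}/` rules here do not cover `~/.cache/mozilla/firefox/<profile>/` (the startupCache and safebrowsing files) or `~/.config/dconf/user`. Lines such as `owner @{HOME}/.cache/mozilla/firefox/** rwk,` and `owner @{HOME}/.config/dconf/user r,` would address them; confirm the exact modes from the audit log entries rather than guessing.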
@@ -116,8 +116,8 @@
   # Allow 'x' for downloaded extensions, but inherit policy for safety
   owner @{HOME}/.mozilla/**/extensions/** mixr,
 
-  deny /usr/lib/firefox{,-[0-9]*}/update.test w,
-  deny /usr/lib/mozilla/extensions/**/ w,
+  deny /usr/lib/iceweasel{,-[0-9]*}/update.test w,
+  deny /usr/lib/iceweasel/components/extensions/**/ w,
   deny /usr/lib/xulrunner-addons/extensions/**/ w,
   deny /usr/share/mozilla/extensions/**/ w,
   deny /usr/share/mozilla/ w,
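Review bot: the second changed line is a path change, not a rename: `/usr/lib/mozilla/extensions/` is the global extensions directory shared by Mozilla applications and is not tied to the Firefox name, whereas `/usr/lib/iceweasel/components/extensions/` is a different location altogether. Unless that directory has been confirmed to exist, keep the original `deny /usr/lib/mozilla/extensions/**/ w,` (the matching `/usr/share/mozilla/extensions/**/` deny two lines below was kept) and add the Iceweasel line alongside it if it is needed.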

