[pkg-apparmor] Bug#858174: Re: Bug#858174: Please provide an AppArmor profile for Firefox

Vincas Dargis vindrg at gmail.com
Tue Apr 4 16:43:15 UTC 2017


2017.04.04 08:26, intrigeri wrote:

> Thanks! But it ships disabled (or in complain mode) by default, right?

Yes, it's disabled, and it's from the firefox package. Tested on clean Ubuntu 16.04 LTS and
17.04 daily build virtual machines (it's the same):

$ file /etc/apparmor.d/disable/usr.bin.firefox
/etc/apparmor.d/disable/usr.bin.firefox: symbolic link to /etc/apparmor.d/usr.bin.firefox
$ dpkg -S /etc/apparmor.d/usr.bin.firefox
firefox: /etc/apparmor.d/usr.bin.firefox

The profile itself does not declare complain mode.

> OK. So these improvements shall be upstreamed.

>> Or "fixed" old "profiles/apparmor/profiles/extras/usr.lib.firefox.firefox",
>> by sending patches upstream?
>
> Yes, please. And as written above, this doesn't prevent us from
> shipping it to /etc/apparmor.d (disabled by default) if it's
> good enough.

OK, but I am still a little puzzled. If the Ubuntu Firefox team
does not upstream their profile (because it's too Ubuntu-specific?), that
kinda maybe means we can't use it as a "fix" for the old
"profiles/apparmor/profiles/extras/usr.lib.firefox.firefox" directly, right?

So we just take some interesting parts (like Electrolysis a.k.a. e10s support?),
ignore networking because the Debian kernel does not have it, and... try to push that
into AppArmor upstream?

>> There is that apparmor-notify, though I haven't tried it myself.
>
> Sadly, it's poorly integrated in Debian currently, iirc because it
> relies on parsing logs instead of using the relevant audit interface.
> I'm pretty sure we have bugs about it in the Debian and upstream bug
> tracking systems.

> Indeed. There's some work going on upstream about these topics, feel
> free to start a discussion about it on the upstream AppArmor mailing
> list :)

Oh well. I imagine it could be some sort of daemon with a DBus interface
to inform apps that are concerned about being confined :-) ? Anyway, yeah, that's an
upstream discussion.

The least we could do is to upstream this line uncommented (as in the Ubuntu Firefox profile):
## include <local/usr.bin.firefox>
so if we are targeting making Firefox enabled & enforced by default, this
would allow users to add local changes without modifying the profile itself, avoiding merges on
upgrades, making it a little less painful.



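Added illustration (editor's example, not the Ubuntu or upstream profile and not part of the message above) of the local-include mechanism the message proposes: a trimmed profile skeleton that keeps the include uncommented, plus a site-local file that adds a rule the packaged profile lacks. The attachment path `/usr/lib/firefox/firefox`, the placeholder rules and the extra read rule for a hypothetical `/srv/downloads/` share are assumptions for illustration only.

```apparmor
# /etc/apparmor.d/usr.bin.firefox  (trimmed, illustrative skeleton, not the real profile)
#include <tunables/global>

# Attachment path is assumed for this example.
/usr/lib/firefox/firefox {
  #include <abstractions/base>

  # ... the package's real rules would go here ...

  # Site-local rules. This is the line the message proposes to ship uncommented.
  # "#include" (no space) is the AppArmor include directive; "## include", as
  # quoted in the message, is an ordinary comment and is ignored by the parser.
  #include <local/usr.bin.firefox>
}

# /etc/apparmor.d/local/usr.bin.firefox  (site-specific additions)
# This file is not owned by the firefox package, so a package upgrade that
# replaces usr.bin.firefox does not trigger a conffile merge for local changes.
# Hypothetical extra rule: allow Firefox to read a local downloads share.
/srv/downloads/** r,
```

The included file must exist (an empty file is enough) or apparmor_parser refuses to load the profile, which is why packages that ship such an include also ship the empty local file. On Ubuntu the profile quoted in the message is disabled via the symlink in /etc/apparmor.d/disable/; to enforce it, remove that symlink and reload (aa-enforce /etc/apparmor.d/usr.bin.firefox does both), and after editing the local file reload with apparmor_parser -r /etc/apparmor.d/usr.bin.firefox and confirm the mode with aa-status.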