On Thu, 29 Jan 2015 12:07:19 +0100 intrigeri <intrig...@debian.org> wrote:
> Francois Marier wrote (26 Jan 2015 23:54:39 GMT) :
> > If I look at the /etc/apparmor.d/abstractions/ubuntu-browsers file on my Sid
> > machine, it looks like this is fixed:
> > [...]
> > Or perhaps I've misunderstood what this bug is about?
>
> I think you did misunderstood:
>
> * This bug is about confining Iceweasel properly under its
> own profile.
> * These lines in abstractions/ubuntu-browsers are about very vaguely
> confining Firefox/Iceweasel with the (broadly open)
> sanitized_helper, when it's started from e.g. Evince or Pidgin.
>
> The latter indeed is properly addressed in Debian these days AFAIK,
> as you point out. The former is not, hence this bug report.
>
> Hoping to have clarified :)
>
>
I'm far from an expert in apparmor, but I did modify the Iceweasel
profile to at least use analogous paths in Debian to the paths in Ubuntu...
I've attached a rough patch. I renamed the profile to
usr.lib.iceweasel.iceweasel instead of usr.lib.firefox.firefox just for
my own convenience.
I'm currently getting some denials to:
/my_home_dir/.cache/mozilla/firefox/xxxyyyzz.default/startupCache/startupCache.8.little
and
/my_home_dir/.config/dconf/user
and
/my_home_dir/.cache/mozilla/firefox/xxxyyyzz.default/safebrowsing/goog-malware-shavar.cache
Hope that will at least help development toward a mature profile...
Iceweasel is an incredibly popular package, and at high-risk for
exploitation, so I'm honestly surprised that it hasn't gotten more
attention than it has with regard to apparmor confinement. So instead of
just complaining, I figured I'd at least try to put some work in to make
things a little better. Hope it helps.
Best,
Ben
--- /usr/share/doc/apparmor-profiles/extras/usr.lib.firefox.firefox
2014-12-12 08:28:41.000000000 -0500
+++ /etc/apparmor.d/usr.lib.iceweasel.iceweasel 2015-11-19 15:58:02.819965446
-0500
@@ -16,7 +16,7 @@
# /usr/lib/firefox-4.0b8/firefox
# but not:
# /usr/lib/firefox-4.0b8/firefox.sh
-/usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]} {
+/usr/lib/iceweasel{,-[0-9]*}/iceweasel{,*[^s][^h]} {
#include <abstractions/audio>
#include <abstractions/cups-client>
#include <abstractions/dbus-session>
@@ -32,7 +32,7 @@
@{PROC}/@{pid}/net/ipv6_route r,
# should maybe be in abstractions
- /usr/share/xubuntu/applications/defaults.list r,
+ /usr/share/gnome/applications/defaults.list r,
owner /tmp/** m,
owner /var/tmp/** m,
/tmp/.X[0-9]*-lock r,
@@ -42,7 +42,7 @@
/etc/wildmidi/wildmidi.cfg r,
# firefox specific
- /etc/firefox*/** r,
+ /etc/iceweasel*/** r,
/etc/xul-ext/** r,
/etc/xulrunner{,-[0-9]*}/** r,
/etc/gre.d/* r,
@@ -50,8 +50,8 @@
/etc/mime.types r,
# noisy
- deny /usr/lib/firefox{,-[0-9]*}/** w,
- deny /usr/lib/{firefox,xulrunner}-addons/** w,
+ deny /usr/lib/iceweasel{,-[0-9]*}/** w,
+ deny /usr/lib/{iceweasel,xulrunner}-addons/** w,
deny /usr/lib/xulrunner-*/components/*.tmp w,
deny /.suspended r,
deny /boot/initrd.img* r,
@@ -61,8 +61,8 @@
deny /usr/bin/gconftool-2 x,
# These are needed when a new user starts firefox and firefox.sh is used
- /usr/lib/firefox{,-[0-9]*}/** ixr,
- deny /usr/lib/firefox/firefox.sh x,
+ /usr/lib/iceweasel{,-[0-9]*}/** ixr,
+ # deny /usr/lib/iceweasel/firefox.sh x, # doesnt exist?
/usr/bin/basename ixr,
/usr/bin/dirname ixr,
/usr/bin/pwd ixr,
@@ -108,7 +108,7 @@
owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
- owner @{HOME}/.gnome2/firefox*-bin-* rw,
+ # owner @{HOME}/.gnome2/firefox*-bin-* rw, # doesnt exist?
#
# Extensions
@@ -116,8 +116,8 @@
# Allow 'x' for downloaded extensions, but inherit policy for safety
owner @{HOME}/.mozilla/**/extensions/** mixr,
- deny /usr/lib/firefox{,-[0-9]*}/update.test w,
- deny /usr/lib/mozilla/extensions/**/ w,
+ deny /usr/lib/iceweasel{,-[0-9]*}/update.test w,
+ deny /usr/lib/iceweasel/components/extensions/**/ w,
deny /usr/lib/xulrunner-addons/extensions/**/ w,
deny /usr/share/mozilla/extensions/**/ w,
deny /usr/share/mozilla/ w,
