Hello. I think that the default Firefox profile can be made more restrictive, stricter. It's pretty simple and can be done by removing a few default rules (mentioned in the bug report by Vlad K., for example) etc. Anyway, here are some ideas (based on testing done in the past).
As an example, we can mention the rules that make browsing directories work. My past tests showed that Firefox needs access only to the '/dev/' directory - not to everything in '/**/' folders! The same goes for the rules providing access to documentation and other files (default rule: '/usr/** r,'). In my testing, Firefox needed access to the '/usr/share/{glib-2.0,hunspell}/' folders only! Not everything under '/usr/'.

As for the '/etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files' file and the rules to access everything in the User's home folder: by default, the Firefox profile contains rules that allow downloads to the '~/Downloads' folder and uploads from the '~/Public' folder, right? Because there is also one rule related to the 'user-files' file: '<abstractions/ubuntu-browsers.d/firefox>', access is unrestricted. Changing/removing rules in the 'user-files' file and adding rules that allow the User to save files only in the '~/Downloads' folder seems to fix this issue - unrestricted access etc. The same goes for the unnecessary - in my opinion - rules mentioned above: '/**/', '/usr' and so on.

Additionally, a '<private-files-strict>' rule can be added to deny access to sensitive files and to pay special attention to (potentially) executable files. (However, during testing a few "DENIED" entries appeared in the log files and additional rules were needed.) And that's not everything. For example, Users who don't use printers don't need the '<abstractions/cups_*>' rule, right? There are many rules in the default Firefox profile that can be changed/removed etc. (Personally, I'm using a profile created from scratch, with a stricter policy.)

By the way: it seems that with every new Firefox release, new rules need to be added. It happens very often. The latest Firefox version caused several problems: no menu bar, main window resize, errors with tabs, no website could be enabled by clicking on bookmark labels etc.
Really, the v60 version caused many issues that required a few new rules. Here is the bug report:

● https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1770600

I hope that it will help someone to fix problems that may appear after the Firefox upgrade to the 60.0 version.

Thanks, best regards.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1662501

Title: since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
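
A small profile lint for the broad rules named in the comment above, as an added example (not part of the original comment or of the Ubuntu Firefox profile). It flags non-deny file rules whose `**` glob has fewer than two fixed path components before it, and includes of the abstractions the comment mentions. The sample profile text, the depth threshold and all function names are constructed assumptions.

```python
import re

# Matches '#include <name>' and 'include <name>' lines.
INCLUDE = re.compile(r'^\s*#?include\s+<(?P<name>[^>]+)>')
# Matches simple file rules: optional qualifiers, a path, a permission string.
FILE_RULE = re.compile(
    r'^\s*(?P<quals>(?:(?:audit|deny|owner)\s+)*)'
    r'(?P<path>(?:/|@\{)\S*)\s+(?P<perms>\w+),')
# Abstractions the comment suggests reviewing (assumed prefixes).
WATCHED = ("abstractions/cups", "abstractions/ubuntu-browsers.d/user-files")

# Constructed sample, built from the rules quoted in the comment.
SAMPLE_PROFILE = """\
#include <abstractions/cups-client>
#include <abstractions/ubuntu-browsers.d/user-files>
/**/ r,
/usr/** r,
/usr/share/{glib-2.0,hunspell}/** r,
/dev/ r,
owner @{HOME}/Downloads/** rw,
"""

def fixed_depth(path):
    """Count literal path components before the first '**'."""
    head = path.split("**", 1)[0]
    return len([part for part in head.split("/") if part])

def audit_profile(text, min_depth=2):
    """Return (line_no, kind, detail) for each rule worth tightening."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        inc = INCLUDE.match(line)
        if inc:
            if inc["name"].startswith(WATCHED):
                findings.append((n, "review-include", inc["name"]))
            continue
        rule = FILE_RULE.match(line)
        # Deny rules restrict access, so a broad glob there is not a concern.
        if not rule or "deny" in rule["quals"].split():
            continue
        path = rule["path"]
        if "**" in path and fixed_depth(path) < min_depth:
            findings.append((n, "broad-glob", path))
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(*finding)
```
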