[apparmor] some urgent questions
Jamie Strandboge
jamie at canonical.com
Mon Feb 14 16:32:54 UTC 2011
On Sun, 2011-02-13 at 15:56 -0800, Seth Arnold wrote:
> On Sun, Feb 13, 2011 at 7:13 AM, alexofen at gmail.com <alexofen at gmail.com> wrote:
> > (4) The AppArmor in a regular Ubuntu 10.10 install and its profiles are not
> > "very developed", right?
> > Maybe somebody can comment on this; it would help me evaluate whether what I see
> > on an ordinary Ubuntu install is already safe.
> > I actually do not think so, as I doubt the distributors sacrificed
> > "problem-free-deployment-distro" for less safety. Hence
> > not very harsh rules, to not risk "problems". Any comment would help.
>
> The profiles in Ubuntu are _very_ developed, but they probably have
> very different goals than you do. :)
>
> The philosophy behind the Ubuntu profiles is roughly: "Allow
> everything that a user _might_ do or _might_ configure." Some
> assumptions are made, e.g., firefox should never modify ssh keys. But
> if a user clicks on a .doc file in firefox, they will probably expect
> openoffice to start with a copy of the doc, ready for editing and
> saving anywhere. So the firefox profile contains a _huge_ number of
> "ux" (unconfined) transitions for helper programs. Obviously, for
> something like a DHCP server or NTP daemon, it is much easier to
> provide a tight profile than for something as huge and unwieldy as
> firefox.
>
> I understand why Ubuntu has several very permissive profiles: having
> the profiles makes viruses or worms harder to write, as the tools
> available to a worm author are drastically reduced, but the average
> user will never see reduced functionality.
>
> I do not like the default firefox profile from Ubuntu. I edited the
> profile and removed all the "ux" rules. I do not trust firefox enough
> to have "ux" rules. Thankfully, it is very easy to do :) but it does
> require you to make a choice: either confine all the helper programs
> you _do_ want, or decide that you will start those helper programs
> manually when you do want to start one of them unconfined.
(Minor correction, it uses 'PUx' rather than 'ux', so if you have a
policy defined for the executable, it will use it. Policy for the
executable or not, it will use glibc's secure execution to clean the
environment.)
As the author of the firefox policy, I'll comment on this. I never
particularly liked all of the access that needs to be granted for a
default installation, but then I am not allowed to break the browser. :)
This comes up often enough that we have a FAQ[1] entry in the Ubuntu
wiki that discusses the profile's intent among other things. Specifying
a strict policy is easier in Ubuntu 10.10 (from the FAQ):
"In Ubuntu 10.10 the default shipped profile is the same as above, but
its use of includes allows for much greater flexibility for tightly
confining firefox. /etc/apparmor.d/usr.bin.firefox is a very restricted
profile, but includes both /etc/apparmor.d/local/usr.bin.firefox
and /etc/apparmor.d/abstractions/ubuntu-browsers.d/firefox.
/etc/apparmor.d/abstractions/ubuntu-browsers.d/firefox contains other
include files for tasks such as multimedia, productivity, etc and the
file can be manipulated via the aa-update-browser command.
/etc/apparmor.d/local/usr.bin.firefox is used for site-specific
adjustments (see /etc/apparmor.d/local/README for details and caveats)."
E.g., my /etc/apparmor.d/abstractions/ubuntu-browsers.d/firefox is empty,
and I specify only a few plugins and helpers using either Px or ix
in /etc/apparmor.d/local/usr.bin.firefox. This way writes are confined
to ~/Downloads and owner reads to /tmp and ~/Public, with all executes
confined (excepting a couple of things like ps and uname -- see the base
firefox profile for details).
[1]https://wiki.ubuntu.com/SecurityTeam/FAQ#Firefox%20AppArmor%20profile
--
Jamie Strandboge | http://www.canonical.com
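As an added illustration of the layout described in the message above (this is not Jamie's actual file nor the profile Ubuntu ships), here is what a minimal /etc/apparmor.d/local/usr.bin.firefox could look like once the ubuntu-browsers.d/firefox abstraction has been emptied; the helper paths (evince, aplay, the plugin directory) are assumptions chosen for the example and should be checked against the real system before use.

```apparmor
# /etc/apparmor.d/local/usr.bin.firefox  (site-specific additions)
#
# This file is #included from inside the body of the usr.bin.firefox
# profile, so it holds bare rules and no profile header. Combined with
# an empty /etc/apparmor.d/abstractions/ubuntu-browsers.d/firefox, the
# only helpers firefox may execute are the ones listed here. All paths
# below are assumptions for the example; verify them on your own host.

# Helper that ships with its own profile: transition to that profile
# (Px). The child is confined independently of firefox and, like PUx,
# gets a scrubbed environment via glibc's secure execution. Unlike PUx
# it is denied outright if no profile exists, instead of running unconfined.
/usr/bin/evince Px,

# Small helper with no profile of its own: run it inside the firefox
# profile (ix) so it inherits these same restrictions.
/usr/bin/aplay ix,

# Plugin shared objects are mapped into the process, not executed, so
# allow mmap (m) rather than any execute mode.
/usr/lib/mozilla/plugins/*.so m,

# After editing, reload only this profile and then watch for denials:
#   sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox
#   sudo aa-status
#   grep -i 'apparmor="DENIED"' /var/log/kern.log
# Each DENIED line names the helper or path firefox tried to use, which
# is how you discover what still needs an explicit Px or ix rule.
```

Anything not listed here and not in the base profile is denied, so the profile tightens in the direction of "explicitly allowed helpers only" rather than the default "allow everything a user might do".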