[apparmor] [PATCH] include IceWeasel in FireFox abstraction
Kees Cook
kees at ubuntu.com
Wed Apr 25 18:31:21 UTC 2012

Hi Jamie,

On Wed, Apr 25, 2012 at 07:21:26AM -0500, Jamie Strandboge wrote:
> On Tue, 2012-04-24 at 17:01 -0700, Kees Cook wrote:
> > Include IceWeasel in FireFox abstraction.
> >
> > Author: Intrigeri <intrigeri at debian.org>
> > Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661176
> >
> > Signed-off-by: Kees Cook <kees at ubuntu.com>
> >
> > Index: apparmor-debian/profiles/apparmor.d/abstractions/ubuntu-browsers
> > ===================================================================
> > --- apparmor-debian.orig/profiles/apparmor.d/abstractions/ubuntu-browsers 2012-04-24 11:03:46.506994000 -0700
> > +++ apparmor-debian/profiles/apparmor.d/abstractions/ubuntu-browsers 2012-04-24 13:01:22.499517948 -0700
> > @@ -29,8 +29,8 @@
> >
> > # this should cover all firefox browsers and versions (including shiretoko
> > # and abrowser)
> > - /usr/bin/firefox Cxr -> sanitized_helper,
> > - /usr/lib/firefox*/firefox*.sh Cx -> sanitized_helper,
> > + /usr/bin/{firefox,iceweasel} Cxr -> sanitized_helper,
> > + /usr/lib/{firefox*,iceweasel}/{firefox*.sh,iceweasel} Cx -> sanitized_helper,
> >
> > # some unpackaged, but popular browsers
> > /usr/lib/icecat-*/icecat Cx -> sanitized_helper,
> >
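
Review bot: The nested alternation in the second added rule, `/usr/lib/{firefox*,iceweasel}/{firefox*.sh,iceweasel}`, expands to the cross product of both brace groups. Besides the two intended paths it also grants Cx on `/usr/lib/firefox*/iceweasel` and `/usr/lib/iceweasel/firefox*.sh`, which the removed rule did not cover. Keeping `/usr/lib/firefox*/firefox*.sh Cx -> sanitized_helper,` unchanged and adding `/usr/lib/iceweasel/iceweasel Cx -> sanitized_helper,` as its own rule matches exactly the paths meant and nothing more. The comment above the rules still names only firefox, shiretoko and abrowser, so it should mention iceweasel if the rules stay in this block.
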
>
> Hmmm, there is a namespace issue here. We are fixing a Debian bug in an
> Ubuntu abstraction for a package that is not available on Ubuntu. I
> understand why this was done, and I see icecat is in the context. ISTR
> there being some repo that Ubuntu users could get icecat.... So I guess
> I just wanted to bring up the point that Debian may want to consider
> their own namespace. I would prefer if this was not mixed in with the
> official Ubuntu browser though. Can you separate it out like with
> icecat? Once that is done:
>
> Acked-By: Jamie Strandboge <jamie at canonical.com>

Do you mean putting this in the file:

+ /usr/bin/iceweasel Cxr -> sanitized_helper,
+ /usr/lib/iceweasel/iceweasel Cx -> sanitized_helper,

Instead of combining it with firefox, or do you mean an entirely separate
abstraction?

-Kees

--
Kees Cook