[apparmor] [Bug 1609439] Re: Firefox profile has too much access
Simon Déziel
1609439 at bugs.launchpad.net
Wed Aug 3 14:56:42 UTC 2016
This comes from the inclusion of abstractions/ubuntu-browsers.d/firefox
that in turn includes /etc/apparmor.d/abstractions/ubuntu-browsers.d
/user-files:
# Allow read to all files user has DAC access to and write access to all
# files owned by the user in $HOME.
@{HOME}/ r,
@{HOME}/** r,
owner @{HOME}/** w,
--
You received this bug notification because you are a member of AppArmor
Developers, which is subscribed to AppArmor Profiles.
https://bugs.launchpad.net/bugs/1609439
Title:
Firefox profile has too much access
Status in AppArmor Profiles:
New
Bug description:
usr.bin.firefox in Kubuntu 16.04.1 profile has some fine grained rules
defined concerning home directory, such as:
owner @{HOME}/ r,
...
owner @{HOME}/.{firefox,mozilla}/ rw,
owner @{HOME}/.{firefox,mozilla}/** rw,
owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
owner @{HOME}/.{firefox,mozilla}/**/plugins/** mr,
owner @{HOME}/.{firefox,mozilla}/plugins/** mr,
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/* rw,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/* r,
...
It *looks* strict at first sight, but I still can read some arbitrary files from my home (sub)directory, such as
/home/vincas/talkless.pqi
/home/vincas/code/something...
It *does* protect .ssh/id_rsa.pub and such, for example, so denies
kinda works from "private-files-strict" include.
I've checked apparor_parser -d -d, I can see some @{HOME}/** rw...
rules, though it looks like it should belong to browser_java,
browser_openjdk subprofiles, but it looks like if they are "leaking"
somehow for main process.
I'm attaching apparmor_parser -d -d and -p outputs.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor-profiles/+bug/1609439/+subscriptions
More information about the AppArmor
mailing list