[apparmor] [Bug 1609439] Re: Firefox profile has too much access
Simon Déziel
1609439 at bugs.launchpad.net
Fri Aug 5 18:55:37 UTC 2016
** Project changed: apparmor-profiles => firefox
--
You received this bug notification because you are a member of AppArmor
Developers, which is subscribed to AppArmor Profiles.
https://bugs.launchpad.net/bugs/1609439
Title:
Firefox profile has too much access
Status in Mozilla Firefox:
New
Bug description:
The usr.bin.firefox profile in Kubuntu 16.04.1 has some fine-grained rules
defined concerning the home directory, such as:
  owner @{HOME}/ r,
  ...
  owner @{HOME}/.{firefox,mozilla}/ rw,
  owner @{HOME}/.{firefox,mozilla}/** rw,
  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{firefox,mozilla}/**/plugins/** mr,
  owner @{HOME}/.{firefox,mozilla}/plugins/** mr,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  ...
It *looks* strict at first sight, but I can still read some arbitrary files from my home (sub)directory, such as:
  /home/vincas/talkless.pqi
  /home/vincas/code/something...
It *does* protect .ssh/id_rsa.pub and such, for example, so the denies
from the "private-files-strict" include kinda work.
I've checked apparmor_parser -d -d, and I can see some @{HOME}/** rw...
rules, though it looks like they should belong to the browser_java,
browser_openjdk subprofiles, but it looks as if they are "leaking"
somehow into the main process.
I'm attaching apparmor_parser -d -d and -p outputs.
To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/1609439/+subscriptions
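
Added example (not part of the bug report, and not AppArmor project code): a Python model of AppArmor path globbing that reports which rule decides a read of a given path, run first over the rules quoted in the report and then with a broad home rule added. Assumptions: @{HOME} is simplified to /home/*, the `owner` qualifier is ignored, the last two rule lines are constructed (the broad rule the reporter describes and a deny standing in for the "private-files-strict" include), and all function names are hypothetical.

```python
import re

# Assumption: @{HOME} simplified to one directory under /home/.
HOME = "/home/*"
TOKENS = {"**": ".*", "*": "[^/]*", "{": "(?:", "}": ")", ",": "|"}

# Rules quoted in the bug report.
REPORTED = """\
owner @{HOME}/ r,
owner @{HOME}/.{firefox,mozilla}/ rw,
owner @{HOME}/.{firefox,mozilla}/** rw,
owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
owner @{HOME}/.{firefox,mozilla}/**/plugins/** mr,
owner @{HOME}/.{firefox,mozilla}/plugins/** mr,
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/* rw,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/* r,
"""
# Constructed lines: a broad rule like the one seen in the parser dump, and
# a deny standing in for the "private-files-strict" include.
WITH_LEAK = REPORTED + "@{HOME}/** rw,\ndeny @{HOME}/.ssh/** rw,\n"

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '*' stops at '/', '**' crosses it."""
    out, depth = [], 0
    for tok in re.findall(r"\*\*|.", glob):
        depth += (tok == "{") - (tok == "}")
        literal = tok == "," and depth == 0   # comma outside {a,b}
        out.append(re.escape(tok) if literal else TOKENS.get(tok, re.escape(tok)))
    return re.compile("".join(out) + r"\Z")

def parse(text):
    """Yield (is_deny, regex, perms, line) per rule; 'owner' is ignored."""
    for line in text.splitlines():
        words = line.rstrip(",").split()
        if len(words) >= 2:
            path, perms = words[-2].replace("@{HOME}", HOME), words[-1]
            yield "deny" in words[:-2], glob_to_regex(path), perms, line

def explain_read(path, text):
    """Return (verdict, deciding rule lines); a matching deny always wins."""
    hits = [r for r in parse(text) if r[1].match(path) and "r" in r[2]]
    denies = [r[3] for r in hits if r[0]]
    if denies:
        return "denied", denies
    return ("allowed", [r[3] for r in hits]) if hits else ("no rule", [])

if __name__ == "__main__":
    print(explain_read("/home/vincas/talkless.pqi", WITH_LEAK))
```

Running the same check against each subprofile's rule set separately is a quick way to see which block a broad rule actually comes from.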