[apparmor] [profile] Firefox: aa-profile(8) - multiple results; audit all unexpected shadow or passwd read/writes.

daniel curtis sidetripping at gmail.com
Wed Dec 14 18:44:18 UTC 2016


Hi

Since Firefox has been updated to version 49/50 and since e10s is
enabled - "the two major advantages of this model are security and
performance. Security improvements are accomplished through security
sandboxing (...)" etc. - I've noticed that the 'apparmor_status' command
shows two entries for Firefox and, for example, it looks like:

[~] sudo apparmor_status
(...)
/usr/lib/firefox/firefox{,*[^s][^h]} (2838)
/usr/lib/firefox/firefox{,*[^s][^h]} (2887)

However, if Firefox is running via a new clean profile (`firefox -P`
command) the result seems to be... normal:

[~] sudo apparmor_status
(...)
/usr/lib/firefox/firefox{,*[^s][^h]} (2667)

Is it normal, or does something need to be changed in, for example, the
Firefox profile? What do you think? Now, the second question - the
blueprint for a Firefox profile [1]. Under *Misc we can find an
interesting thing:

* general rule to audit all unexpected shadow or passwd read/writes

This blueprint was registered by Mr Kees Cook on 2009-04-27; a long
time ago, so maybe it's not necessary at all? Anyway, I thought about it
and I would like to ask if there is a reason to add, for example, these two
rules:

audit deny /etc/shadow rw,
audit deny /etc/passwd rw,

I don't see any 'audit deny' rules in a Firefox profile shipped with a
default Ubuntu installation (at least up to the 12.04 LTS release). There
are also 'passwd-' and 'shadow-' files, right? If the above rules are OK,
should these last two files also be added?

Best regards.
_____________
[1]
https://blueprints.launchpad.net/ubuntu/+spec/security-karmic-firefox-profile
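
An added example, not part of the original message: a small Python parser for `apparmor_status` process lines in the layout quoted above. It groups PIDs by the profile attached to them, so that two lines with the same profile name read as two confined processes. The sample text is constructed; the section header wording and the `/usr/sbin/example-daemon` entry are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample. The Firefox lines use the layout quoted in the message;
# the section headers and the example-daemon entry are assumptions.
SAMPLE = """\
2 processes are in enforce mode.
   /usr/lib/firefox/firefox{,*[^s][^h]} (2838)
   /usr/lib/firefox/firefox{,*[^s][^h]} (2887)
1 processes are in complain mode.
   /usr/sbin/example-daemon (901)
0 processes are unconfined but have a profile defined.
"""

# Section header that starts a list of processes.
HEADER = re.compile(r"^\d+ processes (?:are in (\w+) mode|are unconfined)")
# One process entry: profile name, then the PID in parentheses.
ENTRY = re.compile(r"^\s*(\S.*?) \((\d+)\)\s*$")


def pids_by_profile(text):
    """Return {(mode, profile): [pid, ...]} for the process sections."""
    mode = None
    result = defaultdict(list)
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            mode = header.group(1) or "unconfined"
            continue
        entry = ENTRY.match(line)
        # Ignore anything before the first process section (profile lists).
        if entry and mode is not None:
            result[(mode, entry.group(1))].append(int(entry.group(2)))
    return dict(result)


def shared_profiles(text):
    """Profiles that are attached to more than one running process."""
    return {k: v for k, v in pids_by_profile(text).items() if len(v) > 1}


if __name__ == "__main__":
    for (mode, profile), pids in sorted(pids_by_profile(SAMPLE).items()):
        print(f"{mode:10} {profile}  pids={pids}")
```
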