[apparmor] [profile] Firefox 50: unavailable websites and many DENIED "/run/shm/org.chromium.*" log entries.
Simon Deziel
simon.deziel at gmail.com
Fri Nov 25 20:09:40 UTC 2016
Hi Daniel,
On 2016-11-25 07:22 AM, daniel curtis wrote:
> Thanks for an answer. I would like to ask if AppArmor version:
> 2.7.102-0ubuntu3.10 is sufficient for entries mentioned/added by you to
> the "local/usr.bin.firefox" file? I'm asking because of e.g.:
>
> dbus receive
> bus=session
> path=/org/gtk/Private/RemoteVolumeMonitor
> interface=org.gtk.Private.RemoteVolumeMonitor
> member={VolumeAdded,VolumeRemoved},
>
> I just don't know if this AppArmor version will accept them etc. (If I
> remember correctly, similar rules weren't accepted in the AppArmor
> profiles, which I've created some time ago.)
You are correct, dbus rules are not supported in Ubuntu 12.04 so you
would need to remove those. Or maybe you could upgrade to a more recent
version of Ubuntu? I personally enjoy the 16.04 release very much :)
> If not, should I leave two rules mentioned by me in my previous
> message?* I mean rules for: "/dev/nvidiactl" and
> "/run/shm/org.chromium.*". Are they secure enough? I just wonder if I
> should add an 'owner' (just as it's in your, local include for firefox),
> so it would look like:
>
> - /dev/shm/org.chromium.* rw,
> + owner /dev/shm/org.chromium.* rw,
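Review bot: both lines name /dev/shm/org.chromium.*, while the rule mentioned a few lines up and the DENIED entries in the subject are for /run/shm/org.chromium.*. AppArmor matches a rule against the path reported in the denial, so the new line should read owner /run/shm/org.chromium.* rw, or the denials will persist. The owner qualifier itself limits the rule to files owned by the user running the confined process.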
>
> It's more secure?
Yes, a little.
> And what about "/dev/nvidiactl"?
You cannot use "owner" on this one, so I'd leave it as is.
Regards,
Simon
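Added example, not code from this thread or from the AppArmor project: a shell function that comments out dbus rules in a local include so the file can be loaded by a parser without dbus support, such as the Ubuntu 12.04 one discussed above. The function names, the marker prefix and the sample include text are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of a local/usr.bin.firefox include (not a real file).
sample_profile() {
    cat <<'EOF'
# local additions for firefox (constructed sample)
owner /run/shm/org.chromium.* rw,
dbus receive
    bus=session
    path=/org/gtk/Private/RemoteVolumeMonitor
    interface=org.gtk.Private.RemoteVolumeMonitor
    member={VolumeAdded,VolumeRemoved},
EOF
}

# Read profile text on stdin and write it to stdout with every dbus rule
# commented out. A rule begins on a line whose first keyword (after optional
# audit/deny qualifiers) is "dbus" and ends on the first line that finishes
# with a comma while no {...} alternation is still open, so the commas inside
# member={VolumeAdded,VolumeRemoved} do not end the rule early.
comment_out_dbus_rules() {
    awk '
    function is_dbus_start(   i) {
        i = 1
        while ($i == "audit" || $i == "deny") i++
        return ($i == "dbus" || $i == "dbus,")
    }
    !in_rule && is_dbus_start() { in_rule = 1; depth = 0 }
    in_rule {
        line = $0
        # gsub returns the number of matches, which gives the brace balance.
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
        print "# dbus-disabled: " $0
        if (depth <= 0 && $0 ~ /,[ \t]*$/) in_rule = 0
        next
    }
    { print }
    '
}

# Stand-alone run: show the converted sample.
sample_profile | comment_out_dbus_rules
```

The output can be diffed against the original include before it is put in place, and the marker prefix makes the disabled rules easy to restore after an upgrade to a release with dbus mediation.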