[apparmor] [profile] Firefox: put /bin/ps in a Child Profile for an extra security?

daniel curtis sidetripping at gmail.com
Wed Aug 30 19:40:32 UTC 2017


Hello

I would like to ask a question about creating a Child Profile for a
utility that reports a snapshot of the current processes - ps(1). My main
reason for doing something like this is to create a stricter Firefox
profile.

Let's see; the default Firefox profile, for example the one shipped with
the 16.04 LTS Release, contains such a rule (I suppose that earlier
versions of Ubuntu also contain this rule):

✓ /bin/ps Uxr,

As we can see, there is a "Ux" mode used for this rule. This mode is not
secure and users should avoid running programs with Ux/ux mode for security
reasons, because a program running in this mode is totally unprotected by
AppArmor, right?

There is also a comment saying that: "(...) so running with 'Ux', while
not ideal, is ok because we will at least benefit from glibc's secure
execute." So it should not be so bad and dangerous. And the most interesting
part for me: "Ideally these would use a child profile."

So, what do you think about creating a Child Profile for "/bin/ps" to
achieve extra security? Is it sensible to do this? If yes, I would like
to know if my way of doing this is right. Generally, I thought about
something like:

Firstly; putting "/bin/ps" in a Child Profile by making a small change:

✗ /bin/ps Uxr,
✓ /bin/ps Cx,

Secondly; simply adding the needed rules to the Child Profile so that it
works OK. I would like, for example, to use "@{multiarch}" for a directory
like: "/lib/x86_64-linux-gnu/*", and also to change "@{PROC}/[0-9]*/" to use
the newer syntax: "@{PROC}/@{pid}". I'm also thinking about applying
"UsrMerge" rules, if that is possible, etc.

The subprofile structure for "/bin/ps", according to me, should look this
way:

profile /bin/ps {

    [NEEDED RULES]

    }

}

The "/bin/ps" child profile structure is straightforward, but I'm wondering
whether it is OK? I'm asking just to be one hundred percent sure. Nothing
more, nothing less. (Of course, the last curly bracket is there to "close"
the main Firefox profile.) In general, there should not be many rules (I
mean for the "/bin/ps" Child Profile), but I have to do some more tests.

What do you think about such an idea - the idea of creating a Child Profile
for the "/bin/ps" utility? Could it make Firefox more secure? (My opinion
mainly refers to the comment: "Ideally these would use a child profile."
See above.)

Thanks, best regards.
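
Added example, not part of the original post and not AppArmor project code: a small checker that finds the rules this message is about, exec transitions that leave the child unconfined (`ux`/`Ux`, or `pux`/`PUx`/`cux`/`CUx` as a fallback), so they can be reviewed for conversion to `Cx` or `Px`. It assumes path-first file rules on one line; the sample profile and every path in it except `/bin/ps` are constructed.

```python
import re

# Path-first file rule: [audit|owner] PATH MODE [-> target],
RULE = re.compile(
    r"^\s*(?:(?:audit|owner)\s+)*"
    r"(?P<path>(?:/|@\{)\S*)\s+"
    r"(?P<mode>[rwalkmxipPcCuU]+)"
    r"(?:\s*->\s*\S+)?\s*,"
)
# ux/Ux always run unconfined; pux/PUx/cux/CUx fall back to unconfined
# when no matching profile exists.
UNCONFINED = re.compile(r"(?P<fallback>[pPcC])?(?P<u>[uU])x")


def find_unconfined_exec(profile_text):
    """Return (line, path, mode, kind, env_scrubbed) per unconfined exec rule."""
    findings = []
    for lineno, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop comments and #include lines
        rule = RULE.match(line)
        if not rule:
            continue
        hit = UNCONFINED.search(rule["mode"])
        if not hit:
            continue
        kind = "fallback" if hit["fallback"] else "always"
        # Upper-case U requests environment scrubbing (glibc secure-exec).
        findings.append((lineno, rule["path"], rule["mode"], kind, hit["u"] == "U"))
    return findings


# Constructed sample; only the /bin/ps rules come from the post above.
SAMPLE = """\
profile example /usr/bin/example {
  #include <abstractions/base>
  /bin/ps Uxr,              # rule quoted from the shipped Firefox profile
  /bin/ps Cx,               # proposed replacement
  /usr/bin/helper ux,       # constructed: unconfined, environment kept
  /usr/bin/tool PUx,        # constructed: unconfined only as fallback
  /usr/lib/** mrix,
}
"""

if __name__ == "__main__":
    for f in find_unconfined_exec(SAMPLE):
        print("line %d: %s %s (%s, env scrubbed: %s)" % f)
```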