[apparmor] [profile] Evince: the lack of "private-files-strict" and a lenient, dangerous rules related to @{HOME} folder.

daniel curtis sidetripping at gmail.com
Sat Dec 2 15:40:52 UTC 2017


Hello Seth

Thank you for an answer and sorry for my naive, stupid questions and other
things.

>> Strictly speaking, even if you remove the ~/** rw, kinds of
>> rules from firefox's profile, you'll still be able to download to
>> any writable location in the profile. Doing any different would
>> require modifications to Firefox.

OK, I understand. Fortunately with Firefox v57 there are a number of various
technological improvements. For example: "Notably, it is no longer possible
to read private information in the home directory or the Firefox user
profile, even if Firefox were to be compromised" and so on.

I'm especially thinking about the "security.sandbox.content.level" knob. Now
the default value is "3", which means that it "adds blocking of (most) reading
from the filesystem". (For more information, please see [1].)

Referring to all these Firefox "sandboxing improvements" in Linux, I think
that making additional changes in a Firefox profile is also a good idea
etc. ;-)

Thank you, once again.
______________________
[1] http://www.morbo.org/2017/11/linux-sandboxing-improvements-in.html