[apparmor] [profile] Firefox: DENIED "m" access to /home/user/.nv folder.

Seth Arnold seth.arnold at canonical.com
Mon Feb 6 20:49:45 UTC 2017


On Sun, Feb 05, 2017 at 07:26:58PM +0100, daniel curtis wrote:
> Today (based on your opinion, see 1.), I've added an "lsb_release" child
> profile to the existing Firefox profile. I had to make a few small changes, due
> to the version of Python etc. Your "lsb_release" child contains - for
> example - a rule related to the python3.[0-4] version, which is not available
> on my system, and so on.

Hi Daniel,

Don't forget that 12.04 LTS runs out of support in about two months. The
/usr/bin/lsb_release on 14.04 LTS and 16.04 LTS uses /usr/bin/python3. So
it's probably best to leave python3 references in place. :)

> However, it seems that everything is okay. After adding the "lsb_release" child
> profile, using apparmor_parser(8) to load the "new" Firefox profile into the
> kernel, and restarting AppArmor via '/etc/init.d/', there was no DENIED message
> about "/usr/bin/lsb_release" with requested_mask="x" denied_mask="x", which
> I saw earlier after every first Firefox start etc. (see 2.)
> 
> Anyway, could you check if "my" version of the "lsb_release" child profile is
> okay? Here it is:
> 
> /usr/bin/lsb_release Cxr -> lsb_release,
>   profile lsb_release {
>     #include <abstractions/base>
>     #include <abstractions/python>
>     /usr/bin/lsb_release r,
>     /bin/dash ixr,
>     /usr/bin/dpkg-query ixr,
> 
>     # THERE IS ONLY "python-2.7" FOLDER ON MY SYSTEM
>     # USE JUST: "/usr/include/python2.7/pyconfig.h r," RULE?
>     /usr/include/python2.[4567]/pyconfig.h r,

I'm not sure it matters to lock this down much further. It might be more
visually appealing to have only the 2.7 rule, but if the other paths
don't exist then AppArmor won't be queried about them anyway.

>     /etc/lsb-release r,
>     /etc/debian_version r,
>     /var/lib/dpkg/** r,
> 
>     ##/usr/local/lib/python3.[0-4]/dist-packages/ r,
>     # THERE IS "python-2.7" FOLDER ON MY SYSTEM. USE THIS:
>     #/usr/local/lib/python2.[0-7]/dist-packages/ r,
>     # OR THIS RULE? (FOR NOW, I'M USING THIS ONE):
>     /usr/local/lib/python2.7/dist-packages/ r,

This is fine for 12.04 LTS but when you upgrade in the next two months
you'll probably need to revisit this.

>     /usr/bin/ r,
> 
>     # THERE ARE: "python python2 python2.7" ON MY SYSTEM
>     # IT'S OKAY?
>     /usr/bin/python2.[0-7] r,
> 
>     # file_inherit
>     deny /tmp/gtalkplugin.log w,
>   }
> 

It's otherwise fine :)

Thanks
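A worked check for the point made above, that a rule for a path which does not exist on the host is inert because AppArmor is never consulted about it. This is an example added here, not code from the thread or from the AppArmor project. It parses the file rules of the child profile as posted, translates each path glob using AppArmor's own matching rules ('*' stops at '/', '**' crosses it, '?' is one character, '[...]' is a class, '{a,b}' an alternation), and reports which rules can never match on a given host, which is exactly what needs revisiting after an upgrade. The two host path lists are constructed by hand (a python2.7-only box and a hypothetical python3.5-only one) and stand in for a real `find` listing; parse_rules, glob_to_regex, dead_rules and rules_for are names chosen for this example.

```python
"""Report which file rules of an AppArmor profile can ever match on a host.

Added example for this thread; not part of AppArmor or of the posted profile.
The host path lists are constructed by hand (assumption, not from the page).
"""
import re

# The child profile from the thread, trimmed to its file rules.
PROFILE = r"""
  profile lsb_release {
    #include <abstractions/base>
    #include <abstractions/python>
    /usr/bin/lsb_release r,
    /bin/dash ixr,
    /usr/bin/dpkg-query ixr,
    /usr/include/python2.[4567]/pyconfig.h r,
    /etc/lsb-release r,
    /etc/debian_version r,
    /var/lib/dpkg/** r,
    /usr/local/lib/python2.7/dist-packages/ r,
    /usr/bin/ r,
    /usr/bin/python2.[0-7] r,
    deny /tmp/gtalkplugin.log w,
  }
"""

# One file rule: optional deny/audit qualifiers, absolute path glob, permission
# letters, optional '-> target' on exec transitions, then the closing ','.
RULE_RE = re.compile(
    r'^\s*(?P<qual>(?:audit\s+|deny\s+)*)'
    r'(?P<path>/\S*)\s+'
    r'(?P<perms>[rwmklixPCUpcu]+)'
    r'(?:\s*->\s*\S+)?\s*,'
)


def parse_rules(profile_text):
    """Return (glob, perms, is_deny) for every file rule in the profile text."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group('path'), m.group('perms'),
                          'deny' in m.group('qual')))
    return rules


def glob_to_regex(glob):
    """Translate an AppArmor path glob into an anchored, compiled regex.

    apparmor.d(5) semantics: '*' matches any run of characters except '/',
    '**' also crosses '/', '?' is one non-'/' character, '[...]' is a
    character class, '{a,b}' is an alternation.  Classes and alternations are
    assumed well-formed and unnested.
    """
    def body(pat):
        out, i = [], 0
        while i < len(pat):
            c = pat[i]
            if pat.startswith('**', i):
                out.append('.*')
                i += 2
            elif c == '*':
                out.append('[^/]*')
                i += 1
            elif c == '?':
                out.append('[^/]')
                i += 1
            elif c == '[':
                j = pat.index(']', i)
                out.append(pat[i:j + 1])        # same class syntax as re
                i = j + 1
            elif c == '{':
                j = pat.index('}', i)
                alts = pat[i + 1:j].split(',')
                out.append('(?:' + '|'.join(body(a) for a in alts) + ')')
                i = j + 1
            else:
                out.append(re.escape(c))
                i += 1
        return ''.join(out)
    return re.compile('^' + body(glob) + '$')


def dead_rules(rules, host_paths):
    """Globs that match nothing in host_paths.  AppArmor only mediates
    accesses that actually happen, so these rules are inert: harmless, but
    the list to revisit when the profile is carried to a different release."""
    return [g for g, _, _ in rules
            if not any(glob_to_regex(g).match(p) for p in host_paths)]


def rules_for(path, rules):
    """Globs in `rules` that would mediate an access to `path`."""
    return [g for g, _, _ in rules if glob_to_regex(g).match(path)]


# Constructed stand-ins for a filesystem listing; directories keep a trailing
# '/' as AppArmor directory rules do.  HOST_PY27 resembles the poster's box,
# HOST_PY35 a hypothetical newer one shipping only python3.5.
HOST_PY27 = [
    "/usr/bin/", "/usr/bin/lsb_release", "/usr/bin/dpkg-query",
    "/usr/bin/python", "/usr/bin/python2", "/usr/bin/python2.7",
    "/bin/dash", "/etc/lsb-release", "/etc/debian_version",
    "/usr/include/python2.7/pyconfig.h",
    "/usr/local/lib/python2.7/dist-packages/",
    "/var/lib/dpkg/status", "/var/lib/dpkg/info/lsb-release.list",
    "/tmp/gtalkplugin.log",
]
HOST_PY35 = [p for p in HOST_PY27 if "python" not in p] + [
    "/usr/bin/python3", "/usr/bin/python3.5",
    "/usr/include/python3.5m/pyconfig.h",
    "/usr/local/lib/python3.5/dist-packages/",
]

if __name__ == "__main__":
    rules = parse_rules(PROFILE)
    print("dead on python2.7 host:", dead_rules(rules, HOST_PY27))
    print("dead on python3.5 host:", dead_rules(rules, HOST_PY35))
    print("'**' crosses '/':",
          rules_for("/var/lib/dpkg/info/lsb-release.list", rules))
    print("'*' does not:",
          glob_to_regex("/var/lib/dpkg/*").match("/var/lib/dpkg/info/x") is None)
```

Run it as-is to see the three python2-only rules go dead on the python3.5 host while every rule is live on the python2.7 one; point HOST_PY27 at real `find` output (paths only, directories with a trailing slash) to audit a profile on an actual machine before and after a release upgrade.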