[apparmor] [profile] Firefox: FS Broker and "DENIED" entries.

daniel curtis sidetripping at gmail.com
Wed Nov 8 17:26:04 UTC 2017


Hello

On May 02, I asked a question about various things and a couple of
"DENIED" entries. Everything was related to Firefox v53. Anyway, there was
a discussion about, among other things, 'ptrace' etc. (see [1]). Generally,
Mr Seth Arnold proposed a rule which should allow Firefox to trace
itself:

    ptrace (trace) peer=@{profile_name},

He also mentioned that he doesn't see similar errors for his Firefox. Of
course, I added these rules to the existing default profile. Everything
worked OK. A couple of days ago, I decided to check if this rule is really
needed, because I'm trying to make the Firefox profile stricter. So, I
decided to remove the already mentioned rule.

Firefox runs normally; e10s and Sandbox also. But there are some "DENIED"
entries in the log files. (These messages appear about every two hours.) For
two days, I saw six, maybe seven entries. These entries differ in
just one place: the 'comm=' value. Note: 'requested_mask' and 'denied_mask'
contain "trace" in every message.

I decided to use the aa-decode(8) utility to check these hex-encoded "comm"
strings. Here are the results:

[~]$ sudo aa-decode comm_value
Decoded: FS Broker 2520

[~]$ sudo aa-decode comm_value
Decoded: FS Broker 3059

And so on. There is not much information on the internet about FS
Broker. I really don't know what it is. I have no idea. Does it have
something to do with the Firefox Sandbox and that "File broker will manage
read access to various areas of the system"? (see [2])
Probably I'm wrong, but I haven't found any other information.

So, what should I do in such a situation: without 'ptrace' rules, Firefox is
working great (e10s, Sandbox etc.). Also, Mr Seth Arnold mentioned that he
didn't see a similar issue. If everything is okay, then what to do? What is
your opinion? Is it secure to not use the 'ptrace' rule?

If this rule is not needed, then how to "silence" the log messages? Can it be
done with 'deny'? Something like that:

    deny ptrace (trace) peer=@{profile_name},

It is the same rule suggested by Mr Seth Arnold, but with 'deny' at the
beginning. What are your suggestions? What is the better solution from a
security point of view?

Firefox v56.0
Release: 16.04.3 LTS

Thanks, best regards.
_____________________
[1] https://lists.ubuntu.com/archives/apparmor/2017-May/010739.html
[2] https://wiki.mozilla.org/Security/Sandbox/Deny_Filesystem_Access
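An added example, not part of the original post: a small Python script that does what the poster did by hand with aa-decode(8), but over a whole log. It splits AppArmor "DENIED" audit lines into fields, reverses the kernel's hex encoding of comm= (the kernel hex-encodes the process name when it contains spaces, which is why "FS Broker 2520" shows up as a hex string), strips the trailing pid from sandbox helper names so repeated events group together, and counts events by operation and requested_mask. The sample log lines are constructed here with invented pids and timestamps; only their shape follows real AppArmor messages.

```python
import re
from collections import Counter


def _hexcomm(name: str) -> str:
    """Hex-encode a process name the way the kernel does for comm= values with spaces."""
    return name.encode("utf-8").hex().upper()


# Constructed sample audit lines (not copied from the original post). The two
# ptrace denials mirror the pattern the poster describes: identical except for
# the comm= value, which carries the helper's pid in its name.
SAMPLE_LOG = [
    'audit: type=1400 audit(1510160764.101:301): apparmor="DENIED" operation="ptrace" '
    f'profile="firefox" pid=2520 comm={_hexcomm("FS Broker 2520")} '
    'requested_mask="trace" denied_mask="trace" peer="firefox"',
    'audit: type=1400 audit(1510167964.207:302): apparmor="DENIED" operation="ptrace" '
    f'profile="firefox" pid=3059 comm={_hexcomm("FS Broker 3059")} '
    'requested_mask="trace" denied_mask="trace" peer="firefox"',
    'audit: type=1400 audit(1510175164.313:303): apparmor="DENIED" operation="open" '
    'profile="firefox" name="/etc/fstab" pid=2491 comm="firefox" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

# key=value pairs; values are either double-quoted or a bare run of non-space chars.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_line(line: str) -> dict:
    """Split one audit line into key/value fields, honouring quoted values."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def decode_comm(value: str) -> str:
    """Reverse the kernel's hex encoding of comm= (the same job aa-decode(8) does).

    A bare, even-length hex string is treated as encoded; anything else is
    returned unchanged. This shares aa-decode's ambiguity for names that
    happen to consist only of hex digits, so check the decoded result.
    """
    if HEX_RE.match(value) and len(value) % 2 == 0:
        try:
            return bytes.fromhex(value).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return value
    return value


def summarize(lines) -> Counter:
    """Count DENIED events by (operation, requested_mask, process name)."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f.get("apparmor") != "DENIED":
            continue
        comm = decode_comm(f.get("comm", "?"))
        # Sandbox helpers embed their pid in the name; strip it so they group.
        comm = re.sub(r"\s+\d+$", "", comm)
        counts[(f.get("operation"), f.get("requested_mask"), comm)] += 1
    return counts


if __name__ == "__main__":
    for (op, mask, comm), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  operation={op} requested_mask={mask} comm={comm!r}")
```

Pointing `summarize` at real lines (for example the output of `journalctl -k` or `/var/log/audit/audit.log`) gives a per-operation tally, which is the view you want before deciding whether a denial is noise to silence with a `deny` rule or a capability the profile genuinely needs to allow.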