[apparmor] [Bug 1800789] Re: Syntax Error in Firefox Profile Generation makes Firefox-ESR run unconfined although Profile is enforced
Seth Arnold
1800789 at bugs.launchpad.net
Fri Nov 2 01:18:16 UTC 2018
** Information type changed from Private Security to Public
https://bugs.launchpad.net/bugs/1800789
Title:
Syntax Error in Firefox Profile Generation makes Firefox-ESR run
unconfined although Profile is enforced
Status in AppArmor Profiles:
New
Bug description:
First of all I'd like to apologize in advance if this is the wrong
place to report this, since I don't know where the "usr.bin.firefox-esr"
apparmor-profile stems from and if I should report this to the
apparmor-profiles Launchpad or Gitlab repository or the official
Mozilla Firefox-ESR PPA. If this is the wrong place, feel free to
close this issue. I also posted this bug on the Gitlab repository:
(https://gitlab.com/apparmor/apparmor-profiles/issues/3).
System Information:
- Up-to-date stable release of Ubuntu 18.10 (Problem also persisted in 18.04 LTS)
- Newest stable release of Firefox-ESR from the official Mozilla PPA (https://launchpad.net/~mozillateam/+archive/ubuntu/ppa)
- apparmor, apparmor-utils and apparmor-profiles installed
Description of Problem:
Firefox-ESR is successfully set to enforce mode with "$ sudo aa-enforce
usr.bin.firefox-esr". By checking "$ sudo aa-status" and looking under
"X profiles are in enforce mode" you see the enforced profiles for
Firefox and Firefox-ESR (Firefox was also set to enforce mode):
/usr/lib/firefox-esr/firefox{,*[^s][^h]}
/usr/lib/firefox-esr/firefox{,*[^s][^h]}//browser_java
/usr/lib/firefox-esr/firefox{,*[^s][^h]}//browser_openjdk
/usr/lib/firefox-esr/firefox{,*[^s][^h]}//lsb_release
/usr/lib/firefox-esr/firefox{,*[^s][^h]}//sanitized_helper
/usr/lib/firefox/firefox{,*[^s][^h]}
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
/usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
But if you run Firefox-ESR you don't see its process(es) listed under
"X processes are in enforce mode". Also the perceivable start-up
slow-down due to apparmor is missing. Saving files in custom-defined
forbidden file paths is also possible. Firefox-ESR is apparently
running without apparmor enforced.
Possible Solution of the Problem:
If you compare the apparmor-profiles under "/etc/apparmor.d/" of
Firefox and Firefox-ESR you notice that they are very similar:
Firefox
# We want to confine the binaries that match:
# /usr/lib/firefox/firefox
# /usr/lib/firefox/firefox
# but not:
# /usr/lib/firefox/firefox.sh
/usr/lib/firefox/firefox{,*[^s][^h]} {
Firefox-ESR
# We want to confine the binaries that match:
# /usr/lib/firefox-esr/firefox-esr
# /usr/lib/firefox-esr/firefox
# but not:
# /usr/lib/firefox-esr/firefox.sh
/usr/lib/firefox-esr/firefox{,*[^s][^h]} {
If you check "/usr/lib/firefox/" you will find the "firefox"
application file and the "firefox.sh" script. But if you check
"/usr/lib/firefox-esr/" you will find the application file is named
"firefox-esr" not "firefox", but the script is still "firefox.sh".
Therefore line 14 "/usr/lib/firefox-esr/firefox{,*[^s][^h]} {" in
"usr.bin.firefox-esr" isn't working, since it should be
"/usr/lib/firefox-esr/firefox-esr{,*[^s][^h]} {" or even just
"/usr/lib/firefox-esr/firefox-esr {".
By manually correcting the apparmor profile and reinforcing it,
Firefox-ESR successfully runs in enforced mode and its process(es) are
listed under "X processes are in enforce mode". Everything seems to be
working correctly.
Checking "X profiles are in enforce mode" again shows the old and new
profile enforced simultaneously:
/usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}
/usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//browser_java
/usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//browser_openjdk
/usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//lsb_release
/usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//sanitized_helper
/usr/lib/firefox-esr/firefox{,*[^s][^h]}
/usr/lib/firefox-esr/firefox{,*[^s][^h]}//browser_java
/usr/lib/firefox-esr/firefox{,*[^s][^h]}//browser_openjdk
/usr/lib/firefox-esr/firefox{,*[^s][^h]}//lsb_release
/usr/lib/firefox-esr/firefox{,*[^s][^h]}//sanitized_helper
/usr/lib/firefox/firefox{,*[^s][^h]}
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
/usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
After setting Firefox-ESR to complain-mode and then again to
enforce-mode the old enforced profile is removed:
/usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}
/usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//browser_java
/usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//browser_openjdk
/usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//lsb_release
/usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//sanitized_helper
/usr/lib/firefox/firefox{,*[^s][^h]}
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
/usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
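The root cause the report points at is the profile's attachment glob: an AppArmor profile only confines an executable whose path matches the pattern in the profile header, so a header that never matches the binary leaves it unconfined even though aa-status reports the profile as enforced. The script below is an added example, not part of the bug report or of the apparmor-profiles project. It is a simplified translator from AppArmor path globs (as described in apparmor.d(5): `*` matches anything except `/`, `**` matches across `/`, `?` is one non-`/` character, `[...]`/`[^...]` are character classes, `{a,b}` is alternation) to Python regular expressions, and it checks the shipped and the corrected firefox-esr header against candidate paths constructed from the comments quoted above. It does not model backslash escaping or the kernel's real DFA matcher; the function and variable names are this example's own.

```python
import re


def _split_alternatives(body):
    """Split the inside of a {a,b,c} group on top-level commas only."""
    parts, cur, depth = [], [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def glob_to_regex(pattern):
    """Translate an AppArmor path glob into a Python regex (simplified model).

    *      any run of characters except '/'
    **     any run of characters, '/' included
    ?      exactly one character except '/'
    [...]  and [^...]  character class, passed through unchanged
    {a,b}  alternation, nesting allowed
    Backslash escaping and other corner cases are not modelled.
    """
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":
            if pattern.startswith("**", i):
                out.append(".*")
                i += 2
            else:
                out.append("[^/]*")
                i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[":
            j = pattern.index("]", i + 1)
            out.append("[" + pattern[i + 1:j] + "]")
            i = j + 1
        elif c == "{":
            depth, j = 1, i + 1
            while depth:
                if pattern[j] == "{":
                    depth += 1
                elif pattern[j] == "}":
                    depth -= 1
                j += 1
            alts = _split_alternatives(pattern[i + 1:j - 1])
            out.append("(?:" + "|".join(glob_to_regex(a) for a in alts) + ")")
            i = j
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def attaches(pattern, path):
    """True if a profile with header `pattern` would attach to a binary at `path`."""
    return re.fullmatch(glob_to_regex(pattern), path) is not None


# Attachment glob shipped in usr.bin.firefox-esr, and the corrected one from the report.
SHIPPED = "/usr/lib/firefox-esr/firefox{,*[^s][^h]}"
FIXED = "/usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}"

# Constructed candidate paths, taken from the profile comments quoted in the report.
CANDIDATES = [
    "/usr/lib/firefox-esr/firefox-esr",  # the actual ESR binary
    "/usr/lib/firefox-esr/firefox",      # binary name the shipped glob assumed
    "/usr/lib/firefox-esr/firefox.sh",   # wrapper script that must stay unconfined
]


def attachment_table(pattern, paths=CANDIDATES):
    """Map each candidate path to whether `pattern` attaches to it."""
    return {p: attaches(pattern, p) for p in paths}


if __name__ == "__main__":
    for label, pat in (("shipped", SHIPPED), ("fixed", FIXED)):
        print(f"{label}: {pat}")
        for path, confined in attachment_table(pat).items():
            print(f"  {'confined  ' if confined else 'unconfined'} {path}")
```

Running it shows the shipped header attaching to `/usr/lib/firefox-esr/firefox` (which does not exist) and to neither `firefox-esr` nor `firefox.sh`, while the corrected header attaches to `firefox-esr` only, which is exactly the behaviour the report observed. On a live system the authoritative check is the running process itself: `cat /proc/<pid>/attr/current` for a Firefox-ESR process prints the confining profile name and mode, or `unconfined`, regardless of what the profile list in aa-status says.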