<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Hello</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">On May 02, I asked a question about various things and a couple of "DENIED" entries. Everything was related to Firefox v53. Anyway, there was a discussion about, among other things, 'ptrace' etc. (see [1]). Generally, Mr Seth Arnold proposed a rule which should allow Firefox to trace itself:<br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">✗ ptrace (trace) peer=@{profile_name},</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">He also mentioned that he doesn't see similar errors for his Firefox. Of course, I added these rules to the existing default profile. Everything worked OK. A couple of days ago, I decided to check if this rule is really needed, because I'm trying to make the Firefox profile stricter. So, I decided to remove the already mentioned rule.<br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Firefox runs normally; e10s and Sandbox also. But there are some "DENIED" entries in the log files. (These messages appear about every two hours.) Over two days, I saw six, maybe seven entries. These entries differ in just one place: the 'comm=' value. Note: 'requested_mask' and 'denied_mask' contain "trace" in every message.<br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">I decided to use the aa-decode(8) utility to check these hex-encoded "comm" strings. Here are the results:</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">[~]$ sudo aa-decode comm_value<br>Decoded: FS Broker 2520<br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">[~]$ sudo aa-decode comm_value<br>Decoded: FS Broker 3059<br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">And so on. There is not much information on the internet about FS Broker. I really don't know what it is. I have no idea. Does it have something to do with the Firefox Sandbox and that "File broker will manage read access to various areas of the system"? (see [2])<br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Probably I'm wrong, but I haven't found any other information.<br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">So, what should I do in such a situation: without 'ptrace' rules, Firefox is working great (e10s, Sandbox etc.). Also, Mr Seth Arnold mentioned that he didn't see a similar issue. If everything is okay, then what to do? What is your opinion? Is it secure to not use the 'ptrace' rule?<br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br>If this rule is not needed, then how to "silence" the log messages? Can it be done with 'deny'? Something like that:<br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">✗ deny ptrace (trace) peer=@{profile_name},<br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">It is the same rule suggested by Mr Seth Arnold, but with 'deny' at the beginning. What are your suggestions? What is the better solution from a security point of view?<br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Firefox v56.0<br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Release: 16.04.3 LTS<br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Thanks, best regards.<br></div><div class="gmail_default" style="font-family:verdana,sans-serif">_____________________</div><div class="gmail_default" style="font-family:verdana,sans-serif">[1] <a href="https://lists.ubuntu.com/archives/apparmor/2017-May/010739.html">https://lists.ubuntu.com/archives/apparmor/2017-May/010739.html</a><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">[2] <a href="https://wiki.mozilla.org/Security/Sandbox/Deny_Filesystem_Access">https://wiki.mozilla.org/Security/Sandbox/Deny_Filesystem_Access</a><br></div></div>
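<div class="gmail_default" style="font-family:verdana,sans-serif">Added example, not code from this post, from the AppArmor project or from Mozilla: a small Python script that does what the aa-decode(8) step in the post does, but on whole audit lines, so the recurring "DENIED" entries can be compared instead of decoded one at a time. It parses constructed AppArmor audit lines, hex-decodes only the string fields the kernel audit subsystem encodes that way (comm, name, profile, peer; a numeric field such as pid=2520 is also four hex digits and must not be decoded), keeps the ptrace denials whose denied_mask contains "trace", and reports which fields actually vary between them. The profile path /usr/lib/firefox/firefox, the PIDs and the timestamps in the sample are placeholders; the hex comm values encode the "FS Broker 2520" and "FS Broker 3059" strings reported in the post.</div>

```python
"""Decode hex-encoded fields in AppArmor "DENIED" audit lines (as aa-decode
does) and group the ptrace denials so recurring entries can be compared.

Added example, not code from the mailing-list post, the AppArmor project or
Mozilla. The log lines below are constructed: profile path, PIDs and
timestamps are placeholders; the comm values are the hex encoding of
"FS Broker 2520" / "FS Broker 3059".
"""
import re
from typing import Dict, List, Tuple

# key="quoted value"  or  key=bare_token
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
_HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')

# Assumption of this example: only these string-valued fields are ever
# hex-encoded by the kernel audit subsystem (it does so when the value
# contains spaces, quotes or non-printable bytes). Numeric fields such as
# pid=2520 look like hex too and must be left alone.
HEX_ENCODED_FIELDS = {"comm", "name", "profile", "peer", "exe", "cwd"}

# Constructed sample log: two ptrace denials plus one unrelated denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1507032000.101:311): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox" pid=2520 comm=46532042726F6B65722032353230 requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox"
type=AVC msg=audit(1507039200.202:318): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox" pid=3059 comm=46532042726F6B65722033303539 requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox"
type=AVC msg=audit(1507046400.303:325): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/tmp/constructed-example" pid=3059 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""


def decode_hex_field(value: str) -> str:
    """Decode an unquoted, even-length hex string; return anything else as-is."""
    if _HEX_RE.match(value):
        try:
            return bytes.fromhex(value).decode("utf-8")
        except UnicodeDecodeError:
            return value
    return value


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one audit line into a field dict, decoding hex-encoded string fields."""
    fields: Dict[str, str] = {}
    for m in _FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        if quoted is not None:
            fields[key] = quoted          # quoted values are never hex-encoded
        elif key in HEX_ENCODED_FIELDS:
            fields[key] = decode_hex_field(bare)
        else:
            fields[key] = bare            # pid, fsuid, type, ... stay literal
    return fields


def ptrace_denials(log_text: str) -> List[Dict[str, str]]:
    """Return parsed entries that are ptrace denials with "trace" in denied_mask."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_audit_line(line)
        if (f.get("apparmor") == "DENIED" and f.get("operation") == "ptrace"
                and "trace" in f.get("denied_mask", "")):
            out.append(f)
    return out


def varying_fields(entries: List[Dict[str, str]],
                   ignore: Tuple[str, ...] = ("msg", "pid")) -> List[str]:
    """Names of fields whose value differs between entries (timestamp/pid ignored)."""
    if not entries:
        return []
    keys = set().union(*(e.keys() for e in entries)) - set(ignore)
    return sorted(k for k in keys if len({e.get(k) for e in entries}) > 1)


def self_trace_summary(entries: List[Dict[str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Group decoded comm values by (profile, peer).

    A group whose peer equals its profile is the case a
    'ptrace (trace) peer=@{profile_name}' rule (allow or deny) would match.
    """
    summary: Dict[Tuple[str, str], List[str]] = {}
    for e in entries:
        summary.setdefault((e.get("profile", ""), e.get("peer", "")), []).append(e.get("comm", ""))
    return summary


if __name__ == "__main__":
    found = ptrace_denials(SAMPLE_LOG)
    for e in found:
        print(f'pid={e["pid"]} comm={e["comm"]!r} profile={e["profile"]} peer={e["peer"]}')
    print("fields that vary across the ptrace denials:", varying_fields(found))
    print("comm values by (profile, peer):", self_trace_summary(found))
```

<div class="gmail_default" style="font-family:verdana,sans-serif">Run it as-is to see the constructed sample decoded; to use it on a real log, pass the file's text to ptrace_denials() instead of SAMPLE_LOG. If every group reported by self_trace_summary() has peer equal to profile and the only varying field is comm, the entries are exactly the ones a peer=@{profile_name} rule covers, which is the check worth doing before choosing between an allow rule and a deny rule that only silences the audit messages.</div>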