[ubuntu-hardened] AppArmor profile for a plugin-container process.

Seth Arnold seth.arnold at canonical.com
Thu Dec 12 00:53:24 UTC 2013


Hello Daniel,

On Wed, Dec 11, 2013 at 04:28:30PM +0100, Daniel Curtis wrote:
> Okay, I will try to add a rule mentioned by you to a Firefox
> profile. I mean this one: '/usr/lib/firefox/plugin-container Px,'.
> 
> I'm using a default Firefox profile shipped with Xubuntu 12.04,
> but there is something that surprises me. Sorry for going a
> little off-topic, but it's related to Firefox and the AppArmor
> profile.

Not at all, that's why we're here. :)

> Today, a Firefox update (to the new version 26) was available.
> During the update process via 'update-manager', at the moment of
> 'Setting up firefox...', a question appeared about a config
> file from the '/etc/apparmor.d/' directory (the 'usr.bin.firefox' file).
> It looked like this:
> 
> Configuration file `/etc/apparmor.d/usr.bin.firefox'
> ==> Modified (by you or by a script) since installation.
> ==> Package distributor has shipped an updated version.
>    What would you like to do about it ?  Your options are:
>     Y or I  : install the package maintainer's version
>     N or O  : keep your currently-installed version
>       D     : show the differences between the versions
>       Z     : start a shell to examine the situation
>  The default action is to keep your current version.
> *** usr.bin.firefox (Y/I/N/O/D/Z) [default=N] ? y
> Installing new version of config file /etc/apparmor.d/usr.bin.firefox
> Installing new version of config file /etc/apport/blacklist.d/firefox
> 
> 'update-manager' asked me about the source of a file (the Firefox
> profile?) and suggested that I should choose the 'change' option if
> I'm not sure. Honestly, I don't know what to do in similar
> situations.

This is unfortunate. We've kicked around ideas on how to improve this
behavior, but nothing is so obviously better than the status quo, so it's
been left as-is.

What you can do today, to work around this annoyance, is to use the
local/usr.bin.firefox piece near the end of the profile:

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.firefox>

Basically, you add '/usr/lib/firefox/plugin-container Px,' to your
/etc/apparmor.d/local/usr.bin.firefox file, remove the line from your
/etc/apparmor.d/usr.bin.firefox file, reload policy, and it -should- stay
the same. The local/ version of the file isn't managed by any package, so
it'll always be left alone. If the package provides an update to the
'main' profile, it'll just overwrite the old one as normal.

The next upgrade, of course, is liable to notice that the config
/etc/apparmor.d/usr.bin.firefox has been changed, and ask this question
_again_, but if you select "Y", it shouldn't ask again in the future...

Once you get through the next upgrade, it'll go more smoothly. :)

Thanks
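The workaround described above, written out as a POSIX sh script. This is an added example, not code from the thread or from the AppArmor project; it assumes the packaged profile already carries the '#include <local/usr.bin.firefox>' line, that the default paths are the ones named in the message, and that 'apparmor_parser -Q' (parse without loading) and 'apparmor_parser -r' (replace the loaded profile) are available.

```sh
#!/bin/sh
# Move one site-local rule out of the packaged Firefox profile into the local/ override,
# so the packaged conffile matches what dpkg shipped and the upgrade prompt goes away.
# Constructed example; the default paths are the ones named in the thread.
set -eu

MAIN_PROFILE=/etc/apparmor.d/usr.bin.firefox
LOCAL_OVERRIDE=/etc/apparmor.d/local/usr.bin.firefox
RULE='/usr/lib/firefox/plugin-container Px,'

# The packaged profile must pull in the local file, or rules placed there are never loaded.
has_local_include() {                   # $1 = main profile, $2 = include path as written in it
    grep -Eq "^[[:space:]]*#include[[:space:]]+<$2>" "$1"
}

# Append RULE to the local override (once) and drop it from the packaged profile.
# Whitespace around the rule is ignored when matching lines in the packaged profile.
move_rule_to_local() {                  # $1 = main profile, $2 = local override, $3 = rule
    main="$1"; override="$2"; rule="$3"
    if ! grep -Fxq -- "$rule" "$override" 2>/dev/null; then
        printf '%s\n' "$rule" >> "$override"
    fi
    tmp="$(mktemp)"
    awk -v rule="$rule" '{ l=$0; sub(/^[ \t]+/, "", l); sub(/[ \t]+$/, "", l); if (l != rule) print }' "$main" > "$tmp"
    cat "$tmp" > "$main"                # overwrite in place so ownership and mode are kept
    rm -f "$tmp"
}

# Syntax-check the edited profile, then replace the loaded copy in the kernel.
reload_profile() {                      # $1 = main profile
    apparmor_parser -Q "$1" && apparmor_parser -r "$1"
}

if [ "${APPLY_FIREFOX_RULE-}" = 1 ]; then   # run only when explicitly asked (needs root)
    has_local_include "$MAIN_PROFILE" local/usr.bin.firefox || { echo "no local include" >&2; exit 1; }
    move_rule_to_local "$MAIN_PROFILE" "$LOCAL_OVERRIDE" "$RULE"
    reload_profile "$MAIN_PROFILE"
fi
```

Run it as 'APPLY_FIREFOX_RULE=1 sh move-rule.sh' under sudo; after the next upgrade answers "Y" to the conffile prompt, the packaged profile is unmodified and the prompt stops.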