[Bug 592121] Re: grossly negligent apparmor settings

Jamie Strandboge jamie at ubuntu.com
Thu Jun 10 14:32:38 UTC 2010 

Thank you for using Ubuntu and reporting a bug.

First off, in a standard Ubuntu install, PDFs are handled by evince,
which is covered by an AppArmor profile and if the firefox profile is
enabled it will run evince confined.

Second, if the firefox profile is enabled and is configured to use
nspluginwrapper, when flash content is processed, firefox transitions to
unconfined. Depending on the vulnerability, it may or may not be
confined by the profile. If the user installs acroread and configures
firefox to use it instead of evince, the same thing will happen if there
is a vulnerability in acroread. As an aside, this is generally not the
case for addons and extensions since they execute within the firefox
context rather than a separate exec.

Keep in mind a couple of things:
1. The goal of the firefox apparmor profile is not to protect the user from herself, but instead to add a layer of protection against *firefox* executing code and launching other attacks. Due to a number of factors, not least of which usability and development time, the firefox profile will run many helper applications unconfined.

2. Users expect to be able to download and upload files, as well as access those files on removable media. Also, these lines apply to directories only:
  / r,
  /**/ r,

3. The profile explicitly denies read/write access to sensitive files
via the priate abstraction and write access to ~/bin (which is in the
user's PATH).

All of these things combined does improve the security stance of
firefox, by effectively making it run within a sandbox. That said, it is
recognized that security minded people and enterprise users will want to
make the profile less general purpose and further restrict firefox,
which is why the profile is shipped in /etc as a configuration file. It
is planned that Ubuntu 10.10 will make it easier to fine browser
profiles.

For more information on the design of the profile, please see
https://wiki.ubuntu.com/SecurityTeam/Specifications/Karmic/AppArmorFirefoxProfile

** Changed in: firefox (Ubuntu)
       Status: New => Invalid

** Summary changed:

- grossly negligent apparmor settings
+ firefox apparmor profile is too lenient

** Tags added: apparmor
** Tags removed: apport-bug i386 lucid

-- 
firefox apparmor profile is too lenient
https://bugs.launchpad.net/bugs/592121
You received this bug notification because you are a member of Mozilla
Bugs, which is subscribed to firefox in ubuntu.

More information about the Ubuntu-mozillateam-bugs mailing list