[Bug 592121] Re: firefox apparmor profile is too lenient

Jamie Strandboge jamie at ubuntu.com
Thu Jun 10 15:40:28 UTC 2010


I'll put your personal attack aside and address your point as I think
your main question is valid. I would appreciate it if you would
discontinue these attacks.

I did not miss your point. The browser is supposed to be able to read and write files from the user's directory. This is *by design* of the browser, in particular firefox. How else is someone supposed to download a file? To upload their presentation to the company webserver? If the AppArmor profile denied these actions by default, what would the regular user who knows nothing of AppArmor do? 
 * If we were lucky, they would only turn off the firefox profile (which, I might add, is *opt in* only right now). This action would weaken the security stance of firefox since it would now be running totally unconfined.
 * If we were more unlucky, the user would turn off all of AppArmor (this has been seen occasionally with AppArmor but famously with SELinux). The result would be that CUPS, dhclient, evince, the guest-session and other profiles in Ubuntu would be disabled.
 * If we were most unlucky, the user would become frustrated with Ubuntu and use another OS, likely complaining to everyone they know about it. Considering all of Ubuntu's proactive security features (including, but in no way limited to AppArmor) and depending on what OS they choose, this could greatly decrease the security stance for the user.

The browser is arguably the most important application a regular user
uses. If we are cavalier about breaking the most used application on the
Desktop, then from the user's point of view the Desktop and OS are
broken. We must carefully weigh usability requirements against security
protections in all cases, otherwise it leads to frustration and the
security feature being turned off.

AppArmor can protect against many things. The firefox profile protects against execution of arbitrary code by the browser and reading/writing of files you do not own (eg /etc/passwd), reading/writing sensitive files like the user's gnome-keyring, ssh keys, gnupg keys, history files, swp, backup files, rc files and to files in the standard PATH. It also confines add-ons and extensions to the above. Firefox is integrated into the Desktop and so it must be allowed to open helper programs and access the user's data. The profile is by default *general purpose* with the design being:
 * when enabled, it significantly improves the security of firefox as is
 * it provides a starting point for people to confine firefox how they want to
 * the implementation gives the user the ability to fine-tune it to be as strict as desired

Of course firefox can be locked down more to protect the user's data. We
could make it so that it could only write to ~/Downloads and read from
~/Public. However, this deviates from upstream's design, would likely
put Ubuntu's Mozilla branding at stake, and most importantly frustrate
users. Is Ubuntu's profile a "violation of the idea of apparmor"? Of
course not -- it *is* protecting users from various attacks and many
forms of information disclosure. It is a distribution requirement to
provide a functional browser. It is a distribution choice to not break
it with too-aggressive security protections. It is a
user's/administrator's choice to configure the profile for her
environment.

-- 
firefox apparmor profile is too lenient
https://bugs.launchpad.net/bugs/592121
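An illustrative AppArmor profile fragment showing the shape of the design the message describes: broad owner-only access to the home directory so downloads and uploads keep working, explicit audited denials for the sensitive paths listed, and the stricter Downloads/Public variant as a commented-out alternative. This is an added example, not Ubuntu's shipped firefox profile; the binary path, the helper program and the abstraction choices are assumptions.

```apparmor
# Illustrative fragment (added example, not Ubuntu's usr.bin.firefox).
# The firefox binary path below is an assumption for this example.
#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>

  # General-purpose default: the user's own files are readable and writable,
  # so saving a download or uploading a presentation works as designed.
  # "owner" limits the match to files owned by the user running the browser,
  # so files such as /etc/passwd are never granted by this rule.
  owner @{HOME}/** rw,
  owner /tmp/** rw,

  # Deny rules take precedence over the allow above. "audit" logs every hit,
  # so a misbehaving page or extension touching these paths shows up in
  # the kernel log as apparmor="DENIED" (useful for detection, not just blocking).
  audit deny @{HOME}/.ssh/** mrwkl,
  audit deny @{HOME}/.gnupg/** mrwkl,
  audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
  audit deny @{HOME}/.*_history rw,
  audit deny @{HOME}/.*rc mrwkl,
  audit deny @{HOME}/**.swp mrwkl,
  audit deny @{HOME}/**~ mrwkl,
  audit deny @{HOME}/bin/** wl,

  # No arbitrary code execution: nothing under $HOME is mapped executable
  # (no "m"/"x" in the allow rule above). Desktop helpers the browser must
  # launch are listed explicitly; "Ux" runs them unconfined with a
  # sanitized environment. The helper path is an assumption for this example.
  /usr/bin/xdg-open Ux,

  # Stricter variant the message mentions (disabled here): swap the broad
  # "owner @{HOME}/** rw," line for these two so the browser may only write
  # to ~/Downloads and only read from ~/Public. Uploads from anywhere else in
  # $HOME will then fail, which is exactly the usability cost being weighed.
  # owner @{HOME}/Downloads/** rw,
  # owner @{HOME}/Public/** r,
}
```

After editing a profile, reload it with `sudo apparmor_parser -r <profile file>` and confirm it is in enforce mode with `sudo aa-status`.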