[Bug 1662501] Re: AppArmor profile for ubuntu-browsers allows too much read access
Jamie Strandboge
jamie at ubuntu.com
Tue Feb 7 14:37:45 UTC 2017
Thank you for using Ubuntu and filing a bug!
While /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files is
shipped by apparmor, it is actually
/etc/apparmor.d/abstractions/ubuntu-browsers.d/firefox that #include's it,
and this file is managed by the firefox package, so moving this bug there.
As for what the profile is intended to protect against and why it works
the way it does, please see
https://wiki.ubuntu.com/SecurityTeam/FAQ#Firefox_AppArmor_profile
This issue was discussed on IRC with the reporter. Here is the summary:
- the firefox profile is disabled by default
- the firefox profile aims for 'usable security' such that if the profile is enabled, the browser is expected to generally work in the manner that people would expect
- the firefox profile can be adjusted to remove the user-files abstraction either by editing /etc/apparmor.d/abstractions/ubuntu-browsers.d/firefox or using 'aa-update-browser'
In Ubuntu, we aim for 'usable security' because we don't want people to
turn AppArmor off. The intent of the profile is that when enabled,
people get some protections (eg, code execution) but can access their
files using normal browser workflows. Security-minded individuals can
then fine-tune the profile to make it more strict.
Vlad made the point that if the profile is turned off by default,
then it can be made very strict with people adding to the profile what
they want. As such, adjusting the bug description and marking as
Wishlist.
Note: IMHO snaps will be the way forward with browsers. Upstream is
committing to shipping firefox as a snap and that snap will have
stricter confinement than the AppArmor profile in the firefox package of
Ubuntu currently (eg, stricter AppArmor policy, seccomp, etc). Of
course, Mozilla will also want usable security and they will use the
transitional 'home' interface which grants access to files in a similar
fashion as the 'user-files' abstraction, but security-minded individuals
can use 'snap disconnect firefox:home' to further restrict it. The
long-term goal is that the snap will be used on Ubuntu Personal or other
distributions and use mir or wayland instead of X and with file choosers
that understand the sandbox limitations and work with the OS to avoid
using the transitional 'home' interface to provide a very secure usable
browsing experience.
** Package changed: apparmor (Ubuntu) => firefox (Ubuntu)
** Changed in: firefox (Ubuntu)
Importance: Undecided => Wishlist
** Changed in: firefox (Ubuntu)
Status: New => Triaged
** Summary changed:
- AppArmor profile for ubuntu-browsers allows too much read access
+ since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict
--
https://bugs.launchpad.net/bugs/1662501
Title:
since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict
More information about the Ubuntu-mozillateam-bugs mailing list
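The "make it strict" adjustment the message describes (removing the user-files abstraction from the firefox abstraction file, then reloading the profile) scripted as an added example. This is not code from the message, the firefox package or the apparmor package. The abstraction path is the one named in the message; the profile path /etc/apparmor.d/usr.bin.firefox is an assumption, and the sample abstraction content is constructed for the example rather than copied from the shipped file.

```shell
#!/bin/sh
# Added example for this bug thread; not code from the message, the firefox
# package or the apparmor package. It scripts the "make it strict" adjustment
# described above: drop the user-files abstraction from the firefox
# abstraction file and reload the profile.
#
# Assumptions (not stated in the message): the profile lives at
# /etc/apparmor.d/usr.bin.firefox, and the sample abstraction content below
# is constructed for this example rather than copied from the shipped file.

ABSTRACTION=/etc/apparmor.d/abstractions/ubuntu-browsers.d/firefox   # named in the message
PROFILE=/etc/apparmor.d/usr.bin.firefox                              # assumed path

# Constructed stand-in for the abstraction file so the example runs offline.
# The user-files include is the read access the reporter objected to.
sample_abstraction() {
  cat <<'EOF'
  # firefox abstraction (constructed sample for this example)
  #include <abstractions/ubuntu-browsers.d/multimedia>
  #include <abstractions/ubuntu-browsers.d/plugins-common>
  #include <abstractions/ubuntu-browsers.d/user-files>
EOF
}

# Remove the user-files include from the file given as $1, keeping a copy at
# $1.bak so the permissive variant can be restored. Prints the number of
# include lines removed (1 on the sample above, 0 if already strict).
strip_user_files_include() {
  f=$1
  pattern='^[[:space:]]*#include <abstractions/ubuntu-browsers.d/user-files>'
  cp "$f" "$f.bak"
  before=$(grep -c "$pattern" "$f.bak" || true)
  # grep -v exits 1 when it selects nothing; that is not an error here.
  grep -v "$pattern" "$f.bak" > "$f" || true
  after=$(grep -c "$pattern" "$f" || true)
  echo $((before - after))
}

# Reload the running policy so the edit takes effect. Only meaningful as root
# on a system with AppArmor; elsewhere it reports and returns 0.
reload_firefox_profile() {
  if command -v apparmor_parser >/dev/null 2>&1 && [ -f "$PROFILE" ]; then
    apparmor_parser -r "$PROFILE"
  else
    echo "apparmor_parser or $PROFILE not present; skipping reload" >&2
  fi
}

# Stand-alone demonstration on a temporary copy (never touches /etc).
demo() {
  tmp=$(mktemp)
  sample_abstraction > "$tmp"
  removed=$(strip_user_files_include "$tmp")
  echo "removed $removed user-files include(s); resulting abstraction:"
  cat "$tmp"
  rm -f "$tmp" "$tmp.bak"
}

demo
```

On a real system the same two functions would be run as root against "$ABSTRACTION" followed by reload_firefox_profile; the message's alternative is aa-update-browser, which regenerates that file for you. Because the profile is disabled by default, as the message notes, enabling it (for example with aa-enforce on the profile path) is a separate step from making it strict.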