Syntax Error in Firefox Profile Generation makes Firefox-ESR run unconfined although Profile is enforced
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor Profiles | New | Undecided | Unassigned |
Bug Description
First of all I'd like to apologize in advance if this is the wrong place to report this, since I don't know where the "usr.bin.
System Information:
- Up-to-date stable release of Ubuntu 18.10 (Problem also persisted in 18.04 LTS)
- Newest stable release of Firefox-ESR from the official Mozilla PPA (https:/
- apparmor, apparmor-utils and apparmor-profiles installed
Description of Problem:
Firefox-ESR is successfully set to enforce mode with "$ sudo aa-enforce usr.bin.
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
But if you run Firefox-ESR you don't see its process(es) listed under "X processes are in enforce mode". Also the perceivable start-up slow-down due to apparmor is missing. Saving files in custom defined forbidden file paths is also possible. Firefox-ESR is apparently running without apparmor enforced.
Possible Solution of the Problem:
If you compare the apparmor-profiles under "/etc/apparmor.d/" of Firefox and Firefox-ESR you notice that they are very similar:
Firefox
# We want to confine the binaries that match:
# /usr/lib/
# /usr/lib/
# but not:
# /usr/lib/
/usr/lib/
Firefox-ESR
# We want to confine the binaries that match:
# /usr/lib/
# /usr/lib/
# but not:
# /usr/lib/
/usr/lib/
If you check "/usr/lib/firefox/" you will find the "firefox" application file and the "firefox.sh" script. But if you check "/usr/lib/
Therefore line 14 "/usr/lib/
By manually correcting the apparmor profile and re-enforcing it, Firefox-ESR successfully runs in enforced mode and its process(es) are listed under "X processes are in enforce mode". Everything seems to be working correctly.
Checking "X profiles are in enforce mode" again shows the old and new profile enforced simultaneously:
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
After setting Firefox-ESR to complain-mode and then again to enforce-mode the old enforced profile is removed:
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
description | updated
description | updated
information type | Private Security → Public
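The failure mode the reporter describes (a profile that aa-status lists as enforced while the browser runs unconfined) comes from the profile attaching by path: if the attachment pattern in the profile header matches no file on disk, the profile loads cleanly and nothing ever attaches to it. The following bash script is an added check, not code from the bug report or from the apparmor-profiles package. It extracts the attachment patterns from a profile file, expands them against the filesystem, and reports patterns that match nothing; a second helper reads the confinement label of a running PID. The temporary directory tree, the file name `firefox-esr` inside the ESR directory, and the two profile texts are constructed for the demo and are assumptions; the real firefox-esr paths are truncated in the report and are not reproduced here.

```bash
#!/usr/bin/env bash
# Added example (not from the bug report or the apparmor-profiles package):
# does an AppArmor profile's attachment path actually match a binary on disk?
set -u

# Print the attachment pattern of every top-level profile block in a file:
# both the bare "/path {" header and the "profile name /path {" form.
# Rules inside a block never start with "/" AND end with "{", so they are
# skipped. @{VAR} variables are not resolved (limitation of this check).
profile_attachments() {
  awk '$1 ~ /^\// && $NF == "{" { print $1 }
       $1 == "profile" && $3 ~ /^\// && $NF == "{" { print $3 }' "$1"
}

# Expand one attachment pattern against the filesystem and print the existing
# files it matches. For attachment headers, AppArmor's {a,b} alternation and
# * ? [..] wildcards map onto bash brace expansion plus globbing, so the
# pattern is handed to eval, but only after a character whitelist, because
# brace expansion only happens on literal words. ** is not handled.
expand_attachment() {
  local pat="$1" words f
  local bad='[^][A-Za-z0-9_./,{}*?@^-]'      # anything outside this set is refused
  if [[ $pat =~ $bad ]]; then
    echo "refusing pattern with unexpected characters: $pat" >&2
    return 2
  fi
  # nullglob only in the subshell: an unmatched glob expands to nothing
  mapfile -t words < <(shopt -s nullglob; eval "printf '%s\n' $pat")
  for f in "${words[@]:-}"; do
    if [ -n "$f" ] && [ -e "$f" ]; then printf '%s\n' "$f"; fi
  done
  return 0
}

# For each attachment pattern in a profile, report whether anything on disk
# matches. Returns 1 if at least one pattern matches nothing: that profile will
# be listed as loaded/enforced by aa-status yet confine no process.
check_profile() {
  local profile="$1" pat hits rc=0
  while IFS= read -r pat; do
    hits=$(expand_attachment "$pat")
    if [ -z "$hits" ]; then
      echo "NO MATCH: $pat"; rc=1
    else
      printf 'OK: %s -> %s\n' "$pat" "$(printf '%s' "$hits" | tr '\n' ' ')"
    fi
  done < <(profile_attachments "$profile")
  return $rc
}

# Confinement label of one process, the per-process view behind the
# "processes are in enforce mode" count: "unconfined", or
# "<profile> (enforce)" / "<profile> (complain)".
proc_confinement() {
  local label
  label=$(cat "/proc/$1/attr/current" 2>/dev/null) || label=""
  printf '%s\n' "${label:-unknown (no such process, or no LSM attribute exposed)}"
}

# --- constructed demo tree; hypothetical layout, not the real package paths ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/usr/lib/firefox" "$DEMO/usr/lib/firefox-esr"
: > "$DEMO/usr/lib/firefox/firefox"
: > "$DEMO/usr/lib/firefox/firefox.sh"
: > "$DEMO/usr/lib/firefox-esr/firefox-esr"   # assumption: ESR binary named like this

BROKEN="$DEMO/profile.broken"
cat > "$BROKEN" <<EOF
# Attachment copied from the non-ESR profile: it names a file the ESR
# directory does not contain, so the profile loads but confines nothing.
$DEMO/usr/lib/firefox-esr/firefox {
  # rules omitted
}
EOF

FIXED="$DEMO/profile.fixed"
cat > "$FIXED" <<EOF
# Attachment widened so that both the firefox and the firefox-esr binary match.
$DEMO/usr/lib/firefox{,-esr}/firefox{,-esr} {
  # rules omitted
}
EOF

echo "== broken profile =="; check_profile "$BROKEN" || true
echo "== fixed profile ==";  check_profile "$FIXED"
echo "== this shell ==";     proc_confinement $$
```

Against a real system, run `check_profile` on the profile file under /etc/apparmor.d/ and `proc_confinement` on the browser's PID (`cat /proc/<pid>/attr/current` is the same check by hand). Note that for the bare-path header form shown on this page the profile's name is the attachment pattern itself, so correcting the path produces a profile with a new name and the old one stays loaded beside it until it is unloaded, which is the "old and new profile enforced simultaneously" state the reporter saw before the complain/enforce cycle cleared it.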