Firefox profile has too much access

Bug #1609439 reported by Vincas Dargis
This bug affects 2 people
Affects: Mozilla Firefox | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

The usr.bin.firefox profile in Kubuntu 16.04.1 has some fine-grained rules defined concerning the home directory, such as:

  owner @{HOME}/ r,
  ...
  owner @{HOME}/.{firefox,mozilla}/ rw,
  owner @{HOME}/.{firefox,mozilla}/** rw,
  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{firefox,mozilla}/**/plugins/** mr,
  owner @{HOME}/.{firefox,mozilla}/plugins/** mr,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  ...

It *looks* strict at first sight, but I can still read some arbitrary files from my home (sub)directory, such as
/home/vincas/talkless.pqi
/home/vincas/code/something...

It *does* protect .ssh/id_rsa.pub and such, for example, so the denies from the "private-files-strict" include kinda work.

I've checked the apparmor_parser -d -d output, and I can see some @{HOME}/** rw... rules, though it looks like they should belong to the browser_java and browser_openjdk subprofiles; it looks like they are "leaking" somehow into the main process.

I'm attaching apparmor_parser -d -d and -p outputs.

Simon Déziel (sdeziel) wrote :

This comes from the inclusion of abstractions/ubuntu-browsers.d/firefox that in turn includes /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:

  # Allow read to all files user has DAC access to and write access to all
  # files owned by the user in $HOME.
  @{HOME}/ r,
  @{HOME}/** r,
  owner @{HOME}/** w,

Vincas Dargis (talkless) wrote :

Thanks Simon, I've now made some changes in "user-files":

  # Allow read to all files user has DAC access to and write access to all
  # files owned by the user in $HOME.
  @{HOME}/ r,

  #Changed by me, do not allow free access to whole home!
  #@{HOME}/** r,
  #owner @{HOME}/** w,

  # For uploading files from Desktop:
  owner @{HOME}/Desktop/ r,
  owner @{HOME}/Desktop/** r,

  # For downloading:
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/** rwk,

Now Firefox is confined enough, for my taste at least.

So it's like... not a bug, it's by design? Though these explicit real rules in usr.bin.firefox look very misleading in this case.

Vincas Dargis (talkless) wrote :

explicit real = explicit read, sorry for typo.
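The behaviour Simon describes and Vincas's fix both follow from one AppArmor property: every matching allow rule contributes its permissions, so a narrow rule such as `owner @{HOME}/Downloads/* rw` never takes anything away from a broad `@{HOME}/** r` pulled in by an include; only `deny` rules subtract. The script below is an added illustration, not code from this bug report, from Ubuntu's apparmor-profiles package or from the AppArmor project. It models just the path-rule subset seen in this thread (`owner` and `deny` prefixes, `@{HOME}`, `{a,b}` alternation, `*` and `**`, permission letters as a set) and uses a one-line stand-in for private-files-strict; the real abstraction denies more than this, and real AppArmor has audit, link, exec and subprofile semantics that are not modelled here. The profile excerpts and sample paths are constructed from what the thread quotes.

```python
"""Toy AppArmor path-rule evaluator (added example, simplified semantics).

Assumptions: @{HOME} is /home/vincas; rules are 'allow unless denied';
permission letters are an unordered set; nothing beyond file path rules.
"""
import re

HOME = "/home/vincas"  # assumed value of @{HOME} for the reporter


def _expand_braces(pat):
    """Expand {a,b} alternation into a list of plain globs (handles nesting)."""
    m = re.search(r"\{([^{}]*)\}", pat)
    if not m:
        return [pat]
    out = []
    for alt in m.group(1).split(","):
        out.extend(_expand_braces(pat[:m.start()] + alt + pat[m.end():]))
    return out


def _glob_to_regex(pat):
    """'**' crosses '/', '*' does not; everything else is literal."""
    regex, i = "", 0
    while i < len(pat):
        if pat.startswith("**", i):
            regex, i = regex + ".*", i + 2
        elif pat[i] == "*":
            regex, i = regex + "[^/]*", i + 1
        else:
            regex, i = regex + re.escape(pat[i]), i + 1
    return re.compile("^" + regex + "$")


def parse_rules(text):
    """Parse lines like 'owner @{HOME}/** w,' into (deny, owner, regexes, perms)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(",").strip()
        if not line:
            continue
        words = line.split()
        deny = words[0] == "deny"
        words = words[1:] if deny else words
        owner = words[0] == "owner"
        words = words[1:] if owner else words
        path = words[0].replace("@{HOME}", HOME)  # substitute before brace expansion
        regexes = [_glob_to_regex(p) for p in _expand_braces(path)]
        rules.append((deny, owner, regexes, set(words[1])))
    return rules


def permissions(rules, path, owned=True):
    """Union of all matching allow rules, minus whatever a matching deny names."""
    allowed, denied = set(), set()
    for deny, owner, regexes, perms in rules:
        if owner and not owned:  # 'owner' rules only apply to files the user owns
            continue
        if any(r.match(path) for r in regexes):
            (denied if deny else allowed).update(perms)
    return allowed - denied


# Constructed excerpt of the usr.bin.firefox rules quoted in the report.
FIREFOX_PROFILE = """
  owner @{HOME}/ r,
  owner @{HOME}/.{firefox,mozilla}/ rw,
  owner @{HOME}/.{firefox,mozilla}/** rw,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
"""
# The lines from abstractions/ubuntu-browsers.d/user-files that Simon quoted.
USER_FILES_STOCK = """
  @{HOME}/ r,
  @{HOME}/** r,
  owner @{HOME}/** w,
"""
# Vincas's replacement for user-files.
USER_FILES_TIGHT = """
  @{HOME}/ r,
  owner @{HOME}/Desktop/ r,
  owner @{HOME}/Desktop/** r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/** rwk,
"""
# Assumed stand-in for the private-files-strict abstraction (it denies more than this).
PRIVATE_FILES_STRICT = """
  deny @{HOME}/.ssh/** mrwkl,
"""
SAMPLE_PATHS = [HOME + p for p in ("/talkless.pqi", "/code/something",
                                    "/.ssh/id_rsa.pub", "/Downloads/file.iso")]


def effective(user_files):
    """Sorted permission string per sample path for profile + include variant."""
    rules = parse_rules(FIREFOX_PROFILE + PRIVATE_FILES_STRICT + user_files)
    return {p: "".join(sorted(permissions(rules, p))) for p in SAMPLE_PATHS}


if __name__ == "__main__":
    for label, inc in (("stock user-files", USER_FILES_STOCK), ("tightened", USER_FILES_TIGHT)):
        print(label)
        for path, perms in effective(inc).items():
            print(f"  {path:36} {perms or '(no access)'}")
```

With the stock include every sample path outside .ssh comes back `rw`, regardless of the Downloads and Public rules; `.ssh/id_rsa.pub` comes back empty because the deny wins over the `@{HOME}/** r` allow. With the tightened include only Downloads keeps access. Passing `owned=False` to `permissions()` shows the other half of Simon's comment: a file the user merely has DAC read access to is still readable (`r`) under the stock include, since that rule has no `owner` prefix.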

Simon Déziel (sdeziel) wrote : Re: [Bug 1609439] Re: Firefox profile has too much access

On 2016-08-05 11:59 AM, Vincas Dargis wrote:
> So it's like.. no a bug, it's by design? Though these explicit real
> rules in usr.bin.firefox looks very misleading in this case.

I agree with you, the profile should be tightened up. Since the profile is
disabled by default, I think the regression potential is rather low and
the security benefits are high.

I'd like to hear from other users of the profile though.

Simon Déziel (sdeziel)
affects: apparmor-profiles → firefox