Activity log for bug #146507

Date  Who  What changed  Old value  New value  Message

2007-09-28 22:27:00  Philippe Baumgart  bug  added bug

2007-09-28 22:27:48  Philippe Baumgart  description
  Old value:
    Binary package hint: apparmor
    Purpose: restrict firefox with flashplugin-nonfree enabled access to the filesystem in: rw for /home/*/** (i.e. ability to save files inside your home directory), rw for /tmp/** (i.e. ability to open temp files within firefox, like PDF files etc.) and r or rx access rights for other essential binaries.
    Prerequisites: have already installed flashplugin-nonfree, because the profile will not allow you to install it.
    Test plan: While watching /var/log/messages, I launch firefox using the icon from the gnome panel, then I go to youtube.com and try to play a video; finally I try to save a web page to my home folder.
    The profile is below; I'm looking for feedback and suggestions!

    # Last Modified: Wed Sep 26 04:09:58 2007
    #include <tunables/global>
    /usr/lib/firefox/firefox flags=(complain) {
      #include <abstractions/base>
      #include <abstractions/nameservice>

      capability sys_ptrace,

      / r,
      /bin/dash ixr,
      /bin/grep ixr,
      /bin/ls ixr,
      /bin/ps ixr,
      /bin/pwd ixr,
      /bin/sed ixr,
      /bin/which ixr,
      /dev/snd/controlC0 rw,
      /dev/snd/pcmC0D0p rw,
      /dev/snd/timer r,
      /dev/tty r,
      /etc/firefox/pref/ r,
      /etc/firefox/pref/firefox.js r,
      /etc/fonts/** r,
      /etc/gai.conf r,
      /etc/gnome-vfs-2.0/modules/ r,
      /etc/gnome-vfs-2.0/modules/default-modules.conf r,
      /etc/gnome-vfs-2.0/modules/extra-modules.conf r,
      /etc/gnome-vfs-2.0/modules/font-method.conf r,
      /etc/gnome-vfs-2.0/modules/mapping-modules.conf r,
      /etc/gnome-vfs-2.0/modules/theme-method.conf r,
      /etc/gnome/defaults.list r,
      /etc/mailcap r,
      /etc/mime.types r,
      /etc/mtab r,
      /etc/python2.5/site.py r,
      /home/ r,
      /home/*/ r,
      /home/*/** krw,
      /proc/ r,
      /proc/*/cmdline r,
      /proc/*/maps r,
      /proc/*/mounts r,
      /proc/*/stat r,
      /proc/*/status r,
      /proc/meminfo r,
      /proc/stat r,
      /proc/sys/kernel/pid_max r,
      /proc/tty/drivers r,
      /proc/uptime r,
      /proc/version r,
      /tmp/ r,
      /tmp/** rw,
      /usr/bin/apturl r,
      /usr/bin/basename ixr,
      /usr/bin/dirname ixr,
      /usr/bin/eog ixr,
      /usr/bin/gedit ixr,
      /usr/bin/gksu ixr,
      /usr/bin/python2.5 ixr,
      /usr/bin/sudo ixr,
      /usr/bin/totem ixr,
      /usr/lib/** mr,
      /usr/lib/firefox/firefox ixr,
      /usr/lib/firefox/firefox-bin ixr,
      /usr/lib/firefox/run-mozilla.sh ixr,
      /usr/lib/gamin/gam_server ixr,
      /usr/local/lib/python2.5/site-packages/ r,
      /usr/local/share/applications/ r,
      /usr/local/share/applications/mimeinfo.cache r,
      /usr/local/share/icons/ r,
      /usr/sbin/synaptic ixr,
      /usr/share/X11/XKeysymDB r,
      /usr/share/alsa/** r,
      /usr/share/applications/ r,
      /usr/share/applications/* r,
      /usr/share/firefox/** r,
      /usr/share/fonts/** r,
      /usr/share/gdm/applications/ r,
      /usr/share/gdm/applications/mimeinfo.cache r,
      /usr/share/icons/ r,
      /usr/share/icons/** r,
      /usr/share/mime/** r,
      /usr/share/myspell/*/ r,
      /usr/share/myspell/dicts/* r,
      /usr/share/pixmaps/ r,
      /usr/share/pycentral/apturl/site-packages/AptUrl/Parser.py r,
      /usr/share/pycentral/apturl/site-packages/AptUrl/__init__.py r,
      /usr/share/pycentral/python-cairo/site-packages/cairo/__init__.py r,
      /usr/share/pycentral/python-gst0.10/site-packages/pygst.pth r,
      /usr/share/pycentral/python-numeric/site-packages/Numeric.pth r,
      /usr/share/python-support/python-apport/apport_python_hook.py r,
      /usr/share/python-support/python-gobject/* r,
      /usr/share/python-support/python-gobject/gtk-2.0/** r,
      /usr/share/python-support/python-gtk2/** r,
      /usr/share/themes/Default/gtk-2.0-key/gtkrc r,
      /usr/share/themes/Human/gtk-2.0/* r,
      /usr/share/ubuntu-artwork/* r,
      /usr/share/ubuntu-artwork/home/* r,
      /usr/share/ubuntu-artwork/img/* r,
      /var/cache/fontconfig/* r,
      /var/lib/defoma/fontconfig.d/* r,
      /var/tmp/ r,
    }

  New value:
    Binary package hint: apparmor
    Purpose: restrict firefox with flashplugin-nonfree enable access to the filesystem in: rw for /home/*/** (i.e. ability to save files inside your home directory), rw for /tmp/** (i.e. ability to open temp files within firefox, like PDF files etc.) and r or rx access rights for other essential binaries.
    Prerequisites: have already installed flashplugin-nonfree, because the profile will not allow you to install it.
    Test plan: While watching /var/log/messages, I launch firefox using the icon from the gnome panel, then I go to youtube.com and try to play a video; finally I try to save a web page to my home folder.
    The profile is below; I'm looking for feedback and suggestions!
    (followed by the same profile as above)

2007-09-28 22:27:48  Philippe Baumgart  title  "apparmor Firefox flash enabled Profile include" -> "apparmor Firefox flash enable Profile include"

2007-09-28 22:37:48  Philippe Baumgart  description
  Old value: the previous new value (see above)
  New value:
    Binary package hint: apparmor
    Purpose: restrict firefox with flashplugin-nonfree enable access to the filesystem in: rw for /home/*/** (i.e. ability to save files inside your home directory), rw for /tmp/** (i.e. ability to open temp files within firefox, like PDF files etc.) and r or rx access rights for other essential binaries.
    Prerequisites: have already installed flashplugin-nonfree, because the profile will not allow you to install it.
    Test plan: While watching /var/log/messages, I launch firefox using the icon from the gnome panel, then I go to youtube.com and try to play a video; finally I try to save a web page to my home folder.
    Test case: No error should appear in the log file during a basic web session (this excludes Firefox extension installation for the moment).
    The profile is below; I'm looking for feedback and suggestions!
    (followed by the same profile as above)

2007-09-28 22:37:48  Philippe Baumgart  title  "apparmor Firefox flash enable Profile include" -> "Firefox flash enable Profile include"

2007-09-28 23:01:35  Philippe Baumgart  description
  Old value: the previous new value (see above)
  New value:
    Binary package hint: apparmor
    Purpose: restrict firefox with flashplugin-nonfree enable access to the filesystem in: rw for /home/*/** (i.e. ability to save files inside your home directory), rw for /tmp/** (i.e. ability to open temp files within firefox, like PDF files etc.) and r or rx access rights for other essential binaries.
    Prerequisites: have already installed flashplugin-nonfree, because the profile will not allow you to install it.
    Test plan: While watching /var/log/messages, I launch firefox using the icon from the gnome panel, then I go to youtube.com and try to play a video; finally I try to save a web page to my home folder.
    Test case: No error should appear in the log file during a basic web session (this excludes Firefox extension installation for the moment).
    Test env: Ubuntu 7.10, Firefox 2.0.0.6+2-0ubuntu4, Flash plugin 9.0.48.0ubuntu11
    The profile is below; I'm looking for feedback and suggestions!
    (followed by the same profile as above)

2007-09-28 23:02:32  Philippe Baumgart  description
  Old value: the previous new value (see above)
  New value:
    Binary package hint: apparmor
    Purpose: restrict firefox with flashplugin-nonfree enable access to the filesystem in: rw for /home/*/** (i.e. ability to save files inside your home directory), rw for /tmp/** (i.e. ability to open temp files within firefox, like PDF files etc.) and r or rx access rights for other essential binaries.
    Prerequisites: have already installed flashplugin-nonfree, because the profile will not allow you to install it.
    Test plan: While watching /var/log/messages, I launch firefox using the icon from the gnome panel, then I go to youtube.com and try to play a video; finally I try to save a web page to my home folder.
    Expected Result: No error should appear in the log file during a basic web session (this excludes Firefox extension installation for the moment).
    Test env: Ubuntu 7.10, Firefox 2.0.0.6+2-0ubuntu4, Flash plugin 9.0.48.0ubuntu11
    The profile is below; I'm looking for feedback and suggestions!
    (followed by the same profile as above)

2007-09-28 23:03:14  Philippe Baumgart  description
  Old value: the previous new value (see above)
  New value:
    Binary package hint: apparmor
    Purpose: restrict firefox with flashplugin-nonfree enable access to the filesystem in: rw for /home/*/** (i.e. ability to save files inside your home directory), rw for /tmp/** (i.e. ability to open temp files within firefox, like PDF files etc.) and r or rx access rights for other essential binaries.
    Prerequisites: have already installed flashplugin-nonfree, because the profile will not allow you to install it.
    Test plan: While watching /var/log/messages, I launch firefox using the icon from the gnome panel, then I go to youtube.com and try to play a video; finally I try to save a web page to my home folder.
    Expected Result: No error should appear in the apparmor audit log file during a basic web session (this excludes Firefox extension installation for the moment).
    Test env: Ubuntu 7.10, Firefox 2.0.0.6+2-0ubuntu4, Flash plugin 9.0.48.0ubuntu11
    The profile is below; I'm looking for feedback and suggestions!
    (followed by the same profile as above)
/usr/bin/sudo ixr, /usr/bin/totem ixr, /usr/lib/** mr, /usr/lib/firefox/firefox ixr, /usr/lib/firefox/firefox-bin ixr, /usr/lib/firefox/run-mozilla.sh ixr, /usr/lib/gamin/gam_server ixr, /usr/local/lib/python2.5/site-packages/ r, /usr/local/share/applications/ r, /usr/local/share/applications/mimeinfo.cache r, /usr/local/share/icons/ r, /usr/sbin/synaptic ixr, /usr/share/X11/XKeysymDB r, /usr/share/alsa/** r, /usr/share/applications/ r, /usr/share/applications/* r, /usr/share/firefox/** r, /usr/share/fonts/** r, /usr/share/gdm/applications/ r, /usr/share/gdm/applications/mimeinfo.cache r, /usr/share/icons/ r, /usr/share/icons/** r, /usr/share/mime/** r, /usr/share/myspell/*/ r, /usr/share/myspell/dicts/* r, /usr/share/pixmaps/ r, /usr/share/pycentral/apturl/site-packages/AptUrl/Parser.py r, /usr/share/pycentral/apturl/site-packages/AptUrl/__init__.py r, /usr/share/pycentral/python-cairo/site-packages/cairo/__init__.py r, /usr/share/pycentral/python-gst0.10/site-packages/pygst.pth r, /usr/share/pycentral/python-numeric/site-packages/Numeric.pth r, /usr/share/python-support/python-apport/apport_python_hook.py r, /usr/share/python-support/python-gobject/* r, /usr/share/python-support/python-gobject/gtk-2.0/** r, /usr/share/python-support/python-gtk2/** r, /usr/share/themes/Default/gtk-2.0-key/gtkrc r, /usr/share/themes/Human/gtk-2.0/* r, /usr/share/ubuntu-artwork/* r, /usr/share/ubuntu-artwork/home/* r, /usr/share/ubuntu-artwork/img/* r, /var/cache/fontconfig/* r, /var/lib/defoma/fontconfig.d/* r, /var/tmp/ r, }
2007-10-01 21:14:00 Philippe Baumgart bug added attachment 'usr.lib.firefox.firefox' (firefox with flash enable apparmor profile)
2007-10-01 21:20:07 Philippe Baumgart description
Old value: identical to the new value of the 2007-09-28 22:27:48 description change above (description text plus the profile dated Wed Sep 26 04:09:58 2007).
New value:
Binary package hint: apparmor
Purpose: restrict Firefox, with flashplugin-nonfree enabled, to the following filesystem access:
  rw for /home/*/Desktop/** (i.e. the ability to save files in your Desktop directory)
  rw for /tmp/** (i.e. the ability to open temporary files within Firefox, such as PDF files etc.)
  r or rx access rights for the other essential binaries.
Prerequisites: have flashplugin-nonfree already installed, because the profile will not allow you to install it.
Test plan: While watching /var/log/messages, I launch Firefox using the icon from the GNOME panel, then I go to youtube.com and try to play a video; finally I try to save a web page to my home folder.
Expected result: No error should appear in the AppArmor audit log during a basic web session (this excludes Firefox extension installation for the moment).
Test env: Ubuntu 7.10, Firefox 2.0.0.6+2-0ubuntu4, Flash plugin 9.0.48.0ubuntu11
The profile is attached; I'm looking for feedback and suggestions! Please use the attachment with the latest version of the profile and enjoy AppArmor-secured browsing!
The content below is outdated but left here for history only:
(the profile dated Wed Sep 26 04:09:58 2007, unchanged from the one reproduced in full in the previous description change)
2007-10-01 21:20:33 Philippe Baumgart description
Old value: identical to the new value of the 2007-10-01 21:20:07 description change above (Desktop-only write access, profile attached, outdated Wed Sep 26 04:09:58 2007 profile kept for history).
New value: identical to the old value, except that the sentence introducing the outdated profile now reads "The content below is outdated but left here for history purpose only:".
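For anyone reviewing the profile and running the test plan above, here is an added example; it is not part of the bug report and not the profile author's code. It is a small Python script that parses an AppArmor profile in the flattened one-line form the activity log shows it in, summarises what the profile grants (writable paths, exec rules with their transition mode, capabilities), and checks complain-mode audit lines against it. In complain mode AppArmor logs an access that no rule covers as ALLOWED instead of blocking it, which is what watching /var/log/messages during the test session is looking for. The profile excerpt and the audit lines embedded in the script are constructed samples (the user name, PIDs and the /var/tmp path are invented), includes such as abstractions/nameservice are listed but not expanded, and the glob handling leaves out {a,b} alternation and the deny/owner prefixes.

```python
"""Review helper for an AppArmor profile as posted in a bug tracker.
Example code for this page, not the profile author's; the profile excerpt
and the audit lines below are constructed samples."""
import re

# Constructed excerpt of the bug's profile, flattened onto one line the way
# the activity log renders it (a subset of the rules, same syntax).
PROFILE = (
    "# Last Modified: Wed Sep 26 04:09:58 2007 #include <tunables/global> "
    "/usr/lib/firefox/firefox flags=(complain) { #include <abstractions/base> "
    "#include <abstractions/nameservice> capability sys_ptrace, / r, "
    "/bin/dash ixr, /home/ r, /home/*/ r, /home/*/** krw, /tmp/ r, /tmp/** rw, "
    "/usr/bin/gksu ixr, /usr/bin/sudo ixr, /usr/lib/** mr, "
    "/usr/lib/firefox/firefox-bin ixr, /usr/share/fonts/** r, /var/tmp/ r, }"
)

# Constructed audit lines (user name, pids and paths invented).  In complain
# mode an access no rule covers is logged as ALLOWED instead of being denied.
LOG = """\
audit(1191000001.001:10): apparmor="ALLOWED" operation="open" profile="/usr/lib/firefox/firefox" name="/home/phil/.mozilla/firefox/prefs.js" pid=4321 comm="firefox-bin" requested_mask="rw" denied_mask="rw"
audit(1191000002.002:11): apparmor="ALLOWED" operation="open" profile="/usr/lib/firefox/firefox" name="/etc/passwd" pid=4321 comm="firefox-bin" requested_mask="r" denied_mask="r"
audit(1191000003.003:12): apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/firefox/firefox" name="/usr/lib/flashplugin-nonfree/libflashplayer.so" pid=4321 comm="firefox-bin" requested_mask="m" denied_mask="m"
audit(1191000004.004:13): apparmor="ALLOWED" operation="open" profile="/usr/lib/firefox/firefox" name="/var/tmp/firefox-cache/x" pid=4321 comm="firefox-bin" requested_mask="w" denied_mask="w"
audit(1191000005.005:14): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=999 comm="cupsd" requested_mask="r" denied_mask="r"
"""

HEADER = re.compile(r'(/\S+)\s+(?:flags=\([^)]*\)\s*)?\{')
INCLUDE = re.compile(r'#include\s+<([^>]+)>')
CAP_RULE = re.compile(r'\bcapability\s+(\w+)\s*,')
# a path, whitespace, a permission string, a comma: "/home/*/** krw,"
PATH_RULE = re.compile(r'(?<![\w<])(/[^\s,>]*)\s+([rwxkmlaipuc]+)\s*,')
LOG_KV = re.compile(r'(\w+)="([^"]*)"')
# audit masks for append/create/delete are satisfied by a 'w' rule
WRITE_LIKE = {'a': 'w', 'c': 'w', 'd': 'w'}


def parse_profile(text):
    """Return (name, includes, capabilities, [(glob, perms), ...]).
    Includes are recorded, not expanded; deny/owner prefixes not handled."""
    m = HEADER.search(text)
    return (m.group(1) if m else None, INCLUDE.findall(text),
            CAP_RULE.findall(text), PATH_RULE.findall(text))


def glob_to_regex(glob):
    """AppArmor globbing: * stops at '/', ** crosses it, ? is one char.
    {a,b} alternation is not supported here."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith('**', i):
            out.append('.*')
            i += 2
            continue
        ch = glob[i]
        out.append('[^/]*' if ch == '*' else '[^/]' if ch == '?' else re.escape(ch))
        i += 1
    return re.compile('^' + ''.join(out) + '$')


def rule_allows(rules, path, mask):
    """True if some rule matches path and grants every requested access."""
    needed = {WRITE_LIKE.get(ch, ch) for ch in mask}
    return any(glob_to_regex(g).match(path) and needed <= set(p)
               for g, p in rules)


def summarize(rules, caps):
    """What a reviewer checks first: writable paths, exec rules with their
    transition mode, and capabilities."""
    modes = {'i': 'ix: child inherits this profile',
             'p': 'px: child switches to its own profile',
             'u': 'ux: child runs unconfined'}
    execs = [(g, next((modes[c] for c in p if c in modes), 'x: unqualified'))
             for g, p in rules if 'x' in p]
    return {'writable': [g for g, p in rules if 'w' in p or 'a' in p],
            'exec': execs, 'capabilities': list(caps)}


def check_log(text, rules, profile):
    """(path, mask) of events for `profile` that no explicit rule covers.
    Accesses granted only by an unexpanded abstraction show up here too."""
    uncovered = []
    for line in text.splitlines():
        ev = dict(LOG_KV.findall(line))
        if ev.get('profile') == profile and 'name' in ev:
            mask = ev.get('requested_mask', '')
            if not rule_allows(rules, ev['name'], mask):
                uncovered.append((ev['name'], mask))
    return uncovered


if __name__ == '__main__':
    name, includes, caps, rules = parse_profile(PROFILE)
    print('profile', name, 'includes', includes)
    for key, val in summarize(rules, caps).items():
        print(key, val)
    for path, mask in check_log(LOG, rules, name):
        print('no explicit rule for', path, mask)
```

Run against the full profile from the bug (paste it into PROFILE, or read the attachment), the summary shows that every exec rule uses ix, so helpers such as /usr/bin/sudo and /usr/bin/gksu run under the Firefox profile itself rather than under a profile of their own; that, together with capability sys_ptrace and krw on /home/*/**, is the kind of point worth weighing before the profile leaves complain mode. The /etc/passwd hit in the sample output is a reminder that accesses covered only by an abstraction (here abstractions/nameservice) are reported as uncovered, so check the includes before adding a rule for them.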
2007-10-02 20:53:41 Mathias Gug apparmor: importance Undecided Wishlist
2007-10-11 13:21:27 Hinnerk bug added attachment 'usr.lib.firefox.firefox' (apparmor firefox profile)
2009-10-07 23:34:39 Kees Cook apparmor (Ubuntu): status New Triaged
2009-10-08 12:10:34 Jamie Strandboge affects apparmor (Ubuntu) firefox-3.5 (Ubuntu)
2009-10-08 12:10:34 Jamie Strandboge firefox-3.5 (Ubuntu): status Triaged Fix Released