# should maybe be in abstractions
/etc/ r,
/etc/mime.types r,
/etc/mailcap r,
/etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
/usr/share/xubuntu/applications/defaults.list r,
owner @{HOME}/.local/share/applications/defaults.list r,
owner @{HOME}/.local/share/applications/mimeapps.list r,
owner @{HOME}/.local/share/applications/mimeinfo.cache r,
owner /tmp/** m,
owner /var/tmp/** m,
/tmp/.X[0-9]*-lock r,
/etc/udev/udev.conf r,
# Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
# Possibly move to an abstraction if anything else needs it.
deny /run/udev/data/** r,
# Miscellaneous (to be abstracted)
# Ideally these would use a child profile. They are all ELF executables
# so running with 'Ux', while not ideal, is ok because we will at least
# benefit from glibc's secure execute.
/usr/bin/mkfifo Uxr, # investigate
/bin/ps Uxr,
/bin/uname Uxr,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.firefox>
}
Testing this out: forcing a firefox crash without the amendment to the profile gives a warning that a crash dump couldn't be generated and a message in /syslog; with the amendment, a crash report is generated and there is no warning in /syslog.
A firefox crash can be forced by entering the following in a scratchpad instance with the environment set to "browser":
// Pull in js-ctypes so a raw pointer can be built from privileged (browser-scope) script.
Cu.import("resource://gre/modules/ctypes.jsm");
// A small integer that will be treated as a raw address.
let zero = new ctypes.intptr_t(8);
// Reinterpret that integer as a pointer to an int32.
let badptr = ctypes.cast(zero, ctypes.PointerType(ctypes.int32_t));
// Reading through it faults the process; this is the forced crash used above to exercise the crash reporter.
badptr.contents;
I'm going to mess around with this a bit further and see if there's a better, more inclusive way to go about allowing ptrace; eventually I will put a patch together.
A quick and dirty way to fix it is to just add something along the lines of
# New ptrace rules require something like this. Only 'read' is granted; in the
# testing described above, that was enough for a crash dump to be generated.
ptrace (read),
to our profile for firefox (/etc/apparmor.d/usr.bin.firefox) and then reload the profile (sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox).
Here's the full text of my firefox profile:
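# vim:syntax=apparmor
# Author: Jamie Strandboge <email address hidden>

# Declare an apparmor variable to help with overrides
@{MOZ_LIBDIR}=/usr/lib/firefox

#include <tunables/global>

# We want to confine the binaries that match:
#  /usr/lib/firefox/firefox
#  /usr/lib/firefox/firefox
# but not:
#  /usr/lib/firefox/firefox.sh
/usr/lib/firefox/firefox{,*[^s][^h]} {
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  # TODO: finetune this for required accesses
  #include <abstractions/dbus>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/dbus-session>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/p11-kit>

  # Addons
  #include <abstractions/ubuntu-browsers.d/firefox>

  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,

  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
  /usr/share/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  owner /tmp/** m,
  owner /var/tmp/** m,
  /tmp/.X[0-9]*-lock r,
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,
  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # firefox specific
  /etc/firefox*/ r,
  /etc/firefox*/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,

  # noisy
  deny @{MOZ_LIBDIR}/** w,
  deny /usr/lib/firefox-addons/** w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,

  # TODO: investigate
  deny /usr/bin/gconftool-2 x,

  # Ptrace seems to need something like this. Only 'read' is granted; in the
  # testing described below, that was enough for a crash dump to be generated.
  ptrace (read),

  # These are needed when a new user starts firefox and firefox.sh is used
  @{MOZ_LIBDIR}/** ixr,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/pwd ixr,
  /sbin/killall5 ixr,
  /bin/which ixr,
  /usr/bin/tr ixr,
  @{PROC}/ r,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,
  /sys/devices/pci[0-9]*/**/uevent r,
  owner @{HOME}/.thumbnails/*/*.png r,
  /etc/mtab r,
  /etc/fstab r,

  # Needed for the crash reporter
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  /etc/lsb-release r,
  /usr/bin/expr ix,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,

  # about:memory
  owner @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/smaps r,

  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,

  # allow access to documentation and other files the user may want to look
  # at in /usr and /opt
  /usr/ r,
  /usr/** r,
  /opt/ r,
  /opt/** r,

  # so browsing directories works
  / r,
  /**/ r,

  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  owner @{HOME}/ r,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,

  # per-user firefox configuration
  owner @{HOME}/.{firefox,mozilla}/ rw,
  owner @{HOME}/.{firefox,mozilla}/** rw,
  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
  owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
  owner @{HOME}/.gnome2/firefox*-bin-* rw,
  owner @{HOME}/.cache/mozilla/{,firefox/} rw,
  owner @{HOME}/.cache/mozilla/firefox/** rw,
  owner @{HOME}/.cache/mozilla/firefox/**/*.sqlite k,

  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  owner @{HOME}/.mozilla/**/extensions/** mixr,
  deny @{MOZ_LIBDIR}/update.test w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/extensions/**/ w,
  deny /usr/share/mozilla/ w,

  # Miscellaneous (to be abstracted)
  # Ideally these would use a child profile. They are all ELF executables
  # so running with 'Ux', while not ideal, is ok because we will at least
  # benefit from glibc's secure execute.
  /usr/bin/mkfifo Uxr, # investigate
  /bin/ps Uxr,
  /bin/uname Uxr,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.firefox>
}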
Testing this out: forcing a firefox crash without the amendment to the profile gives a warning that a crash dump couldn't be generated and a message in /syslog; with the amendment, a crash report is generated and there is no warning in /syslog.
A firefox crash can be forced by entering the following in a scratchpad instance with the environment set to "browser":
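// Pull in js-ctypes so a raw pointer can be built from privileged (browser-scope) script.
Cu.import("resource://gre/modules/ctypes.jsm");
// A small integer that will be treated as a raw address.
let zero = new ctypes.intptr_t(8);
// Reinterpret that integer as a pointer to an int32.
let badptr = ctypes.cast(zero, ctypes.PointerType(ctypes.int32_t));
// Reading through it faults the process; this is the forced crash used above to exercise the crash reporter.
badptr.contents;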
I'm going to mess around with this a bit further and see if there's a better, more inclusive way to go about allowing ptrace; eventually I will put a patch together.