since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
firefox (Ubuntu) | Triaged | Wishlist | Unassigned |
Bug Description
The default Firefox AppArmor profile (package: firefox) allows read access to all files in the system:
# in /etc/apparmor.
/**/ r,
This allows browsing all directory contents on the system, which violates the Least Privilege Principle and allows malware to explore what's on the system (even though there are additional deny rules that protect most sensitive files, a default read-all is still unacceptable).
In addition (package: apparmor):
# in /etc/apparmor.
@{HOME}/** r,
owner @{HOME}/** w,
This allows read/write access to ALL USER FILES, and read access to ALL OTHER USERS' FILES because the default chmod on user dirs is o+rx. Granted, access to ~/.ssh is explicitly denied, but there are things like documents and other user files that should NOT be readable to Firefox at all.
This is, IMHO, a vulnerability.
The profile should allow read/write ONLY to dirs like ~/Downloads or ~/Public. In addition the above two lines that allow unconfined rw access to HOME/**, should be commented out and explained what it means to enable them if the user really wants that kind of convenience.
Modern malware is not just about code execution and modifying local or system files. Modern malware is also very much about data and identity theft, against which the current default AppArmor profile does NOT protect.
Take for example password managers like KeePassX. The default profile on ubuntu-browsers would allow unfettered access to the very much sensitive passwords database.
Sure, users can override and expand the profile with their local modifications, but this "vulnerability" is not documented or communicated to users and gives a false sense of security ("Oh, I have AppArmor profile on Firefox, I'm safe").
Unfortunately, proper security is not in the domain of casual computer usage and I understand that Ubuntu has to balance between convenience and security but IMHO it is possible to make this more secure AND at the same time inform the user where to DISABLE (rather than enable) those stricter rules.
If Ubuntu is not willing to sacrifice the convenience for PROPER security (shame on Ubuntu if that's the case), then AT THE VERY LEAST the user should be informed that the default AppArmor profile, when they install a browser, is biased toward convenience and users SHOULD take additional actions to protect themselves.
I'm sure this all applies to more than just the browsers, but browsers, which are the most vulnerable component in a modern system, are my primary concern here.
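The permissive rules quoted in the report beside a stricter allow-list replacement, as an added illustration that is not part of the bug report or of Ubuntu's shipped profile. It goes one step beyond the report by also showing the deny-rule carve-out a user can apply today in the profile's local override file; it assumes that file is /etc/apparmor.d/local/usr.bin.firefox and that Downloads and Public are the only user directories the browser should touch (@{HOME}/Passwords is a constructed placeholder path).

```apparmor
# --- The rules quoted in the report (the problem) ---
# Every path on the system is readable, and every file in the user's
# home (plus any other world-readable home) can be read.
#   /**/ r,
#   @{HOME}/** r,
#   owner @{HOME}/** w,

# --- Stricter replacement for the home-directory rules ---
# Allow-list only what a browser legitimately needs. AppArmor cannot
# "un-allow" a broader rule, so the @{HOME}/** lines above have to be
# removed from the abstraction, not merely overridden.
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/** rw,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/** rw,
# The browser's own profile and cache still need access
# (paths assumed, not taken from the shipped profile).
owner @{HOME}/.mozilla/** rw,
owner @{HOME}/.cache/mozilla/** rw,

# --- Carve-out a user can add today, without editing the abstraction ---
# Goes in /etc/apparmor.d/local/usr.bin.firefox (assumed to be included
# by the shipped profile). Deny rules take precedence over allow rules,
# so they remove sensitive data from the broad @{HOME}/** grant even
# while that grant stays in place.
deny @{HOME}/Documents/** rw,
deny @{HOME}/.gnupg/** rw,
# constructed example path for a password-manager database
deny @{HOME}/Passwords/** rw,
```

After editing, reload with `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox` and confirm the profile is in enforce mode with `sudo aa-status`.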
summary: - Firefox' AppArmor profile allows too much read access + AppArmor profile for ubuntu-browsers allows too much read access
description: updated
12:54 <rbasak> I believe that's by design.
12:54 <rbasak> Restricting Firefox makes sense, but it destroys considerable functionality. So there's a trade-off.
12:54 <rbasak> If various functional parts of Firefox don't work by default because the profile is too restrictive, then users wouldn't use Ubuntu.
12:55 <rbasak> AFAIK, the profile is not enabled by default anyway for this reason.
12:55 <rbasak> Also the bug is against the wrong package. It's the firefox package that ships the AppArmor profile, not apparmor.
12:55 <rbasak> So I'll move it and flag it as security as that's your concern, and the security team can triage it.
12:56 <rbasak> We have a better way of containing browsers BTW. Use a snap instead. I don't know if there's one for Firefox yet.
12:57 <rbasak> https://blog.mozilla.org/futurereleases/2016/04/21/firefox-default-browser-for-linux-users-ubuntu-new-snap-format-coming-soon/
12:57 <rbasak> "Firefox is the default browser for Linux users on Ubuntu, new snap format coming soon"
12:58 <blackflow> rbasak: no the report is against AppArmor, because the real issue is in the ubuntu-browsers abstraction
12:58 <blackflow> if the profile is not enabled by default, then all the more reason to make it stricter and those users who are aware and explicitly enable it, will have saner defaults
12:58 <rbasak> Oh, fair enough.
12:59 <rbasak> But really, if you care about this stuff, you should look into snaps.