Thursday, September 27, 2012

Custom Firefox AppArmor Profile For Ubuntu 12.04

In my last post I described what a MAC is and why you should take advantage of the LSM included in the Linux kernel.  Today I want to share an AppArmor profile for a few popular applications in Ubuntu 12.04 which should increase the security of those applications rather dramatically.

In this post, I will only cover Firefox.  However, in order to profile Firefox effectively, I needed to create profiles for some separate apps that Firefox interacts with.  Thus I will also include some peripheral profiles (things such as mplayer, transmission, etc.).  All of these profiles have been tested on Ubuntu 12.04 with the latest version of Firefox.  If you're using another distro or using Kubuntu/Xubuntu, etc., then you may have to tweak them a bit.

So let's get to it.

Firefox

The default installation already comes with a Firefox profile (which is disabled by default), but I feel my profile is more secure and restrictive.

My goal with profiling Firefox was to make it so that it was as locked down and restrictive as possible without breaking functionality.  I feel I have achieved that fairly well.  My second goal was to make sure that every binary that the browser called had either a separate profile or a child profile (Px, Cx) and that there were no Ux (unconfined execute) processes anywhere.  Ux processes can be very dangerous as outlined here.  I have accomplished that as well.  The default Firefox profile in Ubuntu has several holes in it that allow other binaries to execute unconfined.  I feel I have fixed that problem as well as can be done.

What this Firefox profile allows the browser to do is:
  • Play Flash videos without issue.
  • Play other video and audio formats without issue (Windows Media, Quicktime, RealMedia, Divx, etc.).
  • Be able to open video files directly into Totem or Mplayer (both of which are also protected).
  • Open .PDF files directly from the browser with Evince (which also has its own profile).
  • Open .torrent files directly to Transmission (while still having Transmission protected).
  • Utilize Java applets in the browser (while still having Java profiled).

(NOTE: This profile will support both the Totem plugin and the Mplayer (Gecko) plugin.  I have separate profiles for both.  If you only use one plugin or the other, then it's fine to only use the profile you need.)

Achieving the level of protection I set out for requires several profiles.  Therefore, before I provide the Firefox profile itself, I will start with the other profiles (since they are required to make the Firefox profile work).

Before I list any profiles, let me explain how this works (for those not familiar with AppArmor).  I will list the name of the file as well as the exact directory it goes in.  Simply copy the text of the profile, save it, and place it in that directory.  You will need root (sudo) to do this.  One way to do this is to open a terminal and type:

cd /etc/apparmor.d/
sudo touch filename
gksudo gedit filename

From there copy my profile into that blank file.
Save the profile to the proper directory (which I will define) and exit.

Some of these files will go into another sub-directory, so be sure to look exactly at which directory they go in.  With that said, let's get started.

Totem plugin-viewer

First up is the totem plugin-viewer.  This profile is activated when you come across a video file on the web that needs totem to play.  This profile has full functionality and will allow you to pop the video out into a separate player if you wish.  You can take screenshots and save them to either /Desktop or /Wallpaper.  The same goes for downloading the video (it can go in either of those two places).  If you use Mplayer (Gecko) instead, then you can ignore this profile and just use the Mplayer profile, which I will list shortly.

Name of file: usr.lib.totem.totem-plugin-viewer
Directory to put it: /etc/apparmor.d
Profile:

# Last Modified: Thu Sep 27 06:35:40 2012
#include <tunables/global>

/usr/lib/totem/totem-plugin-viewer {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/fonts>

  network inet dgram,
  network inet stream,
  network inet6 stream,

  /etc/apt/apt.conf.d/ r,
  /etc/apt/apt.conf.d/* r,
  /etc/fstab r,
  /etc/gai.conf r,
  /etc/gnome/defaults.list r,
  /etc/gtk-3.0/settings.ini r,
  /etc/host.conf r,
  /etc/hosts r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/pkcs11/modules/ r,
  /etc/pkcs11/modules/gnome-keyring-module r,
  /etc/python2.7/sitecustomize.py r,
  /etc/resolv.conf r,
  /etc/udev/udev.conf r,
  /etc/wildmidi/wildmidi.cfg r,
  /etc/xml/catalog r,
  /home/*/ r,
  /home/*/.ICEauthority r,
  /home/*/.Xauthority r,
  /home/*/.cache/dconf/user rw,
  /home/*/.config/dconf/user r,
  /home/*/.config/ibus/bus/ w,
  /home/*/.config/totem/state.ini* rw,
  /home/*/.config/user-dirs.dirs r,
  /home/*/.config/yelp/ w,
  /home/*/.gstreamer-*/registry.* rw,
  /home/*/.gtk-bookmarks r,
  /home/*/.icons/ r,
  /home/*/.local/share/applications/mime*.* r,
  /home/*/.local/share/gvfs-metadata/* r,
  /home/*/.local/share/icons/ r,
  /home/*/.local/share/icons/** r,
  /home/*/.local/share/mime/mime.cache r,
  /home/*/.local/share/recently-used.xbel* rw,
  /home/*/.local/share/webkit/icondatabase/WebpageIcons.db rwk,
  /home/*/.mozilla/firefox/*.default/Cache/** r,
  /home/*/Desktop/ r,
  /home/*/Desktop/* r,
  /home/*/Desktop/Screenshot-* w,
  /proc/[0-9]*/auxv r,
  /proc/[0-9]*/fd/ r,
  /proc/[0-9]*/mountinfo r,
  /proc/[0-9]*/mounts r,
  /run/resolvconf/resolv.conf r,
  /run/udev/data/* r,
  /sys/devices/system/cpu/online r,
  /sys/devices/virtual/block/*/uevent r,
  /tmp/.com.google.Chrome.* r,
  /tmp/.goutputstream-* rw,
  /tmp/orcexec.* mrw,
  /tmp/totem-* rw,
  /tmp/totem-screenshot-*/ w,
  /tmp/totem-screenshot-*/** w,
  /usr/bin/gst-install rix,
  /usr/bin/totem rix,
  /usr/bin/yelp rix,
  /usr/include/python2.7/pyconfig.h r,
  /usr/lib/frei0r-1/ r,
  /usr/lib/gstreamer-*/ r,
  /usr/lib/gstreamer-*/libgst*.so* mr,
  /usr/lib/libgmime-*.so.* mr,
  /usr/lib/libtotem*.so** mr,
  /usr/lib/python2.7/** mr,
  /usr/lib/totem/totem-plugin-viewer r,
  /usr/lib/x86_64-linux-gnu/gstreamer-*/ r,
  /usr/lib/x86_64-linux-gnu/gstreamer-*/libgst*.so* mr,
  /usr/lib/x86_64-linux-gnu/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner rix,
  /usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules/im-ibus.so mr,
  /usr/lib/x86_64-linux-gnu/pango/*/modules/*.so mr,
  /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so mr,
  /usr/local/lib/python2.7/dist-packages/ r,
  /usr/share/applications/gnome-mplayer.desktop r,
  /usr/share/applications/mimeinfo.cache r,
  /usr/share/applications/totem.desktop r,
  /usr/share/applications/yelp.desktop r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome/help/totem/** r,
  /usr/share/gvfs/remote-volume-monitors/ r,
  /usr/share/gvfs/remote-volume-monitors/*.monitor r,
  /usr/share/icons/ r,
  /usr/share/icons/** r,
  /usr/share/libquvi-scripts/lua/util/ r,
  /usr/share/libquvi-scripts/lua/website/ r,
  /usr/share/libquvi-scripts/lua/website/** r,
  /usr/share/midi/freepats/** r,
  /usr/share/mime/mime.cache r,
  /usr/share/pixmaps/ r,
  /usr/share/pyshared/** r,
  /usr/share/themes/ r,
  /usr/share/themes/** r,
  /usr/share/totem/ r,
  /usr/share/totem/** r,
  /usr/share/yelp-xsl/** r,
  /usr/share/yelp/** r,
  /var/cache/apt-xapian-index/** r,
  /var/lib/apt-xapian-index/index r,
  /var/lib/dbus/machine-id r,

}

Next up is the Gecko plugin which uses Mplayer.  If you use Totem and not Mplayer, then you can skip this profile (personally I use them both).

Name of file: usr.bin.gnome-mplayer
Directory: /etc/apparmor.d
Profile:

# Last Modified: Tue Sep 25 13:47:05 2012
# Author: rookcifer@gmail.com
#include <tunables/global>

/usr/bin/gnome-mplayer {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/dbus-session>
  #include <abstractions/fonts>
  #include <abstractions/nvidia>
  #include <abstractions/p11-kit>

  network inet dgram,
  network inet stream,
  network inet6 stream,


  deny /etc/apparmor.d/** r,

  /etc/fstab r,
  /etc/gtk-3.0/settings.ini r,
  /etc/host.conf r,
  /etc/hosts r,
  /etc/mplayer/* r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/resolv.conf r,

  /home/*/** r,
  /home/*/.config/ibus/bus/ w,
  /home/*/.cache/dconf/user rw,
  /home/*/.local/share/recently-used.xbel rw,
  /home/*/.local/share/recently-used.xbel.* rw,
  /home/*/Downloads/ r,
  /home/*/Downloads/** rw,

  /media/** r,

  /opt/google/chrome/chrome r,
  /opt/google/chrome/google-chrome r,

  /run/resolvconf/resolv.conf r,

  /proc/[0-9]*/auxv r,
  /proc/[0-9]*/fd/ r,
  /proc/[0-9]*/mounts r,
  /proc/[0-9]*/status r,

  /sys/devices/system/cpu/ r,

  /tmp/mplayer* rw,

  /usr/bin/gnome-mplayer mr,
  /usr/bin/mencoder rix,
  /usr/bin/mplayer rix,
  /usr/lib/codecs/*.so mr,
  /usr/lib/x86_64-linux-gnu/gtk-3.0/*/immodules/*.so mr,
  /usr/lib/x86_64-linux-gnu/pango/*/modules/pango-*.so mr,
  /usr/share/X11/XErrorDB r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gvfs/remote-volume-monitors/ r,
  /usr/share/gvfs/remote-volume-monitors/* r,
  /usr/share/icons/ r,
  /usr/share/icons/** r,
  /usr/share/mime/mime.cache r,
  /usr/share/pixmaps/ r,
  /usr/share/terminfo/u/unknown r,
  /usr/share/themes/** r,

  owner /{run,dev}/shm/pulse-shm* rk,
  /{run,dev}/shm/pulse-shm* w,

}

Next up is Transmission for torrent files.  Even if you don't need to open torrents from Firefox, this profile works on its own for Transmission started separately.  If you don't use Transmission at all, then skip this profile.

NOTE: This profile allows torrents to be downloaded to /Downloads and uploaded from /Public (you can also seed from /Downloads).  If you need to use other directories, then you must add them yourself.

Name of file: usr.bin.transmission-gtk
Directory: /etc/apparmor.d
Profile:

# Last Modified: Wed Sep 26 04:29:24 2012
# Author: Rookcifer@gmail.com
#include <tunables/global>

/usr/bin/transmission-gtk {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/dbus-session>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/p11-kit>

  /etc/gnome/defaults.list r,
  /etc/gtk-3.0/settings.ini r,

  /home/ r,
  /home/*/ r,
  /home/*/.ICEauthority r,
  /home/*/.Xauthority r,
  /home/*/.bash_history r,
  /home/*/.bash_logout r,
  /home/*/.bashrc r,
  /home/*/.cache/dconf/user rw,
  /home/*/.cache/event-sound-cache** rwk,
  /home/*/.cache/transmission/** rw,
  /home/*/.config/dconf/user r,
  /home/*/.config/ibus/bus/ w,
  /home/*/.config/transmission/** rw,
  /home/*/.config/user-dirs.dirs r,
  /home/*/.conkyrc r,
  /home/*/.devede r,
  /home/*/.dmrc r,
  /home/*/.fontconfig/* r,
  /home/*/.gksu.lock r,
  /home/*/.goutputstream** r,
  /home/*/.gtk-bookmarks r,
  /home/*/.icons/ r,
  /home/*/.local/share/* rw,
  /home/*/.local/share/Trash/** rw,
  /home/*/.local/share/applications/mimeapps.list r,
  /home/*/.local/share/applications/mimeinfo.cache r,
  /home/*/.local/share/gvfs-metadata/* r,
  /home/*/.local/share/icons/ r,
  /home/*/.local/share/icons/**/ r,
  /home/*/.local/share/mime/* r,
  /home/*/.nvidia-settings-rc r,
  /home/*/.profile r,
  /home/*/.pulse-cookie rwk,
  /home/*/.xboardrc r,
  /home/*/.xsession-errors r,
  /home/*/Downloads/ r,
  /home/*/Downloads/** rw,
  /home/*/Public/ r,
  /home/*/Public/** r,

  /run/resolvconf/resolv.conf r,

  /proc/*/auxv r,
  /proc/*/fd/ r,
  /proc/*/net/route r,
  /proc/sys/kernel/random/uuid r,

  /tmp/* r,

  /usr/bin/canberra-gtk-play rix,
  /usr/bin/transmission-gtk mr,

  /usr/lib/x86_64-linux-gnu/gtk-3.0/*/immodules/*.so mr,
  /usr/lib/gtk-3.0/3.0.0/menuproxies/libappmenu.so mr,
  /usr/lib/gtk-3.0/3.0.0/theming-engines/*.so mr,
  /usr/lib/x86_64-linux-gnu/pango/*/modules/pango-basic-fc.so mr,
  /usr/lib/x86_64-linux-gnu/pango/*/module-files.d/ r,
  /usr/lib/x86_64-linux-gnu/pango/*/module-files.d/libpango*.modules r,
  /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs*.so mr,

  /usr/share/applications/mimeinfo.cache r,
  /usr/share/applications/transmission-gtk.desktop r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gvfs/remote-volume-monitors/ r,
  /usr/share/gvfs/remote-volume-monitors/* r,
  /usr/share/icons/ r,
  /usr/share/icons/** r,
  /usr/share/mime/mime.cache r,
  /usr/share/pixmaps/ r,
  /usr/share/themes/** r,

  owner /{run,dev}/shm/pulse-shm* k,
  /{run,dev}/shm/pulse-shm* rw,

}

Next up we need to add an abstraction for Java.  As you probably have heard, there are various serious Java exploits in the wild right now. Java is cross-platform which means Linux machines are just as vulnerable as Windows machines to such attacks. It would be trivial for an attacker to modify his Windows Java code to exploit Java on Linux.  Thus having a strong MAC policy for Java in the browser is imperative.

Ubuntu comes with its own Java browser profile, but I feel it has a few shortcomings, so I made my own.  There are a few things you need to note and take into consideration with this profile:


  • This profile will only work for OpenJDK (and IcedTea) and *not* Oracle's Java.  OpenJDK comes with Ubuntu, so if you are using the defaults, then you will be fine here.  

  • This only works with OpenJDK-7.  If you use v. 6 for some odd reason, then you will need to replace all the 7's in the profile.  

  • IMPORTANT: There is one thing with this profile you need to edit manually. Where you see /tmp/username, change the "username" to the name of the user on your system. Why am I bothering with this? Because I feel it is important to restrict writes to /tmp as much as possible. A lot of the Java exploits will download payloads to /tmp then try to execute them. If you can limit where it writes to /tmp there is a good chance it won't be able to even download the payload. This is important, so don't forget to do it!


Name of file:  browser_openjdk
Directory: /etc/apparmor.d/abstractions
Profile:

# vim:syntax=apparmor
# Author: 

  owner @{HOME}/.java/deployment/deployment.properties k,

  /usr/lib/jvm/java-7-openjdk*/jre/lib/*/IcedTeaPlugin.so mr,
  /usr/lib/jvm/java-7-openjdk/jre/bin/java rCx -> browser_openjdk,
  /usr/lib/jvm/java-7-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java rCx -> browser_openjdk,
  /usr/lib/jvm/java-7-openjdk-*/jre/bin/java rCx -> browser_openjdk,

  profile browser_openjdk {
    #include <abstractions/base>
    #include <abstractions/private-files-strict>

    network inet stream,
    network inet dgram,
    network inet6 stream,

    /usr/lib/jvm/java-7-openjdk-*/jre/lib/ r,
    /usr/lib/jvm/java-7-openjdk-*/jre/lib/** r,
    /usr/lib/jvm/java-7-openjdk-*/jre/lib/*/*.so mr,
    /usr/lib/jvm/java-7-openjdk-*/jre/lib/*/*/*.so mr,

    /usr/lib/jvm/java-7-openjdk-*/jre/bin/java r,
    /usr/lib/jvm/java-7-openjdk-*/jre/lib/*/jvm.cfg-default r,

    /usr/lib/x86_64-linux-gnu/jni/libatk-wrapper.so.* mr,
    /usr/lib/x86_64-linux-gnu/gconv/SJIS.so mr,

    deny /usr/bin/gconftool-2 x,
    deny /anon_hugepage//deleted r,

    /etc/fonts/fonts.conf r,
    /etc/fonts/conf.d/ r,
    /etc/fonts/conf.d/** r,
    /etc/fonts/conf.avail/ r,
    /etc/fonts/conf.avail/** r,
    /etc/hosts r,
    /etc/host.conf r,
    /etc/passwd r,
    /etc/ssl/certs/java/cacerts r,
    /etc/java-7-openjdk/ r,
    /etc/java-7-openjdk/** r,
    /etc/lsb-release r,
    /etc/ld.so.cache r,
    /etc/nsswitch.conf r,
    /etc/resolv.conf r,
    /etc/timezone r,

    /home/ r,
    /home/*/ r,
    /home/*/.cache/dconf/user rw,
    /home/*/.config/dconf/user r,
    /home/*/.config/ibus/bus/ w,
    /home/*/.fontconfig/ r,
    /home/*/.fontconfig/** r,
    /home/*/.fonts/ r,
    /home/*/.fonts/** r,
    /home/*/.java/fonts/ r,
    /home/*/.java/fonts/** rw,
    /home/*/.mozilla/firefox/profiles.ini r,
    /home/*/.icedtea/ r,
    /home/*/.icedtea/** r,
    /home/*/.icedtea/cache/** rwk,
    /home/*/.Xauthority r,

    /proc/[0-9]*/ r,
    /proc/[0-9]*/cmdline r,
    /proc/filesystems r,
    /proc/stat r,
    /proc/[0-9]*/coredump_filter rw,
    /proc/cpuinfo r,
    /proc/[0-9]*/maps r,
    /proc/[0-9]*/net/if_inet6 r,
    /proc/[0-9]*/net/ipv6_route r,
    /proc/meminfo r,

    /run/resolvconf/resolv.conf r,
    /usr/share/glib-2.0/schemas/gschemas.compiled r,

    /usr/lib/x86_64-linux-gnu/pango/*/modules/pango*.so m,
    /usr/lib/x86_64-linux-gnu/gtk-2.0/*/immodules/im-ibus.so mr,

    /usr/share/icedtea-web/ r,
    /usr/share/icedtea-web/** r,
    /usr/share/java/ r,
    /usr/share/java/** r,

    # For fonts, icons, themes, etc.  No abstractions here
    /usr/share/fonts/ r,
    /usr/share/fonts/** r,
    /usr/share/texmf/fonts/ r,
    /usr/share/texmf/fonts/** r,
    /usr/share/icons/ r,
    /usr/share/icons/** r,
    /usr/share/themes/ r,
    /usr/share/themes/** r,

    /usr/share/X11/locale/ r,
    /usr/share/X11/locale/** r,

    /usr/share/javazi r,
    /usr/share/javazi/** r,
    /usr/share/zoneinfo/ r,
    /usr/share/zoneinfo/** r,

    # /tmp stuff.  Again no abstractions
    /tmp/ r,
    /tmp/username/ rw,
    /tmp/username/** rw,
    /var/tmp/ r,
    /tmp/hsperfdata_*/ rw,
    /tmp/hsperfdata_*/** rw,
    /tmp/icedteaplugin-*/* r,
    /tmp/icedteaplugin-*/[0-9]*-icedteanp** rw,
    /tmp/*/netx/locks/netx_running rwk,

    /sys/devices/system/cpu/ r,
    /sys/devices/system/cpu/online r,

    /var/cache/fontconfig/ rw,
    /var/cache/fontconfig/** rw,

    /var/lib/dbus/machine-id r,
    /usr/lib/jvm/java-7-openjdk*/jre/bin/java ix,
    /usr/lib/jvm/java-7-openjdk*/jre/lib/i386/client/classes.jsa m,
    /usr/lib/jvm/java-7-openjdk-amd64/bin/java ix,

  }


That does it for all the peripheral profiles.  Now we can move on to Firefox itself, which will have two profiles.  Why two?  Because Firefox calls /usr/lib/firefox/firefox.sh before it starts.  This is a shell script, and shell scripts can be dangerous.  For this reason I have created a profile just for the shell script, which is separate from (and cannot touch) the profile for the binary itself.

Name of file: usr.lib.firefox.firefox.sh
Directory: /etc/apparmor.d/
Profile:


# Author: rookcifer@gmail.com
#include <tunables/global>

/usr/lib/firefox/firefox.sh {
  #include <abstractions/base>

  /bin/dash rix,
  /bin/which rix,
  /usr/lib/firefox/firefox Px,
  /usr/lib/firefox/firefox.sh r,

}


The next profile is for the binary itself.

Name of file: usr.lib.firefox.firefox
Directory: /etc/apparmor.d/
Profile:

# Last Modified: Tue Sep 25 13:17:29 2012
# Author: rookcifer@gmail.com
#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/browser_openjdk>
  #include <abstractions/dbus-session>
  #include <abstractions/fonts>
  #include <abstractions/nvidia>

  network inet dgram,
  network inet stream,
  network inet6 stream,


  /bin/dash rix,
  /bin/grep rix,

  # Put /bin/ps in a child profile for extra security.
  /bin/ps Cx,

  # config files.  Most are for the network
  /etc/adobe/mms.cfg r,
  /etc/firefox/syspref.js r,
  /etc/gai.conf r,
  /etc/gnome-vfs-2.0/modules/ r,
  /etc/gnome-vfs-2.0/modules/* r,
  /etc/gnome/defaults.list r,
  /etc/host.conf r,
  /etc/hosts r,
  /etc/lsb-release r,
  /etc/mailcap r,
  /etc/mime.types r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/resolv.conf r,
  /etc/xul-ext/ubufox.js r,
  /run/resolvconf/resolv.conf r,
  /sys/devices/system/cpu/present r,

  # Be strict with /tmp writes
  /tmp/ r,
  /tmp/* mrwk,
  /tmp/icedteaplugin-*/ w,
  /tmp/icedteaplugin-*/[0-9]*-icedteanp** rw,
  /tmp/orbit-*/ w,
  /tmp/plugtmp/ rw,
  /tmp/plugtmp/* w,

  # Evince, gnome-mplayer, transmission, and totem have their own profiles.  
  /usr/bin/evince Px,
  /usr/bin/gnome-mplayer Px,
  /usr/lib/totem/totem-plugin-viewer Px,
  /usr/bin/transmission-gtk Px,

  /usr/lib/firefox/plugin-container rix,
  /usr/lib{,32,64}/** mrwk,

  /usr/share/ r,
  /usr/share/applications/*.desktop r,
  /usr/share/applications/mimeinfo.cache r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/hunspell/ r,
  /usr/share/icons/ r,
  /usr/share/icons/** r,
  /usr/share/libthai/* r,
  /usr/share/mime/ r,
  /usr/share/mime/** r,
  /usr/share/mozilla/extensions/*/ r,
  /usr/share/pixmaps/ r,
  /usr/share/themes/** r,
  /usr/share/xul-ext/ubufox/ r,
  /usr/share/xul-ext/ubufox/** r,

  /var/tmp/ r,

  owner /{run,dev}/shm/pulse-shm* k,
  /{run,dev}/shm/pulse-shm* rw,

  @{HOME}/.ICEauthority r,
  @{HOME}/.Xauthority r,
  owner @{HOME}/.adobe/Flash_Player/* w,
  @{HOME}/.adobe/Flash_Player/AssetCache/ r,
  @{HOME}/.adobe/Flash_Player/AssetCache/** rw,
  @{HOME}/.cache/dconf/user rw,
  owner @{HOME}/.cache/gnome-mplayer/plugin/gecko-mediaplayer* rw,
  @{HOME}/.config/dconf/user r,
  @{HOME}/.config/ibus/bus/ w,
  @{HOME}/.fontconfig/* r,
  @{HOME}/.icons/ r,
  @{HOME}/.local/share/ r,
  @{HOME}/.local/share/applications/mimeapps.list r,
  @{HOME}/.local/share/applications/mimeinfo.cache r,
  @{HOME}/.local/share/icons/ r,
  @{HOME}/.local/share/icons/**/ r,
  @{HOME}/.local/share/mime/ r,
  @{HOME}/.local/share/mime/** r,
  owner @{HOME}/.local/share/recently-used.xbel* rw,
  @{HOME}/.macromedia/Flash_Player/#SharedObjects/ r,
  owner @{HOME}/.macromedia/Flash_Player/#SharedObjects/** rw,
  @{HOME}/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/** r,
  @{HOME}/.mozilla/** r,
  owner @{HOME}/.mozilla/firefox/*.default/** rw,
  @{HOME}/.nv/GLCache/ r,
  @{HOME}/.nv/GLCache/** rwk,
  @{HOME}/.pulse-cookie rwk,
  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* rwk,

  # Allow downloading files to /Downloads and uploading from /Public
  @{HOME}/Downloads/ r,
  @{HOME}/Downloads/** rw,
  @{HOME}/Public/ r,
  @{HOME}/Public/** r,

  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/mounts r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/status r,


  profile /bin/ps {
    deny capability sys_ptrace,


    /bin/ps r,
    /dev/tty r,
    /etc/ld.so.cache r,
    /lib/libproc-*.so mr,
    /lib/x86_64-linux-gnu/ld-*.so r,
    /lib/x86_64-linux-gnu/libc-*.so mr,
    /sys/devices/system/cpu/online r,
    /usr/lib/locale/** r,
    /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
    @{PROC}/ r,
    @{PROC}/[0-9]*/cmdline r,
    @{PROC}/[0-9]*/stat r,
    @{PROC}/[0-9]*/status r,
    @{PROC}/[0-9]/cmdline r,
    @{PROC}/[0-9]/stat r,
    @{PROC}/[0-9]/status r,
    @{PROC}/meminfo r,
    @{PROC}/stat r,
    @{PROC}/sys/kernel/pid_max r,
    @{PROC}/tty/drivers r,
    @{PROC}/uptime r,
    @{PROC}/version r,

  }
}


All done.  The last step, once you have all these profiles named correctly and placed in the proper directories, is to enforce them.  To do that, open a terminal and:

cd /etc/apparmor.d
sudo aa-enforce usr.lib.firefox* usr.bin.transmission-gtk usr.bin.gnome-mplayer usr.lib.totem.totem-plugin-viewer


I suggest also watching /var/log/syslog for a little bit after running Firefox.  This is to make sure it works properly with your configuration.  I have an Nvidia card, so if you don't, then you may have to make slight modifications.
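
Two of the manual steps above, filling in /tmp/username in the browser_openjdk abstraction and reading the denials out of /var/log/syslog after aa-enforce, as a small helper script added here; it is not part of the original post. The file name aa-helpers.sh, the function names and the sample log lines are my own assumptions, and on a real machine the denials come from /var/log/syslog (or dmesg) rather than the constructed sample.

```shell
#!/bin/sh
# Helper functions added for this post (not the author's code): fill in the
# /tmp/username placeholder in the browser_openjdk abstraction, and summarise
# AppArmor denials from syslog so the profiles can be tuned after aa-enforce.
# Assumes POSIX sh, sed, awk, sort, uniq and the Ubuntu 12.04 audit line
# layout: apparmor="DENIED" operation="..." profile="..." name="..."
# ... denied_mask="..." (capability denials carry capname= and no name=).

# Rewrite every "/tmp/username/" path in file $1 to use login name $2.
# Only plain lowercase POSIX user names are accepted, so nothing odd reaches
# the sed replacement (no "#", "&" or shell metacharacters).
fill_tmp_user() {
  file=$1
  user=$2
  case $user in
    ""|*[!a-z0-9_-]*) echo "fill_tmp_user: refusing user name '$user'" >&2; return 1 ;;
  esac
  tmp="$file.tmp.$$"
  sed "s#/tmp/username/#/tmp/$user/#g" "$file" > "$tmp" && mv "$tmp" "$file"
}

# One line per distinct denial, most frequent first:
#   <count> <profile> <operation> <name or capname> <denied_mask>
# Lines that are not DENIED (e.g. STATUS profile loads) are ignored.  Paths
# containing spaces would split into extra fields; quote-aware parsing is
# left out to keep the awk readable.
summarize_denials() {
  awk '/apparmor="DENIED"/ {
    prof = op = name = mask = "-"
    for (i = 1; i <= NF; i++) {
      n = index($i, "=")
      if (n == 0) continue
      k = substr($i, 1, n - 1)
      v = substr($i, n + 1)
      gsub(/"/, "", v)
      if (k == "profile") prof = v
      else if (k == "operation") op = v
      else if (k == "name" || k == "capname") name = v
      else if (k == "denied_mask") mask = v
    }
    print prof, op, name, mask
  }' "$1" | sort | uniq -c | sort -rn
}

# Constructed sample log (not real captures) written to file $1 for the demo
# and tests: two file denials, one capability denial in the ps child profile,
# and one STATUS line that must be skipped.
write_sample_log() {
  cat > "$1" <<'EOF'
Sep 27 06:40:01 box kernel: [  912.001] type=1400 audit(1348728001.100:61): apparmor="DENIED" operation="open" parent=2201 profile="/usr/lib/firefox/firefox" name="/etc/shadow" pid=2290 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 27 06:40:02 box kernel: [  913.002] type=1400 audit(1348728002.100:62): apparmor="DENIED" operation="open" parent=2201 profile="/usr/lib/firefox/firefox" name="/etc/shadow" pid=2290 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 27 06:40:03 box kernel: [  914.003] type=1400 audit(1348728003.100:63): apparmor="DENIED" operation="capable" parent=2290 profile="/usr/lib/firefox/firefox///bin/ps" pid=2301 comm="ps" capability=19 capname="sys_ptrace"
Sep 27 06:40:04 box kernel: [  915.004] type=1400 audit(1348728004.100:64): apparmor="STATUS" operation="profile_replace" name="/usr/bin/transmission-gtk" pid=2310 comm="apparmor_parser"
EOF
}

# Stand-alone demo: sh aa-helpers.sh demo   (touches only a temp directory)
if [ "${1-}" = demo ]; then
  d=$(mktemp -d)
  write_sample_log "$d/syslog"
  summarize_denials "$d/syslog"
  rm -r "$d"
fi
```

On a real system, run `summarize_denials /var/log/syslog` after exercising Firefox; a denied path that the application genuinely needs is a candidate for a new rule, while a denied read of something like /etc/shadow is the profile doing its job.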

Good luck and hopefully you will be more secure in Firefox.


3 comments:

  1. Please write a profile for Firefox / Ubuntu 14.04. The default profile is ineffective.
    AppArmor is too tough for me, so I am searching for a profile that will allow FF read or write access to only those parts of / without which it cannot function, leaving that to ~/Downloads.

  2. Great tips and detailed guide for a newbie in Ubuntu! I will definitely use them going forward. May I know what other sources you would recommend for similar stuff?
