AppArmorFirefoxProfile

Differences between revisions 4 and 5
Revision 4 as of 2009-09-10 22:48:54
Size: 2236
Editor: pool-71-114-226-175
Comment:
Revision 5 as of 2009-11-25 19:03:42
Size: 2313
Editor: c-76-105-168-175
Comment: reorg
## page was renamed from SecurityTeam/Specifications/AppArmorFirefoxProfile

Summary

Provide a means for administrators and users to opt into AppArmor confinement in firefox.

Impact

The end-user impact for users in default installations will be non-existent. The firefox package will ship with the profile in complain mode during the development cycle and, before release (or at some point in the cycle), will be updated so that the profile is disabled. Users must opt in to using the profile and therefore should know that AppArmor confinement could cause firefox to behave unexpectedly.

Rationale

Firefox is one of the most popular desktop applications in Ubuntu and is very popular outside of Ubuntu. It is an attractive target for security research and exploitation, having had 58 CVEs patched in the last 6 months.

Design

Read-write access to $HOME/.mozilla and explicit deny rules for sensitive files in $HOME, such as $HOME/.ssh. Plugins in Ubuntu should work by default (possibly excepting gnupg). Have commented sections in the profile to allow people to selectively enable certain plugins and addons, but provide a somewhat lenient policy for executing applications in /usr/bin.

Implementation

The binary's path currently includes the version number, which makes upgrades tricky (e.g. /usr/lib/firefox-3.5.1/firefox is confined, then an upgrade moves the binary to /usr/lib/firefox-3.5.2/firefox and the profile no longer matches). To address this:

  • the path to the binary in the profile should use globbing. Eg:

    /usr/lib/firefox-3.5.*/firefox {

  • ship the profile as a separate conffile
  • handle profile reloading carefully by performing just an "add/replace" on the profile, so the old version is not detached from running firefox processes

Test/Demo Plan

The following tests should be performed:

  • on install, the profile is disabled if the profile doesn't already exist
  • on upgrade from a version of firefox earlier than the one providing the profile, the profile is disabled if the profile doesn't already exist
  • if the profile exists and differs from the shipped profile, prompt
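The Design, Implementation and Test/Demo Plan sections above, worked through as one added example that is not the Ubuntu firefox package's profile or maintainer script: a constructed sample profile in the shape the Design section describes (globbed path, read-write $HOME/.mozilla, explicit deny rules, commented plugin section, lenient /usr/bin execution), plus shell functions that model the conffile handling from the test plan (install disabled when absent, leave an identical profile alone, refuse to overwrite a differing one so the caller can prompt) and the in-place "replace" reload. The file name usr.lib.firefox-3.5.firefox, the RELOAD_CMD override, the function names and the scratch directories are assumptions of this example; on a real system the directory would be /etc/apparmor.d and the reload requires root on an AppArmor-enabled kernel.

```shell
#!/bin/sh
# Added example, not the Ubuntu firefox package's maintainer script or shipped
# profile. Directory paths are parameters so the logic can be exercised against
# scratch directories.

# Constructed sample profile in the shape the Design section describes.
EXAMPLE_PROFILE='#include <tunables/global>

# glob on the versioned directory so /usr/lib/firefox-3.5.2/firefox is still
# matched after an upgrade from 3.5.1
/usr/lib/firefox-3.5.*/firefox {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/fonts>
  #include <abstractions/user-tmp>

  # browser state: read-write
  owner @{HOME}/.mozilla/ rw,
  owner @{HOME}/.mozilla/** rwk,

  # explicit deny rules for sensitive files; deny takes precedence over any
  # allow rule that also matches
  deny @{HOME}/.ssh/** mrwkl,
  deny @{HOME}/.gnupg/** mrwkl,

  # somewhat lenient: helpers in /usr/bin run under this same profile (ix)
  /usr/bin/* ix,

  # Plugins and add-ons: uncomment to enable
  # /usr/lib/mozilla/plugins/*.so mr,
}
'

# Reload command (assumed override hook): apparmor_parser -r replaces the loaded
# profile in place; overridable so the logic runs on a machine without AppArmor.
RELOAD_CMD=${RELOAD_CMD:-"apparmor_parser -r"}

# Report absent / disabled / enabled for profile $2 under AppArmor dir $1.
profile_state() {
  etc=$1; name=$2
  if [ ! -e "$etc/$name" ]; then echo absent
  elif [ -e "$etc/disable/$name" ]; then echo disabled
  else echo enabled
  fi
}

# "add/replace" reload: the profile is replaced in the kernel in place, so
# running confined firefox processes stay attached to it (an unload followed
# by a load would leave them unconfined). A disabled profile is never loaded.
reload_profile() {
  etc=$1; name=$2
  [ "$(profile_state "$etc" "$name")" = enabled ] || return 0
  $RELOAD_CMD "$etc/$name"   # unquoted on purpose: command plus its flags
}

# Install shipped profile $1 (a file) into AppArmor dir $2.
# Exit status: 0 handled; 2 an existing profile differs, caller must prompt.
install_firefox_profile() {
  shipped=$1; etc=$2
  name=$(basename "$shipped")
  mkdir -p "$etc/disable"
  if [ ! -e "$etc/$name" ]; then
    # fresh install, or upgrade from a version without the profile: ship it
    # disabled, the way aa-disable does (symlink in disable/, nothing loaded)
    cp "$shipped" "$etc/$name"
    ln -sf "$etc/$name" "$etc/disable/$name"
    return 0
  fi
  if cmp -s "$shipped" "$etc/$name"; then
    reload_profile "$etc" "$name"
    return 0
  fi
  return 2   # locally modified profile: do not overwrite, prompt instead
}

# Walk through the three test-plan cases in a scratch tree.
demo() {
  work=$(mktemp -d)
  name=usr.lib.firefox-3.5.firefox   # constructed conffile name
  mkdir -p "$work/shipped"
  printf '%s' "$EXAMPLE_PROFILE" > "$work/shipped/$name"
  install_firefox_profile "$work/shipped/$name" "$work/etc"
  echo "first install: $(profile_state "$work/etc" "$name")"
  install_firefox_profile "$work/shipped/$name" "$work/etc"
  echo "re-run, unchanged: $(profile_state "$work/etc" "$name")"
  echo "  # local edit" >> "$work/etc/$name"
  install_firefox_profile "$work/shipped/$name" "$work/etc" \
    || echo "local change detected: prompt (status $?)"
  rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run it as `sh this-script.sh --demo` to see the three cases in order; the disable/ symlink is the same mechanism aa-disable uses, so an administrator who later opts in removes the symlink and loads the profile, and subsequent package upgrades of an unmodified profile reach the replace path rather than the prompt.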


CategorySpec

SecurityTeam/Specifications/Karmic/AppArmorFirefoxProfile (last edited 2010-03-21 02:41:39 by pool-71-123-4-188)