AppArmor profile to sandbox Firefox?

Asked by meow

Hi

Is it possible to use AppArmor to sandbox Firefox? Also, is it possible to virtualise the entire Ubuntu hard drive like you can in Windows?

Question information

Language: English
Status: Answered
For: Ubuntu firefox
Assignee: No assignee

Vikram Dhillon (dhillon-v10) said :
#1

Please elaborate more on what you are saying; AppArmor already has a
profile for Firefox, and what do you mean by virtualising the hard
drive? If you can elaborate more, then you will receive more help :D

--
Regards,
Vikram Dhillon

~~~
There are lots of Linux users who don't care how the kernel works, but
only want to use it. That is a tribute to how good Linux is.
-- Linus Torvalds

On Thu, Dec 31, 2009 at 6:25 PM, meow
<email address hidden> wrote:
> New question #95804 on firefox in ubuntu:
> https://answers.edge.launchpad.net/ubuntu/+source/firefox/+question/95804
>
> Hi
>
> Is it possible to use AppArmor to sandbox Firefox? Also, is it possible to virtualise the entire Ubuntu hard drive like you can in Windows?

Soul-Sing (soulzing) said :
#2

In Ubuntu version 9.10 Firefox has its own profile:
sudo apt-get install apparmor-profiles
sudo enforce firefox
sudo apparmor_parser -r /etc/apparmor.d/firefox or
/etc/init.d/apparmor restart

meow (accessdeniedno) said :
#3

Instead of making my own Firefox profile via trial and error, is there a way to manually copy and use this profile http://bodhizazen.net/aa-profiles/bodhizazen/ubuntu-9.10/usr.bin.firefox-3.5 ?

Soul-Sing (soulzing) said :
#4

meow, 9.10 comes afaik with a standard profile, but I could be wrong. And yes, you could make your own profile and use a profile made by another member. But... some members run a server, others don't; take a look at the profiles, and restrict access to your "home", imo the best way to enforce, harden your browser and system.
Please run: sudo /etc/init.d/apparmor status. Is there a profile for Firefox available?

meow (accessdeniedno) said :
#5

leoquant, I ran sudo and this is what I got:

shinji@shinji-laptop:~$ sudo /etc/init.d/apparmor status
[sudo] password for shinji:
/usr/sbin/traceroute (complain)
/usr/sbin/tcpdump (enforce)
/usr/sbin/smbd (complain)
/usr/sbin/nscd (complain)
/usr/sbin/nmbd (complain)
/usr/sbin/mdnsd (complain)
/usr/sbin/identd (complain)
/usr/sbin/dovecot (complain)
/usr/sbin/dnsmasq (complain)
/usr/sbin/cupsd (enforce)
/usr/lib/cups/backend/cups-pdf (enforce)
/usr/sbin/avahi-daemon (enforce)
/usr/lib/firefox-3.5.6/firefox.sh (complain)
/usr/lib/firefox-3.5.6/firefox.sh//null-26 (complain)
/usr/lib/dovecot/pop3-login (complain)
/usr/lib/dovecot/pop3 (complain)
/usr/lib/dovecot/managesieve-login (complain)
/usr/lib/dovecot/imap-login (complain)
/usr/lib/dovecot/imap (complain)
/usr/lib/dovecot/dovecot-auth (complain)
/usr/lib/dovecot/deliver (complain)
/usr/lib/firefox-3.5.*/firefox (enforce)
/usr/bin/evince-thumbnailer (enforce)
/usr/bin/evince-previewer (enforce)
/usr/bin/evince (enforce)
/sbin/syslogd (complain)
/sbin/syslog-ng (complain)
/sbin/klogd (complain)
/usr/lib/connman/scripts/dhclient-script (enforce)
/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
/sbin/dhclient3 (enforce)
/usr/share/gdm/guest-session/Xsession (enforce)
/bin/ping (complain)

I used to have Firefox 3.5.5 but I'm using Firefox 3.5.6 now. Is it safe to delete the profile for 3.5.5?

Also, what is /usr/lib/firefox-3.5.*/firefox (enforce) - some sort of general profile for all Firefox installations?

Soul-Sing (soulzing) said :
#6

> Also what is /usr/lib/firefox-3.5.*/firefox (enforce) -some sort of general profile for all firefox installations?

Yes, as I said, 9.10 comes with a general Firefox profile, and this 3.5.* (which means all versions of 3.5) profile is in the enforced mode. You don't have to delete a profile. If you want this, set enforced into complain mode.....
So it is clear that version 9.10 has made a great improvement regarding security (not even mentioning the possibility to encrypt your entire "home").
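
An added illustration, not part of the original thread and not an AppArmor tool: the status listing in post #5 can be checked against an executable path to see which profile name covers it and in which mode. The helper name profiles_for and the sample lines are assumptions made for this example; it only reports name matches and treats `*` as staying within one path component.

```shell
#!/bin/sh
# Constructed sample in the "profile (mode)" format of the status output in post #5.
SAMPLE_STATUS='/usr/sbin/tcpdump (enforce)
/usr/lib/firefox-3.5.6/firefox.sh (complain)
/usr/lib/firefox-3.5.6/firefox.sh//null-26 (complain)
/usr/lib/firefox-3.5.*/firefox (enforce)
/usr/bin/evince (enforce)'

# profiles_for EXE_PATH (hypothetical helper): reads status lines on stdin and
# prints "mode<TAB>profile" for each profile name that matches EXE_PATH.
# Only the *, ** and ? glob operators are translated; other characters are literal.
profiles_for() {
    awk -v target="$1" '
    function glob2re(g,    re, i, c) {
        re = "^"
        for (i = 1; i <= length(g); i++) {
            c = substr(g, i, 1)
            if (c == "*" && substr(g, i + 1, 1) == "*") { re = re ".*"; i++ }  # ** crosses "/"
            else if (c == "*") re = re "[^/]*"        # * stays inside one path component
            else if (c == "?") re = re "[^/]"
            else if (index(".+()[]{}^$|\\", c)) re = re "\\" c
            else re = re c
        }
        return re "$"
    }
    match($0, / \((enforce|complain)\)[ \t]*$/) {
        name = substr($0, 1, RSTART - 1)
        sub(/^[ \t]+/, "", name)
        mode = substr($0, RSTART + 2)
        sub(/\)[ \t]*$/, "", mode)
        if (index(name, "//")) next   # child and null profiles are entered by transition
        if (target ~ glob2re(name)) print mode "\t" name
    }'
}

# Demo on the constructed sample: which profile covers the 3.5.6 binary?
printf '%s\n' "$SAMPLE_STATUS" | profiles_for /usr/lib/firefox-3.5.6/firefox
```

On a live system, pipe the output of `sudo /etc/init.d/apparmor status` into `profiles_for` instead of the sample.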

meow (accessdeniedno) said :
#7

OK, sorry to beat around the bush here, but is this general Firefox profile - /usr/lib/firefox-3.5.*/firefox (enforce) - configured by default with any security in mind, or do I have to set the profile myself?

Why are there additional Firefox profiles for updated versions when there is already this general profile?

Soul-Sing (soulzing) said :
#8

meow, you could always replace the default Firefox profile by another profile, and then enforce the new profile.
But the default profile will work with/on Firefox.

meow (accessdeniedno) said :
#9

For the time being I'm going to leave the Firefox 3.5.6 profile as complain. What protection, if any, does the default general Firefox profile provide?

I couldn't help but notice that the first time I checked the status of AppArmor many of the profiles were already set to enforced. Where can I find specific information on what these default enforced profiles do?

Soul-Sing (soulzing) said :
#10

No, I don't know where to find detailed information about what these profiles do.
Generally I do: they harden your "apps"/progs, and your system.
