
Apparmor and Firefox

Long ago, I had the idea to restrict Firefox, as the most dangerous application on the desktop, and the news about the appearance of the Jinx cross-platform exploit (http://www.opennet.ru/opennews/art.shtml?num=17217) only strengthened that desire. I already use AppArmor to restrict Skype and scripts on servers; today I decided to increase the security of the workstation by reducing the access rights of Firefox.


I ran Firefox through the AppArmor profile generator (genprof), edited the result a bit and got the following rules:

 # Last Modified: Tue Aug 12 12:48:50 2008
 #include <tunables/global>
 /usr/lib/firefox-3.0.1/firefox.sh {
   #include <abstractions/base>
   #include <abstractions/fonts>
   #include <abstractions/gnome>
   #include <abstractions/nameservice>

   capability sys_ptrace,

   /bin/dash ixr,
   /bin/grep ixr,
   /bin/ps ixr,
   /dev/shm/ r,
   /dev/shm/* rw,
   /etc/firefox-3.0/** r,
   /etc/fstab r,
   /etc/gnome/defaults.list r,
   /etc/gre.d/ r,
   /etc/gre.d/* r,
   /etc/mime.types r,
   /etc/mtab r,
   /etc/pulse/client.conf r,
   @{HOME}/.ICEauthority r,
   @{HOME}/.Xauthority r,
   @{HOME}/.adobe/**/ r,
   @{HOME}/.config/* r,
   @{HOME}/.config/gtk-2.0/* rw,
   @{HOME}/.fonts.conf r,
   @{HOME}/.icons/ r,
   @{HOME}/.local/share/applications/ r,
   @{HOME}/.local/share/applications/* r,
   @{HOME}/.local/share/icons/ r,
   @{HOME}/.local/share/mime/mime.cache r,
   @{HOME}/.macromedia/** rw,
   @{HOME}/.mozilla/** krw,
   @{HOME}/.pulse-cookie krw,
   @{PROC}/*/cmdline r,
   @{PROC}/*/maps r,
   @{PROC}/*/mounts r,
   @{PROC}/*/stat r,
   @{PROC}/*/status r,
   @{PROC}/cpuinfo r,
   @{PROC}/meminfo r,
   @{PROC}/stat r,
   @{PROC}/sys/kernel/pid_max r,
   @{PROC}/tty/drivers r,
   @{PROC}/uptime r,
   @{PROC}/version r,
   /usr/lib/firefox-3.0.1/firefox ixr,
   /usr/lib/firefox-3.0.1/firefox.sh mr,
   /usr/local/share/applications/ r,
   /usr/local/share/applications/* r,
   /usr/local/share/mime/mime.cache r,
   /usr/share/applications/ r,
   /usr/share/applications/* r,
   /usr/share/gdm/applications/ r,
   /usr/share/gdm/applications/* r,
   /usr/share/locale-langpack/** r,
   /usr/share/mime/** r,
   /usr/share/myspell/** r,
   /usr/share/ubufox/** r,
   /usr/share/xine/desktop/* r,
   /var/run/dbus/system_bus_socket w,
 }


Save these rules to /etc/apparmor.d/usr.lib.firefox-3.0.1.firefox.sh and restart AppArmor; Firefox then has access only to the files it needs in order to work. Files can be saved only into the /tmp directory. Anyone who is used to saving downloads somewhere else can add a line with the needed directory to the rules file.
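To find out which extra directory line the profile needs, the kernel's AppArmor audit events for this profile are the place to look. The helper below is an added example, not code from the original post: it parses audit lines for the post's profile name, collapses per-file denials into one `dir/** mode,` candidate per directory with `@{HOME}` substituted, and turns denials on sensitive locations into review comments instead of rules. The sample log lines, the `/home/user` home directory and the function names are constructed for the example; events written while the profile is in complain mode are logged as `ALLOWED` rather than `DENIED`, so both are accepted.

```python
import os
import re
from collections import defaultdict

PROFILE = "/usr/lib/firefox-3.0.1/firefox.sh"  # profile name from the post

# Constructed sample kernel audit lines (not from the original post).
SAMPLE_LOG = """\
audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/lib/firefox-3.0.1/firefox.sh" name="/home/user/Downloads/" pid=2311 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/lib/firefox-3.0.1/firefox.sh" name="/home/user/Downloads/report.pdf.part" pid=2311 comm="firefox" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 apparmor="DENIED" operation="rename_src" profile="/usr/lib/firefox-3.0.1/firefox.sh" name="/home/user/Downloads/report.pdf.part" pid=2311 comm="firefox" requested_mask="wrd" denied_mask="wrd" fsuid=1000 ouid=1000
audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/lib/firefox-3.0.1/firefox.sh" name="/home/user/.ssh/id_rsa" pid=2311 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/bin/skype" name="/home/user/Downloads/x" pid=2400 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

EVENT_RE = re.compile(r'apparmor="(?:DENIED|ALLOWED)".*?profile="([^"]+)"'
                      r'.*?name="([^"]+)".*?denied_mask="([^"]+)"')
# Log mask letters -> profile mode letters; create and delete are covered by 'w'.
MODE_OF = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w", "k": "k", "l": "l", "m": "m"}
# Locations that must not be opened to the browser merely because it asked for them.
REVIEW_PREFIXES = ("@{HOME}/.ssh/", "@{HOME}/.gnupg/")


def denied_paths(log_text, profile=PROFILE):
    """Map each path the given profile was refused on to the set of modes it wanted."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m and m.group(1) == profile:  # ignore other profiles' events
            wanted[m.group(2)].update(MODE_OF[c] for c in m.group(3) if c in MODE_OF)
    return dict(wanted)


def suggest_rules(wanted, home="/home/user"):
    """Collapse file denials to one 'dir/** mode,' line per directory, keep directory
    entries as-is, substitute @{HOME}, and flag sensitive locations for review."""
    by_dir = defaultdict(set)
    for path, modes in wanted.items():
        if path.startswith(home + "/"):
            path = "@{HOME}" + path[len(home):]
        key = path if path.endswith("/") else os.path.dirname(path) + "/**"
        by_dir[key].update(modes)
    rules = []
    for key in sorted(by_dir):
        mode = "".join(c for c in "rwalkm" if c in by_dir[key])
        if key.startswith(REVIEW_PREFIXES):
            rules.append(f"  # REVIEW, not added: {key} {mode} was denied")
        else:
            rules.append(f"  {key} {mode},")
    return rules


if __name__ == "__main__":
    print("\n".join(suggest_rules(denied_paths(SAMPLE_LOG))))
```

On a real machine the log text comes from `dmesg` or the audit log; each candidate line still has to be read before it goes into the profile.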

Source: https://habr.com/ru/post/36746/
