Syntax Error in Firefox Profile Generation makes Firefox-ESR run unconfined although Profile is enforced

Bug #1800789 reported by X
Affects: AppArmor Profiles
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

First of all I'd like to apologize in advance if this is the wrong place to report this, since I don't know where the "usr.bin.firefox-esr" apparmor-profile stems from and if I should report this to the apparmor-profiles Launchpad or Gitlab repository or the official Mozilla Firefox-ESR PPA. If this is the wrong place, feel free to close this issue. I also posted this bug on the Gitlab repository: (https://gitlab.com/apparmor/apparmor-profiles/issues/3).

System Information:

    - Up-to-date stable release of Ubuntu 18.10 (Problem also persisted in 18.04 LTS)
    - Newest stable release of Firefox-ESR from the official Mozilla PPA (https://launchpad.net/~mozillateam/+archive/ubuntu/ppa)
    - apparmor, apparmor-utils and apparmor-profiles installed

Description of Problem:

Firefox-ESR is successfully set to enforce mode with "$ sudo aa-enforce usr.bin.firefox-esr". By checking "$ sudo aa-status" and looking under "X profiles are in enforce mode" you see the enforced profiles for Firefox and Firefox-ESR (Firefox was also set to enforce mode):

   /usr/lib/firefox-esr/firefox{,*[^s][^h]}
   /usr/lib/firefox-esr/firefox{,*[^s][^h]}//browser_java
   /usr/lib/firefox-esr/firefox{,*[^s][^h]}//browser_openjdk
   /usr/lib/firefox-esr/firefox{,*[^s][^h]}//lsb_release
   /usr/lib/firefox-esr/firefox{,*[^s][^h]}//sanitized_helper
   /usr/lib/firefox/firefox{,*[^s][^h]}
   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
   /usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release
   /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper

But if you run Firefox-ESR you don't see its process(es) listed under "X processes are in enforce mode". Also the perceivable start-up slow-down due to apparmor is missing. Saving files in custom defined forbidden file paths is also possible. Firefox-ESR is apparently running without apparmor enforced.

Possible Solution of the Problem:

If you compare the apparmor-profiles under "/etc/apparmor.d/" of Firefox and Firefox-ESR you notice that they are very similar:

Firefox

# We want to confine the binaries that match:
# /usr/lib/firefox/firefox
# /usr/lib/firefox/firefox
# but not:
# /usr/lib/firefox/firefox.sh
/usr/lib/firefox/firefox{,*[^s][^h]} {

Firefox-ESR

# We want to confine the binaries that match:
# /usr/lib/firefox-esr/firefox-esr
# /usr/lib/firefox-esr/firefox
# but not:
# /usr/lib/firefox-esr/firefox.sh
/usr/lib/firefox-esr/firefox{,*[^s][^h]} {

If you check "/usr/lib/firefox/" you will find the "firefox" application file and the "firefox.sh" script. But if you check "/usr/lib/firefox-esr/" you will find the application file is named "firefox-esr" not "firefox", but the script is still "firefox.sh".

Therefore line 14 "/usr/lib/firefox-esr/firefox{,*[^s][^h]} {" in "usr.bin.firefox-esr" isn't working, since it should be "/usr/lib/firefox-esr/firefox-esr{,*[^s][^h]} {" or even just "/usr/lib/firefox-esr/firefox-esr {".

By manually correcting the apparmor profile and re-enforcing it, Firefox-ESR successfully runs in enforce mode and its process(es) are listed under "X processes are in enforce mode". Everything seems to be working correctly.

Checking "X profiles are in enforce mode" again shows the old and new profile enforced simultaneously:

   /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}
   /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//browser_java
   /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//browser_openjdk
   /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//lsb_release
   /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//sanitized_helper
   /usr/lib/firefox-esr/firefox{,*[^s][^h]}
   /usr/lib/firefox-esr/firefox{,*[^s][^h]}//browser_java
   /usr/lib/firefox-esr/firefox{,*[^s][^h]}//browser_openjdk
   /usr/lib/firefox-esr/firefox{,*[^s][^h]}//lsb_release
   /usr/lib/firefox-esr/firefox{,*[^s][^h]}//sanitized_helper
   /usr/lib/firefox/firefox{,*[^s][^h]}
   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
   /usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release
   /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper

After setting Firefox-ESR to complain-mode and then again to enforce-mode the old enforced profile is removed:

   /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}
   /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//browser_java
   /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//browser_openjdk
   /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//lsb_release
   /usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}//sanitized_helper
   /usr/lib/firefox/firefox{,*[^s][^h]}
   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
   /usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release
   /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
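The following is an added example, not part of the bug report or of the apparmor-profiles project: a small Python translator for the subset of AppArmor attachment-path globbing used in these profile headers ('*', '**', '?', '[...]' / '[^...]' classes and '{a,b}' alternation with an empty branch). It approximates the matcher's documented semantics rather than calling apparmor_parser, so it runs on any machine and shows why the shipped header never attaches to the firefox-esr binary: the trailing '[^s][^h]' was written to exclude 'firefox.sh', but it rejects every suffix whose second-to-last character is 's', and '-esr' is one of them. The file names and both headers are taken from the report; no other paths are assumed to exist.

```python
import re

# Added example (not the bug report's or apparmor-profiles' own code): an
# approximation of AppArmor attachment-path globbing, used here only to
# reason about which binaries a profile header attaches to.


def apparmor_glob_to_regex(pattern: str) -> str:
    """Translate '*', '**', '?', '[...]'/'[^...]' and '{a,b}' to a Python regex.

    Semantics assumed (as documented for apparmor.d): '*' matches any run of
    characters except '/', '**' may cross '/', '{a,b}' is alternation and an
    empty alternative is allowed, so 'firefox{,*[^s][^h]}' matches the bare
    name 'firefox' through the empty branch.
    """
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif c == "*":
            out.append("[^/]*"); i += 1
        elif c == "?":
            out.append("[^/]"); i += 1
        elif c == "[":
            end = pattern.index("]", i + 1)  # classes here contain no ']'
            out.append("[" + pattern[i + 1:end].replace("\\", "\\\\") + "]")
            i = end + 1
        elif c == "{":
            out.append("(?:"); depth += 1; i += 1
        elif c == "," and depth:
            out.append("|"); i += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1; i += 1
        else:
            out.append(re.escape(c)); i += 1
    return "".join(out)


def attaches(pattern: str, path: str) -> bool:
    """True if a profile with this attachment pattern would confine 'path'."""
    return re.fullmatch(apparmor_glob_to_regex(pattern), path) is not None


def attachment_table(pattern: str, paths) -> dict:
    """Map each candidate path to whether the header attaches to it."""
    return {p: attaches(pattern, p) for p in paths}


def suffix_allowed(suffix: str) -> bool:
    """What '{,*[^s][^h]}' really accepts after the fixed prefix: nothing at
    all, or at least two characters whose second-to-last is not 's' and whose
    last is not 'h'. That excludes '.sh' as intended, but also '-esr'."""
    if suffix == "":
        return True
    return (len(suffix) >= 2 and "/" not in suffix
            and suffix[-2] != "s" and suffix[-1] != "h")


# Constructed inputs: the header from the shipped profile, the reporter's
# corrected header, and the file names the report says exist per directory.
ORIGINAL_HEADER = "/usr/lib/firefox-esr/firefox{,*[^s][^h]}"
FIXED_HEADER = "/usr/lib/firefox-esr/firefox-esr{,*[^s][^h]}"
CANDIDATES = [
    "/usr/lib/firefox-esr/firefox-esr",  # the real ESR binary
    "/usr/lib/firefox-esr/firefox",      # absent on an ESR install
    "/usr/lib/firefox-esr/firefox.sh",   # wrapper script, meant to stay unconfined
]

if __name__ == "__main__":
    for header in (ORIGINAL_HEADER, FIXED_HEADER):
        print(header)
        for path, hit in attachment_table(header, CANDIDATES).items():
            print(f"  {'attaches' if hit else 'no match'}  {path}")
```

Running it shows the shipped header attaching only to the non-existent "/usr/lib/firefox-esr/firefox" and the corrected header attaching to "/usr/lib/firefox-esr/firefox-esr" while still leaving "firefox.sh" alone. Whatever the pattern says, the authoritative check on a live system is what the report itself uses: "aa-status" listing the process under "processes are in enforce mode", or reading /proc/<pid>/attr/current for the running Firefox-ESR process, which prints "unconfined" when no profile attached.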

X (amnesiac-kid): description: updated
X (amnesiac-kid): description: updated; information type: Private Security → Public