Thread: Setting up Apparmor to protect firefox

  1. #1

    Setting up Apparmor to protect firefox

    Hi there. I'm a relatively new linux user and would like some help using yast to set up apparmor protection for firefox.

    I have read some articles on how to do this from various sources, however, every time I get to a particular point in the process what actually happens deviates from what I was told would happen.

    Essentially, I understand I have to create a profile for both firefox and firefox.sh

    When I go to make the profile through yast I get to the point where I have run firefox for a few minutes - I do some browsing, watch some youtube etc. Then when I get back to yast and I'm running the rest of the configuration process I get lost. The articles I read told me that all I would have to do for each privilege or file firefox accessed was push "Allow" or "Deny" or something to that effect.

    In reality I had several options to choose from at each turn. For every privilege or file accessed, I had to choose from about six options, including "Inherit" or even to create a whole new profile for the file itself. It became very confusing. Would it be a good or bad idea to click "inherit" for each item? Probably not I assume.

    Secondly, most of the literature I have read on apparmor states that while you are creating a new profile on an application, you should make an attack impossible. Well, how can I do this when I'm profiling firefox and therefore have to access the internet with it in order for apparmor to profile it - thus making it to some extent vulnerable to attack, especially considering I'm running root privileges through yast at the time?

    Sorry, if I have not made myself very clear. If someone has the patience to help me out with this one, it would be greatly appreciated. I really wish firefox was set up by default in apparmor - although I realise there is probably a good reason it is not.

  2. #2

    Re: Setting up Apparmor to protect firefox

    I think the reason that Firefox is not set up as default in apparmor is that it is not really necessary.
    Very difficult to attack Linux via Firefox. Firstly there is no ActiveX and it is run as a normal user and therefore cannot execute programs. I actually remove apparmor on my system.
    I googled for Firefox and apparmor; I didn't find anything.

    Didn't answer your question but as I said not needed IMHO

    /Geoff

  3. #3
    Chris Maaskant NNTP User

    Re: Setting up Apparmor to protect firefox

    geoffro wrote:

    > and it is run as a normal user and therefore cannot execute programs.


    You're saying normal users can't execute programs?
    I don't think so.
    And the files a user has access to happen to be the files he or she cares
    about.

    Saying a user can't do any harm is wrong, it's only easier to get the harm
    undone *IF* you make backups.

    Firefox is pretty safe to use I'm sure, it's the trillion extensions you
    should be careful with.
    --
    Chris Maaskant

