Setting up Apparmor to protect firefox

Hi there. I’m a relatively new linux user and would like some help using
yast to set up apparmor protection for firefox.

I have read some articles on how to do this from various sources,
however, every time I get to a particular point in the process what
actually happens deviates from what I was told would happen.

Essentially, I understand I have to create a profile for both firefox
and firefox.sh

When I go to make the profile through yast I get to the point where I
have run firefox for a few minutes - I do some browsing, watch some
youtube etc. Then when I get back to yast and I’m running the rest of
the configuration process I get lost. The articles I read told me that
all I would have to do for each privilege or file firefox accessed was
push “Allow” or “Deny” or something to that effect.

In reality I had several options to choose from at each turn. For every
privilege or file accessed, I had to choose from about six options,
including “Inherit” or even to create a whole new profile for the file
itself. It became very confusing. Would it be a good or bad idea to
click “inherit” for each item? Probably not I assume.

Secondly, most of the literature I have read on apparmor states that
while you are creating a new profile on an application, you should make
an attack impossible. Well, how can I do this when I’m profiling firefox
and therefore have to access the internet with it in order for apparmor
to profile it - thus making it to some extent vulnerable to attack,
especially considering I’m running root privileges through yast at the
time?

Sorry, if I have not made myself very clear. If someone has the
patience to help me out with this one, it would be greatly appreciated.
I really wish firefox was set up by default in apparmor - although I
realise there is probably a good reason it is not.


steve_2

steve_2’s Profile: http://forums.opensuse.org/member.php?userid=15212
View this thread: http://forums.opensuse.org/showthread.php?t=404681

I think the reason that Firefox is not set up as default in apparmor is
that it is not really necessary.
Very difficult to attack Linux via Firefox. Firstly there is no ActiveX
and it is run as a normal user and therefore cannot execute programs. I
actually remove apparmor on my system.
I googled for Firefox and apparmor; I didn’t find anything.

Didn’t answer your question but as I said, not needed IMHO

/Geoff


Core 2 Duo 3.16GHz 4GB DDR2 2.5 TB GeForce 7600 GS OS 11.1 x86_64
KDE4.2 beta2 ‘Smolt specs’ (http://tinyurl.com/9hgxhl)

geoffro’s Profile: http://forums.opensuse.org/member.php?userid=75
View this thread: http://forums.opensuse.org/showthread.php?t=404681

geoffro wrote:

> and it is run as a normal user and therefore cannot execute programs.

You’re saying normal users can’t execute programs?
I don’t think so.
And the files a user has access to happen to be the files he or she cares
about.

Saying a user can’t do any harm is wrong, it’s only easier to get the harm
undone IF you make backups.

Firefox is pretty safe to use I’m sure, it’s the trillion extensions you
should be careful with.

Chris Maaskant