-
Notifications
You must be signed in to change notification settings - Fork 552
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AppArmor and Firefox: Error message #3226
Comments
@adrelanos some time ago pointed us to https://gitlab.com/apparmor/apparmor/issues/50, and I still wonder if that solution could make everyone happy in the end. The only remaining issue would be
That's probably because you have a symbolic link /usr/local/bin/firefox -> /usr/bin/firejail, and one time you started the sandbox as
I think it tries to tell you that seccomp is (partially) broken. You can confirm this by running |
Sorry, just realize that actually you cannot. Anyway, it is rather important to give access to |
Thanks, I have to read that thoroughly.
Okay, I added back |
First compile https://github.com/netblue30/firejail/blob/master/src/tools/extract_seccomp.c and run it like |
Firefox render processes always have one seccomp filter extra, which is the built-in Firefox sandbox. Just in case you wonder. |
Thanks for this explanation and providing those tools! When executing
Starting it with sudo worked, though. Now I have to analyze the output ... |
Actually it is not necessary to understand the output, by just counting the filters it should be evident there is one less. |
This and most other issues should've been fixed by https://gitlab.com/apparmor/apparmor/-/merge_requests/345 @curiosityseeker can you confirm the line I'm not sure if it is a good idea to expose the Firejail binary itself, which is setuid-root after all, in all AppArmor profiles. |
Sorry, I had actually forgotten about this. I'll do that once I find the time. |
No, that line is present in abstractions/base:
|
I'm sorry, I confused the paths. The base abstraction doesn't grant access to Proposal for a
|
I think that's a good idea as it would make it easier to add those rules to one's own AppArmor profiles. Note that I have in my Thunderbird profile the following rule: So some of above rules might be hardened be modifying them to owner conditional rules. Another aspect - discussed here - is that obviously the (EDIT: I found this info about I wonder if those flags are needed for all AA profiles in combination with Firejail. But they can't be added by an abstraction anyhow. Btw - a probably crazy idea (not really related to this discussion) comes to my mind: Would it be feasible to create an AA profile for /usr/bin/firejail that allows everything needed but restricts/blocks all operations related to the risk of firejail being a SUID executable? |
There is some
Writing an AppArmor profile for Firejail itself is certainly possible. But as Firejail requires very broad permissions (only think of blacklisting and whitelisting), I doubt you would end up with a meaningful restriction. What might make sense though is to have dedicated AppArmor profiles for Firejail's various helper programs (for example |
Thanks! I updated the comment accordingly. |
Anything left here? |
Btw, would it be useful at all to let users set their own AppArmor profiles (instead of |
That's already possible by adding
I doubt that's feasible. If such an AA profile should not break an application the rules therein must be rather unspecific to take account of, e.g., various DE's. I'm not sure if such an AA profile offers real added value. And if it's specific enough users have to learn AA syntax and logic as well to unbreak applications. I'm afraid we would have considerably more support issues her. |
I don't think so. However, I must admit that I'm no longer terribly interested in this issue. The reason is that - after countless tries - I no longer use Firejail for Thunderbird, Firefox and Cherrytree but run those applications in AA profiles. Simply because I wasn't able to execute helper applications (like Okular, Gwenview and LibreOffice) running in their own sandbox or, at least, in their own AA profile. This problem was already discussed at length in this issue. E.g., when I click a PDF attachment in Thunderbird I've managed to open it in Okular - unfortunately it's not running in its own sandbox but within the Thunderbird sandbox (which means that Okular has access to everything in ~/.thunderbird). If I combine Firejail with AppArmor I'm only able to execute those helper applications in ix mode (with the same result as above). Ths is even true if the Firejail profile only contains That's why I wrote my own strict AA profiles for those helper applications. Now I can execute them from, e.g., (unfirejailed) Thunderbird in Px mode which means that the helper application runs in its own profile with zero access to ~./thunderbird. Perhaps I wasn't able to see the forest for the trees any more after countless unsuccessful tries but finally I gave up to find a working solution with Firejail. I think this problem is one of the most annoying weaknesses in Firejail. I guess it's caused by the namespaces used in Firejail, and I have no idea if there is a potential solution at all. |
Namespaces and seccomp have no notion of transitions between security domains. If we want these transitions (e.g. from an email client sandbox to a pdf viewer sandbox), we will have to work around the limitation by ourselves. It is not necessarily impossible, for example we could mount a tiny helper on top of the pdf viewer binary, and expose a simple service on the D-Bus session bus which does nothing but starting sandboxed pdf viewer instances. Then every attempt to start the viewer from inside the sandbox would be redirected to our service on the session bus. No idea how easy or difficult it would be to get it right, though. Transitions between security domains can be tricky, and AppArmor, just as a side note, is known to have its own set of unresolved problems, arising from incomplete sanitizing of the environment (an attacker in sandbox 1 can play creatively with environment variables like |
That's right, but being able to freely specify AppArmor profiles is still more flexible. There could be:
Currently there is no way from within Firejail to load a profile of category 3.
I've been wondering that, too. |
That's an interesting idea. I wonder if it were possible to apply that tiny helper not only to, e.g., a specific PDF viewer but to all kinds of applications ... I guess that helper would also need a ruleset for the applications it would be applied to.
Could you elaborate, please? I'm not sure what you mean exactly. Any sources or examples? |
This reminds me of the |
Originally reported in http:https://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html and tracked in https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1045985 . Nothing to be concerned about when transitioning to a more restrictive profile, there is an issue only when transitioning to something less restrictive. It was meant just as an illustration of the pitfalls that are luring here (admittedly somewhat unlucky, as this particular issue wouldn't affect Firejail).
Nice idea, access to the service could be controlled by write access to a directory. |
Thanks, interesting! However, when writing my own profiles I never ever use Ux (and certainly not ux), Pix or the Sanitized Helper. ;) |
While I agree in general, we have to answer some questions:
Does that claim still stand?
|
With SELinux it's possible to move between different domains with different rules, even more permissive, so I wonder why this would not possible with AA? There are no SELinux rules for Firejail yet, but I'm working on those. |
Yes, please! I'm definitely interested! |
Just adding that even using child profiles or named profile transitions do not work. I tried something like:
but to no avail. |
@curiosity-seeker Apologies for the late reply. I couldn't recover the old pastebin files, but I rewrote them from scratch. I put the files in two repositories: firejail-handler-http and firejail-handler-extra. Arch Linux users can try firejail-handler-http and/or firejail-handler-extra. Feel free to test and comment as you see fit. There is probably room for improvement, so any feedback is very much appreciated. |
@glitsj16 : Thanks a lot for this! I will try to test this in the coming days and will certainly report how it will go! |
add basic Firejail support to AppArmor base abstraction (#3226)
@smitsohu : Many thanks for adding this abstraction. As already mentioned in discussions, it works flawlessly with Firefox. EDIT: The previously mentioned error message for Brave and Thunderbird is pointless. However, in Thunderbird I can't open links in Firefox anymore. Now if you also find a solution to allow for profile transitions that would be fantastic :-) |
I'm aware of the warnings about using Firejail and AppArmor at the same time. In particular, I cannot confirm the following statement so far - at least, not for Firefox on Arch Linux:
When I created my Firefox AppArmor profile,
aa-logprof
suggested to add the following rules, indeed:At first, I added them - but now I removed those rules again without any noticeable side-effects. Firefox is confined by AppArmor and sandboxed by Firejail.
However, if I start Firefox in the console I'm seeing the following error message:
ERROR: ld.so: object '/run/firejail/lib/libpostexecseccomp.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
What does this error message mean? Is this something I should be concerned about?
The text was updated successfully, but these errors were encountered: