
#1 2024-11-18 11:49:32

alessandro_mo
Member
Registered: 2024-11-17
Posts: 16

Unconfined firefox processes with apparmor

I enabled apparmor and when I check for the status, it says

8 processes are unconfined but have a profile defined.
   /usr/lib/firefox/firefox (111319) firefox
   /usr/lib/firefox/firefox (111394) firefox
   /usr/lib/firefox/firefox (111409) firefox
   /usr/lib/firefox/firefox (111452) firefox
   /usr/lib/firefox/firefox (111495) firefox
   /usr/lib/firefox/firefox (111516) firefox
   /usr/lib/firefox/firefox (111519) firefox
   /usr/lib/firefox/firefox (111539) firefox

Offline

#2 2024-11-18 18:10:18

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 23,289

Re: Unconfined firefox processes with apparmor

https://wiki.archlinux.org/title/AppArmor#Configuration -- pay special and proper attention to all the manpage links for the distinct tools.

If I'm going to be honest, if this is your level of troubleshooting you should stop trying to set this up or get much, much more comfortable with learning about how to use these things before trying to apply them; you'll only shoot yourself in the foot at marginal wins.

Last edited by V1del (2024-11-18 18:31:47)

Offline

#3 2024-11-18 18:46:53

alessandro_mo
Member
Registered: 2024-11-17
Posts: 16

Re: Unconfined firefox processes with apparmor

V1del wrote:

https://wiki.archlinux.org/title/AppArmor#Configuration -- pay special and proper attention to all the manpage links for the distinct tools.

If I'm going to be honest, if this is your level of troubleshooting you should stop trying to set this up or get much, much more comfortable with learning about how to use these things before trying to apply them; you'll only shoot yourself in the foot at marginal wins.

Can you be more specific about these man page links?
Be honest and let me know how you expect me to learn something better without trying to apply it and possibly failing in the process.

Offline

#4 2024-11-18 19:58:05

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 23,289

Re: Unconfined firefox processes with apparmor

Read the page, click on the links mentioned there, read through them, read more generic apparmor tutorials. You are struggling with the absolute basics here and are basically asking people to spoonfeed you tutorials.

Offline

#5 2024-11-19 06:18:24

alessandro_mo
Member
Registered: 2024-11-17
Posts: 16

Re: Unconfined firefox processes with apparmor

So for a newbie who tries to learn, but fails while applying things and asks for help in the newbie section on the official forum, the moderator of that section suggests that he give up or learn better?

Offline

#6 2024-11-19 09:35:30

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 23,289

Re: Unconfined firefox processes with apparmor

This isn't a topic one can handwave away with easy steps - there's no one size fits all solution, properly setting this up requires a good understanding of what you intend to do, we can't do your reading for you. Did you read the existing profile? Do you agree with what it does? If so, you can enable the policy with aa-enforce if you so want to.

Last edited by V1del (2024-11-19 10:39:52)

Offline

#7 2024-11-20 06:50:13

alessandro_mo
Member
Registered: 2024-11-17
Posts: 16

Re: Unconfined firefox processes with apparmor

I naively thought it would grant at the very least some protection with pre-configured profiles, like a hardened kernel gives you security benefits out of the box.
However, firefox still shouldn't be in an unconfined state:

# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

Last edited by alessandro_mo (2024-11-20 06:51:37)

Offline
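A way to check what each flagged process is actually running under, as an added example that is not part of the thread: it pulls the PIDs out of the "unconfined but have a profile defined" section of the status output and reads each task's label from /proc. The function names and the sample text are constructed for this example (the firefox lines are taken from the first post), and it assumes the kernel's usual label format, either a bare `unconfined` or `profile (mode)`.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample: one enforce-mode entry plus two firefox lines from post #1.
SAMPLE='1 processes are in enforce mode.
   /usr/bin/example (4242) example
8 processes are unconfined but have a profile defined.
   /usr/lib/firefox/firefox (111319) firefox
   /usr/lib/firefox/firefox (111394) firefox
0 processes are in mixed mode.'

# Read aa-status text on stdin; print the PIDs listed under the
# "unconfined but have a profile defined" heading, one per line.
unconfined_with_profile_pids() {
    awk '
        /processes are unconfined but have a profile defined/ { in_sec = 1; next }
        # A non-indented line is the next summary heading: the section is over.
        in_sec && /^[^ \t]/ { in_sec = 0 }
        # Entries look like: "   /path/to/exe (PID) profile-name"
        in_sec && match($0, /\([0-9]+\)/) { print substr($0, RSTART + 1, RLENGTH - 2) }
    '
}

# Split a task label into "profile mode". A bare "unconfined" means no
# profile is attached; "name (unconfined)" means a named profile is attached
# whose mode is unconfined, so it restricts nothing.
classify_label() {
    case "$1" in
        unconfined) echo "- unconfined" ;;
        *" ("*")")  mode=${1##*" ("}; echo "${1%" ("*} ${mode%")"}" ;;
        *)          echo "$1 unknown" ;;
    esac
}

# Read aa-status text on stdin; for each flagged PID print "PID profile mode".
report_labels() {
    unconfined_with_profile_pids | while read -r pid; do
        label=$(cat "/proc/$pid/attr/current" 2>/dev/null) || label=""
        if [ -z "$label" ]; then
            echo "$pid gone-or-unreadable"
        else
            echo "$pid $(classify_label "$label")"
        fi
    done
}
```

On a live system, run `aa-status | report_labels` as root and compare the result before and after restarting the browser.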

#8 2024-11-22 21:39:21

sekret
Member
Registered: 2013-07-22
Posts: 289

Re: Unconfined firefox processes with apparmor

You can use the apparmor.d-git package, which includes many profiles. But it's possible they aren't set the way you want them to be.

Offline

#9 2024-11-23 13:42:49

loqs
Member
Registered: 2014-03-06
Posts: 18,067

Re: Unconfined firefox processes with apparmor

sekret wrote:

You can use the apparmor.d-git package, which includes many profiles. But it's possible they aren't set the way you want them to be.

The apparmor package already includes a firefox profile as V1del stated. alessandro_mo has not enabled it from the posted output.

Offline

#10 2024-11-23 14:35:56

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 23,289

Re: Unconfined firefox processes with apparmor

And as we noticed that profile is not configured at all by default. If you want a preconfigured and "decisions made for you" apparmor configuration you'd have to opt for a different distribution. Which is why I'm giving such a generic answer, I don't know what you want to protect your system from. E.g. especially browsers do a lot of sandboxing of their own already. If you think you need more protection than what they are already doing you need to be able to define what you want to protect from, how you want to protect from it and these are usually very individual answers.

Afaik firejail comes with a bunch of preconfigs but we often have threads where people's expected functionality starts to break because of a too tightly configured sandbox setup in some form.

Offline
