AppArmor: Are multiple profiles per application (Firefox, Thunderbird) possible? Syntax?
3 votes
Is there a way to create an AppArmor profile for each Firefox profile, when running multiple profiles off a single installation of Firefox? Or more generally for any application supporting multiple profiles, Thunderbird, etc. Generally all the AppArmor profiles I find for these apps only contain the whole app, unless I missed something.
Usually you launch a Firefox or Thunderbird with a command line argument to specify a different profile. However I can find nothing in the AppArmor profile syntax to match against app arguments.
I know libvirt does this somehow by creating an AppArmor profile for each virtual machine, so there must be some way.
linux firefox apparmor
migrated from security.stackexchange.com Jun 14 '15 at 6:41
This question came from our site for information security professionals.
asked Jun 12 '15 at 17:15
stereoclawmarks
3 Answers
2 votes, accepted
AppArmor works by executable. It can't figure out that Firefox has loaded a different profile and so it should use a different AppArmor profile.
AppArmor does support change rules, which allow an application to change which profile applies to it. The intended use case is precisely to allow an application to switch to a more restrictive profile once it's finished initializing and figured out what it needs to access in this particular instance. So if Firefox was AppArmor-aware, it would be possible to give it a `change_profile` rule and have it apply the transition once it's figured out which profile to run as. As far as I know, this hasn't been done.
What you can do without programming is make multiple copies or hard links of the `firefox-bin` executable, and define different profiles for each of them (AppArmor is based on the path to the executable, so different hard links need not use the same profile, unlike SELinux which is based on inodes). This requires root and isn't so convenient, which is why the change profile feature was added to AppArmor.
answered Jun 14 '15 at 17:28
Gilles
Hard links! So simple I couldn't think of it. I'll have to try that, thanks, though not ideal. – stereoclawmarks Jun 21 '15 at 4:57
1 vote
I'm not sure, but as I understand, I think: no.
AppArmor could make a distinction between different
- applications
- file-system paths
- users / groups
To have different AppArmor behaviour for different application profiles, you have to create different users for each AppArmor behaviour.
Like Android does for sandboxing all apps under a different "user".
answered Jun 14 '15 at 6:55
F. Hauri
Actually AppArmor does support this (with reasonably recent versions), through change rules, but only with the cooperation of the application. – Gilles Jun 14 '15 at 17:29
Thanks... I was hoping to avoid further containment such as by user, but I can recognize it's also the traditional pattern for this... – stereoclawmarks Jun 21 '15 at 4:54
0 votes
Very easy, my friend. Create a hard link called firefox-(putProfileNameHere):
    cd /data/usr/lib/firefox/
    # one hard link per Firefox profile
    sudo ln firefox /usr/bin/firefox-default
    sudo ln firefox /usr/bin/firefox-1b58iygj
    #etc etc etc
Create multiple AppArmor profiles:
    cd /etc/apparmor.d
    # /etc/apparmor.d is root-owned, so the copies need sudo
    sudo cp usr.bin.firefox usr.bin.firefox-default
    sudo cp usr.bin.firefox usr.bin.firefox-1b58iygj
    #etc etc etc
Modify each profile as you wish.
Create different .desktop files in /usr/share/applications (or use a menu manager like Alacarte or KDE ??) to launch the custom binaries + relevant profile:
    firefox-default
    firefox-1b58iygj --profile /home/<yourUserID>/.mozilla/firefox/1b58iygj
    #etc etc etc
Have fun.
answered 9 mins ago
thebunnyrules
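An added example (not part of the answers above) of the hard-link approach: a copied usr.bin.firefox still names the original executable in its header, so the script rewrites that attachment path for each link and refuses to continue if the link is not a true hard link. The base profile text, the staging ROOT and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: stage per-Firefox-profile hard links and AppArmor profiles
# under a scratch ROOT, so nothing on the live system is touched.

# Constructed stand-in for a distribution's /etc/apparmor.d/usr.bin.firefox.
sample_base_profile() {
cat <<'EOF'
#include <tunables/global>
/usr/lib/firefox/firefox{,*[^s][^h]} flags=(complain) {
  #include <abstractions/base>
  owner @{HOME}/.mozilla/** rwk,
}
EOF
}

# derive_profile BASE NEW_PATH: print BASE with the attachment path in its
# top-level header replaced by NEW_PATH, keeping any flags=(...).
# Fails if BASE has no recognisable header line.
derive_profile() {
    awk -v path="$2" '
        !done && /^(profile[ \t]|\/)/ && /[{][ \t]*$/ {
            flags = match($0, /flags=[(][^)]*[)]/) ? (substr($0, RSTART, RLENGTH) " ") : ""
            print path " " flags "{"; done = 1; next
        }
        { print }
        END { exit !done }' "$1"
}

inode() { ls -i "$1" | awk '{ print $1 }'; }

# confine ROOT FF_BIN BASE NAME: hard-link FF_BIN to ROOT/usr/bin/firefox-NAME
# and write a profile attached to /usr/bin/firefox-NAME.
confine() {
    root=$1 ff=$2 base=$3 name=$4
    case $name in ''|*[!A-Za-z0-9._-]*) echo "bad profile name" >&2; return 1 ;; esac
    link=$root/usr/bin/firefox-$name
    out=$root/etc/apparmor.d/usr.bin.firefox-$name
    mkdir -p "$root/usr/bin" "$root/etc/apparmor.d" || return 1
    # ln without -s fails across filesystems; do not fall back to a copy.
    ln "$ff" "$link" || return 1
    [ "$(inode "$ff")" = "$(inode "$link")" ] || return 1
    derive_profile "$base" "/usr/bin/firefox-$name" > "$out" ||
        { rm -f "$out" "$link"; return 1; }
}

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/usr/lib/firefox"
    printf '#!/bin/sh\n' > "$tmp/usr/lib/firefox/firefox"   # fake binary
    sample_base_profile > "$tmp/base"
    confine "$tmp" "$tmp/usr/lib/firefox/firefox" "$tmp/base" 1b58iygj &&
        sed -n 2p "$tmp/etc/apparmor.d/usr.bin.firefox-1b58iygj"
    rc=$?; rm -rf "$tmp"; return $rc
}
demo
# On a real system, load and check each generated profile as root:
#   apparmor_parser -r /etc/apparmor.d/usr.bin.firefox-1b58iygj && aa-status
```

A hard link pins the inode it was created from, so after a package upgrade replaces the Firefox binary the links still run the old build; re-create them as part of the upgrade.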