AppArmor: Are multiple profiles per application (Firefox, Thunderbird) possible? Syntax?

Is there a way to create an AppArmor profile for each Firefox profile, when running multiple profiles off a single installation of Firefox? Or, more generally, for any application supporting multiple profiles, Thunderbird, etc.? Generally all the AppArmor profiles I find for these apps only contain the whole app, unless I missed something.

Usually you launch Firefox or Thunderbird with a command line argument to specify a different profile. However, I can find nothing in the AppArmor profile syntax to match against app arguments.

I know libvirt does this somehow by creating an AppArmor profile for each virtual machine, so there must be some way.

Tags: linux firefox apparmor

asked Jun 12 '15 at 17:15 by stereoclawmarks




migrated from security.stackexchange.com Jun 14 '15 at 6:41
This question came from our site for information security professionals.

3 Answers






AppArmor works by executable. It can't figure out that Firefox has loaded a different profile and so it should use a different AppArmor profile.

AppArmor does support change rules, which allow an application to change which profile applies to it. The intended use case is precisely to allow an application to switch to a more restrictive profile once it's finished initializing and figured out what it needs to access in this particular instance. So if Firefox were AppArmor-aware, it would be possible to give it a change_profile rule and have it apply the transition once it's figured out which profile to run as. As far as I know, this hasn't been done.

What you can do without programming is make multiple copies or hard links of the firefox-bin executable, and define different profiles for each of them (AppArmor is based on the path to the executable, so different hard links need not use the same profile, unlike SELinux, which is based on inodes). This requires root and isn't so convenient, which is why the change profile feature was added to AppArmor.

answered Jun 14 '15 at 17:28 by Gilles (accepted answer, score 2)











• Hard links! So simple I couldn't think of it. I'll have to try that, thanks, though not ideal.
  – stereoclawmarks
  Jun 21 '15 at 4:57
















I'm not sure, but as I understand it, I think: no.

AppArmor can make a distinction between different

• application

• file-system path

• user / group

To have different AppArmor behaviour for different application profiles, you have to create a different user for each AppArmor behaviour.

Like Android does, sandboxing all apps under a different "user".







answered Jun 14 '15 at 6:55 by F. Hauri (score 1)











• Actually AppArmor does support this (with reasonably recent versions), through change rules, but only with the cooperation of the application.
  – Gilles
  Jun 14 '15 at 17:29

• Thanks... I was hoping to avoid further containment such as by user, but I can recognize it's also the traditional pattern for this...
  – stereoclawmarks
  Jun 21 '15 at 4:54

















Very easy, my friend. Create a hard link called firefox-(putProfileNameHere):

    cd /data/usr/lib/firefox/
    # hard links cannot cross filesystems: the link and the target must be on the same one
    sudo ln firefox /usr/bin/firefox-default
    sudo ln firefox /usr/bin/firefox-1b58iygj
    # etc etc etc

Create multiple AppArmor profiles:

    cd /etc/apparmor.d
    cp usr.bin.firefox usr.bin.firefox-default
    cp usr.bin.firefox usr.bin.firefox-1b58iygj
    # etc etc etc
    # in each copy, change the attachment path in the profile header
    # (/usr/bin/firefox { ...) to the matching hard link, otherwise every
    # copy still attaches to /usr/bin/firefox

Modify each profile as you wish.

Create different .desktop files in /usr/share/applications (or use a menu manager like Alacarte or KDE ??) to launch the custom binaries + relevant profile:

    firefox-default
    firefox-1b58iygj --profile /home/<yourUserID>/.mozilla/firefox/1b58iygj
    # etc etc etc

Have fun.






answered 9 mins ago by thebunnyrules (score 0)
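As an added example (not code from the question or from any of the answers), this Python script automates the hard-link approach that Gilles suggests and thebunnyrules spells out: it reads Firefox's profiles.ini and emits one AppArmor profile per Firefox profile, attached to /usr/bin/firefox-<name> and confined to that profile's own directory, with explicit deny rules for every other profile directory. The sample profiles.ini is constructed, and the include <abstractions/firefox-common> is a hypothetical placeholder for whatever shared Firefox rules your distribution ships.

```python
"""Per-Firefox-profile AppArmor profiles for hard-linked firefox binaries.
Example code added for this page; not part of the original answers."""
import configparser
import re

# Constructed sample, in the format Firefox writes to ~/.mozilla/firefox/profiles.ini
SAMPLE_PROFILES_INI = """\
[Profile0]
Name=default
IsRelative=1
Path=1b58iygj.default

[Profile1]
Name=banking
IsRelative=1
Path=7q2kz0ax.banking

[Profile2]
Name=work
IsRelative=0
Path=/srv/ffprofiles/work
"""

# Hypothetical abstraction holding the distro's common Firefox rules; adjust to your distro.
COMMON_INCLUDE = "abstractions/firefox-common"


def parse_profiles_ini(text):
    """Return [(name, path, is_relative)] for each [ProfileN] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = []
    for section in cp.sections():
        if re.fullmatch(r"Profile\d+", section):
            sec = cp[section]
            profiles.append((sec["Name"], sec["Path"], sec.get("IsRelative", "1") == "1"))
    return profiles


def profile_dir(path, is_relative):
    """Directory of a profile, using the AppArmor @{HOME} tunable for relative paths."""
    return f"@{{HOME}}/.mozilla/firefox/{path}" if is_relative else path


def safe_name(name):
    """Reject names that could not form a sane file name or attachment path."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise ValueError(f"unsafe profile name: {name!r}")
    return name


def render_profile(target, all_profiles, link_dir="/usr/bin"):
    """AppArmor profile text for the hard link <link_dir>/firefox-<name>."""
    name = safe_name(target[0])
    own = profile_dir(target[1], target[2])
    lines = [
        "#include <tunables/global>",
        "",
        # The attachment path must be the hard link itself: a plain copy of
        # usr.bin.firefox would still attach to /usr/bin/firefox.
        f"{link_dir}/firefox-{name} {{",
        "  #include <abstractions/base>",
        f"  #include <{COMMON_INCLUDE}>",
        "",
        "  @{HOME}/.mozilla/firefox/profiles.ini r,",
        "  @{HOME}/.mozilla/firefox/installs.ini r,",
        f"  owner {own}/ rw,",
        f"  owner {own}/** rwk,",
    ]
    # Deny rules win over allow rules in AppArmor whatever their order, so a single
    # `deny @{HOME}/.mozilla/firefox/** rw,` would also block the directory allowed
    # above.  List the *other* profile directories one by one instead.
    for other in all_profiles:
        if other[0] != target[0]:
            lines.append(f"  audit deny {profile_dir(other[1], other[2])}/** rwk,")
    lines.append("}")
    return "\n".join(lines) + "\n"


def generate_all(ini_text):
    """Map /etc/apparmor.d file name -> profile text, one per Firefox profile."""
    profiles = parse_profiles_ini(ini_text)
    return {f"usr.bin.firefox-{safe_name(p[0])}": render_profile(p, profiles) for p in profiles}
```

Write each generated entry to /etc/apparmor.d/<file name> next to the matching hard link and load it with apparmor_parser -r; the audit keyword makes any attempt by one profile's Firefox to reach another profile's directory show up in the kernel log.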



























                     
