I'm running Ubuntu MATE 19.04. I want to enable AppArmor for Firefox. I found an existing profile in /etc/apparmor.d/usr.bin.firefox, which I enabled by deleting /etc/apparmor.d/disable/usr.bin.firefox.
It mostly works, but I've noticed one problem. I can't open my downloads from Firefox. I can't even "Open Containing Folder" on a download. Both ask me which application I want to use to perform the action.
Below are the errors I see when running Firefox. The first 4 AppArmor errors occur when I launch Firefox. The last 3 "Cannot launch" errors occur when I try to open a download.
** (firefox:6062): WARNING **: 17:58:37.874: Unable to query dbus: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.138" (uid=1000 pid=6062 comm="/usr/lib/firefox/firefox " label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)") interface="org.freedesktop.DBus" member="ListNames" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
** (/usr/lib/firefox/firefox:6127): WARNING **: 17:58:38.319: Unable to query dbus: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.140" (uid=1000 pid=6127 comm="/usr/lib/firefox/firefox -contentproc -childID 1 -" label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)") interface="org.freedesktop.DBus" member="ListNames" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
** (/usr/lib/firefox/firefox:6184): WARNING **: 17:58:38.954: Unable to query dbus: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.141" (uid=1000 pid=6184 comm="/usr/lib/firefox/firefox -contentproc -childID 2 -" label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)") interface="org.freedesktop.DBus" member="ListNames" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
** (/usr/lib/firefox/firefox:6253): WARNING **: 17:58:40.358: Unable to query dbus: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.142" (uid=1000 pid=6253 comm="/usr/lib/firefox/firefox -contentproc -childID 3 -" label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)") interface="org.freedesktop.DBus" member="ListNames" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
** (firefox:6062): WARNING **: 17:58:51.217: Cannot launch default application: Failed to execute child process “/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop” (Permission denied)
** (firefox:6062): WARNING **: 17:58:51.227: Cannot launch default application: Failed to execute child process “/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop” (Permission denied)
** (firefox:6062): WARNING **: 17:58:54.538: Cannot launch default application: Failed to execute child process “/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop” (Permission denied)
Here is my full profile:
# vim:syntax=apparmor
# Author: Jamie Strandboge <[email protected]>
# Declare an apparmor variable to help with overrides
@{MOZ_LIBDIR}=/usr/lib/firefox
#include <tunables/global>
# We want to confine the binaries that match:
#  /usr/lib/firefox/firefox
#  /usr/lib/firefox/firefox
# but not:
#  /usr/lib/firefox/firefox.sh
/usr/lib/firefox/firefox{,*[^s][^h]} {
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-strict>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/dconf>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/p11-kit>
  #include <abstractions/ubuntu-unity7-base>
  #include <abstractions/ubuntu-unity7-launcher>
  #include <abstractions/dbus-accessibility-strict>
  dbus (send)
       bus=session
       peer=(name=org.a11y.Bus),
  dbus (receive)
       bus=session
       interface=org.a11y.atspi**,
  dbus (receive, send)
       bus=accessibility,
  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/arp r,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,
  dbus (send)
       bus=system
       path=/org/freedesktop/NetworkManager
       member=state,
  dbus (receive)
       bus=system
       path=/org/freedesktop/NetworkManager,
  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
  /etc/xfce4/defaults.list r,
  /usr/share/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  /var/lib/snapd/desktop/applications/mimeinfo.cache r,
  /var/lib/snapd/desktop/applications/*.desktop r,
  owner /tmp/** m,
  owner /var/tmp/** m,
  owner /{,var/}run/shm/shmfd-* rw,
  owner /{dev,run}/shm/org.{chromium,mozilla}.* rwk,
  /tmp/.X[0-9]*-lock r,
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,
  # let the shell know we launched something
  dbus (send)
       bus=session
       interface=org.gtk.gio.DesktopAppInfo
       member=Launched,
  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,
  # firefox specific
  /etc/firefox*/ r,
  /etc/firefox*/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,
  # noisy
  deny @{MOZ_LIBDIR}/** w,
  deny /usr/lib/firefox-addons/** w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,
  # TODO: investigate
  deny /usr/bin/gconftool-2 x,
  # These are needed when a new user starts firefox and firefox.sh is used
  @{MOZ_LIBDIR}/** ixr,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/pwd ixr,
  /sbin/killall5 ixr,
  /bin/which ixr,
  /usr/bin/tr ixr,
  @{PROC}/ r,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,
  @{PROC}/sys/vm/overcommit_memory r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/platform/**/uevent r,
  /sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
  /sys/devices/pci*/**/{,subsystem_}device r,
  /sys/devices/pci*/**/{,subsystem_}vendor r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  owner @{HOME}/.cache/thumbnails/** rw,
  /etc/mtab r,
  /etc/fstab r,
  # Needed for the crash reporter
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  /etc/lsb-release r,
  /usr/bin/expr ix,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,
  # about:memory
  owner @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/smaps r,
  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,
  # allow access to documentation and other files the user may want to look
  # at in /usr and /opt
  /usr/ r,
  /usr/** r,
  /opt/ r,
  /opt/** r,
  # so browsing directories works
  / r,
  /**/ r,
  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  owner @{HOME}/ r,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,
  # per-user firefox configuration
  owner @{HOME}/.{firefox,mozilla}/ rw,
  owner @{HOME}/.{firefox,mozilla}/** rw,
  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
  owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
  owner @{HOME}/.gnome2/firefox* rwk,
  owner @{HOME}/.cache/mozilla/{,firefox/} rw,
  owner @{HOME}/.cache/mozilla/firefox/** rw,
  owner @{HOME}/.cache/mozilla/firefox/**/*.sqlite k,
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  owner @{HOME}/.config/dconf/user w,
  owner /{,var/}run/user/*/dconf/user w,
  dbus (send)
       bus=session
       path=/org/gnome/GConf/Server
       member=GetDefaultDatabase
       peer=(label=unconfined),
  dbus (send)
       bus=session
       path=/org/gnome/GConf/Database/*
       member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}
       peer=(label=unconfined),
  dbus (send)
       bus=session
       path=/org/gtk/vfs/mounttracker
       interface=org.gtk.vfs.MountTracker
       member=ListMountableInfo
       peer=(label=unconfined),
  # gnome-session
  dbus (send)
       bus=session
       path=/org/gnome/SessionManager
       interface=org.gnome.SessionManager
       member={Inhibit,Uninhibit}
       peer=(label=unconfined),
  # unity screen API
  dbus (send)
       bus=system
       interface="org.freedesktop.DBus.Introspectable"
       path="/com/canonical/Unity/Screen"
       member="Introspect"
       peer=(label=unconfined),
  dbus (send)
       bus=system
       interface="com.canonical.Unity.Screen"
       path="/com/canonical/Unity/Screen"
       member={keepDisplayOn,removeDisplayOnRequest}
       peer=(label=unconfined),
  # freedesktop.org ScreenSaver
  dbus (send)
       bus=session
       path=/{,org/freedesktop/,org.gnome/}Screen{s,S}aver
       interface=org.freedesktop.ScreenSaver
       member={Inhibit,UnInhibit,SimulateUserActivity}
       peer=(label=unconfined),
  # gnome, kde and cinnamon screensaver
  dbus (send)
       bus=session
       path=/{,ScreenSaver}
       interface=org.{gnome.ScreenSaver,kde.screensaver,cinnamon.ScreenSaver}
       member=SimulateUserActivity
       peer=(label=unconfined),
  # UPower
  dbus (send)
       bus=system
       path=/org/freedesktop/UPower
       interface=org.freedesktop.UPower
       member=EnumerateDevices
       peer=(label=unconfined),
  #
  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  owner @{HOME}/.mozilla/**/extensions/** mixr,
  deny @{MOZ_LIBDIR}/update.test w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/extensions/**/ w,
  deny /usr/share/mozilla/ w,
  # Miscellaneous (to be abstracted)
  # Ideally these would use a child profile. They are all ELF executables
  # so running with 'Ux', while not ideal, is ok because we will at least
  # benefit from glibc's secure execute.
  /usr/bin/mkfifo Uxr, # investigate
  /bin/ps Uxr,
  /bin/uname Uxr,
  /usr/bin/lsb_release Cxr -> lsb_release,
  profile lsb_release {
    #include <abstractions/base>
    #include <abstractions/python>
    /usr/bin/lsb_release r,
    /bin/dash ixr,
    /usr/bin/dpkg-query ixr,
    /usr/include/python2.[4567]/pyconfig.h r,
    /etc/lsb-release r,
    /etc/debian_version r,
    /usr/share/distro-info/*.csv r,
    /var/lib/dpkg/** r,
    /usr/local/lib/python3.[0-6]/dist-packages/ r,
    /usr/bin/ r,
    /usr/bin/python3.[0-6] mr,
    # file_inherit
    deny /tmp/gtalkplugin.log w,
  }
  # Addons
  #include <abstractions/ubuntu-browsers.d/firefox>
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.firefox>
}
I tried to allow these ListNames methods myself, but I really don't know what I'm doing. I also tried running Firefox with aa-genprof, but I never saw these violations pop up while doing that.
Any ideas?
Answer 1
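One way to address the two kinds of denial shown in the warnings above, as an added example that is not from the question or from the stock Ubuntu profile: a site-local override in /etc/apparmor.d/local/usr.bin.firefox, which the profile's final #include already pulls in. The helper path is taken from the warnings; that these two rules are sufficient on this release is an assumption.

```apparmor
# Site-local override for the stock Firefox profile. It is pulled in by the
# "#include <local/usr.bin.firefox>" line at the end of the main profile,
# so /etc/apparmor.d/usr.bin.firefox itself stays untouched.
# Install as /etc/apparmor.d/local/usr.bin.firefox and reload with:
#   sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox
# Check the result in the kernel log: remaining denials appear as
#   apparmor="DENIED" ... profile="/usr/lib/firefox/firefox{,*[^s][^h]}"

# (1) "Unable to query dbus ... member=ListNames": the dbus-session-strict
#     abstraction only covers the calls needed to connect to the bus daemon.
#     Permit exactly the ListNames call on the daemon, nothing wider.
dbus (send)
     bus=session
     path=/org/freedesktop/DBus
     interface=org.freedesktop.DBus
     member=ListNames
     peer=(name=org.freedesktop.DBus),

# (2) "Cannot launch default application ... gio-launch-desktop (Permission
#     denied)": the main profile grants "/usr/** r" but no execute
#     permission, so GLib's helper that opens a download cannot be run.
#     "ix" keeps the helper, and whatever it execs, under this same profile:
#     the conservative choice, and it may still block the file manager it
#     launches. "Ux" would run it unconfined (the trade-off the main profile
#     already makes for ps and uname). Start with ix and widen only if the
#     kernel log shows it is too tight. The multiarch triplet in the path
#     differs on non-amd64 systems.
/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop ixr,
```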
Initially I answered this assuming there was no Downloads directory specification among your profile entries. I now see that you have one.
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/* rw,
I did notice that you don't provide for downloads in an abstraction. Try checking /etc/apparmor.d/abstractions for a user-download file and including it instead of the download-location entries. Try reassigning entries to coarser allowances (editing or attempting to create a profile benefits from a coarse start before specifying exact subdirectories, libraries, etc.).
I have also run into some of this strangeness running AppArmor. Unloaded profiles affecting applications, even after using teardown and restart to reload profiles now set to complain, continuing to affect applications (e.g. apt-get). Some applications have also proven difficult to profile despite allowing extremely coarse-grained access to whatever libraries etc. are needed, which still shows up as denials in the complain log.
Your example isn't encouraging.
I can't speak for the console denials; although I'm used to seeing some Gtk errors as standard, I think these errors shouldn't really exist (bad window messages); since I quite rightly block writes to dconf files, those always print as complaints if I bother to run from the terminal.
If you can, I'd also suggest checking the allowances in your profile against a running firejail profile. Firejail is more streamlined and coarse-grained than AppArmor, but my working firefox-portable profile contains no dbus allowances, so I was surprised to see it specified for the (admittedly different) installed application.
My current problem is apparently being unable to get Firefox to run extensions under an apparmor profile, and no amount of lsof, strace or profiling fixes it.
I'm on the verge of abandoning apparmor and just using SELinux, which is a simpler profile model. apparmor has hardly any genuinely working profiles, it doesn't even come bundled with operational profiles in Debian, and I also use the portable version of Firefox. Apparmor is very fine-grained and requires extensive knowledge of the application's system.