Merge lp://qastaging/~jdstrand/firefox/firefox-3.5-apparmor into lp://qastaging/firefox/3.5

Proposed by Jamie Strandboge
Status: Merged
Merge reported by: Jamie Strandboge
Merged at revision: not available
Proposed branch: lp://qastaging/~jdstrand/firefox/firefox-3.5-apparmor
Merge into: lp://qastaging/firefox/3.5
Diff against target: None lines
To merge this branch: bzr merge lp://qastaging/~jdstrand/firefox/firefox-3.5-apparmor

This proposal supersedes a proposal from 2009-08-13.

Alexander Sack (asac) wrote : Posted in a previous version of this proposal

Seems you forgot to add the profile itself? While at it, consider using the same changelog format as we usually do.

review: Needs Resubmitting
Jamie Strandboge (jdstrand) wrote : Posted in a previous version of this proposal

Files added and changelog updated.

460. By Jamie Strandboge

fix typo in changelog

Preview Diff

1=== added file 'debian/README.Debian.in'
2--- debian/README.Debian.in 1970-01-01 00:00:00 +0000
3+++ debian/README.Debian.in 2009-09-02 14:55:19 +0000
4@@ -0,0 +1,11 @@
5+Apparmor Profile
6+----------------
7+If your system uses AppArmor, please note that the shipped profile is disabled
8+by default. The profile can be enabled by performing:
9+
10+$ sudo aa-enforce /etc/apparmor.d/usr.bin.@APPNAME@
11+
12+This profile should work without modification for most plugins available in
13+Ubuntu, but may require adjusting for your environment. Please see
14+https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
15+software.
16
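Review bot: the README says `aa-enforce` enables the profile, but "disabled by default" is implemented elsewhere in this diff as a symlink in /etc/apparmor.d/disable (see the preinst); confirm that the apparmor-utils version this targets removes that link when `aa-enforce` is run, otherwise the user ends up with the profile loaded now but disabled again at the next boot, and the README should tell them to remove the link explicitly. A one-line mention of how to go back (`aa-disable` or recreating the link) would round out the note.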
17=== modified file 'debian/apport/firefox-3.5.py'
18--- debian/apport/firefox-3.5.py 2009-08-08 14:58:53 +0000
19+++ debian/apport/firefox-3.5.py 2009-09-02 14:55:19 +0000
20@@ -84,6 +84,37 @@
21 summary += '''\n'''
22 return summary
23
24+def recent_kernlog(pattern):
25+ '''Extract recent messages from kern.log or message which match a regex.
26+ pattern should be a "re" object. '''
27+ lines = ''
28+ if os.path.exists('/var/log/kern.log'):
29+ file = '/var/log/kern.log'
30+ elif os.path.exists('/var/log/messages'):
31+ file = '/var/log/messages'
32+ else:
33+ return lines
34+
35+ for line in open(file):
36+ if pattern.search(line):
37+ lines += line
38+ return lines
39+
40+def recent_auditlog(pattern):
41+ '''Extract recent messages from kern.log or message which match a regex.
42+ pattern should be a "re" object. '''
43+ lines = ''
44+ if os.path.exists('/var/log/audit/audit.log'):
45+ file = '/var/log/audit/audit.log'
46+ else:
47+ return lines
48+
49+ for line in open(file):
50+ if pattern.search(line):
51+ lines += line
52+ return lines
53+
54+
55 def add_info(report):
56 '''adds hooked infor into the apport report.'''
57 config_dir = os.path.join(os.environ['HOME'], '.mozilla', 'firefox')
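Review bot: the docstring of `recent_auditlog` (line `41+`) was copied from `recent_kernlog` and still says "kern.log or message"; it reads /var/log/audit/audit.log. Both helpers also read the entire file despite the name "recent", never close the file handle, and shadow the builtin `file` with a local variable; reading in a `with` block with the variable renamed to `path`, and capping the number of matching lines kept, would keep a large audit.log from bloating the report. Since `open()` is called without a `try`, an unreadable audit.log (the comment at `83+` notes it needs root) would raise and abort the whole hook rather than just leaving `AuditLog` empty.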
58@@ -136,6 +167,30 @@
59 print >> wbuffer, extension_summary
60 wbuffer.seek(0)
61 report['ExtensionSummary'] = wbuffer.read()
62+
63+ # Get apparmor stuff if the profile isn't disabled. copied from
64+ # source_apparmor.py until apport runs hooks via attach_related_packages
65+ apparmor_disable_dir = "/etc/apparmor.d/disable"
66+ add_apparmor = True
67+ if os.path.isdir(apparmor_disable_dir):
68+ for f in os.listdir(apparmor_disable_dir):
69+ if f.startswith("usr.bin.firefox"):
70+ add_apparmor = False
71+ break
72+ if add_apparmor:
73+ attach_related_packages(report, ['apparmor', 'libapparmor1',
74+ 'libapparmor-perl', 'apparmor-utils', 'auditd', 'libaudit0'])
75+
76+ attach_file(report, '/proc/version_signature', 'ProcVersionSignature')
77+ attach_file(report, '/proc/cmdline', 'ProcCmdline')
78+
79+ sec_re = re.compile('audit\(|apparmor|selinux|security', re.IGNORECASE)
80+ report['KernLog'] = recent_kernlog(sec_re)
81+
82+ if os.path.exists("/var/log/audit"):
83+ # this needs to be run as root
84+ report['AuditLog'] = recent_auditlog(sec_re)
85+
86 # debug (comment on production)
87 # return report
88
89
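Review bot: the disable check `f.startswith("usr.bin.firefox")` at `69+` is broader than the profile this package installs (`usr.bin.$(DEBIAN_NAME)` per debian/rules, i.e. usr.bin.firefox-3.5), so a disable link for a different firefox package would suppress the AppArmor data for this one; compare against the exact profile name instead. Minor: `re.compile('audit\(|apparmor|selinux|security', ...)` is clearer as a raw string (`r'audit\(|...'`), and this hunk depends on `re`, `attach_file` and `attach_related_packages` being imported, which the visible context does not show.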
90=== modified file 'debian/changelog'
91--- debian/changelog 2009-08-10 15:06:32 +0000
92+++ debian/changelog 2009-09-02 14:55:19 +0000
93@@ -1,3 +1,21 @@
94+firefox-3.5 (3.5.2+nobinonly-0ubuntu3) UNRELEASED; urgency=low
95+
96+ [ Jamie Strandboge <jamie@ubuntu.com ]
97+ * add AppArmor profile (disabled by default) (LP: #382917)
98+ - debian/firefox-3.5.dirs: add etc/apparmor.d/disable
99+ - add debian/firefox-3.5.preinst.in: disable the profile on new installs
100+ and upgrades to this version
101+ - debian/firefox-3.5.postinst.in: reload profile
102+ - add debian/firefox-3.5.postrm.in: cleanup force-complain and disable
103+ directories
104+ - add debian/usr.bin.firefox.apparmor.in
105+ - debian/rules: install profile
106+ - add debian/README.Debian.in with note about AppArmor
107+ - debian/apport/firefox-3.5.py: add AppArmor information if the profile is
108+ not disabled
109+
110+ -- Jamie Strandboge <jamie@ubuntu.com> Thu, 13 Aug 2009 09:09:36 -0500
111+
112 firefox-3.5 (3.5.2+nobinonly-0ubuntu2) karmic; urgency=low
113
114 Firefox 3.5 by default upload
115
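Review bot: the attribution line `[ Jamie Strandboge <jamie@ubuntu.com ]` at `96+` is missing the closing `>` on the e-mail address.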
116=== modified file 'debian/firefox-3.5.dirs'
117--- debian/firefox-3.5.dirs 2009-03-18 01:10:51 +0000
118+++ debian/firefox-3.5.dirs 2009-08-13 16:15:27 +0000
119@@ -1,3 +1,4 @@
120+etc/apparmor.d/disable
121 usr/lib/firefox-addons/extensions
122 usr/lib/firefox-addons/plugins
123 usr/lib/firefox-addons/searchplugins
124
125=== modified file 'debian/firefox-3.5.postinst.in'
126--- debian/firefox-3.5.postinst.in 2009-07-18 18:30:27 +0000
127+++ debian/firefox-3.5.postinst.in 2009-09-02 14:55:19 +0000
128@@ -10,6 +10,12 @@
129 update-alternatives --install /usr/bin/x-www-browser \
130 x-www-browser /usr/bin/$APPNAME 40
131 touch $LIBDIR/.autoreg
132+
133+ # Reload AppArmor profile
134+ APP_PROFILE="/etc/apparmor.d/usr.bin.$APPNAME"
135+ if [ -f "$APP_PROFILE" ] && aa-status --enabled 2>/dev/null; then
136+ apparmor_parser -r "$APP_PROFILE" || true
137+ fi
138 fi
139
140 echo "Please restart all running instances of $APPNAME, or you will experience problems."
141
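Review bot: the reload at `136+` does not check for the disable link that the preinst creates. `apparmor_parser -r` with an explicit path loads the profile into the kernel regardless of /etc/apparmor.d/disable (that directory is only honoured by the init script), so on a fresh install the profile ends up enforced until the next reboot even though the README says it is disabled by default. Guard the reload with `[ ! -e /etc/apparmor.d/disable/usr.bin.$APPNAME ]`.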
142=== added file 'debian/firefox-3.5.postrm.in'
143--- debian/firefox-3.5.postrm.in 1970-01-01 00:00:00 +0000
144+++ debian/firefox-3.5.postrm.in 2009-09-02 14:55:19 +0000
145@@ -0,0 +1,9 @@
146+#!/bin/sh
147+
148+set -e
149+
150+if [ "$1" = "purge" ]; then
151+ APP_PROFILE="usr.bin.@APPNAME@"
152+ rm -f /etc/apparmor.d/force-complain/$APP_PROFILE >/dev/null 2>&1 || true
153+ rm -f /etc/apparmor.d/disable/$APP_PROFILE >/dev/null 2>&1 || true
154+fi
155
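Review bot: on plain removal (`$1` = remove) nothing unloads the profile from the running kernel, so a loaded profile stays in place until reboot while the package it confines is gone; consider `apparmor_parser -R "$APP_CONFFILE"` when `aa-status --enabled` succeeds, mirroring the postinst. The script also carries no `#DEBHELPER#` token, so check that any snippets debhelper generates for this package's postrm still end up in it.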
156=== added file 'debian/firefox-3.5.preinst.in'
157--- debian/firefox-3.5.preinst.in 1970-01-01 00:00:00 +0000
158+++ debian/firefox-3.5.preinst.in 2009-09-02 14:55:19 +0000
159@@ -0,0 +1,18 @@
160+#!/bin/sh
161+
162+set -e
163+
164+APP_PROFILE="usr.bin.@APPNAME@"
165+APP_CONFFILE="/etc/apparmor.d/$APP_PROFILE"
166+APP_DISABLE="/etc/apparmor.d/disable/$APP_PROFILE"
167+if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then
168+ # Disable AppArmor profile on install or upgrade from earlier than when we
169+ # first shipped the profile if the user does not already have a profile
170+ # defined
171+ if dpkg --compare-versions "$2" lt 3.5.2+nobinonly-0ubuntu3 ; then
172+ if [ ! -e "$APP_CONFFILE" ]; then
173+ ln -sf $APP_CONFFILE $APP_DISABLE
174+ fi
175+ fi
176+fi
177+
178
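Review bot: `ln -sf $APP_CONFFILE $APP_DISABLE` at `173+` requires /etc/apparmor.d/disable to exist, but preinst runs before the package is unpacked, and that directory is only created by this package's .dirs file (and nothing visible here guarantees apparmor is installed); with `set -e` the failed `ln` aborts the install or upgrade. Create the directory first (`mkdir -p /etc/apparmor.d/disable`) and quote both variables. The fresh-install path also relies on `dpkg --compare-versions "" lt ...` treating an empty `$2` as older, which is correct but worth a comment.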
179=== modified file 'debian/rules'
180--- debian/rules 2009-08-10 15:05:32 +0000
181+++ debian/rules 2009-09-02 14:55:19 +0000
182@@ -147,6 +147,10 @@
183 subst_files = \
184 debian/$(DEBIAN_NAME)-gnome-support.postinst \
185 debian/$(DEBIAN_NAME).postinst \
186+ debian/$(DEBIAN_NAME).postrm \
187+ debian/$(DEBIAN_NAME).preinst \
188+ debian/usr.bin.firefox.apparmor \
189+ debian/README.Debian \
190 debian/firefox.sh \
191 $(NULL)
192
193@@ -220,6 +224,7 @@
194 dh_link usr/share/myspell/dicts $(DEBIAN_FF3_DIR)/dictionaries
195 rm -f debian/$(DEBIAN_NAME)/$(DEBIAN_FF3_DIR)/chrome/browser-branding*
196 dh_install debian/distribution.ini $(DEBIAN_FF3_DIR)/distribution/
197+ cp debian/usr.bin.firefox.apparmor debian/$(DEBIAN_NAME)/etc/apparmor.d/usr.bin.$(DEBIAN_NAME)
198
199 binary-install/$(DEBIAN_NAME_OTHER)-branding::
200 dh_install -p$(DEBIAN_NAME_OTHER)-branding \
201
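Review bot: the profile is installed as `usr.bin.$(DEBIAN_NAME)` here, while the postinst reloads `usr.bin.$APPNAME`, the preinst/postrm/README use `usr.bin.@APPNAME@`, and the apport hook matches on the prefix `usr.bin.firefox`; these only refer to the same file if APPNAME and DEBIAN_NAME are identical, which the diff does not show. Confirm that, or derive all of them from a single variable.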
202=== added file 'debian/usr.bin.firefox.apparmor.in'
203--- debian/usr.bin.firefox.apparmor.in 1970-01-01 00:00:00 +0000
204+++ debian/usr.bin.firefox.apparmor.in 2009-09-02 14:55:19 +0000
205@@ -0,0 +1,162 @@
206+# vim:syntax=apparmor
207+# Last Modified: Tue Jun 9 07:32:13 2009
208+# Author: Jamie Strandboge <jamie@canonical.com>
209+
210+#include <tunables/global>
211+
212+/usr/lib/@APPNAME@.*/firefox {
213+ #include <abstractions/audio>
214+ #include <abstractions/base>
215+ #include <abstractions/cups-client>
216+ #include <abstractions/dbus>
217+ #include <abstractions/fonts>
218+ #include <abstractions/freedesktop.org>
219+ #include <abstractions/gnome>
220+ #include <abstractions/nameservice>
221+ #include <abstractions/user-tmp>
222+ #include <abstractions/X>
223+
224+ # for networking
225+ network inet stream,
226+ network inet6 stream,
227+ @{PROC}/[0-9]*/net/if_inet6 r,
228+ @{PROC}/[0-9]*/net/ipv6_route r,
229+
230+ # sounds
231+ /etc/sound/ r,
232+ /etc/sound/** r,
233+ /etc/wildmidi/wildmidi.cfg r,
234+
235+ # should maybe be in abstractions
236+ /etc/ r,
237+ /etc/gnome/defaults.list r,
238+ /etc/mime.types r,
239+ /etc/mailcap r,
240+ /usr/bin/dbus-launch ixr,
241+
242+ # firefox specific
243+ /etc/firefox-3.*/ r,
244+ /etc/firefox-3.*/** r,
245+ /etc/xulrunner-1.9*/ r,
246+ /etc/xulrunner-1.9*/** r,
247+ /etc/gre.d/ r,
248+ /etc/gre.d/* r,
249+
250+ # noisy
251+ deny /usr/lib/firefox-3.*/** w,
252+ deny /usr/lib/firefox-addons/** w,
253+ deny /usr/lib/xulrunner-addons/** w,
254+
255+ # These are needed when a new user starts firefox and firefox.sh is used
256+ /usr/lib/firefox-3.*/** ixr,
257+ /usr/bin/basename ixr,
258+ /sbin/killall5 ixr,
259+ /bin/which ixr,
260+ @{PROC}/ r,
261+ @{PROC}/[0-9]*/cmdline r,
262+ @{PROC}/[0-9]*/stat r,
263+ @{PROC}/[0-9]*/status r,
264+ @{PROC}/filesystems r,
265+ capability sys_ptrace,
266+
267+ /etc/mtab r,
268+ @{PROC}/[0-9]*/mounts r,
269+ @{PROC}/[0-9]*/maps r,
270+
271+ # allow access to documentation and other files the user may want to look
272+ # at in /usr
273+ /usr/ r,
274+ /usr/** r,
275+
276+ # so browsing directories works
277+ / r,
278+ /**/ r,
279+
280+ # allow read and write to all user's files, except explicitly denied ones
281+ @{HOME}/ r,
282+ @{HOME}/** rw,
283+ @{HOME}/Desktop/** rw,
284+ @{HOME}/Firefox_wallpaper* rw,
285+
286+ #include <abstractions/private-files>
287+ audit deny @{HOME}/.ssh/** mrwkl,
288+ audit deny @{HOME}/.gnome2_private/** mrwkl,
289+
290+ # comment this out if using gpg plugin/addons
291+ audit deny @{HOME}/.gnupg/** mrwkl,
292+
293+ # per-user firefox configuration
294+ @{HOME}/.mozilla/ rw,
295+ @{HOME}/.mozilla/** rw,
296+ @{HOME}/.mozilla/**/*.sqlite k,
297+ @{HOME}/.mozilla/**/.parentlock k,
298+
299+ # per-user common plugin configuration
300+ @{HOME}/.icedteaplugin/ rw,
301+ @{HOME}/.icedteaplugin/** rw,
302+ @{HOME}/.adobe/ rw,
303+ @{HOME}/.adobe/** rw,
304+ @{HOME}/.macromedia/ rw,
305+ @{HOME}/.macromedia/** rw,
306+ @{HOME}/.java/ rw,
307+ @{HOME}/.java/** rwk,
308+
309+ #
310+ # Plugins/helpers
311+ #
312+ @{PROC}/[0-9]*/fd/ r,
313+ /usr/lib/** rm,
314+ /bin/bash ixr,
315+ /bin/dash ixr,
316+ /bin/grep ixr,
317+ /bin/ps Uxr,
318+ /bin/uname Uxr,
319+ /usr/bin/m4 ixr,
320+ /usr/lib/nspluginwrapper/i386/linux/npviewer Uxr,
321+ /var/lib/ r,
322+ /var/lib/** mr,
323+ # noisy
324+ deny /usr/share/mozilla/extensions/**/ w,
325+ deny /usr/lib/mozilla/extensions/**/ w,
326+ deny /usr/lib/firefox-3.*/update.test w,
327+
328+ # for maximum plugin/helper compatibility
329+ #/usr/bin/* Uxr,
330+ #/usr/lib/*/** ixr,
331+
332+ #
333+ # For stricter access, comment out the 'maximum plugin/helper compatibility'
334+ # lines above and uncomment these
335+ #
336+
337+ # evince has its own profile, so change to it
338+ /usr/bin/evince PUxr,
339+
340+ # miscellaneous
341+ #/usr/bin/eog Uxr,
342+ /usr/bin/gedit Uxr,
343+ /usr/bin/gimp* Uxr,
344+ /usr/bin/file-roller Uxr,
345+ /usr/bin/ooffice Uxr,
346+ /usr/bin/oocalc Uxr,
347+ /usr/bin/oodraw Uxr,
348+ /usr/bin/ooimpress Uxr,
349+ /usr/bin/oowriter Uxr,
350+
351+ # totem
352+ /usr/lib/totem/** ixr,
353+ /usr/bin/totem-gstreamer Uxr,
354+ /usr/bin/totem-xine Uxr,
355+ /usr/bin/totem Uxr,
356+
357+ # mozplugger
358+ /etc/mozpluggerrc r,
359+ /usr/bin/mozplugger-helper Uxr,
360+ /usr/bin/mplayer Uxr,
361+
362+ # java
363+ /usr/lib/jvm/java-6-openjdk/jre/bin/java Uxr,
364+ /etc/java-*-sun/** r,
365+ /usr/lib/jvm/java-*-sun-1.*/jre/bin/java Uxr,
366+
367+}
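Review bot: `/bin/ps Uxr` and `/bin/uname Uxr` at `317+` and `318+` execute those helpers unconfined although they need nothing beyond what the profile already grants (the @{PROC} reads for ps are listed above); `ixr`, as used for `killall5`, keeps them inside the profile. The comment block at `333+`/`334+` is stale: the "maximum plugin/helper compatibility" lines are already commented out and the rules that follow it are already active, so the instruction inverts the current state. The hard-coded `/usr/lib/jvm/java-6-openjdk/jre/bin/java` at `363+` will silently stop matching on the next OpenJDK version bump; a glob like the sun rule two lines below is more robust. Finally, `@{HOME}/** rw` plus `/usr/lib/** rm` and `capability sys_ptrace` make this a deliberately loose profile; the `audit deny` rules for .ssh, .gnupg and .gnome2_private do take precedence over the broad allow regardless of order, but a comment saying so would save the next reader from wondering.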
