
Thread: Why isn't apparmor firefox profile enabled by default?

  1. #11
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Why isn't apparmor firefox profile enabled by default?

    If it is working I would use the default profile for firefox.

    I would encourage people to at least install and enable apparmor:

    Code:
    sudo apt-get install apparmor-profiles
    sudo aa-enforce /etc/apparmor.d/*

    If you wish to investigate and learn apparmor beyond that, more power to you.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  2. #12
    Join Date
    Mar 2010
    Location
    /home
    Beans
    9,416
    Distro
    Xubuntu

    Re: Why isn't apparmor firefox profile enabled by default?

    Thanks! I think I may give it a try and see what happens. When I installed 9.10 I saw that AppArmor is installed and 10 profiles are enabled with default settings (I assume this is normal?).
    Anyway, I will continue reading and trying to learn.

  3. #13
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Why isn't apparmor firefox profile enabled by default?

    Quote Originally Posted by Rubi1200 View Post
    Thanks for replying. Do you recommend using the default profile? In your AppArmor sticky you say that you want to encourage people to use AppArmor. But I am a bit confused as to whether or not I really need it.
    Thanks in advance.

    TBH, you probably don't need it, especially if you keep Firefox up to date. However, it can be a good learning experience and a nice introduction into the world of Mandatory Access Controls. It will prepare you for really complicated systems like SELinux (which make AppArmor look like a freshman CS project). However, being simple is probably the greatest strength of AA.

  4. #14
    Join Date
    Mar 2010
    Location
    /home
    Beans
    9,416
    Distro
    Xubuntu

    Re: Why isn't apparmor firefox profile enabled by default?

    I do keep Firefox updated as well as watching where I go on the web, but I am interested in Linux security. I have not enabled the profile yet because I am still reading about AppArmor and what it is all about. Do you think the average Ubuntu user should be using profiles like this or just stick with the default installation?
    There seems to be a ton of information on the web, mostly dealing with security in Linux. On the one hand, I am fascinated by the subject, but I also realize how easy it would be to mess up my install. On the other hand, curiosity...
    Thanks.

  5. #15
    Join Date
    Aug 2008
    Location
    Brazil
    Beans
    12,497
    Distro
    Ubuntu Studio 12.04 Precise Pangolin

    Re: Why isn't apparmor firefox profile enabled by default?

    Quote Originally Posted by Rubi1200 View Post
    I do keep Firefox updated as well as watching where I go on the web, but I am interested in Linux security. I have not enabled the profile yet because I am still reading about AppArmor and what it is all about. Do you think the average Ubuntu user should be using profiles like this or just stick with the default installation?
    There seems to be a ton of information on the web, mostly dealing with security in Linux. On the one hand, I am fascinated by the subject, but I also realize how easy it would be to mess up my install. On the other hand, curiosity...
    Thanks.

    Only you can decide what is good for you. I don't use AppArmor for Firefox because it gave me too many warnings I couldn't understand. Besides, I upgrade every six months with a clean install, keep everything up-to-date and use these security extensions. Never had a problem. But that's me. I'm willing to sacrifice "a bit" of security to gain convenience. If you use AppArmor you will be certainly better protected.

  6. #16
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Why isn't apparmor firefox profile enabled by default?

    Quote Originally Posted by Rubi1200 View Post
    I do keep Firefox updated as well as watching where I go on the web, but I am interested in Linux security. I have not enabled the profile yet because I am still reading about AppArmor and what it is all about. Do you think the average Ubuntu user should be using profiles like this or just stick with the default installation?
    There seems to be a ton of information on the web, mostly dealing with security in Linux. On the one hand, I am fascinated by the subject, but I also realize how easy it would be to mess up my install. On the other hand, curiosity...
    Thanks.

    Go ahead and enable it and play around with it. If it gives you problems, just disable it again (or put it in complain mode). It won't break your system.

  7. #17
    Join Date
    Mar 2010
    Location
    /home
    Beans
    9,416
    Distro
    Xubuntu

    Re: Why isn't apparmor firefox profile enabled by default?

    Thanks rookcifer and lovinglinux, I appreciate the feedback. I think I will try it out after reading a bit more first. Security is something I take seriously and AppArmor seems to be a tool at the forefront of Linux security. Additionally, the default install of Karmic already came with 10 profiles enabled and since it is easy to turn off again, I see no reason not to add this extra layer of security to the install.
    Thanks again to you both.

  8. #18
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Why isn't apparmor firefox profile enabled by default?

    IMO, apparmor, and similar tools, are not in common use because people have been secure enough without these tools enabled. Linux is very secure by default and although you can find examples of compromised systems, such events are very rare, so people do not feel the need to learn / use apparmor.

    Not to single anyone out, but if lovinglinux found s/he was compromised by his or her firefox practices, I would imagine the interest in learning apparmor would increase rapidly.

    lovinglinux: If you need help with apparmor, ask in a support thread. I would imagine you could lock down firefox in short order (because you already understand much more than the average user about how firefox works).

    If there comes a time when linux exploits become more commonplace, tools such as apparmor will be more and more popular.

    As they become more popular they will become more usable (default profiles available for all network aware applications, gui tools, etc).

    IMO apparmor makes sense, it does take a few hours to learn, but, really, once you learn to use it you can write and customize profiles in a few minutes.

    Firefox is not a good one to start with as firefox is a large application and interacts with many system files. In addition there are hundreds if not thousands of user customizations so a default profile that works for everyone is difficult.

    Start small, say something like privoxy or the gnome weather applet.

    Tools such as apparmor and selinux are more of a consideration on servers.

    SELinux is a bit more mature and more complex, but there are better tools to manage selinux and the documentation is better. I have been using both selinux and apparmor for some time and can write a policy or profile for many applications within what I consider a reasonable time frame.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  9. #19
    Join Date
    Aug 2008
    Location
    Brazil
    Beans
    12,497
    Distro
    Ubuntu Studio 12.04 Precise Pangolin

    Re: Why isn't apparmor firefox profile enabled by default?

    Quote Originally Posted by bodhi.zazen View Post
    lovinglinux: If you need help with apparmor, ask in a support thread. I would imagine you could lock down firefox in short order (because you already understand much more than the average user about how firefox works).

    Thanks, but I'm doing a lot of FF development recently and most of the time I need full access for testing and debugging. So probably it would be disabled 99% of the time anyway. I'm already going crazy trying to figure out why the new version of one of my extensions is not working on a VM, while it works perfectly on my machine.

    BTW I'm a "he"

  10. #20
    Join Date
    May 2009
    Beans
    27
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: Why isn't apparmor firefox profile enabled by default?

    Quote Originally Posted by Rubi1200 View Post
    Secondly, I don't understand what the default profile is doing; a brief explanation about what it protects/prevents would be nice.

    Well, if Firefox is exploited, someone may want to read the password files on the system using a Firefox exploit in attempts to crack them and gain access to your system. Skype for instance does this by default; the Skype software is programmed to probe all of the sensitive areas on your system. However, I found that the apparmor extra profile that is supposed to keep Skype in line renders the current version of Skype unusable. Looks like I will have to actually make my own profile. In short, the Firefox profile puts restrictions on what Firefox can do. I am not sure of the exact details yet since I haven't got too deep into apparmor yet. I heard through the grapevine that Canonical intends to abandon apparmor for selinux. Not sure if I should be spending a lot of time on learning apparmor.
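
The events a profile logs show what it is restricting, which is the question the last post takes up. This added example (not part of the thread and not AppArmor's own tooling) tallies `apparmor="DENIED"` and `apparmor="ALLOWED"` audit events read from standard input; the sample log lines, the profile paths in them and the function names `sample_log` and `summarize_apparmor` are constructed for illustration.

```shell
#!/bin/sh
# Added example: count AppArmor audit events by verdict, profile, operation,
# denied access mask and target.
#   apparmor="DENIED"  - blocked by a profile in enforce mode
#   apparmor="ALLOWED" - logged but permitted by a profile in complain mode

# Constructed sample log lines (not taken from a real system).
sample_log() {
cat <<'EOF'
Mar 19 10:01:02 host kernel: [  100.10] type=1400 audit(1268992862.101:21): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/etc/shadow" pid=2101 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 19 10:01:05 host kernel: [  103.42] type=1400 audit(1268992865.417:22): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/etc/shadow" pid=2101 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 19 10:02:11 host kernel: [  169.77] type=1400 audit(1268992931.770:23): apparmor="DENIED" operation="capable" profile="/usr/lib/firefox/firefox" pid=2101 comm="firefox" capability=19 capname="sys_ptrace"
Mar 19 10:03:40 host kernel: [  258.03] type=1400 audit(1268993020.031:24): apparmor="ALLOWED" operation="open" profile="/usr/sbin/privoxy" name="/etc/privoxy/user.action" pid=1720 comm="privoxy" requested_mask="r" denied_mask="r" fsuid=104 ouid=0
Mar 19 10:04:00 host kernel: [  278.00] usb 1-1: new high speed USB device using ehci_hcd and address 3
EOF
}

# Read log text on stdin; print "<count> <verdict> <profile> <operation> <mask> <target>".
summarize_apparmor() {
  awk '
    # Return the quoted value of key="..." on the current line, or "-" if absent.
    function field(key,    s) {
      if (!match($0, " " key "=\"[^\"]*\"")) return "-"
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s)   # drop everything up to the opening quote
      sub(/"$/, "", s)        # drop the closing quote
      return s
    }
    /apparmor="(DENIED|ALLOWED)"/ {
      target = field("name")
      if (target == "-") target = field("capname")   # capability events carry no path
      key = field("apparmor") " " field("profile") " " field("operation") " " field("denied_mask") " " target
      count[key]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort
}

# Run on the constructed sample when executed directly.
sample_log | summarize_apparmor
```

On a live system the same function can be fed the kernel log, for example `dmesg | summarize_apparmor`; which log file receives these events depends on whether auditd is installed, so that choice is an assumption left to the reader.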
