Hello Reiner,

On Thu, Jun 20, 2019 at 11:43 AM Reiner Herrmann <rei...@reiner-h.de> wrote:
> On Thu, Jun 20, 2019 at 09:30:59AM +0200, Giuseppe Bilotta wrote:
> > I came across this issue just now. This is an apparmor profile issue,
> > since by default it's configured to prevent access to local files except
> > for a small selection (it even fails to load the correct theme in my
> > case).
> >
> > A temporary workaround until this is fixed is to put apparmor in
> > complain mode for surf (`aa-complain /usr/bin/surf` as root should do
> > it).
>
> Local files are intentionally not allowed to be accessed by the browser,
> except those needed for it to work properly.

While I appreciate the intent behind this restriction (prevent the
usage of the browser as a remote attack vector), the downsides are too
vast. It effectively prevents the use of that browser to browse/view
local HTML files or SVG images, something which is actually pretty
common. It also prevents explicit (user-controlled) requests to access
local files, e.g. to upload them to a website (attachments to email
with webmail, custom images for forum profiles and whatnot).

I do not think the kind of security that this profile intends to
provide can actually be provided by AppArmor profiles, because they
get too restrictive; non-local access to local files is something that
the browser must protect against in its own code, because the choice
can only be made based on contextual information that is not available
to AppArmor.

> Which theme files does it fail to load?

Here's the full audit log with surf in complain mode when I launch it
from the command-line to view a local HTML file.

[  +0.000002] audit: type=1400 audit(1561092652.194:52): apparmor="ALLOWED" operation="open" profile="/usr/bin/surf" name="/usr/share/themes/Breeze/gtk-3.20/gtk.css" pid=19839 comm="surf" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  +0.113718] audit: type=1400 audit(1561092652.306:53): apparmor="ALLOWED" operation="open" profile="/usr/bin/surf" name="/home/user/.Fontmatrix/Activated/.uuid" pid=19839 comm="surf" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[  +0.000004] audit: type=1400 audit(1561092652.306:54): apparmor="ALLOWED" operation="open" profile="/usr/bin/surf" name="/home/user/.Fontmatrix/Activated/" pid=19839 comm="surf" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[  +0.166007] audit: type=1400 audit(1561092652.474:55): apparmor="ALLOWED" operation="open" profile="/usr/bin/surf" name="/usr/share/themes/Breeze/gtk-3.20/gtk.css" pid=19847 comm="WebKitWebProces" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  +0.049100] audit: type=1400 audit(1561092652.522:56): apparmor="ALLOWED" operation="open" profile="/usr/bin/surf" name="/home/user/.Fontmatrix/Activated/.uuid" pid=19847 comm="WebKitWebProces" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[  +0.000006] audit: type=1400 audit(1561092652.522:57): apparmor="ALLOWED" operation="open" profile="/usr/bin/surf" name="/home/user/.Fontmatrix/Activated/" pid=19847 comm="WebKitWebProces" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[  +0.043384] audit: type=1400 audit(1561092652.566:58): apparmor="ALLOWED" operation="open" profile="/usr/bin/surf" name="/home/user/path/file.html" pid=19848 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[  +0.023214] audit: type=1400 audit(1561092652.586:59): apparmor="ALLOWED" operation="open" profile="/usr/bin/surf" name="/home/user/path/file.css" pid=19848 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[  +0.000088] audit: type=1400 audit(1561092652.586:60): apparmor="ALLOWED" operation="open" profile="/usr/bin/surf" name="/home/user/path/otherfile.css" pid=19848 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[  +0.000457] audit: type=1400 audit(1561092652.590:61): apparmor="ALLOWED" operation="open" profile="/usr/bin/surf" name="/home/user/path/image.png" pid=19848 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000


(Sorry for the line wrap, this is being sent from gmail.)

-- 
Giuseppe "Oblomov" Bilotta
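The audit records quoted in this thread are what a profile author has to work from when deciding which paths to allow. The following Python script is an added example, not part of the mailing-list post or of the surf or AppArmor projects: it re-joins records that a mail client wrapped mid-line, parses the type=1400 key="value" fields, treats a record as "would be denied in enforce mode" whenever denied_mask is filled in (in complain mode the kernel logs apparmor="ALLOWED" but still reports the missing permission), and collapses the result into AppArmor-style path rules per profile, roughly what aa-logprof offers interactively. The sample log is constructed from the format above; the apparmor="DENIED" record and the home_accesses() helper are assumptions added to show the enforce-mode case and the point made in the message, that a path rule cannot tell a user-chosen file from a page-driven access.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the dmesg/audit lines quoted in this
# thread and wrapped mid-record the way a mail client wraps them.
# The apparmor="DENIED" record is made up to show enforce-mode output.
SAMPLE_LOG = """\
[  +0.000002] audit: type=1400 audit(1561092652.194:52):
apparmor="ALLOWED" operation="open" profile="/usr/bin/surf"
name="/usr/share/themes/Breeze/gtk-3.20/gtk.css" pid=19839 comm="surf"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  +0.113718] audit: type=1400 audit(1561092652.306:53):
apparmor="ALLOWED" operation="open" profile="/usr/bin/surf"
name="/home/user/.Fontmatrix/Activated/.uuid" pid=19839 comm="surf"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[  +0.043384] audit: type=1400 audit(1561092652.566:58):
apparmor="ALLOWED" operation="open" profile="/usr/bin/surf"
name="/home/user/path/file.html" pid=19848 comm="pool"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[  +0.000457] audit: type=1400 audit(1561092652.590:61):
apparmor="DENIED" operation="open" profile="/usr/bin/surf"
name="/home/user/path/notes.html" pid=19848 comm="pool"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# audit(<epoch seconds>:<serial>): followed by the key=value fields
AUDIT_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<fields>.*)$')
# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def unwrap(text):
    """Re-join records a mail client wrapped: a record starts at a line
    beginning with '[' (the dmesg timestamp); other lines continue it."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_audit_line(line):
    """Parse one type=1400 record into a dict; None if it is not one."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, raw, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if raw.startswith('"') else bare
    return rec


def would_be_denied(rec):
    """True if the profile lacks the requested permission. In complain
    mode the kernel still logs apparmor="ALLOWED" but fills denied_mask
    with what enforce mode would have refused, so both states count."""
    return rec.get("apparmor") in ("ALLOWED", "DENIED") and bool(rec.get("denied_mask"))


def suggest_rules(records):
    """Collapse would-be-denied file opens into AppArmor-style
    '/path mask,' lines per profile. Review each one by hand: the log
    shows which path a process opened, not whether the user asked for it."""
    perms = defaultdict(set)
    for rec in records:
        if rec and rec.get("operation") == "open" and would_be_denied(rec):
            perms[(rec["profile"], rec["name"])].update(rec["denied_mask"])
    rules = defaultdict(list)
    for (profile, name), mask in sorted(perms.items()):
        rules[profile].append(f"  {name} {''.join(sorted(mask))},")
    return dict(rules)


def home_accesses(records, home="/home/"):
    """Hypothetical helper: paths under home that the profile would block,
    with the thread name (comm) that opened them. The record carries no
    hint of whether the user chose the file or a page requested it."""
    return sorted({(rec["name"], rec["comm"]) for rec in records
                   if rec and would_be_denied(rec) and rec["name"].startswith(home)})


if __name__ == "__main__":
    recs = [parse_audit_line(r) for r in unwrap(SAMPLE_LOG)]
    for profile, lines in suggest_rules(recs).items():
        print(f"{profile} {{")
        print("\n".join(lines))
        print("}")
    for name, comm in home_accesses(recs):
        print(f"{comm}: {name}")
```

Feed it `dmesg` or `journalctl -k` output filtered to `apparmor=` lines and it prints one rule block per profile; anything it suggests under the user's home is exactly the class of access the message above argues a static path rule cannot adjudicate.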