Thank you for using Ubuntu and filing a bug! While /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files is shipped by apparmor, it is actually /etc/apparmor.d/abstractions/ubuntu-browsers.d/firefox that #include's it, and this file is managed by the firefox package, so moving this bug there.
As for what the profile is intended to protect against and why it works the way it does, please see https://wiki.ubuntu.com/SecurityTeam/FAQ#Firefox_AppArmor_profile

This issue was discussed on IRC with the reporter. Here is the summary:

- the firefox profile is disabled by default
- the firefox profile aims for 'usable security' such that if the profile is enabled, the browser is expected to generally work in the manner that people would expect
- the firefox profile can be adjusted to remove the user-files abstraction either by editing /etc/apparmor.d/abstractions/ubuntu-browsers.d/firefox or using 'aa-update-browser'

In Ubuntu, we aim for 'usable security' because we don't want people to turn AppArmor off. The intent of the profile is that when enabled, people get some protections (eg, code execution) but can access their files using normal browser workflows. Security-minded individuals can then fine-tune the profile to make it more strict. Vlad made the point that if the profile is turned off by default, then it can be made very strict with people adding to the profile what they want. As such, adjusting the bug description and marking as Wishlist.

Note: IMHO snaps will be the way forward with browsers. Upstream is committing to shipping firefox as a snap and that snap will have stricter confinement than the AppArmor profile in the firefox package of Ubuntu currently (eg, stricter AppArmor policy, seccomp, etc). Of course, Mozilla will also want usable security and they will use the transitional 'home' interface which grants access to files in a similar fashion as the 'user-files' abstraction, but security-minded individuals can use 'snap disconnect firefox:home' to further restrict it.
The long term goal is that the snap will be used on Ubuntu Personal or other distributions and use mir or wayland instead of X and with file choosers that understand the sandbox limitations and work with the OS to avoid using the transitional 'home' interface to provide a very secure usable browsing experience.

** Package changed: apparmor (Ubuntu) => firefox (Ubuntu)

** Changed in: firefox (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: firefox (Ubuntu)
       Status: New => Triaged

** Summary changed:

- AppArmor profile for ubuntu-browsers allows too much read access
+ since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1662501

Title:
  since the apparmor profile is disabled by default, please make the apparmor policy strict with option to make less strict

Status in firefox package in Ubuntu:
  Triaged

Bug description:
  The default Firefox AppArmor profile (package: firefox) allows read access to all files in the system:

    # in /etc/apparmor.d/usr.bin.firefox:
    /**/ r

  This allows browsing all directory contents on the system which violates the Least Privilege Principle and allows malware to explore what's on the system (even though there are additional deny rules that protect most sensitive files, a default read all is still unacceptable).

  In addition (package: apparmor):

    # in /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:
    @{HOME}/** r,
    owner @{HOME}/** w,

  Which allows read/write to ALL USER FILES, and read to ALL OTHER USER FILES because default chmod on user dirs is o+rx. Granted, access to ~/.ssh is explicitly denied, but there are things like documents and other user files that should NOT be readable to Firefox at all. This is, IMHO, a vulnerability. The profile should allow read/write ONLY to dirs like ~/Downloads or ~/Public.

  In addition, the above two lines that allow unconfined rw access to HOME/** should be commented out and explained what it means to enable them if the user really wants that kind of convenience.

  Modern malware is not just about code execution and modifying local or system files. Modern malware is also very much so about data and identity theft, against which the current default AppArmor profile does NOT protect. Take for example password managers like KeePassX. The default profile on ubuntu-browsers would allow unfettered access to the very much sensitive passwords database. Sure, users can override and expand the profile with their local modifications, but this "vulnerability" is not documented or communicated to users and gives a false sense of security ("Oh, I have AppArmor profile on Firefox, I'm safe").

  Unfortunately, proper security is not in the domain of casual computer usage and I understand that Ubuntu has to balance between convenience and security, but IMHO it is possible to make this more secure AND at the same time inform the user where to DISABLE (rather than enable) those stricter rules. If Ubuntu is not willing to sacrifice the convenience for PROPER security (shame on Ubuntu if that's the case), then AT THE VERY LEAST the user should be informed that the default AppArmor profile, when they install a browser, is biased toward convenience and users SHOULD take additional actions to protect themselves.

  I'm sure this all applies to more than just the browsers, but browsers are my primary concern here, which are the most vulnerable component in a modern system.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1662501/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
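The thread above turns on two kinds of AppArmor rule: tree-wide grants such as `/**/ r` and `@{HOME}/** r,` that the reporter objects to, and the narrower per-directory grants (for example ~/Downloads or ~/Public) the reporter would accept. The following script is an added example, not code from the bug thread, from the apparmor package or from the firefox package: it parses a profile fragment with a deliberately simplified rule grammar (one `path perms,` rule per line, optional `deny`/`owner` qualifiers, `#` comments) and reports allow rules whose path is an entire tree rooted at `/` or `@{HOME}/`. The two profile texts it audits are constructed to mirror the lines quoted in the report; the file names and the `is_tree_wide` heuristic are this example's own assumptions, and it does not attempt the full AppArmor policy language (quoted paths, variables other than `@{HOME}`, rule prefixes such as `audit`).

```python
"""Flag tree-wide read/write grants in AppArmor profile fragments.

Added example for auditing abstractions like ubuntu-browsers.d/user-files;
the rule grammar here is a deliberate simplification of AppArmor policy.
"""
import re
from dataclasses import dataclass

# One simplified rule per line: [deny] [owner] <path> <perms>[,]
# The trailing comma is optional so that the report's `/**/ r` still parses.
RULE_RE = re.compile(
    r"^(?P<deny>deny\s+)?(?P<owner>owner\s+)?"
    r"(?P<path>[@/]\S*)\s+(?P<perms>[A-Za-z]+)\s*,?$"
)

# Roots under which a bare `**` (or `**/`) means "the whole tree".
TREE_ROOTS = ("@{HOME}/", "/")


@dataclass(frozen=True)
class Rule:
    path: str
    perms: str
    deny: bool
    owner: bool


def parse_rules(text: str) -> list[Rule]:
    """Parse the subset of rule lines this example understands; skip the rest."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(m["path"], m["perms"],
                              bool(m["deny"]), bool(m["owner"])))
    return rules


def is_tree_wide(path: str) -> bool:
    """True when the path is exactly `<root>**` or `<root>**/` for a known root.

    `/**/` only matches directories (the directory-listing case from the report),
    `/**` and `@{HOME}/**` match every file and directory below the root.
    """
    for root in TREE_ROOTS:
        if path.startswith(root):
            return path[len(root):].rstrip("/") == "**"
    return False


def broad_grants(rules: list[Rule]) -> list[Rule]:
    """Allow rules that grant read or write across an entire tree.

    `deny` rules are ignored on purpose: a deny for ~/.ssh narrows a grant
    but does not make `@{HOME}/** r,` any less tree-wide.
    """
    return [r for r in rules
            if not r.deny and is_tree_wide(r.path) and set(r.perms) & {"r", "w"}]


def audit(text: str) -> list[str]:
    """Human-readable findings, one per broad grant."""
    return [f"tree-wide {'owner ' if r.owner else ''}{r.perms} grant on {r.path}"
            for r in broad_grants(parse_rules(text))]


# Constructed sample mirroring the lines quoted in the bug report.
PERMISSIVE = """\
# in /etc/apparmor.d/usr.bin.firefox:
/**/ r
# in /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:
@{HOME}/** r,
owner @{HOME}/** w,
deny @{HOME}/.ssh/** rw,
"""

# Constructed sample of the stricter shape the reporter asks for:
# only specific directories, so the audit reports nothing.
STRICT = """\
owner @{HOME}/Downloads/** rw,
owner @{HOME}/Public/** rw,
deny @{HOME}/.ssh/** rw,
"""

if __name__ == "__main__":
    for name, profile in (("permissive", PERMISSIVE), ("strict", STRICT)):
        findings = audit(profile)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it as a script to see three findings for the permissive sample and none for the strict one; to check a real abstraction, read the file into `audit()` and remember that a `#include`d abstraction inherits into every profile that includes it, so the finding applies to all of them.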