Bug#805594: iceweasel: Need New AppArmor Profile
Ben Bailess
ben.bailess at gmail.com
Thu Nov 19 22:03:23 UTC 2015
Package: iceweasel
Version: 38.4.0esr-1~deb8u1
Severity: normal
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
I checked which packages had no AppArmor profile specified as part of the apparmor-profiles package, and running aa-unconfined --paranoid yielded /usr/lib/iceweasel/iceweasel... so although it appears to be vaguely confined by the ubuntu-browsers abstraction, I feel that this is insufficient and Iceweasel could benefit from having its own package.
* What exactly did you do (or not do) that was effective (or ineffective)?
I modified the firefox profile in apparmor-profiles-extra and modified at least the analogous profile paths in Ubuntu to more closely match Debian paths, but it is crude and I am far from qualified to create an AppArmor policy for a package as popular and with as much attack surface as Iceweasel.
* What was the outcome of this action?
It "works" but I am still getting some AppArmor denials that I have not yet resolved with my custom policy. It would be best to have a policy suited specifically for the Debian-specific implementation of Iceweasel instead of maintaining a delta from upstream.
* What outcome did you expect instead?
I expected it to have a profile, but alas there was none :) I'm happy to post my hack-y profile, but under the assumption that I'm an AppArmor novice compared to most...
-- Package-specific info:
-- Extensions information
Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled
-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled
-- Addons package information
ii gnome-shell 3.14.4-1~deb amd64 graphical shell for the GNOME des
ii iceweasel 38.4.0esr-1~ amd64 Web browser based on Firefox
-- System Information:
Debian Release: 8.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages iceweasel depends on:
ii debianutils 4.4+b1
ii fontconfig 2.11.0-6.3
ii libasound2 1.0.28-1
ii libatk1.0-0 2.14.0-1
ii libc6 2.19-18+deb8u1
ii libcairo2 1.14.0-2.1
ii libdbus-1-3 1.8.20-0+deb8u1
ii libdbus-glib-1-2 0.102-1
ii libevent-2.0-5 2.0.21-stable-2
ii libffi6 3.1-2+b2
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-3+deb8u1
ii libgcc1 1:4.9.2-10
ii libgdk-pixbuf2.0-0 2.31.1-2+deb8u3
ii libglib2.0-0 2.42.1-1
ii libgtk2.0-0 2.24.25-3
ii libhunspell-1.3-0 1.3.3-3
ii libpango-1.0-0 1.36.8-3
ii libsqlite3-0 3.8.7.1-1+deb8u1
ii libstartup-notification0 0.12-4
ii libstdc++6 4.9.2-10
ii libx11-6 2:1.6.2-3
ii libxcomposite1 1:0.4.4-1
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.1-2+b2
ii libxrender1 1:0.9.8-1+b1
ii libxt6 1:1.1.4-1+b1
ii procps 2:3.3.9-9
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages iceweasel recommends:
ii gstreamer1.0-libav 1.4.4-2
ii gstreamer1.0-plugins-good 1.4.4-2
Versions of packages iceweasel suggests:
pn fonts-mathjax <none>
ii fonts-oflb-asana-math 000.907-6
ii fonts-stix [otf-stix] 1.1.1-1
ii libcanberra0 0.30-2.1
pn libgnomeui-0 <none>
ii libgssapi-krb5-2 1.12.1+dfsg-19+deb8u1
pn mozplugger <none>
-- no debconf information