2

I am currently re-setting up the apparmor profile for Firefox 19.0.2 on Ubuntu 12.04 and I am slightly confused. I must of had Firefox 7.01 last time I used this and if I do apparmor_status then regarding firefox I get

..profiles are in enforce mode.
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
..profiles are in complain mode
/usr/lib/firefox-7.0.1/firefox.sh
/usr/lib/firefox/firefox{,*[^s][^h]}
/usr/lib/firefox/firefox{,*[^s][^h]}//null-34
/usr/lib/firefox/firefox{,*[^s][^h]}//null-34//null-35
..processes are in complain mode.
/usr/lib/firefox/firefox{,*[^s][^h]} (3818) 
/usr/lib/firefox/firefox{,*[^s][^h]} (17960) 
/usr/lib/firefox/firefox{,*[^s][^h]} (21817) 
/usr/lib/firefox/firefox{,*[^s][^h]}//null-34 (3819) 
/usr/lib/firefox/firefox{,*[^s][^h]}//null-34//null-35 (3823)

Now in the dir /etc/apparmor.d/ the profiles I have in relation to firefox are usr.bin.firefox and usr.lib.firefox-7.0.1.firefox.sh. Regarding the location of the firefox exec itself on my system - /usr/bin/firefox is a sym link to /usr/lib/firefox/firefox.sh i.e. there is no version number.

Are these profiles in enforce mode some how sub profiles that are inheriting the parent profile and still in enforce mode despite the parent being in complain? Why is the profile shown in the status of the form /usr/lib/firefox/firefox not 1/usr/lib/firefox/firefox-7.01`?

Finally I thought messages were supposed to go to /var/log/messages yet this file does not exist for me, despite processes being left in complain mode for some time...

Improve this question
2
  • 1
    I'm really not sure I understand what your question is... Commented Mar 17, 2013 at 23:40
  • @Seth there are a few questions, 1)Given my firefox profile is in complain mode what are these profiles with things like //browser_java and what does this notation mean? (Is it some kind of sub profile/process of the firefox profile?). 2) From my directory structure, names and location of firefox, it looks like in Ubuntu 12.04 one no longer needs to add the firefox version number to the profile, is this correct? 3) Why are my apparmor messages not going to var/log/messages ? (I've since discovered them in kern.log) Commented Mar 18, 2013 at 4:25

1 Answer 1

Reset to default
1

These are "lenient" profiles for processes launched by firefox. The profile sanitized_helpers is defined in /etc/apparmor.d/abstractions/ubuntu_helpers. There are others in /etc/apparmor.d/abstractions/ubuntu-browsers.d/ If the firefox profile contains this:

/path/to/executable cx,

then a child or local profile is used to confine "executable". The global profile for "executable" is used if the firefox profile contains this:

/path/to/executable px,

Yes, firefox version is not needed now.

If you install the apparmor-notify package, you will get desktop notifications whenever apparmor logs something to kern.log. Handy for debugging profiles.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.