
Re: Apparmor: 1 processes are unconfined but have a profile defined



	Hi.

I accept on-list communication only.

On Fri, Jul 13, 2018 at 11:09:19PM +0300, Ge wrote:
> Hi, I couldn't figure it out, so I deleted all Firefox profiles and I started
> again from the beginning

If you just deleted the files from /etc/apparmor.d - that won't be
enough as old profiles are still loaded into the running kernel.
See if it sticks after the reboot.

But,

> My Firefox profile now seems to work.
> 
>  sudo cat ./usr.lib.firefox-esr.firefox-esr

If your AppArmor profile is not world-readable then you're doing it
wrong (i.e. sudo should not be needed for this).

> [sudo] password for gssd:
> # Last Modified: Fri Jul 13 19:58:57 2018
> #include <tunables/global>
> 
> /usr/lib/firefox-esr/firefox-esr {

That line's crucial. Enabling and disabling should be done via
aa-enforce/aa-complain /usr/lib/firefox-esr/firefox-esr.


>   "/home/gssd/.mozilla/firefox/Crash Reports/*" r,

This one and everything like it are better written as:

owner "@{HOME}/.mozilla/firefox/Crash Reports/*" r,

And I wonder whether disabling writing crash reports was intentional.

>   /home/*/.mozilla/firefox/72z9u2as.default/browser-extension-data/** rw,

This one:

owner @{HOME}/.mozilla/firefox/*/browser-extension-data/** rw,


Everything else is more or less ok.

Reco
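
Added example, not part of the message above and not AppArmor tooling: a small Python filter that applies the two rewrites suggested in the reply to profile rules, turning a hard-coded /home/<user>/ or /home/*/ prefix into owner @{HOME}/ and a fixed Firefox profile directory into *. The function names, the sample rules and the profile-directory pattern (eight characters, a dot, a name) are assumptions made for illustration.

```python
import re

# Constructed sample: the two rules quoted in the thread plus two that need no change.
SAMPLE_RULES = '''\
  "/home/gssd/.mozilla/firefox/Crash Reports/*" r,
  /home/*/.mozilla/firefox/72z9u2as.default/browser-extension-data/** rw,
  owner @{HOME}/.cache/mozilla/** rw,
  /usr/lib/firefox-esr/** mr,
'''

# Indent, optional "owner", optional opening quote, then /home/<user or *>/<rest>
HOME_RULE = re.compile(
    r'^(?P<indent>\s*)(?:owner\s+)?(?P<q>"?)/home/[^/\s"]+/(?P<rest>.*)$')
# Assumption: a Firefox profile directory looks like "<8 chars>.<name>" under firefox/
FF_PROFILE = re.compile(r'(\.mozilla/firefox/)[a-z0-9]{8}\.[^/\s"]+/')


def portable_rule(line):
    """Rewrite one rule as `owner @{HOME}/...,`; lines without /home/ pass through."""
    m = HOME_RULE.match(line)
    if not m:
        return line
    # Replace the per-installation profile directory with a glob.
    rest = FF_PROFILE.sub(r'\1*/', m.group('rest')).rstrip()
    # Every AppArmor rule ends with a comma; add it if it was left off.
    if not rest.endswith(','):
        rest += ','
    return f'{m.group("indent")}owner {m.group("q")}@{{HOME}}/{rest}'


def rewrite(text):
    """Apply portable_rule to every line of a profile body."""
    return '\n'.join(portable_rule(line) for line in text.splitlines())


if __name__ == '__main__':
    print(rewrite(SAMPLE_RULES))
```

The owner qualifier narrows the rule to files owned by the confined process's user, which /home/*/ on its own does not do.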

