What does Firefox AppArmor restrict/allow?

The only confusing things in there are the codes, and you interpret them like this:

'r'  read
'w'  write
'm'  memory map as executable
'k'  file locking
'l'  creation of hard links
'ix' execute and inherit this profile
'Px' execute under another profile, after cleaning the environment
'Ux' execute unconfined, after cleaning the environment

The rest of the file is mainly directories, files and libraries, sometimes with parameters in front (like PROC and HOME, which seem easy to understand) and regexes to make it more flexible, and sometimes a 'deny' or 'owner' in front of the line (these seem self-explanatory to me: they deny access, or limit the action to the case where the owner is doing it).

Regarding PROC:

Example:

# for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,

and do

cd /proc/
ls *

See all the directories with digits? These correspond to each running process. If any of them contains a directory net (network), and that holds a file if_inet6 or ipv6_route, they are considered readable.


See Access Modes, Rule Qualifiers, and the #include mechanism in the man page...

man apparmor.d

The man page explains it pretty verbosely. Regarding your question about @{PROC} there are variables which can be set within include files. From the apparmor.d(5) man page...

Some of the abstractions rely on variables that are set in files in the /etc/apparmor.d/tunables/ directory. These variables are currently @{HOME} and @{HOMEDIRS}. Variables cannot be set in profile scope; they can only be set before the profile. Therefore, any profiles that use abstractions should either #include <tunables/global> or otherwise ensure that @{HOME} and @{HOMEDIRS} are set before starting the profile definition. The aa-autodep(8) and aa-genprof(8) utilities will automatically emit #include <tunables/global> in generated profiles.

If you look in /etc/apparmor.d/tunables/global you'll see there's another #include <tunables/proc>. The contents of that file are....

# Copyright (C) 2006 Novell/SUSE... GNU GPLv2... more license info...
# @{PROC} is the location where procfs is mounted.
@{PROC}=/proc/

So @{PROC} is simply an abstract variable pointing to the proc(5) filesystem.
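As an added illustration of both answers (not code from either poster, nor from AppArmor itself): a small Python model that expands @{PROC} from a tunables line, translates the access codes listed in the first answer, and checks a concrete path against the rule globs. The sample rules are constructed; glob semantics and deny-over-allow precedence follow apparmor.d(5), while the 'owner' qualifier is simplified to a plain allow.

```python
import re
# Access-mode codes from the first answer, mapped to their meaning.
ACCESS_MODES = {"r": "read", "w": "write", "m": "memory map as executable",
                "k": "file locking", "l": "create hard links",
                "ix": "execute, inherit this profile", "Ux": "execute unconfined",
                "Px": "execute under another profile"}

# Constructed sample: the tunable from the second answer plus rules in the style of the first.
TUNABLES = "@{PROC}=/proc/\n"
PROFILE = """  @{PROC}/[0-9]*/net/if_inet6 r,
  deny @{PROC}/sys/kernel/** w,
  owner /tmp/firefox-*/** rwk,
"""

def parse_tunables(text):
    """Collect @{VAR}=value assignments into a dict."""
    return dict(re.findall(r"(@\{\w+\})\s*=\s*(\S+)", text))

def glob_to_regex(pattern):
    """AppArmor globbing: '**' crosses '/', '*' and '?' do not, [..] classes pass through."""
    parts = re.findall(r"\*\*|\[[^\]]*\]|.", pattern)
    rx = "".join({"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(
        p, p if p.startswith("[") else re.escape(p)) for p in parts)
    return re.compile("^" + rx + "$")

def parse_profile(text, tunables):
    """Turn each file rule into (qualifiers, expanded path, modes, compiled glob)."""
    rules = []
    for line in text.splitlines():
        tokens = line.strip().rstrip(",").split()
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue
        quals = [t for t in tokens[:-2] if t in ("deny", "owner", "audit")]
        # expand @{PROC} etc., then collapse the '//' a trailing-slash value produces
        path = re.sub(r"@\{\w+\}", lambda m: tunables.get(m.group(), m.group()), tokens[-2])
        path = re.sub("/{2,}", "/", path)
        modes = re.findall(r"[PU]x|ix|[rwmkl]", tokens[-1])
        rules.append((quals, path, modes, glob_to_regex(path)))
    return rules

def describe(rule):
    quals, path, modes, _ = rule
    return " ".join(quals + [path]) + ": " + ", ".join(ACCESS_MODES[m] for m in modes)

def check_access(rules, path, mode):
    """Deny beats allow; no matching rule means denied by default ('owner' simplified to allow)."""
    matches = [r for r in rules if r[3].match(path) and mode in r[2]]
    if any("deny" in r[0] for r in matches):
        return "deny"
    return "allow" if matches else "no rule (denied by default)"
```

Note that `[0-9]*` only requires the first path component to start with a digit, so `/proc/self/...` does not match it while a PID directory does.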