snap.firefox.firefox apparmor profile INSECURE. As provided in Ubuntu 24.04 Desktop
Categories
(Firefox Build System :: Third Party Packaging, defect, P4)
Tracking
(Not tracked)
People
(Reporter: v9753.v9753, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: reporter-external, sec-other, Whiteboard: [not Mozilla's version])
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
Steps to reproduce:
I find the apparmor profile snap.firefox.firefox insecure in that it allows read access to the whole drive and the entire home directory. The @{HOME}/Documents directory should be denied because it houses private and secret documents. Allowing reads from the root down allows attackers to load any library she needs - very dangerous should there be a vulnerability in firefox. Apparmor profiles' purpose is to confine access and only allow what is absolutely required by each app, or else it won't be functioning as a security layer.
For example:
Code:
# Allow read-access to / for navigating to other parts of the filesystem.
/ r,
Code:
# Allow read-access on /home/ for navigating to other parts of the
# filesystem. While this allows enumerating users, this is already allowed
# via /etc/passwd and getent.
@{HOMEDIRS}/ r,
Code:
# Allow read access to toplevel $HOME for the user
owner @{HOME}/ r,
There are already other places that allow access to @{HOME}/snap, so that Firefox can save its work stuff. So such reading of root directory contents is unwarranted.
The owner bit in front of @{HOME} does practically nothing because Firefox will always be run by the owner.
I can also navigate the entire file system from / down using Password Manager > Import. That should not happen, it should be restricted to the home directories.
Thanks.
Expected results:
The snap.firefox.firefox apparmor profile (as installed in latest Ubuntu 24.04) should restrict access only to necessary directories required for running Firefox, plus some @{HOME} directories.
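Added example (not part of the bug report or the shipped profile): a small Python classifier for AppArmor file rules that reports whether each path pattern covers only a directory entry, one directory level, or a whole subtree, following the globbing rules in apparmor.d(5). The sample holds the three rules quoted above plus two hypothetical rules for contrast; `scope`, `parse_rules` and `recursive_read_grants` are names chosen here.

```python
import re

# Constructed sample: the three rules quoted in the report, plus two
# hypothetical rules (not from the shipped profile) added for contrast.
SAMPLE_PROFILE = """\
# Allow read-access to / for navigating to other parts of the filesystem.
/ r,
@{HOMEDIRS}/ r,
owner @{HOME}/ r,
owner @{HOME}/Documents/** rw,
deny @{HOME}/.ssh/** mrwkl,
"""

# Path-first file rules only: [audit|deny|allow|owner]* <path> <perms>,
RULE = re.compile(
    r"^\s*(?P<quals>(?:(?:audit|deny|allow|owner)\s+)*)"
    r"(?P<path>(?:/|@\{)\S*)\s+(?P<perms>[rwaxmlkiPpCcUu]+),\s*$"
)

def scope(path):
    """Classify how far an AppArmor path pattern reaches."""
    bare = re.sub(r"@\{\w+\}", "", path)   # drop variables such as @{HOME}
    if "**" in bare:
        return "recursive"        # ** matches across '/' boundaries
    if bare.endswith("/"):
        return "directory-only"   # trailing '/' matches directories, not files in them
    if re.search(r"[*?\[{]", bare):
        return "single-level"     # globs that stay within one directory level
    return "exact-file"

def parse_rules(text):
    """Return one dict per file rule; comments and other rule types are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE.match(line)
        if m:
            quals = m.group("quals").split()
            rules.append({"line": lineno, "path": m.group("path"),
                          "perms": m.group("perms"), "deny": "deny" in quals,
                          "owner": "owner" in quals, "scope": scope(m.group("path"))})
    return rules

def recursive_read_grants(text):
    """Paths whose rule lets the confined process read file contents beneath them."""
    return [r["path"] for r in parse_rules(text)
            if "r" in r["perms"] and not r["deny"] and r["scope"] == "recursive"]

if __name__ == "__main__":
    for r in parse_rules(SAMPLE_PROFILE):
        print(f'{r["line"]:>2} {r["scope"]:<14} {"deny " if r["deny"] else ""}{r["path"]} {r["perms"]}')
    print("recursive read:", recursive_read_grants(SAMPLE_PROFILE))
```

The parser only handles path-first file rules on a single line; rules written with leading permissions or split across lines are skipped.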
Updated•1 year ago
Comment 1•1 year ago
The Snap and AppArmor profile are provided by Ubuntu, so this is the wrong place to file those bugs. AFAIK filesystem access restrictions in this setup are specified by the Snap profile itself, and it's not considered AppArmor's responsibility. But again, it's Ubuntu that manages those profiles so I won't/can't speak authoritatively on this one.
(On top of this, all of this assumes you already managed to find a security hole in Firefox and break out of its own sandbox to get to the main process)
Not sure we need to keep this bug closed, but let's see if we can at least ping someone on the Ubuntu side before opening.
Updated•1 year ago
Thank you for your bug report. Firefox doesn't have access to the / system as described:
$ snap run --shell firefox
$ ls /etc/apt
ls: cannot open directory '/etc/apt': Permission denied
The fileselector you get from the UI is the xdg-desktop-portal one which requires specific user interaction.
Could you describe what's the security problem exactly?
Comment 3•1 year ago
Redirect a needinfo that is pending on an inactive user to the triage owner.
:gerard-majax, since the bug doesn't have a severity set, could you please set the severity or close the bug?
For more information, please visit BugBot documentation.