AppArmor profiles for Chrome and Firefox?

Status
Not open for further replies.

notabot

Level 15
Thread author
Verified
Oct 31, 2018
721

Thanks ! - I’ll definitely look at what he did . I’m more after profiles that are maintained rather than making my own because even though I may have time to do the initial time investment what I most certainty can’t do is do the time investment to update the profile when chrome updates in a way that breaks the profile ( and almost certainly this will happen at some point )
 

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,883
Thanks ! - I’ll definitely look at what he did . I’m more after profiles that are maintained rather than making my own because even though I may have time to do the initial time investment what I most certainty can’t do is do the time investment to update the profile when chrome updates in a way that breaks the profile ( and almost certainly this will happen at some point )
However if you use Linux I would only suggest: Firejail and GUFW. I didn't try AppArmor.
 

AlanOstaszewski

Level 16
Verified
Top Poster
Malware Hunter
Jul 27, 2017
779
The profiles actually come already with AppArmor/FireJail (I think) and are also mainained by them. If they need to be renewed (because of a new update for your browser), a simple update of AppArmor/FireJail in your software manager (apt, pacman, whatever...) is enough.

I also use Firejail like @JM Security and start my browser with:
Code:
firejail --ignore=seccomp --ignore=protocol firefox-esr %u -no-remote

I don't know what the exact differences between AppArmor and FireJail are, but they do the same thing in the end.
 
Last edited:

notabot

Level 15
Thread author
Verified
Oct 31, 2018
721
The profiles actually come already with AppArmor/FireJail (I think) and are also mainained by them. If they need to be renewed (because of a new update for your browser), a simple update of AppArmor/FireJail in your software manager (apt, pacman, whatever...) is enough.

I also use Firejail like @JM Security and start my browser with:
Code:
firejail --ignore=seccomp --ignore=protocol firefox-esr %u -no-remote

I don't know what the exact differences between AppArmor and FireJail are, but they do the same thing in the end.


Thanks for this - I don’t have one for Firefox at the moment.

Firejail uses kernel namespaces, so it’s similar to dockerising your application
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
721
It turns out not seeing the file for Firefox’s app armor profile has to do with me installing Firefox as a snap app from the store.

Do you know where are the app armor profiles for snap apps ?
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
721
Looks like for snap apps AppArmor profiles are under /var/lib/snapd/apparmor

snap apps also have their own container system so they can’t be firejail’d

Overall I have to say

1) Linux security is much much better than the early 00s
2) while windows does have almost the same number of (almost) equivalent mechanisms, in Linux stuff that would be “enterprise” (or part of a “business” security suite) is available out of the box
3) a desktop machine running only snap apps from reputable publishers looks pretty secure, it would take a kernel level exploit or hardware assisted attack to “break” it
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top