Updated: November 30, 2022
Several weeks ago, I wrote an article that provided a basic overview of the AppArmor hardening tool, explained how it works, and showed you a practical example on how to confine and harden the Firefox browser. But wait, not just any which Firefox, but specifically the tarball version that you can download from Mozilla. I'm talking about the tar archive. Grab, extract, run.
So far so good. Using the AppArmor profile (template) from my Kubuntu installation, I was able, with small modifications, to create a custom ruleset for the Firefox tar version running from my home directory. Things are fine, but there be one problem. By default, it cannot update. We shall fix that now.
Problem in more detail
So, what happens is the following. If you use the Firefox tar version, it has the option to auto-update on its own like you'd see in Windows. Basically, the browser will get an update, you restart it, job done. You don't need to manually reinstall anything, you just keep running the browser from wherever you first extracted it, like say ~/Firefox/ or something.
However, with my AppArmor profile in place, the browser cannot self-update (see the screenshot above). It will tell you that updates are available, and you can manually download them. Indeed, there are quite a few workarounds:
- You can remove the AppArmor rule, and on next browser restart, Firefox will be able to self-update. But this is cumbersome. And you will need to reapply the rule again later.
sudo apparmor_parser -R "the name of your Firefox tar version profile"
- You can manually go to the official site, download the new tarball archive, and then extract it over the old one, or just extract it and manually copy all of the files from the new folder into wherever you keep Firefox. This will not affect your Firefox profile in any way.
tar -xvf "tarball"
cp -ar "tarball extract folder"/* "Firefox installation folder"/
However, these are just (easy) semi-fixes, and we want something more solid.
Solution
The real fix is to go through the AppArmor profile and understand which of the rules in place create a conflict. In general, each line in the profile is a rule that selectively allows something (like read but not write to a directory), or completely denies access to a specific resource. Anything that's not explicitly written will not be covered by the profile.
One of the default rules in the file is to deny write access to files and folders inside the Firefox installation directory. This makes sense for the default profile when and where Firefox is installed in a system directory, but not necessarily if you install Firefox in its own isolated place.
deny @{MOZ_LIBDIR}/** w,
We can comment out this rule, reload the Firefox profile, and job done:
sudo apparmor_parser -r "profile name"
Conclusion
Job done. This tiny and simple change is all it takes to give the Firefox tar version (back) its self-update ability. Now, if you are super-security-conscious, you may say this is not good or whatnot, and you are okay with doing the manual update if and when needed. You can always resort to that trick, indeed. But if you want some convenience, and still have the bulk of the AppArmor profile hardening working for you, then you can allow the browser to be able to write to its installation folder. Just be aware of the potential consequences.
Hopefully, this guide clarifies or demystifies some of the questions you may have had around this topic. But again, we're not done. Next, we will talk about D-Bus, and specifically, any rules needed to give Firefox the ability to use the KDE/Plasma integration features. Perhaps this sounds KDE-specific, but I will make sure the tutorial is generic enough to be applicable for any sort of browser integration functionality. Until the next time, dear fellow nerds.
Cheers.