Firefox, AppArmor & self-update - Tutorial

Updated: November 30, 2022

Several weeks ago, I wrote an article that provided a basic overview of the AppArmor hardening tool, explained how it works, and showed you a practical example of how to confine and harden the Firefox browser. But wait, not just any which Firefox, but specifically the tarball version that you can download from Mozilla. I'm talking about the tar archive. Grab, extract, run.

So far so good. Using the AppArmor profile (template) from my Kubuntu installation, I was able, with small modifications, to create a custom ruleset for the Firefox tar version running from my home directory. Things are fine, but there be one problem. By default, it cannot update. We shall fix that now.

[Screenshot: Cannot update]

Problem in more detail

So, what happens is the following. If you use the Firefox tar version, it has the option to auto-update on its own like you'd see in Windows. Basically, the browser will get an update, you restart it, job done. You don't need to manually reinstall anything, you just keep running the browser from wherever you first extracted it, like say ~/Firefox/ or something.

However, with my AppArmor profile in place, the browser cannot self-update (see the screenshot above). It will tell you that updates are available, and you can manually download them. Indeed, there are a couple of workarounds. You can unload the profile, let the browser update itself, and load the profile again afterwards (while it is unloaded, Firefox runs unconfined):

sudo apparmor_parser -R "the name of your Firefox tar version profile"

Or you can download the new tarball yourself and copy its contents over the existing installation folder:

tar -xvf "tarball"
cp -ar "tarball extract folder"/* "Firefox installation folder"/

However, these are just (easy) semi-fixes, and we want something more solid.

Solution

The real fix is to go through the AppArmor profile and understand which of the rules in place create a conflict. In general, each line in the profile is a rule that selectively allows something (like read but not write to a directory), or completely denies access to a specific resource. Anything that is not explicitly allowed by a rule is denied once the profile is in enforce mode.

One of the default rules in the file is to deny write access to files and folders inside the Firefox installation directory. This makes sense for the default profile when and where Firefox is installed in a system directory, but not necessarily if you install Firefox in its own isolated place.

deny @{MOZ_LIBDIR}/** w,

We can comment out this rule, reload the Firefox profile, and job done. Keep in mind that an explicit deny overrides any allow rule, so removing it only helps if another rule in your profile already grants write access to that directory; if updates still fail afterwards, check the kernel log (dmesg) for apparmor="DENIED" entries naming your profile to see which rule is still in the way:

sudo apparmor_parser -r "profile name"
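To make the change less error-prone, here is an added example (not from the original article, and not Mozilla's or Ubuntu's code) that rewrites the deny rule into a comment, puts an owner-only write rule in its place, and counts write denials for the profile in a kernel-log extract so you can confirm nothing else still blocks the update. The profile path, the profile name firefox-tar and the log lines are constructed placeholders; a real profile carries many more rules than the minimal one built here.

```shell
#!/bin/sh
# Added example, not from the original article or from Mozilla/Ubuntu.
# Assumptions (placeholders): the profile defines @{MOZ_LIBDIR} as the
# extracted Firefox folder and contains the rule  deny @{MOZ_LIBDIR}/** w,
set -eu

# Turn the deny rule into a comment and put an owner-only write rule in its
# place. Both steps matter: an explicit "deny" always wins over "allow", and
# once it is gone some rule must still grant "w", or the default deny applies.
allow_libdir_write() {
    profile="$1"
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)                     # strip indentation
        if (index(line, "deny @{MOZ_LIBDIR}/** w,") == 1) {
            indent = substr($0, 1, length($0) - length(line))
            print indent "# " line "   # disabled: tarball Firefox self-update"
            print indent "owner @{MOZ_LIBDIR}/** w,"
            next
        }
        print
    }' "$profile" > "$profile.tmp"
    mv "$profile.tmp" "$profile"
}

# Count write denials attributed to a profile in log lines read from stdin,
# e.g.  sudo dmesg | count_write_denials firefox-tar
# Any hit after the reload means another rule is still in the way.
count_write_denials() {
    grep 'apparmor="DENIED"' | grep "profile=\"$1\"" \
        | grep -c 'denied_mask="[^"]*w' || true
}

# Replace the loaded profile with the edited file (needs root).
reload_profile() {
    sudo apparmor_parser -r "$1"
}

# ---- self-contained demo on constructed data (no root needed) ----
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_PROFILE="$DEMO_DIR/home.user.Firefox.firefox"     # constructed path
cat > "$DEMO_PROFILE" <<'EOF'
# constructed minimal profile; a real one carries many more rules
@{MOZ_LIBDIR}=/home/user/Firefox
profile firefox-tar @{MOZ_LIBDIR}/firefox {
  @{MOZ_LIBDIR}/** r,
  deny @{MOZ_LIBDIR}/** w,
}
EOF

# Constructed dmesg extract in the AppArmor denial format (field names are
# the real ones; pid, timestamps and paths are made up).
SAMPLE_LOG='audit: type=1400 audit(1669800000.001:42): apparmor="DENIED" operation="open" profile="firefox-tar" name="/home/user/Firefox/update.test" pid=4242 comm="firefox" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1669800000.002:43): apparmor="DENIED" operation="open" profile="firefox-tar" name="/proc/4242/status" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'

before=$(printf '%s\n' "$SAMPLE_LOG" | count_write_denials firefox-tar)
allow_libdir_write "$DEMO_PROFILE"
echo "write denials for firefox-tar in sample log: $before"
echo "edited profile:"
cat "$DEMO_PROFILE"
# Real use: allow_libdir_write /etc/apparmor.d/<your-profile> && reload_profile /etc/apparmor.d/<your-profile>
```

The added rule uses the owner qualifier on purpose: it lets the browser write only to files it owns under its own folder, which is exactly the case for a tarball extracted in your home directory, and nothing more.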

[Screenshot: Update works]

[Screenshot: Firefox updated]

Conclusion

Job done. This tiny and simple change is all it takes to give the Firefox tar version (back) its self-update ability. Now, if you are super-security-conscious, you may say this is not good or whatnot, and you are okay with doing the manual update if and when needed. You can always resort to that trick, indeed. But if you want some convenience, and still have the bulk of the AppArmor profile hardening working for you, then you can allow the browser to write to its installation folder. Just be aware of the trade-off: a browser process that can write to its own installation folder could, if it were ever compromised, also modify the binaries it runs from next time.

Hopefully, this guide clarifies or demystifies some of the questions you may have had around this topic. But again, we're not done. Next, we will talk about D-Bus, and specifically, any rules needed to give Firefox the ability to use the KDE/Plasma integration features. Perhaps this sounds KDE-specific, but I will make sure the tutorial is generic enough to be applicable for any sort of browser integration functionality. Until the next time, dear fellow nerds.

Cheers.
