Skip to content
GitLab

Prevent spawning Unsafe Browser from main apps

As per !956 (comment 198972) , some apps (LibreOffice for sure; Thunderbird has not been tested) can spawn Unsafe Browser. This is a security problem that can lead to deanonymization, e.g. via the accessibility bus (if enabled).

Improving the AppArmor profile should be enough.

But we've tought of a more elegant and possibly more maintainable approach on !989. The last plan there is an allow-list approach, that does not need AppArmor 3.0, that is safe vs. PID cycles, and does not require hardening AppArmor profiles for risky apps:

  • Scrap most of the !989 branch
  • Run GNOME Shell and TCA portal under almost-dummy AppArmor profiles, that:
    • allow everything
    • when executing Unsafe Browser, transition to a specific AppArmor profile (not the one that it would get by default if I started Unsafe Browser in a Terminal)
  • Unsafe Browser script: abort unless running under this specific AppArmor profile
  • AppArmor policy: by default, don't apply any profile to the Unsafe Browser
  • Only root can run a program under an AppArmor profile of their choice, so this should be safe.
Edited by intrigeri
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information