[Bug 255541] New: [feature-request] AppArmored FireFox
https://bugzilla.novell.com/show_bug.cgi?id=255541

Summary: [feature-request] AppArmored FireFox
Product: openSUSE 10.3
Version: Alpha 2
Platform: All
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: AppArmor
AssignedTo: dreynolds@novell.com
ReportedBy: al4321@gmail.com
QAContact: dreynolds@novell.com

hi all !

I would like to feature-request AppArmored FireFox for openSUSE 10.3 !

The point is: Microsoft did Protected-mode Internet Explorer 7 in Windows Vista, and so, our community must respond with something. The best response I see is an AppArmored profile for FireFox.

I think openSUSE 10.3 needs to have 2 versions of FireFox installed by default; Both AppArmored and normal.

The Armored version will *not* allow to save anything anywhere. It will allow to save only in one directory: ~/downloads so all hackers alike will not be able to do much...

I understand it will cause problems such as: plugins (Adobe Reader) might stop working, you won't be able to install themes and extensions, etc... This is why we must have both normal version and a secured one !

What do you think of this idea?

P.S. The armored version must have a separate icon too... what about a knight ? Or FireFox icon with small shield on it?

--
-Alexey Eremenko "Technologov"

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

seth.arnold@novell.com changed:

What |Removed |Added
----------------------------------------------------------------------------
CC | |seth.arnold@novell.com, maw@novell.com

------- Comment #1 from seth.arnold@novell.com 2007-03-16 17:17 MST -------
Michael, I think Alexey's got a great idea here. If I give you an AppArmor profile for something like /usr/bin/mozilla-confined that is pretty restrictive, could you work on getting new "confined mozilla" icons placed near standard mozilla icons? (I'd even be willing to try my hand at icon design. :)

Thanks

------- Comment #2 from al4321@gmail.com 2007-03-17 04:16 MST -------
Created an attachment (id=125148)
 --> (https://bugzilla.novell.com/attachment.cgi?id=125148&action=view)
Potential icon for AppArmored Firefox - Green Shield

------- Comment #3 from al4321@gmail.com 2007-03-17 04:17 MST -------
Created an attachment (id=125149)
 --> (https://bugzilla.novell.com/attachment.cgi?id=125149&action=view)
Potential icon for AppArmored Firefox - Orange Shield

------- Comment #4 from al4321@gmail.com 2007-03-17 04:21 MST -------
OK, so I have submitted potential icons for AppArmored Firefox.

The shield was taken from OpenClipart gallery - SVG format, public domain.

This is the concept that I have for icons.

I know those look a bit out-of-water, they are ugly, because they look too 2D, while FireFox itself is rendered much better. We must try to build a 3D shield.

wolfgang@rosenauer.org changed:

What |Removed |Added
----------------------------------------------------------------------------
CC | |wolfgang@rosenauer.org

------- Comment #5 from wolfgang@rosenauer.org 2007-03-17 04:56 MST -------
Basically I don't have any objection in having an apparmored alternative.

Problem with the icon is that it's not allowed by MoCo's trademark law to modify the Firefox logo/icon at all. We would have to get clearance from them for any icon we want to use. It's hard to guess if they are going to accept it but we can try if we have a nice one.

------- Comment #6 from mbarringer@novell.com 2007-03-19 16:40 MST -------
Created an attachment (id=125341)
 --> (https://bugzilla.novell.com/attachment.cgi?id=125341&action=view)
Icon suggestion

You could also roll with the old school icon/Firefox combo.

------- Comment #7 from al4321@gmail.com 2007-03-19 23:16 MST -------
Matt Barringer: Well, your one is a nice icon indeed.

------- Comment #8 from al4321@gmail.com 2007-03-19 23:20 MST -------
Now, let's speak of AppArmored rules:

-ability to write only to ~/downloads (and maybe ~/.AppArmoredFireFox ?)
(since this is different version, it must have different settings directory in $HOME. )

-read from:
~/.AppArmoredFireFox
~/downloads

Make it possible to use Flash and Java and Adobe Reader plugins.
Make it possible to use FFox extensions.

..something else ?

What do you think of it?

-Alexey

------- Comment #9 from maw@novell.com 2007-03-20 13:44 MST -------
(In reply to comment #1)
> Michael, I think Alexey's got a great idea here. If I give you an AppArmor profile for something like /usr/bin/mozilla-confined that is pretty restrictive, could you work on getting new "confined mozilla" icons placed near standard mozilla icons? (I'd even be willing to try my hand at icon design. :)

Sounds like an interesting idea. Once we have an AppArmor profile, what else is involved? How is it invoked, etc?

Wolfgang is right about possible trademark issues, of course.

------- Comment #10 from seth.arnold@novell.com 2007-03-20 14:01 MST -------
(In reply to comment #8)
> Now, let's speak of AppArmored rules:
>
> -ability to write only to ~/downloads (and maybe ~/.AppArmoredFireFox ?) (since this is different version, it must have different settings directory in $HOME. )

I had actually been thinking of granting it read-only access to the standard firefox directory of config files. (At least, I assume firefox has tolerable behaviour when it can't update config files. :)

Using a different directory completely would mean changes like font sizes and customized .css files and so forth would have to be duplicated. (Handling it in firefox looks relatively easy, if the 'firefox' script is the only place that sets which directory to use..)

But the different directory does mean the 'armored' version couldn't steal data out of the 'wide open' version. (My Firefox, for example, logs me into bugzilla automatically through a greasemonkey script.. this username and password are therefore stored in a way that an armored firefox could still report my username/password to other entities..)

> -read from: ~/.AppArmoredFireFox ~/downloads Make it possible to use Flash and Java and Adobe Reader plugins. Make it possible to use FFox extensions. ...something else ?

I'm of two minds about the plugs; on the one hand, I _really_ want a confined firefox for flash and acroread :) on the other hand, if we prevent them from running out of the box, then users would have to enable the plugins that they personally use -- which would be more tight, if less usable.

Maybe making sure all the extensions that ship with openSUSE would make the most sense. But we certainly can't make every feature of every extension work. (IIRC, acroread has a button that'll start up a configured mail: handler... a little annoying to handle kmail, evolution, sylpheed, etc. "out of the box" for this.)

> What do you think of it?

Thanks for bringing it up well before the first beta. :)

------- Comment #11 from seth.arnold@novell.com 2007-03-20 14:05 MST -------
(In reply to comment #9)
> Sounds like an interesting idea. Once we have an AppArmor profile, what else is involved? How is it invoked, etc?

We'd put a profile for e.g. /usr/bin/firefox-confined into /etc/apparmor.d/usr.bin.firefox-confined

We'd make a hardlink of /usr/bin/firefox to /usr/bin/firefox-confined. (Maybe we'd make a copy, so we could edit it to use a different prefs dir -- ~/.firefox-apparmor or something.)

Then, wherever we think it'd be nice to offer an "AppArmor-confined Firefox" icon, we'd throw one.. maybe some other programs (evo? kmail? etc?) could gain "open <url> in apparmor-confined firefox" menu entries where it makes sense..

Something to consider, any way.

> Wolfgang is right about possible trademark issues, of course.

If mozilla corp is really adamant about it and we can't use one of the three icons already attached, we could try to find something nice from kdelook.org or gnome equivs?

Thanks

------- Comment #12 from wolfgang@rosenauer.org 2007-03-20 14:20 MST -------
(In reply to comment #10)
> I had actually been thinking of granting it read-only access to the standard firefox directory of config files. (At least, I assume firefox has tolerable behaviour when it can't update config files. :)

Hmm, wrong assumption I fear. It writes to many files at startup and shutdown (and runtime) and I don't think it would really be usable w/o write access to them.

> Using a different directory completely would mean changes like font sizes and customized .css files and so forth would have to be duplicated. (Handling it in firefox looks relatively easy, if the 'firefox' script is the only place that sets which directory to use..)

Also no. The basic profile directory is hardcoded to ~/.mozilla/firefox

There are multiple profiles possible under this structure though which can be chosen through command line. But then it's a completely different profile (as for another user).
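
The write rules discussed in comments #8, #10 and #12, as an added example that is not part of the original thread: a small Python check over a constructed profile for the hypothetical /usr/bin/firefox-confined, flagging any rule that grants write access outside the agreed directories. The `*.confined` Firefox profile directory name, the /usr/lib/firefox path and the deliberately over-broad `@{HOME}/.*` rule are assumptions; the parser handles only simple file rules and does not expand `#include`d abstractions.

```python
import re

# Constructed sample profile for the hypothetical /usr/bin/firefox-confined
# binary from the thread. The /usr/lib/firefox path and the "*.confined"
# profile directory name are assumptions made for this example.
SAMPLE_PROFILE = """\
#include <tunables/global>

/usr/bin/firefox-confined {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  /usr/bin/firefox-confined r,
  /usr/lib/firefox/** mr,

  # Dedicated Firefox profile: Firefox writes here at startup and shutdown.
  @{HOME}/.mozilla/firefox/profiles.ini r,
  @{HOME}/.mozilla/firefox/*.confined/ rw,
  @{HOME}/.mozilla/firefox/*.confined/** rwk,

  # The only place downloads may be saved.
  @{HOME}/downloads/ rw,
  @{HOME}/downloads/** rw,

  # Too broad: would let the confined browser rewrite any dotfile in $HOME.
  @{HOME}/.* rw,
}
"""

# Path prefixes the confined browser is meant to be able to write to.
ALLOWED_WRITE_PREFIXES = (
    "@{HOME}/downloads/",
    "@{HOME}/.mozilla/firefox/*.confined/",
)

# Simple file rule: optional "owner", a path, a permission string, a comma.
RULE_RE = re.compile(
    r"^\s*(?:owner\s+)?(?P<path>[/@]\S*)\s+(?P<perms>[a-zA-Z]+),\s*(?:#.*)?$"
)


def file_rules(profile_text):
    """Yield (path, perms) per simple file rule; skips includes, comments, deny rules."""
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            yield m.group("path"), m.group("perms")


def write_violations(profile_text, allowed=ALLOWED_WRITE_PREFIXES):
    """Return rules granting write (w) or append (a) outside the allowed prefixes.

    The comparison is textual, so any glob that is not literally under an
    allowed prefix is reported, which errs on the side of flagging.
    """
    bad = []
    for path, perms in file_rules(profile_text):
        if set(perms) & {"w", "a"} and not path.startswith(allowed):
            bad.append((path, perms))
    return bad


if __name__ == "__main__":
    for path, perms in write_violations(SAMPLE_PROFILE):
        print(f"write access outside policy: {path} {perms}")
```

Because included abstractions are not expanded, any write access they grant has to be reviewed separately.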

------- Comment #13 from al4321@gmail.com 2007-03-20 15:48 MST -------
I think that a possible approach is to have a totally different directory, say ~/AppArmoredFireFox ( RW access ), but with possibility to configure sharing between normal FFox and a protected-one, perhaps by hardlinking most important files ?

..For example, provide a script to configure FFox to have shared profiles via hardlinks, or have separate profiles... so users can choose - and everyone will be [hopefully] happy.

The default, perhaps, needs to be as user-friendly as possible, that is, shared accounts. I want normal users to at least try protected version.

Another possibility to share data between the FFoxes is to use Google Browser Sync. Not very good (slow+requires Internet), but it works.

As for icon, well, I hope that Mozilla will allow us to use it, if we tell them, that we must compete with Protected-IE7 in Vista, and it's very important for us. Yes, it's trademarked, but I want to play nice with Mozilla (please no IceWeasels here... if dialogue is possible)

Additionally, we must make it clear in the "About" dialog, that this version is special. Either write it in text, or even better provide the same icon, but in large resolution there.

-Alexey

------- Comment #14 from al4321@gmail.com 2007-04-04 10:40 MST -------
wooow... this thing had no progress for two weeks !

Assign to someone?

------- Comment #15 from al4321@gmail.com 2007-04-14 16:56 MST -------
So, people, is this moving ?

------- Comment #16 from seth.arnold@novell.com 2007-04-16 13:23 MST -------
Sorry Alexey, no news from me.. if you have the time and inclination to prepare a profile that would allow what you think should be allowed, it'd be a nice concrete discussion point..

Thanks

------- Comment #17 from al4321@gmail.com 2007-04-28 10:00 MST -------
Created an attachment (id=136242)
 --> (https://bugzilla.novell.com/attachment.cgi?id=136242&action=view)
AppArmored FireFox profile - Alpha1

------- Comment #18 from al4321@gmail.com 2007-04-28 11:46 MST -------
Created an attachment (id=136249)
 --> (https://bugzilla.novell.com/attachment.cgi?id=136249&action=view)
AppArmored FireFox profile - Alpha2

This version in addition to Alpha1 features, received some testing and Java support.

------- Comment #19 from al4321@gmail.com 2007-04-28 12:00 MST -------
BTW: The desktop Apparmored-FireFox icon is not enough, because it will only be seen in Start Menu.

We should rebuild FireFox in a way that the new icon is shown also in "Help->About" and in Taskbar, so users will know which window corresponds to which version of FireFox.

When users will have many FireFox windows opened at the same time, it will be easy to distinguish between armored and normal FireFoxes out there.

Usually I have over a dozen foxes opened with a dozen of tabs in each.

------- Comment #20 from al4321@gmail.com 2007-04-28 12:34 MST -------
Besides the icon problem there is another problem that will force us to rebuild FireFox: namely single process problem.

PROBLEM - 1 PROCESS:
Once there is 1 FireFox process running, there is no way I know of, to run a second FireFox process unless we use VMs with lot of overhead, which is not an option in this case. Hacking FireFox to start a second process may be required.

ICONS AGAIN: (licensing related)
Another thing on icons: how do we approach Mozilla to ask them to modify their icon ? Is there someone from openSUSE/Novell community with good connection to Mozilla?

This step is needed, because I want to push this icon: https://bugzilla.novell.com/attachment.cgi?id=125341 officially.

------- Comment #21 from al4321@gmail.com 2007-05-06 14:42 MST -------
Created an attachment (id=137790)
 --> (https://bugzilla.novell.com/attachment.cgi?id=137790&action=view)
Artwork: AppArmored FireFox - About Dialog

this is the new artwork - for the new product by me :)

------- Comment #22 from al4321@gmail.com 2007-05-24 14:24 MST -------
So, can anyone help with creating a package ? (RPM)

------- Comment #23 from al4321@gmail.com 2007-05-24 14:57 MST -------
Created an attachment (id=142155)
 --> (https://bugzilla.novell.com/attachment.cgi?id=142155&action=view)
AppArmored-FireFox.odt

This file describes my targets, my ideas and my expectation from this AppArmored FireFox project. It may be interesting to read.

Format: OpenDocument

------- Comment #24 from wolfgang@rosenauer.org 2007-06-04 07:51 MST -------
I got an answer from Mozilla Corporation about the branding. They won't allow changes to the logo anywhere. So no internal logo change and no different desktop icon. We would be allowed to change the menu title/shortcut though to reflect the locked down status.

------- Comment #25 from al4321@gmail.com 2007-06-09 12:22 MST -------
Too bad....

This can mean that we either must change only text, -or- go the Debian route with a known result: AppArmored IceWeasel.

I think that using standard Artwork is very bad idea, because if users have both normal and AppArmored Firefoxes run at the same time on their desktops, they may forget which is which and make mistakes... sometimes costly mistakes - when someone can phish their credit cards info.

I still haven't decided... What do people think ? I tend to favor AppArmored IceWeasel then...

The good news: I have set up AppArmored FireFox project home page, that explains about this project: http://en.opensuse.org/AppArmored_FireFox

It uses wiki, so users can ask me questions...

-Alexey "Technologov"

https://bugzilla.novell.com/show_bug.cgi?id=255541#c26

Dominic Reynolds <dreynolds@novell.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status |NEW |RESOLVED
Resolution | |LATER

--- Comment #26 from Dominic Reynolds <dreynolds@novell.com> 2007-08-20 13:32:12 MST ---
Move to later. This feature is not complete. Let's take a look after 10.3 and see what we can do here.