On Mon, Apr 18, 2016 at 09:57:24PM -0000, Simon Déziel wrote:
> On 2016-04-18 04:36 PM, Seth Arnold wrote:
> > I'm surprised about the silenced denials -- those seem wide-ranging
> > and potentially problematic. I might have even thought that
> > thunderbird should have ~/.thunderbird/** rwlk, access.
>
> The web view doesn't make it very easy to spot but those rules apply
> only to the _subprofile_ gpg2.

Thanks for highlighting that.

> > The static names in /tmp/ are interesting. Those may need more
> > research to see if those need a CVE. (It's possible to use static
> > names in /tmp safely, but the [0-9]* regex there gives me a bad
> > feeling.)
>
> When the base file already exists, a number is appended, that's only how
> far I checked this.

It's a bit dubious, but looking at the gpg2 subprofile, there's other
similar dubious /tmp/ usage already.

I've merged this branch after applying the changes to the 16.10 tree as
well.

--
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/

https://code.launchpad.net/~sdeziel/apparmor-profiles/thunderbird-enigmail-1.9/+merge/292191
Your team AppArmor Developers is requested to review the proposed merge of lp:~sdeziel/apparmor-profiles/thunderbird-enigmail-1.9 into lp:apparmor-profiles.
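An added example, not code from this thread or from the apparmor-profiles project: a small Python checker that walks an AppArmor profile, attributes each file rule to the profile or subprofile that encloses it (the scoping point Simon raises), and flags /tmp/ rules that use a static name or a fixed stem with a trailing `[0-9]*` suffix (the point Seth raises). The sample profile, its subprofile name and its /tmp/ paths are constructed for the example and are not the rules under review.

```python
import re
from typing import List, Tuple

# Constructed sample profile (not the profile under review): a main
# profile with a nested gpg2 subprofile, as the thread describes.
SAMPLE_PROFILE = """
/usr/lib/thunderbird/thunderbird {
  owner @{HOME}/.thunderbird/** rwk,
  /tmp/** rw,

  profile gpg2 {
    deny /etc/** r,
    owner /tmp/sample-agent[0-9]* rw,
    /tmp/sample-status w,
    /tmp/mozilla_*/ rw,
  }
}
"""

# A file rule: optional qualifiers, a path (or @{VAR} path), permissions, comma.
RULE_RE = re.compile(r"^(?:(?:audit|deny|owner)\s+)*(?P<path>[/@]\S*)\s+(?P<perms>[a-zA-Z]+),$")
GLOB_CHARS = set("*?[{")

def tmp_name_kind(path: str) -> str:
    """Classify a /tmp/ path: 'static' (no globbing at all), 'numbered'
    (fixed stem plus a trailing [0-9]* suffix) or '' (not a concern here)."""
    if not path.startswith("/tmp/"):
        return ""
    rest = path[len("/tmp/"):]
    if not GLOB_CHARS & set(rest):
        return "static"
    if re.fullmatch(r"[^*?\[{]+\[0-9\]\*", rest):
        return "numbered"
    return ""

def find_tmp_rules(profile_text: str) -> List[Tuple[str, str, str, str]]:
    """Walk the profile, tracking brace nesting so each finding is attributed
    to the (sub)profile it applies to, e.g. 'thunderbird//gpg2'."""
    stack: List[str] = []
    findings: List[Tuple[str, str, str, str]] = []
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                # profile or subprofile header
            head = line[:-1].split()
            name = head[1] if head[0] == "profile" else head[0].rsplit("/", 1)[-1]
            stack.append(name)
        elif line == "}":
            stack.pop()
        else:
            m = RULE_RE.match(line)
            if m and (kind := tmp_name_kind(m["path"])):
                findings.append(("//".join(stack), m["path"], m["perms"], kind))
    return findings
```

Running `find_tmp_rules(SAMPLE_PROFILE)` reports only the two gpg2 subprofile rules, which is how a reviewer can confirm that a questionable /tmp/ rule is confined to a subprofile rather than the main thunderbird profile.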
