Simon Déziel has proposed merging
~sdeziel/apparmor-profiles/+git/apparmor-profiles:thunderbird-icedove-debian
into apparmor-profiles:master.
Requested reviews:
AppArmor Developers (apparmor-dev)
For more details, see:
https://code.launchpad.net/~sdeziel/apparmor-profiles/+git/apparmor-profiles/+merge/330183
As explained in [1], the policy shipped by Debian has diverged from the one
here (lp:apparmor-profiles).
This MP is to sync with Debian Stretch. Since 17.10's version is compatible
with merged-/usr, I also added that back on top of Debian's version. The goal is
to get this back into Debian once this MP is merged.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874100
diff --git a/ubuntu/17.10/usr.bin.thunderbird b/ubuntu/17.10/usr.bin.thunderbird
index e74e9f5..caec9ef 100644
--- a/ubuntu/17.10/usr.bin.thunderbird
+++ b/ubuntu/17.10/usr.bin.thunderbird
@@ -25,6 +25,12 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
#include <abstractions/ubuntu-browsers>
#include <abstractions/ubuntu-helpers>
+ # For Xubuntu to launch the browser
+ /usr/bin/exo-open ixr,
+ /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
+ /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
+ /etc/xdg/xfce4/helpers.rc r,
+
# for crash reports?
ptrace (read,trace) peer=@{profile_name},
@@ -45,6 +51,10 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
# rw access to HOME is useful when sending/receiving attachments
owner @{HOME}/** rw,
+ # other commonly used locations
+ /{data,media,mnt,srv}/** r,
+ owner /{data,media,mnt,srv}/** rw,
+
# Required for LVM setups
/sys/devices/virtual/block/dm-[0-9]*/uevent r,
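Review bot: The non-owner rule `/{data,media,mnt,srv}/** r,` grants Thunderbird read access to every file under those trees regardless of ownership, which is broader than the `owner @{HOME}/** rw,` pattern it sits next to, and the `# other commonly used locations` comment does not say why the unowned read is needed. If the intent is only to let users attach files from mounted media, the `owner /{data,media,mnt,srv}/** rw,` line alone may be enough; if root-owned shared mounts really must be readable (presumably the case for removable media), a comment such as `# read-only access to shared/removable media that is not necessarily user-owned` would help the next reviewer. /srv in particular tends to hold service data rather than user files, so it may be worth dropping from the read-only rule. The enclosing profile starts and ends outside this hunk.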
@@ -58,6 +68,7 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
@{PROC}/[0-9]*/net/ipv6_route r,
@{PROC}/[0-9]*/net/dev r,
@{PROC}/[0-9]*/net/wireless r,
+ @{PROC}/[0-9]*/net/arp r,
# should maybe be in abstractions
/etc/ r,
@@ -108,13 +119,19 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
owner @{PROC}/[0-9]*/stat r,
owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
/sys/devices/pci[0-9]*/**/uevent r,
+ /sys/devices/pci*/**/config r,
+ /sys/devices/system/node/node[0-9]*/meminfo r,
/etc/mtab r,
/etc/fstab r,
# Needed for the crash reporter
owner @{PROC}/[0-9]*/environ r,
owner @{PROC}/[0-9]*/auxv r,
+ owner @{PROC}/[0-9]*/status r,
+ owner @{PROC}/[0-9]*/cmdline r,
/etc/lsb-release r,
+ /etc/ssl/openssl.cnf r,
+ /usr/lib/thunderbird/crashreporter ix,
/usr/bin/expr ix,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
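Review bot: The new `/sys/devices/pci*/**/config r,` line uses a wider glob than the existing `/sys/devices/pci[0-9]*/**/uevent r,` directly above it, and neither it nor the `node[0-9]*/meminfo` line says what needs PCI config-space reads. Suggest aligning the pattern, `/sys/devices/pci[0-9]*/**/config r,`, and adding a one-line reason above it. The added `/etc/ssl/openssl.cnf r,` and the `status`/`cmdline` rules all land under the pre-existing `# Needed for the crash reporter` comment; if openssl.cnf is read by the main process rather than by the crash reporter (not determinable from the diff), moving it out of that section keeps the comment accurate.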
@@ -138,12 +155,12 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
/**/ r,
# per-user thunderbird configuration
- owner @{HOME}/.thunderbird/ rw,
- owner @{HOME}/.thunderbird/** rw,
- owner @{HOME}/.thunderbird/**/storage.sdb k,
- owner @{HOME}/.thunderbird/**/*.{db,parentlock,sqlite}* k,
- owner @{HOME}/.thunderbird/plugins/** rm,
- owner @{HOME}/.thunderbird/**/plugins/** rm,
+ owner @{HOME}/.{icedove,thunderbird}/ rw,
+ owner @{HOME}/.{icedove,thunderbird}/** rw,
+ owner @{HOME}/.{icedove,thunderbird}/**/storage.sdb k,
+ owner @{HOME}/.{icedove,thunderbird}/**/*.{db,parentlock,sqlite}* k,
+ owner @{HOME}/.{icedove,thunderbird}/plugins/** rm,
+ owner @{HOME}/.{icedove,thunderbird}/**/plugins/** rm,
owner @{HOME}/.cache/thunderbird/ rw,
owner @{HOME}/.cache/thunderbird/** rw,
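Review bot: The profile-directory rules are widened to `.{icedove,thunderbird}` but the cache rules on the last two lines of the hunk still name only `@{HOME}/.cache/thunderbird/`. If an Icedove-era profile keeps its cache under a `~/.cache/icedove` directory (not verifiable from the diff), those accesses would be denied and logged; the same asymmetry exists for the `deny owner @{HOME}/.cache/thunderbird/**/_CACHE_* w,` line in the gpg child profile further down. Either widen those to `.cache/{icedove,thunderbird}` or add a comment stating that Icedove cache paths are intentionally not covered.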
@@ -154,7 +171,7 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
# Extensions
# /usr/share/.../extensions/... is already covered by '/usr/** r', above.
# Allow 'x' for downloaded extensions, but inherit policy for safety
- owner @{HOME}/.thunderbird/**/extensions/** mixrw,
+ owner @{HOME}/.{icedove,thunderbird}/**/extensions/** mixrw,
owner @{HOME}/.mozilla/extensions/** mixr,
/usr/share/xul-ext/**/*.sqlite rk,
/usr/lib/xul-ext/**/*.sqlite rk,
@@ -175,67 +192,30 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
/{usr/,}bin/uname Uxr,
/usr/bin/locale Uxr,
- /usr/bin/gpg Cx -> gpg,
-
- profile gpg {
- #include <abstractions/base>
-
- # Required to import keys from keyservers
- #include <abstractions/nameservice>
- #include <abstractions/p11-kit>
-
- # For smartcards?
- /dev/bus/usb/ r,
- /dev/bus/usb/[0-9]*/ r,
- /dev/bus/usb/[0-9]*/[0-9]* r,
-
- # LDAP key servers
- /etc/ldap/ldap.conf r,
-
- /usr/bin/gpg mr,
- /usr/lib/gnupg/gpgkeys_* ix,
- owner @{HOME}/.gnupg r,
- owner @{HOME}/.gnupg/gpg.conf r,
- owner @{HOME}/.gnupg/random_seed rwk,
- owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
- owner @{HOME}/.gnupg/secring.gpg rw,
- owner @{HOME}/.gnupg/trustdb.gpg rw,
- owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
- owner @{HOME}/.gnupg/.#*[0-9] rw,
- owner @{HOME}/.gnupg/.#*[0-9]x rwl,
- owner @{HOME}/** r,
-
- owner /run/user/[0-9]*/keyring-*/gpg rw,
-
- # for inline pgp
- owner /tmp/encfile rw,
- owner /tmp/encfile-[0-9]* rw,
- }
-
- /usr/bin/gpg2 Cx -> gpg2,
- /usr/bin/gpgconf Cx -> gpg2,
- /usr/bin/gpg-connect-agent Cx -> gpg2,
+ /usr/bin/gpg Cx -> gpg,
+ /usr/bin/gpg2 Cx -> gpg,
+ /usr/bin/gpgconf Cx -> gpg,
+ /usr/bin/gpg-connect-agent Cx -> gpg,
# TB tries to create this file but has no business doing so
deny @{HOME}/.gnupg/gpg-agent.conf w,
- profile gpg2 {
+ profile gpg {
#include <abstractions/base>
# Required to import keys from keyservers
#include <abstractions/nameservice>
#include <abstractions/p11-kit>
- /usr/lib/gnupg2/gpg2keys_hkp ix,
+
+ /usr/share/xul-ext/enigmail/chrome/enigmail.jar r,
# silence noise from enigmail 1.9+
- deny owner @{HOME}/.thunderbird/*/.parentlock w,
- deny owner @{HOME}/.thunderbird/*/panacea.dat w,
- deny owner @{HOME}/.thunderbird/*/*.mab w,
- deny owner @{HOME}/.thunderbird/**/*.msf w,
+ deny owner @{HOME}/.{icedove,thunderbird}/*/.parentlock w,
+ deny owner @{HOME}/.{icedove,thunderbird}/*/panacea.dat w,
+ deny owner @{HOME}/.{icedove,thunderbird}/*/*.mab w,
+ deny owner @{HOME}/.{icedove,thunderbird}/**/*.msf w,
deny owner @{HOME}/.cache/thunderbird/**/_CACHE_* w,
- /usr/share/xul-ext/enigmail/chrome/enigmail.jar r,
-
# For smartcards?
/dev/bus/usb/ r,
/dev/bus/usb/[0-9]*/ r,
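Review bot: The merged child profile `profile gpg {` now backs four executables (`gpg`, `gpg2`, `gpgconf`, `gpg-connect-agent`) but carries no comment saying it is the union of the former `gpg` and `gpg2` profiles, so a later reader may wonder why GnuPG 1 and 2 paths are mixed in one profile. Suggest a header comment above the `profile gpg {` line, e.g. `# Shared child profile for GnuPG 1.x and 2.x (gpg, gpg2, gpgconf, gpg-connect-agent); merged from the former gpg and gpg2 profiles`. Merging also means the GnuPG 1 binaries now receive rules that were previously granted only to the gpg2 profile (the lock and agent-socket rules in the next hunk); that looks acceptable since both run under the same confinement, but it is worth stating in the MP description. The child profile body continues past this hunk.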
@@ -244,25 +224,32 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
# LDAP key servers
/etc/ldap/ldap.conf r,
- /usr/bin/gpg-connect-agent mr,
- owner @{HOME}/.gnupg/S.gpg-agent rw,
- owner @{HOME}/.gnupg/S.dirmngr rw,
-
+ /usr/bin/gpg mr,
/usr/bin/gpg2 mr,
+ /usr/bin/gpgconf mr,
+ /usr/bin/gpg-connect-agent mr,
+ /usr/lib/gnupg/gpgkeys_* ix,
+ /usr/lib/gnupg2/gpg2keys_* ix,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/gpg.conf r,
owner @{HOME}/.gnupg/random_seed rwk,
owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
owner @{HOME}/.gnupg/secring.gpg rw,
owner @{HOME}/.gnupg/trustdb.gpg rw,
+ owner @{HOME}/.gnupg/S.gpg-agent rw,
+ owner @{HOME}/.gnupg/S.dirmngr rw,
owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
owner @{HOME}/.gnupg/.gpg-*.lock rwl,
owner @{HOME}/.gnupg/gnupg_spawn_*.lock rwl,
+ owner @{HOME}/.gnupg/.#*[0-9] rw,
+ owner @{HOME}/.gnupg/.#*[0-9]x rwl,
owner @{HOME}/.gnupg/.#lk0x[0-9a-f]* rwl,
owner @{HOME}/.gnupg/.gpg-v[0-9]*-migrated rw,
owner @{HOME}/** r,
owner @{PROC}/@{pids}/mountinfo r,
+ owner /run/user/[0-9]*/keyring-*/gpg rw,
+
# for inline pgp
owner /tmp/encfile rw,
owner /tmp/encfile-[0-9]* rw,
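Review bot: `/usr/lib/gnupg2/gpg2keys_* ix,` replaces the removed `/usr/lib/gnupg2/gpg2keys_hkp ix,` and so lets every keyserver helper execute under the child profile rather than only the HKP one; because they run `ix` they stay confined, but the widening is silent in both the diff and the description. Suggest a comment on that line, e.g. `# keyserver helpers; all inherit this profile`, or keeping the hkp-only rule if the other helpers are not actually exercised. The rest of the hunk is a straight merge of the old `gpg` rules into the combined profile. The child profile starts before this hunk.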
@@ -276,8 +263,35 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
owner /tmp/data-[0-9]*.sig r,
owner /tmp/gpg-[a-zA-Z0-9]*/S.gpg-agent rw,
+
+ /usr/share/sounds/** r,
+ }
+
+ /usr/bin/lsb_release Cxr -> lsb_release,
+ profile lsb_release {
+ #include <abstractions/base>
+ #include <abstractions/python>
+ /usr/bin/lsb_release r,
+ /{usr/,}bin/dash ixr,
+ /usr/bin/dpkg-query ixr,
+ /usr/include/python2.[4567]/pyconfig.h r,
+ /etc/lsb-release r,
+ /etc/debian_version r,
+ /var/lib/dpkg/** r,
+
+ /usr/local/lib/python3.[0-9]/dist-packages/ r,
+ /usr/bin/ r,
+ /usr/bin/python3.[0-9] r,
+
+ /etc/apt/apt.conf.d/ r,
+ /etc/default/apport r,
+ /usr/share/distro-info/debian.csv r,
+
+ # file_inherit
+ deny /tmp/gtalkplugin.log w,
}
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.thunderbird>
}
+
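Review bot: The `/usr/bin/python3.[0-9] r,` and `/usr/local/lib/python3.[0-9]/dist-packages/ r,` rules in the new `lsb_release` child profile match only single-digit minor versions, so they stop matching at Python 3.10; the profile already uses the `{,~}` alternation idiom, so `python3.[0-9]{,[0-9]}` keeps them working. The interpreter is granted only `r`, not `m`; whether that is sufficient for mapping the interpreter depends on what `abstractions/python` already grants, which is worth confirming before merging. The `/usr/include/python2.[4567]/pyconfig.h r,` rule sits next to python3-only rules with no comment, so a note such as `# lsb_release is still a python2 script on some releases` (if that is the reason) would help. `/var/lib/dpkg/** r,` is broad but read-only; a short comment that dpkg-query needs the whole database would make the intent clear.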