Vincas Dargis has proposed merging
~talkless/apparmor-profiles:fix-thunderbird-attachements into
apparmor-profiles:master.
Requested reviews:
AppArmor Developers (apparmor-dev)
For more details, see:
https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/332870
This is a modified (no sbin, less explicit) intrigeri patch [0][1] for fixing
Debian bug #855346 [2], which prevents Thunderbird users with the AppArmor profile
enabled from opening attachments.
Additionally, some cleanup is done to close #876333 [3].
For the record, I do not particularly like this attachment workaround (it
allows interpreters, wget...), but because *we do not have abstractions* to
cover all (most) various-document-format-opening cases, let's agree that:
1. This is a *temporary fix* to still have the Thunderbird profile enforced on Debian.
2. I will start an initiative to build a list of abstractions that would allow
browsers, email clients and IMs to open downloaded files of various formats.
[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855346#60
[1] https://git-tails.immerda.ch/icedove/commit/?h=bugfix/855346&id=8536c99bc4f00e46030b35ef271ff78ff41962b5
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855346#60
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876333
--
Your team AppArmor Developers is requested to review the proposed merge of
~talkless/apparmor-profiles:fix-thunderbird-attachements into
apparmor-profiles:master.
diff --git a/ubuntu/17.10/usr.bin.thunderbird b/ubuntu/17.10/usr.bin.thunderbird
index caec9ef..a816aa0 100644
--- a/ubuntu/17.10/usr.bin.thunderbird
+++ b/ubuntu/17.10/usr.bin.thunderbird
@@ -25,6 +25,11 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
#include <abstractions/ubuntu-browsers>
#include <abstractions/ubuntu-helpers>
+ # Allow opening attachments
+ # TODO: create and use abstractions for opening various file formats
+ /{usr/local/,usr/,}bin/* Cx -> sanitized_helper,
+ /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,
+
# For Xubuntu to launch the browser
/usr/bin/exo-open ixr,
/usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
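Review bot: the two new exec rules use different modifiers (`Cx` for `/{usr/local/,usr/,}bin/*`, `Cxr` for `soffice`) without a comment saying why; please make them consistent or note the reason. The glob also overlaps existing exec rules for the same paths (for example `/usr/bin/exo-open ixr,` just below, plus whatever `abstractions/ubuntu-browsers` and `abstractions/ubuntu-helpers` grant), so please confirm in the description that `apparmor_parser` accepts the resulting profile and that exo-open still runs under the intended exec mode. Since the description already states this rule deliberately lets any binary in bin run under `sanitized_helper` as a temporary measure, the `# TODO` comment should reference the bug (#855346) so the scope of the workaround is traceable when the abstractions exist.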
@@ -80,8 +85,6 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
owner @{HOME}/.local/share/applications/defaults.list r,
owner @{HOME}/.local/share/applications/mimeapps.list r,
owner @{HOME}/.local/share/applications/mimeinfo.cache r,
- owner /tmp/** m,
- owner /var/tmp/** m,
/tmp/.X[0-9]*-lock r,
/etc/udev/udev.conf r,
# Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
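Review bot: the removal of `owner /tmp/** m,` and `owner /var/tmp/** m,` is not explained anywhere in the description beyond "some cleanup is done to close #876333"; please state in the merge description (or a profile comment) why mmap on temporary files is no longer needed, and whether opening an attachment saved under /tmp was tested with the new `sanitized_helper` rules without producing `DENIED` entries for `m` in the audit log.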
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor