Package: icedove
Severity: normal

Hi,

I've prepared a patch against current master which adds an AppArmor
profile for Icedove. I've tested this profile for several months, but
I have not tested building Icedove with this patch.

The profile comes from upstream's latest revision 169:
http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/view/head:/ubuntu/16.10/usr.bin.thunderbird

Could you please add this to future versions of Icedove?

Documentation on how to use AppArmor is available here:
https://wiki.debian.org/AppArmor/HowToUse

Documentation on debugging the profile is available here:
https://wiki.debian.org/AppArmor/Debug

I'm happy to help with any testing, for this and future versions. I'll
also happily help to update this profile when upstream modifies it and
when Debian bug #816679 is resolved.

Cheers!
u.
From f7ca341b9abea2d88de14518e3aab45679a7791d Mon Sep 17 00:00:00 2001
From: Ulrike Uhlig <u...@451f.org>
Date: Tue, 5 Jul 2016 17:54:01 +0200
Subject: [PATCH] Add rebranded apparmor profile from upstream.

The profile was taken from commit 169. All occurrences of the brand name have
been renamed to Icedove.

debian/rules: Add rules to copy the profile.
debian/control: Add build dependency and suggests.
---
 debian/apparmor/usr.bin.icedove | 276 ++++++++++++++++++++++++++++++++++++++++
 debian/control                  |   2 +
 debian/rules                    |   3 +
 3 files changed, 281 insertions(+)
 create mode 100644 debian/apparmor/usr.bin.icedove

diff --git a/debian/apparmor/usr.bin.icedove b/debian/apparmor/usr.bin.icedove
new file mode 100644
index 0000000..11ac830
--- /dev/null
+++ b/debian/apparmor/usr.bin.icedove
@@ -0,0 +1,276 @@
+# vim:syntax=apparmor
+# Author: Simon Deziel <simon.deziel at gmail_com>
+# This apparmor profile is derived from firefox profile
+# by Jamie Strandboge <ja...@canonical.com>
+
+# Declare an apparmor variable to help with overrides
+@{MOZ_LIBDIR}=/usr/lib/icedove
+
+#include <tunables/global>
+
+profile icedove /usr/lib/icedove/icedove {
+  #include <abstractions/audio>
+  #include <abstractions/aspell>
+  #include <abstractions/cups-client>
+  # TODO: finetune this for required accesses
+  #include <abstractions/dbus>
+  #include <abstractions/dbus-accessibility>
+  #include <abstractions/dbus-session>
+  #include <abstractions/gnome>
+  #include <abstractions/ibus>
+  #include <abstractions/nameservice>
+  #include <abstractions/p11-kit>
+  #include <abstractions/private-files>
+  #include <abstractions/ssl_certs>
+  #include <abstractions/ubuntu-browsers>
+  #include <abstractions/ubuntu-helpers>
+
+  # for crash reports?
+  ptrace (read,trace) peer=@{profile_name},
+
+  # Pulseaudio
+  /usr/bin/pulseaudio Pixr,
+
+  owner @{HOME}/.{cache,config}/dconf/user rw,
+  owner /run/user/[0-9]*/dconf/user rw,
+  owner @{HOME}/.config/gtk-3.0/bookmarks r,
+  deny owner @{HOME}/.local/share/gvfs-metadata/* r,
+
+  # potentially extremely sensitive files
+  audit deny @{HOME}/.gnupg/** mrwkl,
+  audit deny @{HOME}/.ssh/** mrwkl,
+
+  # rw access to HOME is useful when sending/receiving attachments
+  owner @{HOME}/** rw,
+
+  # Required for LVM setups
+  /sys/devices/virtual/block/dm-[0-9]*/uevent r,
+
+  # Addons (too lax for icedove)
+  ##include <abstractions/ubuntu-browsers.d/firefox>
+
+  # for networking
+  network inet stream,
+  network inet6 stream,
+  @{PROC}/[0-9]*/net/if_inet6 r,
+  @{PROC}/[0-9]*/net/ipv6_route r,
+  @{PROC}/[0-9]*/net/dev r,
+  @{PROC}/[0-9]*/net/wireless r,
+
+  # should maybe be in abstractions
+  /etc/ r,
+  /etc/mime.types r,
+  /etc/mailcap r,
+  /etc/xdg/*buntu/applications/defaults.list    r, # for all derivatives
+  /etc/xfce4/defaults.list r,
+  /usr/share/xubuntu/applications/defaults.list r,
+  owner @{HOME}/.local/share/applications/defaults.list r,
+  owner @{HOME}/.local/share/applications/mimeapps.list r,
+  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
+  owner /tmp/** m,
+  owner /var/tmp/** m,
+  /tmp/.X[0-9]*-lock r,
+  /etc/udev/udev.conf r,
+  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
+  # Possibly move to an abstraction if anything else needs it.
+  deny /run/udev/data/** r,
+
+  /etc/timezone r,
+  /etc/wildmidi/wildmidi.cfg r,
+
+  # icedove specific
+  /etc/icedove/ r,
+  /etc/icedove/** r,
+  /etc/xul-ext/** r,
+  /etc/xulrunner-2.0*/ r,
+  /etc/xulrunner-2.0*/** r,
+  /etc/gre.d/ r,
+  /etc/gre.d/* r,
+
+  # noisy
+  deny @{MOZ_LIBDIR}/** w,
+  deny /usr/lib/icedove-addons/** w,
+  deny /usr/lib/xulrunner-addons/** w,
+  deny /usr/lib/xulrunner-*/components/*.tmp w,
+  deny /.suspended r,
+  deny /boot/initrd.img* r,
+  deny /boot/vmlinuz* r,
+  deny /var/cache/fontconfig/ w,
+  deny @{HOME}/.local/share/recently-used.xbel r,
+  deny @{HOME}/.* r,
+
+  # TODO: investigate
+  deny /usr/bin/gconftool-2 x,
+
+  owner @{PROC}/[0-9]*/mountinfo r,
+  owner @{PROC}/[0-9]*/stat r,
+  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
+  /sys/devices/pci[0-9]*/**/uevent r,
+  /etc/mtab r,
+  /etc/fstab r,
+
+  # Needed for the crash reporter
+  owner @{PROC}/[0-9]*/environ r,
+  owner @{PROC}/[0-9]*/auxv r,
+  /etc/lsb-release r,
+  /usr/bin/expr ix,
+  /sys/devices/system/cpu/ r,
+  /sys/devices/system/cpu/** r,
+
+  # about:memory
+  owner @{PROC}/[0-9]*/statm r,
+  owner @{PROC}/[0-9]*/smaps r,
+
+  # Needed for container to work in xul builds
+  /usr/lib/xulrunner-*/plugin-container ixr,
+
+  # allow access to documentation and other files the user may want to look
+  # at in /usr and /opt
+  /usr/ r,
+  /usr/** r,
+  /opt/ r,
+  /opt/** r,
+
+  # so browsing directories works
+  / r,
+  /**/ r,
+
+  # per-user icedove configuration
+  owner @{HOME}/.icedove/ rw,
+  owner @{HOME}/.icedove/** rw,
+  owner @{HOME}/.icedove/**/storage.sdb k,
+  owner @{HOME}/.icedove/**/*.{db,parentlock,sqlite}* k,
+  owner @{HOME}/.icedove/plugins/** rm,
+  owner @{HOME}/.icedove/**/plugins/** rm,
+  owner @{HOME}/.cache/icedove/ rw,
+  owner @{HOME}/.cache/icedove/** rw,
+
+  #
+  # Extensions
+  # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
+  # Allow 'x' for downloaded extensions, but inherit policy for safety
+  owner @{HOME}/.icedove/**/extensions/** mixrw,
+  owner @{HOME}/.mozilla/extensions/**        mixr,
+  /usr/share/xul-ext/**/*.sqlite              rk,
+  /usr/lib/xul-ext/**/*.sqlite                rk,
+  /usr/lib/icedove-addons/extensions/**/*.sqlite rk,
+
+  deny @{MOZ_LIBDIR}/update.test w,
+  deny /usr/lib/mozilla/extensions/**/ w,
+  deny /usr/lib/xulrunner-addons/extensions/**/ w,
+  deny /usr/share/mozilla/extensions/**/ w,
+  deny /usr/share/mozilla/ w,
+
+  # Miscellaneous (to be abstracted)
+  # Ideally these would use a child profile. They are all ELF executables
+  # so running with 'Ux', while not ideal, is ok because we will at least
+  # benefit from glibc's secure execute.
+  /usr/bin/mkfifo Uxr,  # investigate
+  /bin/ps Uxr,
+  /bin/uname Uxr,
+  /usr/bin/locale Uxr,
+
+  /usr/bin/gpg Cx -> gpg,
+
+  profile gpg {
+    #include <abstractions/base>
+
+    # Required to import keys from keyservers
+    #include <abstractions/nameservice>
+    #include <abstractions/p11-kit>
+
+    # For smartcards?
+    /dev/bus/usb/ r,
+    /dev/bus/usb/[0-9]*/ r,
+    /dev/bus/usb/[0-9]*/[0-9]* r,
+
+    # LDAP key servers
+    /etc/ldap/ldap.conf r,
+
+    /usr/bin/gpg mr,
+    /usr/lib/gnupg/gpgkeys_* ix,
+    owner @{HOME}/.gnupg r,
+    owner @{HOME}/.gnupg/gpg.conf r,
+    owner @{HOME}/.gnupg/random_seed rwk,
+    owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
+    owner @{HOME}/.gnupg/secring.gpg rw,
+    owner @{HOME}/.gnupg/trustdb.gpg rw,
+    owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
+    owner @{HOME}/.gnupg/.#*[0-9]  rw,
+    owner @{HOME}/.gnupg/.#*[0-9]x rwl,
+    owner @{HOME}/** r,
+
+    owner /run/user/[0-9]*/keyring-*/gpg rw,
+
+    # for inline pgp
+    owner /tmp/encfile rw,
+    owner /tmp/encfile-[0-9]* rw,
+  }
+
+  /usr/bin/gpg2              Cx -> gpg2,
+  /usr/bin/gpgconf           Cx -> gpg2,
+  /usr/bin/gpg-connect-agent Cx -> gpg2,
+
+  # TB tries to create this file but has no business doing so
+  deny @{HOME}/.gnupg/gpg-agent.conf w,
+
+  profile gpg2 {
+    #include <abstractions/base>
+
+    # Required to import keys from keyservers
+    #include <abstractions/nameservice>
+    #include <abstractions/p11-kit>
+    /usr/lib/gnupg2/gpg2keys_hkp ix,
+
+    # silence noise from enigmail 1.9+
+    deny owner @{HOME}/.icedove/*/.parentlock w,
+    deny owner @{HOME}/.icedove/*/panacea.dat w,
+    deny owner @{HOME}/.icedove/*/*.mab w,
+    deny owner @{HOME}/.icedove/**/*.msf w,
+    deny owner @{HOME}/.cache/icedove/**/_CACHE_* w,
+
+    # For smartcards?
+    /dev/bus/usb/ r,
+    /dev/bus/usb/[0-9]*/ r,
+    /dev/bus/usb/[0-9]*/[0-9]* r,
+
+    # LDAP key servers
+    /etc/ldap/ldap.conf r,
+
+    /usr/bin/gpg-connect-agent mr,
+    owner @{HOME}/.gnupg/S.gpg-agent rw,
+    owner @{HOME}/.gnupg/S.dirmngr rw,
+
+    /usr/bin/gpg2 mr,
+    owner @{HOME}/.gnupg/ rw,
+    owner @{HOME}/.gnupg/gpg.conf r,
+    owner @{HOME}/.gnupg/random_seed rwk,
+    owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
+    owner @{HOME}/.gnupg/secring.gpg rw,
+    owner @{HOME}/.gnupg/trustdb.gpg rw,
+    owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
+    owner @{HOME}/.gnupg/.gpg-*.lock rwl,
+    owner @{HOME}/.gnupg/gnupg_spawn_*.lock rwl,
+    owner @{HOME}/.gnupg/.#lk0x[0-9a-f]* rwl,
+    owner @{HOME}/.gnupg/.gpg-v[0-9]*-migrated rw,
+    owner @{HOME}/** r,
+    owner @{PROC}/@{pids}/mountinfo r,
+
+    # for inline pgp
+    owner /tmp/encfile rw,
+    owner /tmp/encfile-[0-9]* rw,
+
+    # for signature generation
+    owner /tmp/nsemail.eml w,
+    owner /tmp/nsemail-[0-9]*.eml w,
+
+    # for signature verifications
+    owner /tmp/data.sig r,
+    owner /tmp/data-[0-9]*.sig r,
+
+    owner /tmp/gpg-[a-zA-Z0-9]*/S.gpg-agent rw,
+  }
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.bin.icedove>
+}
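Review bot: The `audit deny @{HOME}/.ssh/** mrwkl,` hardening at the top of the main profile does not reach the `gpg` and `gpg2` child profiles, which each grant `owner @{HOME}/** r,` and, as separate profiles, inherit none of the parent's deny rules; anything executed via the `Cx -> gpg`/`Cx -> gpg2` transitions can therefore read the user's SSH keys. Adding `audit deny @{HOME}/.ssh/** mrwkl,` inside both child profiles, next to their `owner @{HOME}/** r,` lines, restores the same restriction there (the `.gnupg` deny obviously must not be copied, since the children need that directory). The `Uxr` transitions for mkfifo, ps, uname and locale run those helpers unconfined; upstream already flags this with "investigate", but it is worth carrying that caveat into the Debian changelog so users know the child processes are not covered.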
diff --git a/debian/control b/debian/control
index b042288..66d4412 100644
--- a/debian/control
+++ b/debian/control
@@ -10,6 +10,7 @@ Build-Depends:
  autotools-dev,
  bzip2,
  debhelper (>= 7.0.50~),
+ dh-apparmor,
  dpkg-dev (>= 1.16.1~),
  libasound2-dev [linux-any],
  libatk-adaptor,
@@ -65,6 +66,7 @@ Recommends:
  iceowl-extension (= ${binary:Version}),
  myspell-en-us | hunspell-dictionary | myspell-dictionary,
 Suggests:
+ apparmor,
  fonts-lyx,
  libgssapi-krb5-2,
  ${gnome:Depends},
diff --git a/debian/rules b/debian/rules
index 5916929..90fcbf8 100755
--- a/debian/rules
+++ b/debian/rules
@@ -207,6 +207,9 @@ override_dh_install-indep:
 	# sometimes there are temporary build files in calendar-google-provider
 	@echo "    --> searching for temporary build files in 'calendar-google-provider' ..."
 	@for i in `find debian/calendar-google-provider/ -name ".mkdir.done*"`; do echo remove $$i && rm $$i; done
+	# install apparmor profile
+	cp debian/apparmor/usr.bin.icedove debian/icedove/apparmor/etc/apparmor.d/usr.bin.icedove
+	dh_apparmor --profile-name=usr.bin.icedove -picedove
 
 override_dh_fixperms-arch:
 	dh_fixperms
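Review bot: The `cp` destination `debian/icedove/apparmor/etc/apparmor.d/usr.bin.icedove` is never created by anything in the hunk, so `cp` will fail unless an earlier step makes that directory, and the extra `apparmor/` path component does not look like the `debian/icedove/etc/apparmor.d/` location that dh_apparmor reads the profile from — the submitter notes the build was not tested. Replacing the copy with `install -D -m 0644 debian/apparmor/usr.bin.icedove debian/icedove/etc/apparmor.d/usr.bin.icedove` creates the directory, fixes the mode and matches the path `dh_apparmor --profile-name=usr.bin.icedove -picedove` expects. The new lines sit inside `override_dh_install-indep`, whose target line and earlier body start outside the hunk; if the icedove binary package is architecture-dependent (the file also has `override_dh_fixperms-arch`), an arch-only build would skip this target and ship no profile, so the install may belong in the `-arch` counterpart instead — worth confirming against the package's Architecture field.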
-- 
2.1.4
