Package: thunderbird
Version: 1:52.4.0-1

I turned on AppArmor and Thunderbird stopped opening links for me. dmesg has the following denial message:

  [ 3795.153239] audit: type=1400 audit(1509283418.100:64): apparmor="DENIED" operation="exec" profile="thunderbird" name="/opt/google/chrome-beta/google-chrome-beta" pid=31896 comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

I think there needs to be some kind of defined way for browsers to be allowed to be executed. I understand that I use a browser that is not in the distribution, which makes this even more important. In this case the browser is literally set as the xdg default:

  $ xdg-settings get default-web-browser
  google-chrome-beta.desktop

/etc/apparmor.d/abstractions/ubuntu-browsers includes the regular google-chrome:

  /opt/google/chrome/google-chrome Cx -> sanitized_helper,

Literally the only browser Thunderbird should be able to execute is the one configured as the default, not some set of ancient and potentially exploitable other browsers (like some compiled against old webkit versions), looking at the current list in the abstraction.

I suppose one way would be to always launch some kind of sensible-browser binary and let that call out to the default browser only. Which might be what sanitized_helper is already trying to accomplish. Except that the abstraction leaks into the... abstraction. :)

Another way would be to let browser packages ship a file that allows their execution and then the installed ones are automatically available to Thunderbird (or another browser-spawning program). In this case Chrome would need to start shipping such a file.

Kind regards and thanks
Philipp Kern
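As an added example (not part of this bug report, and not code shipped by the Debian thunderbird package): a POSIX sh script that follows the reporter's "only the configured default browser" idea on a single machine. It looks up the .desktop entry named by "xdg-settings get default-web-browser", extracts the executable from its Exec= line, and appends the same kind of rule the ubuntu-browsers abstraction uses ("Cx -> sanitized_helper") to the profile's local override, then reloads the profile. It assumes the thunderbird profile includes <local/usr.bin.thunderbird> and <abstractions/ubuntu-helpers> (where sanitized_helper is defined); the function names and the override path are the example's own choices.

```shell
#!/bin/sh
# Added example: allow the xdg default browser from the thunderbird profile
# by appending a "Cx -> sanitized_helper" rule to the local override.
# Assumes /etc/apparmor.d/usr.bin.thunderbird includes
# <local/usr.bin.thunderbird> and <abstractions/ubuntu-helpers>.

# Print the path of the named .desktop file from the usual application
# directories (user dir first, as xdg does); return 1 if it is not found.
find_desktop_file() {
    for dir in "$HOME/.local/share/applications" \
               /usr/local/share/applications \
               /usr/share/applications; do
        if [ -f "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    return 1
}

# Print the absolute path of the program in the first Exec= line of a
# .desktop file. Arguments and field codes such as %U are dropped; a bare
# command name is resolved through PATH with "command -v".
desktop_exec() {
    cmd=$(sed -n 's/^Exec=//p' "$1" | head -n 1 | cut -d ' ' -f 1)
    [ -n "$cmd" ] || return 1
    case "$cmd" in
        /*) printf '%s\n' "$cmd" ;;
        *)  command -v "$cmd" ;;
    esac
}

# The rule to add. "Cx -> sanitized_helper" runs the browser in the
# restricted sanitized_helper child profile, the same transition the
# ubuntu-browsers abstraction uses; "ix" would run it under thunderbird's
# own rules and "ux" would run it unconfined, neither of which is wanted.
browser_rule() {
    printf '%s Cx -> sanitized_helper,\n' "$1"
}

# Resolve the default browser, add its rule once, and reload the profile.
# Needs root for the write and for apparmor_parser. Usage:
#   install_default_browser_rule
install_default_browser_rule() {
    override=/etc/apparmor.d/local/usr.bin.thunderbird
    entry=$(xdg-settings get default-web-browser) || return 1
    file=$(find_desktop_file "$entry") || return 1
    exe=$(desktop_exec "$file") || return 1
    rule=$(browser_rule "$exe")
    # Append only if an identical line is not already present.
    grep -qxF "$rule" "$override" 2>/dev/null || printf '%s\n' "$rule" >> "$override"
    apparmor_parser -r /etc/apparmor.d/usr.bin.thunderbird
}
```

After running it, the dmesg denial above should no longer appear when a link is clicked, and "aa-status" still lists thunderbird as enforced; because the rule lives in the local override it survives package upgrades of the main profile. Exec= lines with quoted paths containing spaces are not handled by the simple cut above.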

