On 2017-11-01 03:52 AM, intrigeri wrote:
> Hi,
>
> Simon Deziel:
>> On 2017-10-31 08:32 AM, Philipp Kern wrote:
>>> When I use Thunderbird I see a lot of these in the kernel log (probably
>>> whenever I look at a signed and/or encrypted email):
>>>
>>> [94784.485686] audit: type=1400 audit(1509453045.981:153):
>>> apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg"
>>> name="/usr/share/thunderbird/omni.ja" pid=4440 comm="gpg2"
>>> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>
> This means that Thunderbird has run gpg2 that inherited an open file
> descriptor to omni.ja (AppArmor now mediates such inherited file
> descriptors). But it does not imply that gpg2 has tried to access
> omni.ja whatsoever.
>
>>> I don't see an obvious degradation of the client. Even gpg-encrypted
>>> mails get handled correctly by Enigmail. But I suppose some kind of rule
>>> is missing to make the log lines go away?
>
> Indeed.
>
>> I'd be tempted to add a deny rule to silence it. Opinions?
>
> Yes, please :)

https://code.launchpad.net/~sdeziel/apparmor-profiles/+git/apparmor-profiles/+merge/333081

> You might need to add more than just the omni.ja rule, like I had to
> do for torbrowser-launcher:
> https://github.com/intrigeri/torbrowser-launcher/commit/d043788f590e8ff2da585e3512a0e596e7460ff8

There was already some overlap with other deny rules so I think we are
good for now at least. Thanks

Regards,
Simon
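An added example, not part of the thread or of the apparmor-profiles merge request: a small Python triage script that pulls `file_inherit` denials out of kernel audit lines and prints candidate `deny` rules per profile for manual review. The first sample record is the one quoted above joined onto one line; the other two records and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: record 1 is the audit line quoted in the thread,
# records 2 and 3 are made up to show what the filter ignores.
SAMPLE_LOG = """\
[94784.485686] audit: type=1400 audit(1509453045.981:153): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/usr/share/thunderbird/omni.ja" pid=4440 comm="gpg2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[94790.000001] audit: type=1400 audit(1509453051.100:154): apparmor="DENIED" operation="open" profile="thunderbird//gpg" name="/home/user/notes.txt" pid=4441 comm="gpg2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[94791.000002] audit: type=1400 audit(1509453052.200:155): apparmor="ALLOWED" operation="file_inherit" profile="example" name="/tmp/x" pid=4442 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {key: val.strip('"') for key, val in FIELD.findall(line)}

def inherit_denials(log_text):
    """Map profile -> {path: perms} for DENIED file_inherit records only."""
    found = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or rec.get("operation") != "file_inherit":
            continue  # real access attempts and complain-mode records need a human
        path, mask = rec.get("name", ""), rec.get("denied_mask", "")
        # Skip hex-encoded or missing names and masks other than plain r/w.
        if not path.startswith("/") or not mask or set(mask) - set("rw"):
            continue
        profile = rec.get("profile", "?")
        prev = found[profile].get(path, "")
        found[profile][path] = "".join(c for c in "rw" if c in prev + mask)
    return found

def deny_rules(log_text):
    """Render candidate 'deny' rules, grouped by profile, for manual review."""
    out = []
    for profile, paths in sorted(inherit_denials(log_text).items()):
        out.append(f"# profile {profile}")
        out += [f"  deny {path} {perms}," for path, perms in sorted(paths.items())]
    return out

if __name__ == "__main__":
    print("\n".join(deny_rules(SAMPLE_LOG)))
```

Only inherited-descriptor denials are turned into rules; the `open` denial in the sample is left out because it records an actual access attempt rather than a leaked file descriptor.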

