Hello Vincas,

could you check if the proposed modification to the profile is
acceptable? For me this looks good.

On 09.02.19 at 22:38, Anthony DeRobertis wrote:
> Package: thunderbird
> Version: 1:60.4.0-1
> Severity: minor
> 
> Whenever a calendar reminder is displaying, Thunderbird is flooding my
> logs with apparmor denials:
> 
> Feb  9 16:20:34 Watt kernel: [518027.774746] audit: type=1400 
> audit(1549747234.261:2371): apparmor="DENIED" operation="open" 
> profile="thunderbird" name="/home/anthony/.local/share/mime/mime.cache" 
> pid=4245 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 
> ouid=1000
> Feb  9 16:20:34 Watt kernel: [518027.774759] audit: type=1400 
> audit(1549747234.261:2372): apparmor="DENIED" operation="open" 
> profile="thunderbird" name="/home/anthony/.local/share/mime/globs2" pid=4245 
> comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> Feb  9 16:20:34 Watt kernel: [518027.774761] audit: type=1400 
> audit(1549747234.261:2373): apparmor="DENIED" operation="open" 
> profile="thunderbird" name="/home/anthony/.local/share/mime/magic" pid=4245 
> comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> ... [snip]
> Feb  9 16:22:13 Watt kernel: [518126.872750] audit: type=1400 
> audit(1549747333.359:2412): apparmor="DENIED" operation="open" 
> profile="thunderbird" name="/home/anthony/.local/share/mime/generic-icons" 
> pid=4245 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 
> ouid=1000
> 
> The journal has 264 lines of this in the last hour alone (during which
> the machine was sitting idle, untouched, but Thunderbird was displaying
> a calendar reminder)
> 
> I added this, seems reasonable for Thunderbird to read the MIME
> database:
> 
> diff --git a/apparmor.d/usr.bin.thunderbird b/apparmor.d/usr.bin.thunderbird
> index b5c6251..bbf11be 100644
> --- a/apparmor.d/usr.bin.thunderbird
> +++ b/apparmor.d/usr.bin.thunderbird
> @@ -99,6 +99,9 @@ profile thunderbird @{thunderbird_executable} {
>    @{PROC}/[0-9]*/net/wireless r,
>    @{PROC}/[0-9]*/net/arp r,
>  
> +  # local - more MIME stuff
> +  owner @{HOME}/.local/share/mime/** r,
> +
>    # should maybe be in abstractions
>    /etc/ r,
>    /etc/mime.types r,
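
Review bot: The comment on the added rule, "# local - more MIME stuff", records that this was a local tweak rather than why the access is needed; for the shipped profile it should name what is being read, the per-user shared MIME database (mime.cache, globs2, magic and generic-icons in the denials quoted above). The rule itself is `owner`-restricted and read-only, which matches the logged requested_mask="r" with fsuid and ouid both 1000. Note that `**` covers files below the directory but not the directory `@{HOME}/.local/share/mime/` itself; the quoted denials are all file opens, so the rule is enough for them, but a read of the directory would need its own line. Given the "should maybe be in abstractions" remark directly below the addition, it is worth deciding whether this rule belongs with those entries instead of in a separate block.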

-- 
Regards
Carsten Schoenert
