Hi Simon,

Simon McVittie (2026-02-22):
> On Mon, 16 Feb 2026 at 12:09:18 +0100, intrigeri wrote:
>>my next step, as announced on that MR a while ago, is to remove
>>the AppArmor profile from the Debian package in sid: without
>>a collaborative effort upstream, there's no good way for me to keep
>>maintaining it for Debian, with an amount of effort that I can
>>justify.
>
> I think that would be wise: this profile seems to be causing more 
> problems than it solves. I think the following bugs could be closed by 
> its removal: […]

Thank you, I've passed on this info via the MR:
https://salsa.debian.org/mozilla-team/thunderbird/-/merge_requests/11

>>Given the profile is so widely open
>
> In particular, it has
>
>    #include <abstractions/dbus-session>
>
> which is a complete sandbox escape: lots of session services can be 
> asked to execute arbitrary code via D-Bus. It also has
>
>    owner @{HOME}/.{cache,config}/dconf/user rw,
>
> which is a complete sandbox escape via any dconf/GSettings option that 
> can be configured to run arbitrary commands, for example GNOME's 
> desktop-wide custom keyboard shortcuts.

Thanks for this input!

Cheers,
-- 
intrigeri
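
Added example, not part of the original message: a small audit that flags the two rules Simon quotes above (the `abstractions/dbus-session` include and a writable `dconf/user` rule) in AppArmor profile text. The sample profile, the function names and the simplified rule parsing are assumptions made for illustration; only the two flagged rule lines come from the thread.

```python
import re

# Constructed sample profile; only the two flagged rules are quoted from the thread.
SAMPLE_PROFILE = """\
profile example /usr/bin/example {
  #include <abstractions/base>
  #include <abstractions/dbus-session>
  owner @{HOME}/.{cache,config}/dconf/user rw,
  owner @{HOME}/.cache/example/** rw,
  owner @{HOME}/.config/dconf/user r,
}
"""

# Matches both the "#include" and the bare "include" spelling.
INCLUDE_RE = re.compile(r"^\s*#?include\s+<abstractions/dbus-session>")
# Simplified file rule: optional "owner", a path containing "/", a permission string.
FILE_RULE_RE = re.compile(r"^\s*(?:owner\s+)?(\S*/\S*)\s+([rwaxmlkiPpCcUu]+),")


def expand_braces(path):
    """Expand {a,b} alternations; @{VAR} variables are left untouched."""
    m = re.search(r"(?<!@)\{([^{}]*)\}", path)
    if not m:
        return [path]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(path[:m.start()] + alt + path[m.end():]))
    return out


def audit(profile_text):
    """Return (line number, finding) pairs for the two rules discussed in the thread."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        if INCLUDE_RE.match(line):
            findings.append((lineno, "dbus-session abstraction"))
            continue
        m = FILE_RULE_RE.match(line)
        # Only the "w" permission is treated as write access in this sketch.
        if m and "w" in m.group(2):
            if any(p.endswith("/dconf/user") for p in expand_braces(m.group(1))):
                findings.append((lineno, "writable dconf user database"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_PROFILE):
        print(f"line {lineno}: {finding}")
```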
