Package: icedove
Severity: normal
Hi,
I've prepared a patch against the current master which adds an AppArmor
profile for Icedove. I've tested this profile for several months, but
I have not tested building Icedove with this patch.
The profile comes from upstream's latest revision 169:
http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/view/head:/ubuntu/16.10/usr.bin.thunderbird
Could you please try to add this to future versions of Icedove?
Documentation on how to use AppArmor is available here:
https://wiki.debian.org/AppArmor/HowToUse
Documentation on debugging the profile is available here:
https://wiki.debian.org/AppArmor/Debug
I'm happy to help with any testing, for this and future versions. I'll
also happily help to update this profile when upstream modifies it and
when Debian bug #816679 is resolved.
Cheers!
u.
From f7ca341b9abea2d88de14518e3aab45679a7791d Mon Sep 17 00:00:00 2001
From: Ulrike Uhlig
Date: Tue, 5 Jul 2016 17:54:01 +0200
Subject: [PATCH] Add rebranded apparmor profile from upstream.
The profile was taken from commit 169. All occurrences of the brand name have
been renamed to Icedove.
debian/rules: Add rules to copy the profile.
debian/control: Add build dependency and suggests.
---
debian/apparmor/usr.bin.icedove | 276
debian/control | 2 +
debian/rules| 3 +
3 files changed, 281 insertions(+)
create mode 100644 debian/apparmor/usr.bin.icedove
diff --git a/debian/apparmor/usr.bin.icedove b/debian/apparmor/usr.bin.icedove
new file mode 100644
index 000..11ac830
--- /dev/null
+++ b/debian/apparmor/usr.bin.icedove
@@ -0,0 +1,276 @@
+# vim:syntax=apparmor
+# Author: Simon Deziel
+# This apparmor profile is derived from firefox profile
+# by Jamie Strandboge
+
+# Declare an apparmor variable to help with overrides
+@{MOZ_LIBDIR}=/usr/lib/icedove
+
+#include
+
+profile icedove /usr/lib/icedove/icedove {
+ #include
+ #include
+ #include
+ # TODO: finetune this for required accesses
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # for crash reports?
+ ptrace (read,trace) peer=@{profile_name},
+
+ # Pulseaudio
+ /usr/bin/pulseaudio Pixr,
+
+ owner @{HOME}/.{cache,config}/dconf/user rw,
+ owner /run/user/[0-9]*/dconf/user rw,
+ owner @{HOME}/.config/gtk-3.0/bookmarks r,
+ deny owner @{HOME}/.local/share/gvfs-metadata/* r,
+
+ # potentially extremely sensitive files
+ audit deny @{HOME}/.gnupg/** mrwkl,
+ audit deny @{HOME}/.ssh/** mrwkl,
+
+ # rw access to HOME is useful when sending/receiving attachments
+ owner @{HOME}/** rw,
+
+ # Required for LVM setups
+ /sys/devices/virtual/block/dm-[0-9]*/uevent r,
+
+ # Addons (too lax for icedove)
+ ##include
+
+ # for networking
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/[0-9]*/net/if_inet6 r,
+ @{PROC}/[0-9]*/net/ipv6_route r,
+ @{PROC}/[0-9]*/net/dev r,
+ @{PROC}/[0-9]*/net/wireless r,
+
+ # should maybe be in abstractions
+ /etc/ r,
+ /etc/mime.types r,
+ /etc/mailcap r,
+ /etc/xdg/*buntu/applications/defaults.listr, # for all derivatives
+ /etc/xfce4/defaults.list r,
+ /usr/share/xubuntu/applications/defaults.list r,
+ owner @{HOME}/.local/share/applications/defaults.list r,
+ owner @{HOME}/.local/share/applications/mimeapps.list r,
+ owner @{HOME}/.local/share/applications/mimeinfo.cache r,
+ owner /tmp/** m,
+ owner /var/tmp/** m,
+ /tmp/.X[0-9]*-lock r,
+ /etc/udev/udev.conf r,
+ # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
+ # Possibly move to an abstraction if anything else needs it.
+ deny /run/udev/data/** r,
+
+ /etc/timezone r,
+ /etc/wildmidi/wildmidi.cfg r,
+
+ # icedove specific
+ /etc/icedove/ r,
+ /etc/icedove/** r,
+ /etc/xul-ext/** r,
+ /etc/xulrunner-2.0*/ r,
+ /etc/xulrunner-2.0*/** r,
+ /etc/gre.d/ r,
+ /etc/gre.d/* r,
+
+ # noisy
+ deny @{MOZ_LIBDIR}/** w,
+ deny /usr/lib/icedove-addons/** w,
+ deny /usr/lib/xulrunner-addons/** w,
+ deny /usr/lib/xulrunner-*/components/*.tmp w,
+ deny /.suspended r,
+ deny /boot/initrd.img* r,
+ deny /boot/vmlinuz* r,
+ deny /var/cache/fontconfig/ w,
+ deny @{HOME}/.local/share/recently-used.xbel r,
+ deny @{HOME}/.* r,
+
+ # TODO: investigate
+ deny /usr/bin/gconftool-2 x,
+
+ owner @{PROC}/[0-9]*/mountinfo r,
+ owner @{PROC}/[0-9]*/stat r,
+ owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
+ /sys/devices/pci[0-9]*/**/uevent r,
+ /etc/mtab r,
+ /etc/fstab r,
+
+ # Needed for the crash reporter
+ owner @{PROC}/[0-9]*/environ r,
+ owner @{PROC}/[0-9]*/auxv r,
+ /etc/lsb-release r,
+ /usr/bin/expr ix,
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/cpu/** r,
+
+ # about:memory
+ owner @{PROC}/[0-9]*/statm r,
+ owner @{PROC}/[0-9]*/smaps r,
+
+ # Needed for container to work in xul builds
+