Bug#829731: icedove: Please add an AppArmor profile for Icedove

2016-07-13 Thread Guido Günther
Hi,
On Tue, Jul 05, 2016 at 04:09:00PM +, u wrote:
> Package: icedove
> Severity: normal
> 
> Hi,
> 
> I've prepared a patch against current master which adds an AppArmor
> profile for Icedove. I've tested this profile for several months, but
> I've not tested building Icedove with this patch.

This looks ok to me and it should be added, although I'd really like to
see the commented-out code removed before applying it, and ideally not
have it reference any ubuntu-* profiles, since this confuses me a lot.

I do think that it's better to ship it now and work from there though.
Cheers,
 -- Guido
Bug#829731: icedove: Please add an AppArmor profile for Icedove

2016-07-05 Thread u
Package: icedove
Severity: normal

Hi,

I've prepared a patch against current master which adds an AppArmor
profile for Icedove. I've tested this profile for several months, but
I've not tested building Icedove with this patch.

The profile comes from upstream's latest revision 169:
http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/view/head:/ubuntu/16.10/usr.bin.thunderbird

Could you please try to add this to future versions of Icedove?

Documentation on how to use AppArmor is available here:
https://wiki.debian.org/AppArmor/HowToUse

Documentation on debugging the profile is available here:
https://wiki.debian.org/AppArmor/Debug

I'm happy to help with any testing, for this and future versions. I'll
also happily help to update this profile when upstream modifies it and
when Debian bug #816679 is resolved.

Cheers!
u.

From f7ca341b9abea2d88de14518e3aab45679a7791d Mon Sep 17 00:00:00 2001
From: Ulrike Uhlig 
Date: Tue, 5 Jul 2016 17:54:01 +0200
Subject: [PATCH] Add rebranded apparmor profile from upstream.

The profile was taken from commit 169. All occurrences of the brand name have
been renamed to Icedove.

debian/rules: Add rules to copy the profile.
debian/control: Add build dependency and suggests.
---
 debian/apparmor/usr.bin.icedove | 276 
 debian/control  |   2 +
 debian/rules|   3 +
 3 files changed, 281 insertions(+)
 create mode 100644 debian/apparmor/usr.bin.icedove

diff --git a/debian/apparmor/usr.bin.icedove b/debian/apparmor/usr.bin.icedove
new file mode 100644
index 000..11ac830
--- /dev/null
+++ b/debian/apparmor/usr.bin.icedove
@@ -0,0 +1,276 @@
+# vim:syntax=apparmor
+# Author: Simon Deziel 
+# This apparmor profile is derived from firefox profile
+# by Jamie Strandboge 
+
+# Declare an apparmor variable to help with overrides
+@{MOZ_LIBDIR}=/usr/lib/icedove
+
+#include 
+
+profile icedove /usr/lib/icedove/icedove {
+  #include 
+  #include 
+  #include 
+  # TODO: finetune this for required accesses
+  #include 
+  #include 
+  #include 
+  #include 
+  #include 
+  #include 
+  #include 
+  #include 
+  #include 
+  #include 
+  #include 
+
+  # for crash reports?
+  ptrace (read,trace) peer=@{profile_name},
+
+  # Pulseaudio
+  /usr/bin/pulseaudio Pixr,
+
+  owner @{HOME}/.{cache,config}/dconf/user rw,
+  owner /run/user/[0-9]*/dconf/user rw,
+  owner @{HOME}/.config/gtk-3.0/bookmarks r,
+  deny owner @{HOME}/.local/share/gvfs-metadata/* r,
+
+  # potentially extremely sensitive files
+  audit deny @{HOME}/.gnupg/** mrwkl,
+  audit deny @{HOME}/.ssh/** mrwkl,
+
+  # rw access to HOME is useful when sending/receiving attachments
+  owner @{HOME}/** rw,
+
+  # Required for LVM setups
+  /sys/devices/virtual/block/dm-[0-9]*/uevent r,
+
+  # Addons (too lax for icedove)
+  ##include 
+
+  # for networking
+  network inet stream,
+  network inet6 stream,
+  @{PROC}/[0-9]*/net/if_inet6 r,
+  @{PROC}/[0-9]*/net/ipv6_route r,
+  @{PROC}/[0-9]*/net/dev r,
+  @{PROC}/[0-9]*/net/wireless r,
+
+  # should maybe be in abstractions
+  /etc/ r,
+  /etc/mime.types r,
+  /etc/mailcap r,
+  /etc/xdg/*buntu/applications/defaults.listr, # for all derivatives
+  /etc/xfce4/defaults.list r,
+  /usr/share/xubuntu/applications/defaults.list r,
+  owner @{HOME}/.local/share/applications/defaults.list r,
+  owner @{HOME}/.local/share/applications/mimeapps.list r,
+  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
+  owner /tmp/** m,
+  owner /var/tmp/** m,
+  /tmp/.X[0-9]*-lock r,
+  /etc/udev/udev.conf r,
+  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
+  # Possibly move to an abstraction if anything else needs it.
+  deny /run/udev/data/** r,
+
+  /etc/timezone r,
+  /etc/wildmidi/wildmidi.cfg r,
+
+  # icedove specific
+  /etc/icedove/ r,
+  /etc/icedove/** r,
+  /etc/xul-ext/** r,
+  /etc/xulrunner-2.0*/ r,
+  /etc/xulrunner-2.0*/** r,
+  /etc/gre.d/ r,
+  /etc/gre.d/* r,
+
+  # noisy
+  deny @{MOZ_LIBDIR}/** w,
+  deny /usr/lib/icedove-addons/** w,
+  deny /usr/lib/xulrunner-addons/** w,
+  deny /usr/lib/xulrunner-*/components/*.tmp w,
+  deny /.suspended r,
+  deny /boot/initrd.img* r,
+  deny /boot/vmlinuz* r,
+  deny /var/cache/fontconfig/ w,
+  deny @{HOME}/.local/share/recently-used.xbel r,
+  deny @{HOME}/.* r,
+
+  # TODO: investigate
+  deny /usr/bin/gconftool-2 x,
+
+  owner @{PROC}/[0-9]*/mountinfo r,
+  owner @{PROC}/[0-9]*/stat r,
+  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
+  /sys/devices/pci[0-9]*/**/uevent r,
+  /etc/mtab r,
+  /etc/fstab r,
+
+  # Needed for the crash reporter
+  owner @{PROC}/[0-9]*/environ r,
+  owner @{PROC}/[0-9]*/auxv r,
+  /etc/lsb-release r,
+  /usr/bin/expr ix,
+  /sys/devices/system/cpu/ r,
+  /sys/devices/system/cpu/** r,
+
+  # about:memory
+  owner @{PROC}/[0-9]*/statm r,
+  owner @{PROC}/[0-9]*/smaps r,
+
+  # Needed for container to work in xul builds
+
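Review bot: `/etc/xdg/*buntu/applications/defaults.listr, # for all derivatives` is missing the whitespace between the path and the `r` mode, so a path with no permission set follows the comma and apparmor_parser will reject the whole profile at load time; it should read `/etc/xdg/*buntu/applications/defaults.list r,`. If this is only whitespace lost in transit, running `apparmor_parser -Q debian/apparmor/usr.bin.icedove` before upload will confirm the file still parses, and is worth doing anyway since the rebranding touched many paths (`/etc/icedove/`, `/usr/lib/icedove-addons/`, `@{MOZ_LIBDIR}`). The hunk also still carries the commented-out `##include` line under `# Addons (too lax for icedove)` and the `*buntu`/`xubuntu` defaults.list paths that Guido asked to have dropped, or at least a comment saying they are kept on purpose for derivatives.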