Bug#909281: Apparmor: allow access to ~/.mailcap
Package: thunderbird Version: 1:60.0-3 Followup-For: Bug #909281 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I'm not sure if anything needs to be done to let Thunderbird actually fork/exec a program from ~/.mailcap, but just to read it is, I think: diff --git a/apparmor.d/usr.bin.thunderbird b/apparmor.d/usr.bin.thunderbird index 1ffb231..d418aa9 100644 - --- a/apparmor.d/usr.bin.thunderbird +++ b/apparmor.d/usr.bin.thunderbird 
@@ -108,6 +108,7 @@ profile thunderbird @{thunderbird_executable} { owner @{HOME}/.local/share/applications/defaults.list r, owner @{HOME}/.local/share/applications/mimeapps.list r, owner @{HOME}/.local/share/applications/mimeinfo.cache r, + owner @{HOME}/.mailcap r, owner @{HOME}/.recently-used r, /tmp/.X[0-9]*-lock r, /etc/udev/udev.conf r, - -- System Information: Debian Release: buster/sid APT prefers testing-debug APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (130, 'unstable-debug'), (130, 'unstable'), (120, 'experimental-debug'), (120, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.16.0-1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages thunderbird depends on: ii debianutils 4.8.6 ii fontconfig2.13.0-5 ii libatk1.0-0 2.28.1-1 ii libc6 2.27-6 ii libcairo-gobject2 1.15.12-1 ii libcairo2 1.15.12-1 ii libdbus-1-3 1.12.10-1 ii libdbus-glib-1-2 0.110-3 ii libevent-2.1-62.1.8-stable-4 ii libffi6 3.2.1-8 ii libfontconfig12.13.0-5 ii libfreetype6 2.8.1-2 ii libgcc1 1:8.2.0-6 ii libgdk-pixbuf2.0-02.36.12-2 ii libglib2.0-0 2.56.1-2 ii libgtk-3-03.22.30-2 ii libgtk2.0-0 2.24.32-3 ii libhunspell-1.6-0 1.6.2-1+b1 ii libicu60 60.2-6 ii libjsoncpp1 1.7.4-3 ii libnspr4 2:4.20-1 ii libnss3 2:3.39-1 ii libpango-1.0-01.42.4-1 ii libpangocairo-1.0-0 1.42.4-1 ii libpangoft2-1.0-0 1.42.4-1 ii libsqlite3-0 3.24.0-1 ii libstartup-notification0 0.12-5 ii libstdc++68.2.0-6 ii libvpx5 1.7.0-3 ii libx11-6 2:1.6.6-1 ii libx11-xcb1 2:1.6.6-1 ii libxcb-shm0 1.13-3 ii libxcb1 1.13-3 ii libxext6 2:1.3.3-1+b2 ii libxrender1 1:0.9.10-1 ii libxt61:1.1.5-1 ii psmisc23.1-1+b1 ii x11-utils 7.7+4 ii zlib1g1:1.2.11.dfsg-1 Versions of packages thunderbird recommends: ii hunspell-en-us [hunspell-dictionary] 1:2018.04.16-1 ii lightning 1:60.0-3 
Versions of packages thunderbird suggests: ii apparmor 2.13-8 ii fonts-lyx 2.3.0-3 ii libgssapi-krb5-2 1.16-2 -- Configuration Files: /etc/apparmor.d/usr.bin.thunderbird changed [not included] -- debconf information excluded
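Review bot: the added `owner @{HOME}/.mailcap r,` only covers the two logged `requested_mask="r"` denials; executing the handlers listed in that file is not covered, and since the profile cannot derive exec permissions from the file's contents, each handler still needs its own exec rule (such as `/usr/bin/foo PUx,`), which fits better in `/etc/apparmor.d/local/usr.bin.thunderbird` than in the packaged profile. Also, the file header appears as `- --- a/apparmor.d/usr.bin.thunderbird` because of PGP dash-escaping in the clearsigned message, so the patch has to be de-escaped (for example by running the message through `gpg --decrypt`) before `git apply` will accept it.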
Bug#909281: Apparmor: allow access to ~/.mailcap
On Thu, 20 Sep 2018 16:53:44 -0400 Anthony DeRobertis wrote:
> would make sense to allow a mail program to read ~/.mailcap (and execute the programs found there, no idea how that's done in apparmor)

Allowing reading of that file will be trivial, but AppArmor will not be able to parse it and dynamically allow executing programs based on that file. You'll have to add rules to `/etc/apparmor.d/local/usr.bin.thunderbird`, like:

```
/usr/bin/foo PUx, # your application mentioned in .mailcap
```
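A way to turn that advice into concrete rules, added here as an example and not code from this bug thread or the thunderbird package: it parses a constructed ~/.mailcap and emits the local-profile lines (the read rule plus one `PUx` exec rule per distinct handler) for /etc/apparmor.d/local/usr.bin.thunderbird; the sample mailcap, the function names and the `resolve` hook are assumptions.

```python
import shlex
import shutil

# Constructed sample ~/.mailcap (not from the bug report); "%s" is the attachment path.
SAMPLE_MAILCAP = """\
# viewers for attachments
application/pdf; /usr/bin/evince %s; test=test -n "$DISPLAY"
text/html; /usr/bin/w3m -dump %s; copiousoutput; \\
    description="HTML text"
image/*; display %s
"""

def parse_mailcap(text):
    """Return (mime_type, view_command) pairs; handles '#' comments and backslash continuations."""
    entries, logical = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):  # continuation: join with the next line
            logical += line[:-1] + " "
            continue
        stripped, logical = (logical + line).strip(), ""
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split(";")
        if len(fields) >= 2:
            entries.append((fields[0].strip(), fields[1].strip()))
    return entries

def handler_program(command):
    """First word of the view command, i.e. the binary that would be exec'd."""
    words = shlex.split(command.replace("%s", "FILE"))
    return words[0] if words else None

def apparmor_rules(entries, resolve=shutil.which):
    """Read rule for ~/.mailcap plus one exec rule per distinct handler; relative names
    go through `resolve` (PATH lookup by default) and unresolved ones become comments."""
    rules, seen = ["owner @{HOME}/.mailcap r,"], set()
    for mime, cmd in entries:
        prog = handler_program(cmd)
        if prog is None:
            continue
        path = prog if prog.startswith("/") else resolve(prog)
        if path is None:
            rules.append(f"# {mime}: handler '{prog}' not found, no exec rule emitted")
        elif path not in seen:
            seen.add(path)
            # PUx: handler's own profile if one exists, else unconfined, env scrubbed
            rules.append(f"{path} PUx,  # {mime} handler from ~/.mailcap")
    return rules
```

Review the generated list before appending it to the local profile, since every exec rule widens what the confined Thunderbird may run, then reload with `apparmor_parser -r /etc/apparmor.d/usr.bin.thunderbird`.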
Bug#909281: Apparmor: allow access to ~/.mailcap
Hello Vincas,

one more AppArmor thing you could please have a look at. Thanks!

On 20.09.18 at 22:53, Anthony DeRobertis wrote:
> Package: thunderbird
> Version: 1:60.0-3~deb9u1
> Severity: normal
> File: /etc/apparmor.d/usr.bin.thunderbird
>
> I got these in my log:
>
> Sep 19 20:02:42 Watt kernel: [9950821.734919] audit: type=1400 audit(1537401762.512:297): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/anthony/.mailcap" pid=9593 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> Sep 19 20:02:43 Watt kernel: [9950822.548807] audit: type=1400 audit(1537401763.328:298): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/anthony/.mailcap" pid=9593 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
>
> would make sense to allow a mail program to read ~/.mailcap (and execute the programs found there, no idea how that's done in apparmor)

-- 
Regards
Carsten Schoenert
Bug#909281: Apparmor: allow access to ~/.mailcap
Package: thunderbird
Version: 1:60.0-3~deb9u1
Severity: normal
File: /etc/apparmor.d/usr.bin.thunderbird

I got these in my log:

Sep 19 20:02:42 Watt kernel: [9950821.734919] audit: type=1400 audit(1537401762.512:297): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/anthony/.mailcap" pid=9593 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 19 20:02:43 Watt kernel: [9950822.548807] audit: type=1400 audit(1537401763.328:298): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/anthony/.mailcap" pid=9593 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

would make sense to allow a mail program to read ~/.mailcap (and execute the programs found there, no idea how that's done in apparmor)

-- System Information:
Debian Release: buster/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (130, 'unstable-debug'), (130, 'unstable'), (120, 'experimental-debug'), (120, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages thunderbird depends on:

Versions of packages thunderbird recommends:
ii hunspell-en-us [hunspell-dictionary] 1:2018.04.16-1
ii lightning 1:60.0-3~deb9u1

Versions of packages thunderbird suggests:
ii apparmor 2.13-8
ii fonts-lyx 2.3.0-3
ii libgssapi-krb5-2 1.16-2

-- debconf information excluded