Bug#909281: Apparmor: allow access to ~/.mailcap

2018-09-24 Thread Anthony DeRobertis
Package: thunderbird
Version: 1:60.0-3
Followup-For: Bug #909281


I'm not sure if anything needs to be done to let Thunderbird actually
fork/exec a program from ~/.mailcap, but just to read it is, I think:

diff --git a/apparmor.d/usr.bin.thunderbird b/apparmor.d/usr.bin.thunderbird
index 1ffb231..d418aa9 100644
- --- a/apparmor.d/usr.bin.thunderbird
+++ b/apparmor.d/usr.bin.thunderbird
@@ -108,6 +108,7 @@ profile thunderbird @{thunderbird_executable} {
   owner @{HOME}/.local/share/applications/defaults.list r,
   owner @{HOME}/.local/share/applications/mimeapps.list r,
   owner @{HOME}/.local/share/applications/mimeinfo.cache r,
+  owner @{HOME}/.mailcap r,
   owner @{HOME}/.recently-used r,
   /tmp/.X[0-9]*-lock r,
   /etc/udev/udev.conf r,
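Review bot: the new `owner @{HOME}/.mailcap r,` rule only covers the read denial shown in the audit log; AppArmor cannot derive execute permissions from the file's contents, so each viewer program named in ~/.mailcap still needs its own exec rule (the `/usr/bin/foo PUx,` form Vincas suggests for `/etc/apparmor.d/local/usr.bin.thunderbird`), and a comment next to the rule saying so would spare the next reader the same question. Separately, the file header reads `- --- a/apparmor.d/usr.bin.thunderbird` because PGP clear-signing dash-escapes lines that begin with `-`; the leading `- ` has to be stripped (or the signed text extracted with gpg) before `git apply` will recognise the header.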


-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (130, 'unstable-debug'), (130, 'unstable'), (120, 'experimental-debug'), (120, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages thunderbird depends on:
ii  debianutils               4.8.6
ii  fontconfig                2.13.0-5
ii  libatk1.0-0               2.28.1-1
ii  libc6                     2.27-6
ii  libcairo-gobject2         1.15.12-1
ii  libcairo2                 1.15.12-1
ii  libdbus-1-3               1.12.10-1
ii  libdbus-glib-1-2          0.110-3
ii  libevent-2.1-6            2.1.8-stable-4
ii  libffi6                   3.2.1-8
ii  libfontconfig1            2.13.0-5
ii  libfreetype6              2.8.1-2
ii  libgcc1                   1:8.2.0-6
ii  libgdk-pixbuf2.0-0        2.36.12-2
ii  libglib2.0-0              2.56.1-2
ii  libgtk-3-0                3.22.30-2
ii  libgtk2.0-0               2.24.32-3
ii  libhunspell-1.6-0         1.6.2-1+b1
ii  libicu60                  60.2-6
ii  libjsoncpp1               1.7.4-3
ii  libnspr4                  2:4.20-1
ii  libnss3                   2:3.39-1
ii  libpango-1.0-0            1.42.4-1
ii  libpangocairo-1.0-0       1.42.4-1
ii  libpangoft2-1.0-0         1.42.4-1
ii  libsqlite3-0              3.24.0-1
ii  libstartup-notification0  0.12-5
ii  libstdc++6                8.2.0-6
ii  libvpx5                   1.7.0-3
ii  libx11-6                  2:1.6.6-1
ii  libx11-xcb1               2:1.6.6-1
ii  libxcb-shm0               1.13-3
ii  libxcb1                   1.13-3
ii  libxext6                  2:1.3.3-1+b2
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1
ii  psmisc                    23.1-1+b1
ii  x11-utils                 7.7+4
ii  zlib1g                    1:1.2.11.dfsg-1

Versions of packages thunderbird recommends:
ii  hunspell-en-us [hunspell-dictionary]  1:2018.04.16-1
ii  lightning                             1:60.0-3

Versions of packages thunderbird suggests:
ii  apparmor          2.13-8
ii  fonts-lyx         2.3.0-3
ii  libgssapi-krb5-2  1.16-2

-- Configuration Files:
/etc/apparmor.d/usr.bin.thunderbird changed [not included]

-- debconf information excluded




Bug#909281: Apparmor: allow access to ~/.mailcap

2018-09-21 Thread Vincas Dargis
On Thu, 20 Sep 2018 16:53:44 -0400 Anthony DeRobertis wrote:
> would make sense to allow a mail program to read ~/.mailcap (and execute
> the programs found there, no idea how that's done in apparmor)


Allowing it to read that file will be trivial, but AppArmor will not be able to parse it and
dynamically allow executing programs based on that file. You'll have to add rules to
`/etc/apparmor.d/local/usr.bin.thunderbird`, like:


```
/usr/bin/foo PUx, # your application mentioned in .mailcap
```



Bug#909281: Apparmor: allow access to ~/.mailcap

2018-09-20 Thread Carsten Schoenert
Hello Vincas,

one more AppArmor thing you could please have a look at.

Thanks!

On 20.09.18 at 22:53, Anthony DeRobertis wrote:
> Package: thunderbird
> Version: 1:60.0-3~deb9u1
> Severity: normal
> File: /etc/apparmor.d/usr.bin.thunderbird
> 
> I got these in my log:
> 
> Sep 19 20:02:42 Watt kernel: [9950821.734919] audit: type=1400 audit(1537401762.512:297): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/anthony/.mailcap" pid=9593 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> Sep 19 20:02:43 Watt kernel: [9950822.548807] audit: type=1400 audit(1537401763.328:298): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/anthony/.mailcap" pid=9593 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> 
> would make sense to allow a mail program to read ~/.mailcap (and execute
> the programs found there, no idea how that's done in apparmor)
> 
> -- System Information:
> Debian Release: buster/sid
>   APT prefers testing-debug
>   APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (130, 'unstable-debug'), (130, 'unstable'), (120, 'experimental-debug'), (120, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 4.16.0-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages thunderbird depends on:
> ii  debianutils               4.8.6
> ii  fontconfig                2.13.0-5
> ii  libatk1.0-0               2.28.1-1
> ii  libc6                     2.27-6
> ii  libcairo-gobject2         1.15.12-1
> ii  libcairo2                 1.15.12-1
> ii  libdbus-1-3               1.12.10-1
> ii  libdbus-glib-1-2          0.110-3
> ii  libevent-2.0-5            2.0.21-stable-3
> ii  libffi6                   3.2.1-8
> ii  libfontconfig1            2.13.0-5
> ii  libfreetype6              2.8.1-2
> ii  libgcc1                   1:8.2.0-6
> ii  libgdk-pixbuf2.0-0        2.36.12-2
> ii  libglib2.0-0              2.56.1-2
> ii  libgtk-3-0                3.22.30-2
> ii  libgtk2.0-0               2.24.32-3
> ii  libjsoncpp1               1.7.4-3
> ii  libpango-1.0-0            1.42.4-1
> ii  libpangocairo-1.0-0       1.42.4-1
> ii  libpangoft2-1.0-0         1.42.4-1
> ii  libstartup-notification0  0.12-5
> ii  libstdc++6                8.2.0-6
> ii  libvpx4                   1.6.1-3+deb9u1
> ii  libx11-6                  2:1.6.6-1
> ii  libx11-xcb1               2:1.6.6-1
> ii  libxcb-shm0               1.13-3
> ii  libxcb1                   1.13-3
> ii  libxext6                  2:1.3.3-1+b2
> ii  libxrender1               1:0.9.10-1
> ii  libxt6                    1:1.1.5-1
> ii  psmisc                    23.1-1+b1
> ii  x11-utils                 7.7+4
> ii  zlib1g                    1:1.2.11.dfsg-1
> 
> Versions of packages thunderbird recommends:
> ii  hunspell-en-us [hunspell-dictionary]  1:2018.04.16-1
> ii  lightning                             1:60.0-3~deb9u1
> 
> Versions of packages thunderbird suggests:
> ii  apparmor          2.13-8
> ii  fonts-lyx         2.3.0-3
> ii  libgssapi-krb5-2  1.16-2
> 
> -- debconf information excluded

-- 
Regards
Carsten Schoenert



Bug#909281: Apparmor: allow access to ~/.mailcap

2018-09-20 Thread Anthony DeRobertis
Package: thunderbird
Version: 1:60.0-3~deb9u1
Severity: normal
File: /etc/apparmor.d/usr.bin.thunderbird


I got these in my log:

Sep 19 20:02:42 Watt kernel: [9950821.734919] audit: type=1400 audit(1537401762.512:297): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/anthony/.mailcap" pid=9593 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 19 20:02:43 Watt kernel: [9950822.548807] audit: type=1400 audit(1537401763.328:298): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/anthony/.mailcap" pid=9593 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

would make sense to allow a mail program to read ~/.mailcap (and execute
the programs found there, no idea how that's done in apparmor)

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (130, 'unstable-debug'), (130, 'unstable'), (120, 'experimental-debug'), (120, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages thunderbird depends on:
ii  debianutils               4.8.6
ii  fontconfig                2.13.0-5
ii  libatk1.0-0               2.28.1-1
ii  libc6                     2.27-6
ii  libcairo-gobject2         1.15.12-1
ii  libcairo2                 1.15.12-1
ii  libdbus-1-3               1.12.10-1
ii  libdbus-glib-1-2          0.110-3
ii  libevent-2.0-5            2.0.21-stable-3
ii  libffi6                   3.2.1-8
ii  libfontconfig1            2.13.0-5
ii  libfreetype6              2.8.1-2
ii  libgcc1                   1:8.2.0-6
ii  libgdk-pixbuf2.0-0        2.36.12-2
ii  libglib2.0-0              2.56.1-2
ii  libgtk-3-0                3.22.30-2
ii  libgtk2.0-0               2.24.32-3
ii  libjsoncpp1               1.7.4-3
ii  libpango-1.0-0            1.42.4-1
ii  libpangocairo-1.0-0       1.42.4-1
ii  libpangoft2-1.0-0         1.42.4-1
ii  libstartup-notification0  0.12-5
ii  libstdc++6                8.2.0-6
ii  libvpx4                   1.6.1-3+deb9u1
ii  libx11-6                  2:1.6.6-1
ii  libx11-xcb1               2:1.6.6-1
ii  libxcb-shm0               1.13-3
ii  libxcb1                   1.13-3
ii  libxext6                  2:1.3.3-1+b2
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1
ii  psmisc                    23.1-1+b1
ii  x11-utils                 7.7+4
ii  zlib1g                    1:1.2.11.dfsg-1

Versions of packages thunderbird recommends:
ii  hunspell-en-us [hunspell-dictionary]  1:2018.04.16-1
ii  lightning                             1:60.0-3~deb9u1

Versions of packages thunderbird suggests:
ii  apparmor          2.13-8
ii  fonts-lyx         2.3.0-3
ii  libgssapi-krb5-2  1.16-2

-- debconf information excluded

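Added example, not code from the bug report or from the thunderbird package: a small Python script covering the two things this thread turns on. It parses AppArmor `apparmor="DENIED"` audit records like the ones in the original report into the read rule the patch adds (generalising `/home/<user>/` to `@{HOME}` and using `owner` when fsuid and ouid match), and it parses a ~/.mailcap file to list the viewer programs that, as Vincas explains, AppArmor cannot discover on its own and that need explicit `PUx` rules in `/etc/apparmor.d/local/usr.bin.thunderbird`. The audit lines, the mailcap text and the `ASSUMED_PATH` lookup table are constructed samples; a real tool would resolve bare program names with `shutil.which()`.

```python
"""Derive AppArmor rule candidates for the two cases in this thread.

Added example, not code from the Debian bug report or the thunderbird
package.  The audit lines, the mailcap text and ASSUMED_PATH are constructed.
"""
import re
import shlex

# Constructed sample: one AppArmor denial in the kernel's audit format, plus
# one unrelated kernel line that the parser must ignore.
AUDIT_LINES = [
    'Sep 19 20:02:42 Watt kernel: [9950821.734919] audit: type=1400 '
    'audit(1537401762.512:297): apparmor="DENIED" operation="open" '
    'profile="thunderbird" name="/home/anthony/.mailcap" pid=9593 '
    'comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'Sep 19 20:02:43 Watt kernel: [9950822.000000] usb 1-1: new high-speed USB device',
]

# Constructed sample ~/.mailcap: "#" starts a comment, a trailing "\" joins lines.
MAILCAP = """\
# constructed sample mailcap
application/pdf; /usr/bin/evince %s; test=test -n "$DISPLAY"
image/*; display %s; \\
    description=ImageMagick
text/html; lynx -dump %s; copiousoutput
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')  # key="quoted" or key=bare
HOME_RE = re.compile(r'^/home/[^/]+/')                # assumption: homes live under /home
MAILCAP_SPLIT = re.compile(r'(?<!\\);')               # ";" not preceded by a backslash


def parse_denials(lines):
    """Return one dict of key/value fields per apparmor="DENIED" record."""
    records = []
    for line in lines:
        if 'apparmor="DENIED"' not in line:
            continue
        rec = {}
        for m in FIELD_RE.finditer(line):
            key = m.group(1) or m.group(3)
            rec[key] = m.group(2) if m.group(2) is not None else m.group(4)
        records.append(rec)
    return records


def rule_for_denial(rec):
    """Turn a file denial into a profile rule; None for exec ("x") denials,
    because the exec qualifier (Px, Cx, ix, PUx, ...) is a policy decision."""
    path, mask = rec.get('name'), rec.get('denied_mask', '')
    if not path or not mask or 'x' in mask:
        return None
    owner = rec.get('fsuid') == rec.get('ouid')  # same uid: use the owner qualifier
    path = HOME_RE.sub('@{HOME}/', path)         # generalise the user's home directory
    return f"{'owner ' if owner else ''}{path} {mask},"


def mailcap_entries(text):
    """Return (mimetype, view_command) pairs from mailcap text."""
    entries, pending = [], ''
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith('\\'):                  # continuation line
            pending += line[:-1]
            continue
        logical, pending = pending + line, ''
        if not logical.strip() or logical.lstrip().startswith('#'):
            continue
        fields = [f.strip() for f in MAILCAP_SPLIT.split(logical)]
        if len(fields) >= 2:
            entries.append((fields[0], fields[1]))
    return entries


def mailcap_programs(text):
    """Distinct program names the view commands would execute, in file order."""
    programs = []
    for _mime, command in mailcap_entries(text):
        argv = shlex.split(command)
        if argv and argv[0] not in programs:
            programs.append(argv[0])
    return programs


# Constructed PATH lookup so the example is deterministic; use shutil.which() for real.
ASSUMED_PATH = {'display': '/usr/bin/display', 'lynx': '/usr/bin/lynx'}


def exec_rules(programs, resolve=ASSUMED_PATH.get):
    """One PUx rule per resolvable program (run under its own profile if one is
    loaded, else unconfined, environment scrubbed); unresolved names are reported."""
    rules, unresolved = [], []
    for prog in programs:
        path = prog if prog.startswith('/') else resolve(prog)
        if path is None:
            unresolved.append(prog)
        else:
            rules.append(f"{path} PUx,  # from ~/.mailcap")
    return rules, unresolved


def local_profile_additions(audit_lines, mailcap_text):
    """Rules to review for /etc/apparmor.d/local/usr.bin.thunderbird."""
    read_rules = [r for r in map(rule_for_denial, parse_denials(audit_lines)) if r]
    rules, unresolved = exec_rules(mailcap_programs(mailcap_text))
    return sorted(set(read_rules)) + rules, unresolved


if __name__ == '__main__':
    rules, unresolved = local_profile_additions(AUDIT_LINES, MAILCAP)
    print('\n'.join(rules + [f'# unresolved, add by hand: {p}' for p in unresolved]))
```

The output is meant for review, not for blind appending: exec denials are deliberately left out of the generated rules, and a program that cannot be resolved to an absolute path is reported rather than guessed, because a wrong exec rule in the local override widens the profile for every message Thunderbird opens.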