Thanks for using Ubuntu and filing a bug. This is a hard problem and the
sanitized_helper profile is there to provide a stop-gap measure until we
get proper environment filtering. I am going to mark this as "Won't Fix"
for now because we must scrub the environment, otherwise an attacker may
create a bad .so file, adjust the environment just before executing
tbird, and have remote code execution (exactly what the profile is
trying to protect against, see bug #851986 for more info). Because tbird
is not confined in the default install, adjusting the firefox profile to
run tbird unconfined would reduce the security of the firefox profile
for people using a default install with the firefox profile enabled (if
tbird shipped a profile, we could consider changing this). I understand
that this is an unsatisfactory situation, but know that providing a
proper environment filtering mechanism is something we are actively
looking at for future versions of AppArmor.
All that said, you can work around this by removing the 'mailto'
abstraction from /etc/apparmor.d/abstractions/ubuntu-browsers.d/firefox,
and then adding a 'Px' rule to /etc/apparmor.d/local/usr.bin.firefox
(neither of these are conffiles, so you won't be prompted on upgrades).
Alternatively, you can adjust your environment to call
'/usr/bin/thunderbird' instead of /usr/lib/thunderbird... and it should
work for you just fine (since /usr/bin/thunderbird will set up the
environment for you).
** Changed in: apparmor (Ubuntu)
Status: New => Won't Fix
** Changed in: apparmor (Ubuntu)
Importance: Undecided => High
https://bugs.launchpad.net/bugs/965771
Title:
Firefox is unable to launch thunderbird when both are confined