I am also affected by this problem, because my mail is in ~/.mail
instead of ~/Mail and also because of the use of PassCmd, which is
currently impossible with the current apparmor profile.

After tweaking the apparmor override file a little, I can see that the
PassCmd is always invoking a /usr/bin/dash shell even if a single
command is specified (secret-tool). I tweaked the rule override file in
/etc/apparmor.d/local/mbsync with the following:

owner @{HOME}/dotfiles/mutt/.mbsyncrc r,

# Required for PassCmd to call secret-tool
/usr/bin/dash mixr,
/usr/bin/secret-tool mixr,

However, to call secret-tool to interact with the system keyring, I need
to find out how to allow the access for dbus as well, according to the
apparmor logs:

janv. 21 13:48:09 artemis kernel: audit: type=1400
audit(1768999689.179:425): apparmor="DENIED" operation="connect"
class="file" profile="mbsync" name="/run/user/1000/bus" pid=7287
comm="pool-0" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000

This profile is indeed very restrictive and unworried users might even
put their password in plaintext in their configuration file to alleviate
the PassCmd issue, which might be worse than having the apparmor profile
enabled in the first place.

Upping importance to "high" to give more visibility for all Ubuntu users
impacted. The profile does not seem to exist in Debian proper so this is
an Ubuntu issue only.

** Changed in: isync (Ubuntu)
   Importance: Undecided => High

** Also affects: isync (Ubuntu Questing)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Questing)
   Importance: Undecided
       Status: New

** Changed in: isync (Ubuntu Questing)
   Importance: Undecided => High

** Changed in: isync (Ubuntu Questing)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2130393

Title:
  Too restrictive mbsync apparmor profile

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2130393/+subscriptions
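
An added example, not part of the original comment or of AppArmor's own tooling: a small Python parser that turns the DENIED record quoted in the comment into a candidate file rule for review. The function names, the mask mapping and the @{run}/[0-9]* generalisation are this example's assumptions.

```python
import re

# Constructed sample: the denial quoted in the comment above, kept wrapped as mailed.
SAMPLE = """janv. 21 13:48:09 artemis kernel: audit: type=1400
audit(1768999689.179:425): apparmor="DENIED" operation="connect"
class="file" profile="mbsync" name="/run/user/1000/bus" pid=7287
comm="pool-0" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit mask letters -> profile permission letters (create/delete fall under w).
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}
PERM_ORDER = "rwaklm"


def parse_denial(record):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    line = " ".join(record.split())  # undo mail/journal line wrapping
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def candidate_rule(fields):
    """Build a candidate file rule from a class="file" denial, else None."""
    if not fields or fields.get("class") != "file" or "name" not in fields:
        return None
    mask = fields.get("denied_mask", "")
    if "x" in mask:
        # Exec needs a transition mode (ix, Px, ...): a policy decision.
        return None
    perms = {MASK_TO_PERM[c] for c in mask if c in MASK_TO_PERM}
    if "w" in perms:
        perms.discard("a")  # w and a are mutually exclusive in a rule
    if not perms:
        return None
    # Assumption: generalise per-user paths with the stock tunables.
    path = re.sub(r"^/run/user/\d+/", "@{run}/user/[0-9]*/", fields["name"])
    path = re.sub(r"^/home/[^/]+/", "@{HOME}/", path)
    owner = "fsuid" in fields and fields["fsuid"] == fields.get("ouid")
    perm_str = "".join(p for p in PERM_ORDER if p in perms)
    return f"{'owner ' if owner else ''}{path} {perm_str},"


if __name__ == "__main__":
    print(candidate_rule(parse_denial(SAMPLE)))
```

The candidate covers only the socket-path denial shown in the log and is meant to be reviewed before it goes into /etc/apparmor.d/local/mbsync.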

