Merge lp:~sdeziel/apparmor-profiles/thunderbird-enigmail-1.9 into lp:apparmor-profiles

Proposed by Simon Déziel
Status: Merged
Merged at revision: 164
Proposed branch: lp:~sdeziel/apparmor-profiles/thunderbird-enigmail-1.9
Merge into: lp:apparmor-profiles
Diff against target: 42 lines (+13/-0)
1 file modified
ubuntu/16.04/usr.bin.thunderbird (+13/-0)
To merge this branch: bzr merge lp:~sdeziel/apparmor-profiles/thunderbird-enigmail-1.9
Reviewer: AppArmor Developers (review type: none given, date requested: none given, status: Pending)
Review via email: mp+292191@code.launchpad.net

Description of the change

This updates the thunderbird//gpg2 profile to support Enigmail version 1.9, which landed in Xenial recently.

While at it, give thunderbird access to /usr/bin/locale, which is sometimes needed.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Heh, I was going to complain about the /usr/bin/locale Uxr, rule, but there are at least those three other Uxr rules right next to it.

I'm surprised about the silenced denials -- those seem wide-ranging and potentially problematic. I might have even thought that thunderbird should have ~/.thunderbird/** rwlk, access.

The static names in /tmp/ are interesting. Those may need more research to see if those need a CVE. (It's possible to use static names in /tmp safely, but the [0-9]* regex there gives me a bad feeling.)

Thanks

Revision history for this message
Simon Déziel (sdeziel) wrote :

On 2016-04-18 04:36 PM, Seth Arnold wrote:
> I'm surprised about the silenced denials -- those seem wide-ranging
> and potentially problematic. I might have even thought that
> thunderbird should have ~/.thunderbird/** rwlk, access.

The web view doesn't make it very easy to spot but those rules apply
only to the _subprofile_ gpg2.

> The static names in /tmp/ are interesting. Those may need more
> research to see if those need a CVE. (It's possible to use static
> names in /tmp safely, but the [0-9]* regex there gives me a bad
> feeling.)

When the base file already exists, a number is appended; that's only how
far I checked this.

164. By Simon Déziel

usr.bin.thunderbird: gpg2 needs read access to mountinfo

Revision history for this message
Steve Beattie (sbeattie) wrote :

On Mon, Apr 18, 2016 at 09:57:24PM -0000, Simon Déziel wrote:
> On 2016-04-18 04:36 PM, Seth Arnold wrote:
> > I'm surprised about the silenced denials -- those seem wide-ranging
> > and potentially problematic. I might have even thought that
> > thunderbird should have ~/.thunderbird/** rwlk, access.
>
> The web view doesn't make it very easy to spot but those rules apply
> only to the _subprofile_ gpg2.

Thanks for highlighting that.

> > The static names in /tmp/ are interesting. Those may need more
> > research to see if those need a CVE. (It's possible to use static
> > names in /tmp safely, but the [0-9]* regex there gives me a bad
> > feeling.)
>
> When the base file already exists, a number is appended, that's only how
> far I checked this.

It's a bit dubious, but looking at the gpg2 subprofile, there's other
similar dubious /tmp/ usage already.

I've merged this branch after applying the changes to the 16.10 tree as
well.

--
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/

Revision history for this message
Simon Déziel (sdeziel) wrote :

On 2016-04-30 12:45 PM, Steve Beattie wrote:
> I've merged this branch after applying the changes to the 16.10 tree as
> well.

Thanks!
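The two review points above (whether the silenced denials belong to the gpg2 subprofile, and how wide the `[0-9]*` patterns in /tmp really are) can be checked mechanically. The following is an added example, not code from this merge proposal or from the apparmor-profiles project: it translates AppArmor path globs into regexes, takes the five deny paths from the diff, and reports per profile which sample denials they would silence. `VARS`, `glob_to_regex`, `rule_matches`, `DENY_W`, `silenced_by` and `SAMPLE_LOG` are all assumptions of this example, and the variable table and audit lines are constructed simplifications of the real tunables and logs.

```python
import re
# Constructed stand-ins for Ubuntu's tunables; @{pids} is simplified to "a digit, then anything"
VARS = {"@{HOME}": "/home/*/", "@{PROC}": "/proc/", "@{pids}": "[0-9]*"}

def glob_to_regex(pattern, variables=VARS):
    """AppArmor glob -> anchored regex: '*' stops at '/', '**' crosses it, '[..]' class, '{a,b}' alternation."""
    for name, value in variables.items():
        pattern = pattern.replace(name, value)
    pattern = re.sub(r"/{2,}", "/", pattern)  # collapse '//' left by expansion
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*"); i += 2; continue
        if c in "*?":
            out.append("[^/]*" if c == "*" else "[^/]")
        elif c in "[{":  # copy a character class as-is / expand an alternation
            j = pattern.index("]" if c == "[" else "}", i)
            out.append(pattern[i:j + 1] if c == "[" else
                       "(?:" + "|".join(map(re.escape, pattern[i + 1:j].split(","))) + ")")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"

def rule_matches(pattern, path):
    return re.fullmatch(glob_to_regex(pattern), path) is not None
# Paths of the five 'deny owner ... w,' rules this merge adds to the gpg2 subprofile
DENY_W = ["@{HOME}/.thunderbird/*/.parentlock", "@{HOME}/.thunderbird/*/panacea.dat",
          "@{HOME}/.thunderbird/*/*.mab", "@{HOME}/.thunderbird/**/*.msf",
          "@{HOME}/.cache/thunderbird/**/_CACHE_*"]
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key="quoted" or key=bare audit fields
def silenced_by(rules, audit_text):
    """profile -> [(path, True if one of the deny rules would silence that denial)]"""
    report = {}
    for line in audit_text.splitlines():
        ev = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if ev.get("apparmor") != "DENIED":
            continue
        # 'owner' requires fsuid == ouid, and a 'w'-only deny covers only write denials
        applies = ev.get("fsuid") == ev.get("ouid") and set(ev.get("denied_mask", "")) <= set("w")
        hit = applies and any(rule_matches(r, ev["name"]) for r in rules)
        report.setdefault(ev["profile"], []).append((ev["name"], hit))
    return report
# Constructed audit lines (not captured from a real system); note the //gpg2 subprofile name
SAMPLE_LOG = """\
apparmor="DENIED" operation="file_inherit" profile="/usr/bin/thunderbird//gpg2" name="/home/alice/.thunderbird/x1y2z3.default/ImapMail/imap.example/INBOX.msf" comm="gpg2" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" profile="/usr/bin/thunderbird" name="/home/alice/.thunderbird/x1y2z3.default/prefs.js" comm="thunderbird" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
"""
```

Running `silenced_by(DENY_W, SAMPLE_LOG)` attributes the `.msf` denial to the `//gpg2` subprofile and leaves the main profile's `prefs.js` denial unmatched; `rule_matches("/tmp/nsemail-[0-9]*.eml", "/tmp/nsemail-1foo.eml")` shows that `[0-9]*` means one digit followed by anything, not a numeric suffix.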

Preview Diff

=== modified file 'ubuntu/16.04/usr.bin.thunderbird'
--- ubuntu/16.04/usr.bin.thunderbird 2016-04-05 20:06:07 +0000
+++ ubuntu/16.04/usr.bin.thunderbird 2016-04-25 20:13:29 +0000
@@ -168,6 +168,7 @@
168 /usr/bin/mkfifo Uxr, # investigate168 /usr/bin/mkfifo Uxr, # investigate
169 /bin/ps Uxr,169 /bin/ps Uxr,
170 /bin/uname Uxr,170 /bin/uname Uxr,
171 /usr/bin/locale Uxr,
171172
172 /usr/bin/gpg Cx -> gpg,173 /usr/bin/gpg Cx -> gpg,
173174
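Review bot: the new `/usr/bin/locale Uxr,` line makes locale run unconfined, the same transition used by the neighbouring `ps`, `uname` and `mkfifo` rules (one of which is still marked `# investigate`). If locale works under `ix` (inheriting the thunderbird confinement), that keeps it inside the profile; if `Uxr` is genuinely required, a short comment saying why would help the next reviewer, since this hunk adds the fourth such rule without explanation.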
@@ -221,6 +222,13 @@
221 #include <abstractions/p11-kit>222 #include <abstractions/p11-kit>
222 /usr/lib/gnupg2/gpg2keys_hkp ix,223 /usr/lib/gnupg2/gpg2keys_hkp ix,
223224
225 # silence noise from enigmail 1.9+
226 deny owner @{HOME}/.thunderbird/*/.parentlock w,
227 deny owner @{HOME}/.thunderbird/*/panacea.dat w,
228 deny owner @{HOME}/.thunderbird/*/*.mab w,
229 deny owner @{HOME}/.thunderbird/**/*.msf w,
230 deny owner @{HOME}/.cache/thunderbird/**/_CACHE_* w,
231
224 # For smartcards?232 # For smartcards?
225 /dev/bus/usb/ r,233 /dev/bus/usb/ r,
226 /dev/bus/usb/[0-9]*/ r,234 /dev/bus/usb/[0-9]*/ r,
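Review bot: the comment `# silence noise from enigmail 1.9+` does not say that these rules live in the gpg2 subprofile or why gpg2 touches Thunderbird's own mail and cache files, which is exactly what the first review above misread. Suggest naming the subprofile in the comment, e.g. `# silence noise from enigmail 1.9+ (gpg2 subprofile touches thunderbird's own files)`. Also note that AppArmor `deny` rules take precedence over any allow rule, so `deny owner @{HOME}/.thunderbird/**/*.msf w,` ensures gpg2 can never write index files even though the subprofile later grants `owner @{HOME}/** r`; that is the intended effect here, but it makes these lines policy, not only log suppression.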
@@ -246,11 +254,16 @@
246 owner @{HOME}/.gnupg/.#lk0x[0-9a-f]* rwl,254 owner @{HOME}/.gnupg/.#lk0x[0-9a-f]* rwl,
247 owner @{HOME}/.gnupg/.gpg-v[0-9]*-migrated rw,255 owner @{HOME}/.gnupg/.gpg-v[0-9]*-migrated rw,
248 owner @{HOME}/** r,256 owner @{HOME}/** r,
257 owner @{PROC}/@{pids}/mountinfo r,
249258
250 # for inline pgp259 # for inline pgp
251 owner /tmp/encfile rw,260 owner /tmp/encfile rw,
252 owner /tmp/encfile-[0-9]* rw,261 owner /tmp/encfile-[0-9]* rw,
253262
263 # for signature generation
264 owner /tmp/nsemail.eml w,
265 owner /tmp/nsemail-[0-9]*.eml w,
266
254 # for signature verifications267 # for signature verifications
255 owner /tmp/data.sig r,268 owner /tmp/data.sig r,
256 owner /tmp/data-[0-9]*.sig r,269 owner /tmp/data-[0-9]*.sig r,
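Review bot: `owner /tmp/nsemail-[0-9]*.eml w,` is wider than a numeric suffix: in AppArmor globs `*` matches any run of non-`/` characters, so `[0-9]*` means one digit followed by anything (e.g. `/tmp/nsemail-1foo.eml`), and there is no repetition operator to express "digits only". The existing `encfile-[0-9]*` and `data-[0-9]*.sig` rules have the same shape, so the new lines are at least consistent, and the `owner` prefix is what bounds the static-name concern raised in the discussion (only files with the same owning uid match); stating that in the `# for signature generation` comment would save the next reader the same worry. `owner @{PROC}/@{pids}/mountinfo r,` corresponds to the revision 164 message `gpg2 needs read access to mountinfo` above.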
