Merge ~sdeziel/apparmor-profiles/+git/apparmor-profiles:thunderbird-icedove-debian into ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master

Proposed by Simon Déziel on 2017-09-04
Status: Merged
Merged at revision: d1493732c95b528d8622b36ed3b92d1b70748657
Proposed branch: ~sdeziel/apparmor-profiles/+git/apparmor-profiles:thunderbird-icedove-debian
Merge into: ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master
Diff against target: 236 lines (+73/-59)
1 file modified
ubuntu/17.10/usr.bin.thunderbird (+73/-59)
Reviewer        Review Type    Date Requested    Status
Steve Beattie                  2017-09-04        Approve on 2017-09-21
Review via email: mp+330183@code.launchpad.net

Description of the change

As explained in [1], the policy shipped by Debian has diverged from the one here (lp:apparmor-profiles).
This MP is to sync with Debian Stretch. Since 17.10's version is compatible with merged-/usr, I also added it back on top of Debian's version. The goal is to have that back into Debian once this MP is merged.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874100

intrigeri (intrigeri) wrote :

Thanks! I will try to review this MR shortly :)

Steve Beattie (sbeattie) wrote :

Thanks. I merged this as-is (and appreciate the followup commit that maintained the merged usr where appropriate). I did raise an eyebrow at

+ # other commonly used locations
+ /{data,media,mnt,srv}/** r,
+ owner /{data,media,mnt,srv}/** rw,

in that for /srv/ I personally tend to place system service data files there, rather than user data files... but I can see that not being the case for other environments.

Also, at some point, we should try to identify if the accesses to /proc/[0-9]* are to its own pid (or likely for the thunderbird crash reporter), for different pids, and use @{pid} and @{pids} accordingly.

Thanks again!

review: Approve
Simon Déziel (sdeziel) wrote :

Thanks Steve! The rules that made you raise an eyebrow were added in response to [1]. I've heard of folks mounting their network shares under /srv :/

I'm pretty sure some of the /proc rules could use "owner" without problem, will test that (someday).

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861018
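A small lint for the point raised in this exchange, added here as an illustration; it is not part of the merge proposal or of the apparmor-profiles tooling. It lists the `@{PROC}/<pid>/...` rules in a profile that lack `owner`, and shows the `@{pid}` spelling Steve suggests for later. The profile text it scans is constructed to mirror rules in the diff.

```python
import re

# Constructed sample in the shape of the rules from the diff above; it is not
# the real profile file. The commented-out line must be ignored by the linter.
SAMPLE_PROFILE = """\
profile thunderbird /usr/lib/thunderbird/thunderbird {
  @{PROC}/[0-9]*/net/arp r,
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  deny owner @{HOME}/.gnupg/gpg-agent.conf w,
  owner @{PROC}/@{pids}/mountinfo r,
  # @{PROC}/[0-9]*/cmdline r,   (commented out: must not be reported)
  /sys/devices/pci*/**/config r,
}
"""

# A file rule whose path starts with @{PROC}: optional "deny", optional
# "owner", the path, the permission string and the trailing comma.
RULE_RE = re.compile(
    r'^\s*(?P<deny>deny\s+)?(?P<owner>owner\s+)?'
    r'(?P<path>@\{PROC\}\S*)\s+(?P<perms>[a-zA-Z]+),'
)
# A per-process /proc component that matches any pid: literal glob or @{pids}.
ANY_PID = re.compile(r'@\{PROC\}/(?:\[0-9\]\*|@\{pids\})/')
# Only the literal glob, which is what a future @{pid} would replace.
LITERAL_PID = re.compile(r'@\{PROC\}/\[0-9\]\*/')


def unowned_pid_rules(profile_text):
    """Return the paths of @{PROC}/<pid>/... rules that lack 'owner'.

    Without 'owner' the confined program may read the matching entry of
    every process on the system (subject to DAC), not only of its own
    processes, which is the concern raised in the thread.
    """
    findings = []
    for line in profile_text.splitlines():
        if line.strip().startswith('#'):
            continue  # comments are not rules
        m = RULE_RE.match(line)
        if m and ANY_PID.search(m.group('path')) and not m.group('owner'):
            findings.append(m.group('path'))
    return findings


def with_pid_variable(path):
    """Rewrite a literal pid glob to the @{pid} form suggested in the thread
    (kernel-side support for it is, per the thread, still to come)."""
    return LITERAL_PID.sub('@{PROC}/@{pid}/', path)
```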

Christian Boltz (cboltz) wrote :

I've heard of people mounting a disk to /foobar/ - can you also add this to the profile, please? ;-)

On a more serious note - this sounds like one of the cases I tend to close as "wontfix" with a note that the user should add "alias /home/ /foobar/" to tunables/alias or to adjust tunables/home - and the users typically agree that this makes more sense than adding their custom path to the official profile.

Vincas Dargis (talkless) wrote :

> and use @{pid} and @{pids} accordingly

These work in kernel?

Seth Arnold (seth-arnold) wrote :

On Fri, Sep 22, 2017 at 04:00:19PM -0000, Vincas Dargis wrote:
> > and use @{pid} and @{pids} accordingly
> These work in kernel?

Not yet, but it is something we'd like to do eventually.

Thanks

Vincas Dargis (talkless) wrote :

OK so we should use it for the future. Got it, thanks.

Preview Diff

1diff --git a/ubuntu/17.10/usr.bin.thunderbird b/ubuntu/17.10/usr.bin.thunderbird
2index e74e9f5..caec9ef 100644
3--- a/ubuntu/17.10/usr.bin.thunderbird
4+++ b/ubuntu/17.10/usr.bin.thunderbird
5@@ -25,6 +25,12 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
6 #include <abstractions/ubuntu-browsers>
7 #include <abstractions/ubuntu-helpers>
8
9+ # For Xubuntu to launch the browser
10+ /usr/bin/exo-open ixr,
11+ /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
12+ /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
13+ /etc/xdg/xfce4/helpers.rc r,
14+
15 # for crash reports?
16 ptrace (read,trace) peer=@{profile_name},
17
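Review bot: the `ixr` transitions for /usr/bin/exo-open and exo-helper-1 keep the launcher under the thunderbird profile itself, so the browser it starts is governed by this profile's exec rules (the ubuntu-browsers abstraction included just above) rather than by any policy of its own; if that is the intended path, a sentence to that effect next to `# For Xubuntu to launch the browser` would save the next reader the question, and if not, a `Cx`/`Px` transition would be the tighter choice.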
18@@ -45,6 +51,10 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
19 # rw access to HOME is useful when sending/receiving attachments
20 owner @{HOME}/** rw,
21
22+ # other commonly used locations
23+ /{data,media,mnt,srv}/** r,
24+ owner /{data,media,mnt,srv}/** rw,
25+
26 # Required for LVM setups
27 /sys/devices/virtual/block/dm-[0-9]*/uevent r,
28
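Review bot: `/{data,media,mnt,srv}/** r,` grants unowned read access to everything world-readable under /srv, which usually holds service data rather than user files, as the review thread notes; consider shipping only the `owner` variant and leaving the /srv case to the site-local `#include <local/usr.bin.thunderbird>` at the end of the profile or to a tunables alias.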
29@@ -58,6 +68,7 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
30 @{PROC}/[0-9]*/net/ipv6_route r,
31 @{PROC}/[0-9]*/net/dev r,
32 @{PROC}/[0-9]*/net/wireless r,
33+ @{PROC}/[0-9]*/net/arp r,
34
35 # should maybe be in abstractions
36 /etc/ r,
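Review bot: the new `@{PROC}/[0-9]*/net/arp r,` matches any pid without `owner`, like the three rules above it; until `@{pid}` is usable, adding `owner` confines it to the user's own processes at no functional cost, and a short comment on why the ARP table is read would help future maintainers.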
37@@ -108,13 +119,19 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
38 owner @{PROC}/[0-9]*/stat r,
39 owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
40 /sys/devices/pci[0-9]*/**/uevent r,
41+ /sys/devices/pci*/**/config r,
42+ /sys/devices/system/node/node[0-9]*/meminfo r,
43 /etc/mtab r,
44 /etc/fstab r,
45
46 # Needed for the crash reporter
47 owner @{PROC}/[0-9]*/environ r,
48 owner @{PROC}/[0-9]*/auxv r,
49+ owner @{PROC}/[0-9]*/status r,
50+ owner @{PROC}/[0-9]*/cmdline r,
51 /etc/lsb-release r,
52+ /etc/ssl/openssl.cnf r,
53+ /usr/lib/thunderbird/crashreporter ix,
54 /usr/bin/expr ix,
55 /sys/devices/system/cpu/ r,
56 /sys/devices/system/cpu/** r,
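Review bot: `/sys/devices/pci*/**/config r,` uses a looser `pci*` glob than the `pci[0-9]*` on the preceding uevent rule; using the same glob on both keeps the rules consistent. Also, `/etc/ssl/openssl.cnf r,` lands under the `# Needed for the crash reporter` comment without an evident relation to crash reporting; a comment of its own, or a move next to the other /etc reads, would make the intent clear.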
57@@ -138,12 +155,12 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
58 /**/ r,
59
60 # per-user thunderbird configuration
61- owner @{HOME}/.thunderbird/ rw,
62- owner @{HOME}/.thunderbird/** rw,
63- owner @{HOME}/.thunderbird/**/storage.sdb k,
64- owner @{HOME}/.thunderbird/**/*.{db,parentlock,sqlite}* k,
65- owner @{HOME}/.thunderbird/plugins/** rm,
66- owner @{HOME}/.thunderbird/**/plugins/** rm,
67+ owner @{HOME}/.{icedove,thunderbird}/ rw,
68+ owner @{HOME}/.{icedove,thunderbird}/** rw,
69+ owner @{HOME}/.{icedove,thunderbird}/**/storage.sdb k,
70+ owner @{HOME}/.{icedove,thunderbird}/**/*.{db,parentlock,sqlite}* k,
71+ owner @{HOME}/.{icedove,thunderbird}/plugins/** rm,
72+ owner @{HOME}/.{icedove,thunderbird}/**/plugins/** rm,
73 owner @{HOME}/.cache/thunderbird/ rw,
74 owner @{HOME}/.cache/thunderbird/** rw,
75
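Review bot: the profile-directory rules now accept `.{icedove,thunderbird}` while the two unchanged `.cache/thunderbird/` rules right below them still name only the thunderbird path; a comment stating that the cache location is shared between the two brandings (or the same alternation, if it is not) would avoid the obvious follow-up question.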
76@@ -154,7 +171,7 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
77 # Extensions
78 # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
79 # Allow 'x' for downloaded extensions, but inherit policy for safety
80- owner @{HOME}/.thunderbird/**/extensions/** mixrw,
81+ owner @{HOME}/.{icedove,thunderbird}/**/extensions/** mixrw,
82 owner @{HOME}/.mozilla/extensions/** mixr,
83 /usr/share/xul-ext/**/*.sqlite rk,
84 /usr/lib/xul-ext/**/*.sqlite rk,
85@@ -175,67 +192,30 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
86 /{usr/,}bin/uname Uxr,
87 /usr/bin/locale Uxr,
88
89- /usr/bin/gpg Cx -> gpg,
90-
91- profile gpg {
92- #include <abstractions/base>
93-
94- # Required to import keys from keyservers
95- #include <abstractions/nameservice>
96- #include <abstractions/p11-kit>
97-
98- # For smartcards?
99- /dev/bus/usb/ r,
100- /dev/bus/usb/[0-9]*/ r,
101- /dev/bus/usb/[0-9]*/[0-9]* r,
102-
103- # LDAP key servers
104- /etc/ldap/ldap.conf r,
105-
106- /usr/bin/gpg mr,
107- /usr/lib/gnupg/gpgkeys_* ix,
108- owner @{HOME}/.gnupg r,
109- owner @{HOME}/.gnupg/gpg.conf r,
110- owner @{HOME}/.gnupg/random_seed rwk,
111- owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
112- owner @{HOME}/.gnupg/secring.gpg rw,
113- owner @{HOME}/.gnupg/trustdb.gpg rw,
114- owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
115- owner @{HOME}/.gnupg/.#*[0-9] rw,
116- owner @{HOME}/.gnupg/.#*[0-9]x rwl,
117- owner @{HOME}/** r,
118-
119- owner /run/user/[0-9]*/keyring-*/gpg rw,
120-
121- # for inline pgp
122- owner /tmp/encfile rw,
123- owner /tmp/encfile-[0-9]* rw,
124- }
125-
126- /usr/bin/gpg2 Cx -> gpg2,
127- /usr/bin/gpgconf Cx -> gpg2,
128- /usr/bin/gpg-connect-agent Cx -> gpg2,
129+ /usr/bin/gpg Cx -> gpg,
130+ /usr/bin/gpg2 Cx -> gpg,
131+ /usr/bin/gpgconf Cx -> gpg,
132+ /usr/bin/gpg-connect-agent Cx -> gpg,
133
134 # TB tries to create this file but has no business doing so
135 deny @{HOME}/.gnupg/gpg-agent.conf w,
136
137- profile gpg2 {
138+ profile gpg {
139 #include <abstractions/base>
140
141 # Required to import keys from keyservers
142 #include <abstractions/nameservice>
143 #include <abstractions/p11-kit>
144- /usr/lib/gnupg2/gpg2keys_hkp ix,
145+
146+ /usr/share/xul-ext/enigmail/chrome/enigmail.jar r,
147
148 # silence noise from enigmail 1.9+
149- deny owner @{HOME}/.thunderbird/*/.parentlock w,
150- deny owner @{HOME}/.thunderbird/*/panacea.dat w,
151- deny owner @{HOME}/.thunderbird/*/*.mab w,
152- deny owner @{HOME}/.thunderbird/**/*.msf w,
153+ deny owner @{HOME}/.{icedove,thunderbird}/*/.parentlock w,
154+ deny owner @{HOME}/.{icedove,thunderbird}/*/panacea.dat w,
155+ deny owner @{HOME}/.{icedove,thunderbird}/*/*.mab w,
156+ deny owner @{HOME}/.{icedove,thunderbird}/**/*.msf w,
157 deny owner @{HOME}/.cache/thunderbird/**/_CACHE_* w,
158
159- /usr/share/xul-ext/enigmail/chrome/enigmail.jar r,
160-
161 # For smartcards?
162 /dev/bus/usb/ r,
163 /dev/bus/usb/[0-9]*/ r,
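Review bot: folding the former `gpg` and `gpg2` child profiles into one `profile gpg` gives each of gpg, gpg2, gpgconf and gpg-connect-agent the union of both previous rule sets rather than only what it had before; a header comment stating that the single profile deliberately serves all four binaries would document that choice for whoever next tightens it.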
164@@ -244,25 +224,32 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
165 # LDAP key servers
166 /etc/ldap/ldap.conf r,
167
168- /usr/bin/gpg-connect-agent mr,
169- owner @{HOME}/.gnupg/S.gpg-agent rw,
170- owner @{HOME}/.gnupg/S.dirmngr rw,
171-
172+ /usr/bin/gpg mr,
173 /usr/bin/gpg2 mr,
174+ /usr/bin/gpgconf mr,
175+ /usr/bin/gpg-connect-agent mr,
176+ /usr/lib/gnupg/gpgkeys_* ix,
177+ /usr/lib/gnupg2/gpg2keys_* ix,
178 owner @{HOME}/.gnupg/ rw,
179 owner @{HOME}/.gnupg/gpg.conf r,
180 owner @{HOME}/.gnupg/random_seed rwk,
181 owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
182 owner @{HOME}/.gnupg/secring.gpg rw,
183 owner @{HOME}/.gnupg/trustdb.gpg rw,
184+ owner @{HOME}/.gnupg/S.gpg-agent rw,
185+ owner @{HOME}/.gnupg/S.dirmngr rw,
186 owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
187 owner @{HOME}/.gnupg/.gpg-*.lock rwl,
188 owner @{HOME}/.gnupg/gnupg_spawn_*.lock rwl,
189+ owner @{HOME}/.gnupg/.#*[0-9] rw,
190+ owner @{HOME}/.gnupg/.#*[0-9]x rwl,
191 owner @{HOME}/.gnupg/.#lk0x[0-9a-f]* rwl,
192 owner @{HOME}/.gnupg/.gpg-v[0-9]*-migrated rw,
193 owner @{HOME}/** r,
194 owner @{PROC}/@{pids}/mountinfo r,
195
196+ owner /run/user/[0-9]*/keyring-*/gpg rw,
197+
198 # for inline pgp
199 owner /tmp/encfile rw,
200 owner /tmp/encfile-[0-9]* rw,
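Review bot: `/usr/lib/gnupg2/gpg2keys_* ix,` widens the removed `gpg2keys_hkp ix` to every keyserver helper under /usr/lib/gnupg2; if only the HKP helper is exercised, keep the narrower name, otherwise a comment listing the helpers that are actually called would justify the glob. With `ix` those helpers also inherit the whole gpg rule set, including `owner @{HOME}/** r,` a few lines above.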
201@@ -276,8 +263,35 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
202 owner /tmp/data-[0-9]*.sig r,
203
204 owner /tmp/gpg-[a-zA-Z0-9]*/S.gpg-agent rw,
205+
206+ /usr/share/sounds/** r,
207+ }
208+
209+ /usr/bin/lsb_release Cxr -> lsb_release,
210+ profile lsb_release {
211+ #include <abstractions/base>
212+ #include <abstractions/python>
213+ /usr/bin/lsb_release r,
214+ /{usr/,}bin/dash ixr,
215+ /usr/bin/dpkg-query ixr,
216+ /usr/include/python2.[4567]/pyconfig.h r,
217+ /etc/lsb-release r,
218+ /etc/debian_version r,
219+ /var/lib/dpkg/** r,
220+
221+ /usr/local/lib/python3.[0-9]/dist-packages/ r,
222+ /usr/bin/ r,
223+ /usr/bin/python3.[0-9] r,
224+
225+ /etc/apt/apt.conf.d/ r,
226+ /etc/default/apport r,
227+ /usr/share/distro-info/debian.csv r,
228+
229+ # file_inherit
230+ deny /tmp/gtalkplugin.log w,
231 }
232
233 # Site-specific additions and overrides. See local/README for details.
234 #include <local/usr.bin.thunderbird>
235 }
236+
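Review bot: `/usr/share/sounds/** r,` is added as the last rule inside the gpg child profile with no comment, and reading sound files has no evident connection to gpg; if Thunderbird itself needs it, the rule belongs in the parent profile. In the new `lsb_release` child profile, `/usr/include/python2.[4567]/pyconfig.h r,` sits beside python3-only paths; a comment saying which interpreter versions are expected (or dropping the python2 rule if it is never hit) would keep the profile tidy.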
