Merge ~sdeziel/apparmor-profiles/+git/apparmor-profiles:thunderbird-icedove-debian into ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master

Proposed by Simon Déziel on 2017-09-04
Status: Merged
Merged at revision: d1493732c95b528d8622b36ed3b92d1b70748657
Proposed branch: ~sdeziel/apparmor-profiles/+git/apparmor-profiles:thunderbird-icedove-debian
Merge into: ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master
Diff against target: 236 lines (+73/-59)
1 file modified
ubuntu/17.10/usr.bin.thunderbird (+73/-59)
Reviewer: Steve Beattie (requested 2017-09-04) - Approve on 2017-09-21
Review via email: mp+330183@code.launchpad.net

Description of the change

As explained in [1], the policy shipped by Debian has diverged from the one here (lp:apparmor-profiles).
This MP is to sync with Debian Stretch. Since 17.10's version is compatible with merged-/usr, I also added it back on top of Debian's version. The goal is to have that back into Debian once this MP is merged.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874100

intrigeri (intrigeri) wrote :

Thanks! I will try to review this MR shortly :)

Steve Beattie (sbeattie) wrote :

Thanks. I merged this as-is (and appreciate the followup commit that maintained the merged usr where appropriate). I did raise an eyebrow at

+ # other commonly used locations
+ /{data,media,mnt,srv}/** r,
+ owner /{data,media,mnt,srv}/** rw,

in that for /srv/ I personally tend to place system service data files there, rather than user data files... but I can see that not being the case for other environments.

Also, at some point, we should try to identify if the accesses to /proc/[0-9]* are to its own pid (or likely for the thunderbird crash reporter), for different pids, and use @{pid} and @{pids} accordingly.

Thanks again!

review: Approve
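To make the /proc question above concrete, here is an added example; it is not code from the merge proposal or from the apparmor-profiles project. The script parses AppArmor "DENIED" audit lines, decides for each `/proc/<pid>/...` access whether the pid is the denied process's own pid or another one, and prints the rule it would suggest: with `@{pid}`/`@{pids}` when asked for, or with the `[0-9]*` glob the profile uses today. The audit lines, pids, profile names and uids are constructed for the example.

```python
import re

# Constructed sample lines in the AppArmor audit format. They are not from the
# merge proposal; the pids, paths and uids are made up for the example.
SAMPLE_LOG = """\
type=AVC msg=audit(1505000000.123:42): apparmor="DENIED" operation="open" profile="thunderbird" name="/proc/4242/status" pid=4242 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1505000000.124:43): apparmor="DENIED" operation="open" profile="thunderbird" name="/proc/4242/task/4250/stat" pid=4242 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1505000000.125:44): apparmor="DENIED" operation="open" profile="thunderbird" name="/proc/1/cmdline" pid=4242 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1505000000.126:45): apparmor="DENIED" operation="open" profile="thunderbird//gpg" name="/proc/4300/mountinfo" pid=4300 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1505000000.127:46): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/user/.gnupg/gpg-agent.conf" pid=4242 comm="thunderbird" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
PROC_RE = re.compile(r'^/proc/(\d+)(/.*)?$')          # /proc/<pid>[/rest]
TASK_RE = re.compile(r'^/task/\d+(?=/|$)')            # /task/<tid> inside rest


def parse_audit_line(line):
    """Split one audit line into a {key: value} dict."""
    return {key: bare or quoted for key, quoted, bare in FIELD_RE.findall(line)}


def classify_proc_access(fields):
    """'self' if name= is /proc/<own pid>/..., 'other' for another pid, None if not /proc/<pid>."""
    m = PROC_RE.match(fields.get('name', ''))
    if not m:
        return None
    return 'self' if m.group(1) == fields.get('pid') else 'other'


def suggest_rule(fields, kernel_has_pid_vars=False):
    """Candidate rule for a /proc denial.

    kernel_has_pid_vars=False keeps the [0-9]* glob the profile uses today;
    True emits @{pid} for the process's own entry and @{pids} otherwise.
    'owner' is prefixed when the accessing fsuid matches the file's ouid.
    Thread ids under /task/ are left as a [0-9]* glob in both modes.
    """
    kind = classify_proc_access(fields)
    if kind is None:
        return None
    rest = PROC_RE.match(fields['name']).group(2) or ''
    rest = TASK_RE.sub('/task/[0-9]*', rest)
    if kernel_has_pid_vars:
        pid_part = '@{pid}' if kind == 'self' else '@{pids}'
    else:
        pid_part = '[0-9]*'
    owner = 'owner ' if fields.get('fsuid') == fields.get('ouid') else ''
    return f"{owner}@{{PROC}}/{pid_part}{rest} {fields['denied_mask']},"


def summarize(log_text, kernel_has_pid_vars=False):
    """Return (profile, kind, suggested rule) for every /proc/<pid> denial in log_text."""
    results = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields.get('apparmor') != 'DENIED':
            continue
        kind = classify_proc_access(fields)
        if kind is None:
            continue
        results.append((fields['profile'], kind, suggest_rule(fields, kernel_has_pid_vars)))
    return results


if __name__ == '__main__':
    for profile, kind, rule in summarize(SAMPLE_LOG, kernel_has_pid_vars=True):
        print(f"{profile:18} {kind:6} {rule}")
```

Run against a real `/var/log/audit/audit.log` (or `journalctl -k` output) the same way, replacing `SAMPLE_LOG`. The `owner` decision comes from the fsuid/ouid pair in the log, which is the same signal used to decide whether the existing `owner @{PROC}/[0-9]*/...` rules can stay owner-restricted; the `@{pids}` form it emits for the gpg child's mountinfo access is the form the diff already uses for that rule.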
Simon Déziel (sdeziel) wrote :

Thanks Steve! The rules that made you raise an eyebrow were added in response to [1]. I've heard of folks mounting their network shares under /srv :/

I'm pretty sure some of the /proc rules could use "owner" without problem, will test that (someday).

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861018

Christian Boltz (cboltz) wrote :

I've heard of people mounting a disk to /foobar/ - can you also add this to the profile, please? ;-)

On a more serious note - this sounds like one of the cases I tend to close as "wontfix" with a note that the user should add "alias /home/ /foobar/" to tunables/alias or to adjust tunables/home - and the users typically agree that this makes more sense than adding their custom path to the official profile.
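As an added example (not part of this thread or of the apparmor-profiles project), here are the two site-local forms of the fix described above, for a home-like tree mounted at /srv/users/ (that path is assumed for illustration; substitute the real one). Both live in tunables, not in the shipped profile:

```apparmor
# Option A: append to /etc/apparmor.d/tunables/alias
# Every rule mentioning /home/ is also compiled for /srv/users/, so the
# profile's "owner @{HOME}/** rw," covers /srv/users/<user>/... as well.
alias /home/ /srv/users/

# Option B: new file /etc/apparmor.d/tunables/home.d/site
# (tunables/home #includes tunables/home.d). Only @{HOME}/@{HOMEDIRS}
# expansions gain the extra tree; rules written with a literal /home/ do not.
@{HOMEDIRS}+=/srv/users/

# After either change, recompile the affected profile:
#   sudo apparmor_parser -r /etc/apparmor.d/usr.bin.thunderbird
```

Option B is the narrower of the two, since only variables that already mean "a user's home directory" pick up the new tree. Both affect every profile on the system that uses those tunables, which is why they belong to site configuration rather than to the upstream profile.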

Vincas Dargis (talkless) wrote :

> and use @{pid} and @{pids} accordingly

These work in kernel?

Seth Arnold (seth-arnold) wrote :

On Fri, Sep 22, 2017 at 04:00:19PM -0000, Vincas Dargis wrote:
> > and use @{pid} and @{pids} accordingly
> These work in kernel?

Not yet, but it is something we'd like to do eventually.

Thanks

Vincas Dargis (talkless) wrote :

OK, so we should use it in the future. Got it, thanks.

Preview Diff

diff --git a/ubuntu/17.10/usr.bin.thunderbird b/ubuntu/17.10/usr.bin.thunderbird
index e74e9f5..caec9ef 100644
--- a/ubuntu/17.10/usr.bin.thunderbird
+++ b/ubuntu/17.10/usr.bin.thunderbird
@@ -25,6 +25,12 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
25 #include <abstractions/ubuntu-browsers>25 #include <abstractions/ubuntu-browsers>
26 #include <abstractions/ubuntu-helpers>26 #include <abstractions/ubuntu-helpers>
2727
28 # For Xubuntu to launch the browser
29 /usr/bin/exo-open ixr,
30 /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
31 /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
32 /etc/xdg/xfce4/helpers.rc r,
33
28 # for crash reports?34 # for crash reports?
29 ptrace (read,trace) peer=@{profile_name},35 ptrace (read,trace) peer=@{profile_name},
3036
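Review bot: `/usr/bin/exo-open ixr,` and `/usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,` use `ix`, so whatever exo-helper-1 execs to actually open the link runs inside this thunderbird profile unless a later rule (for example from abstractions/ubuntu-browsers) transitions it; a comment stating that this is intended, plus a check that a browser launched via exo-open on Xubuntu lands in its own profile rather than inheriting thunderbird's, would make the rule reviewable. Using `@{multiarch}` rather than a hard-coded triplet is the right call.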
@@ -45,6 +51,10 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
45 # rw access to HOME is useful when sending/receiving attachments51 # rw access to HOME is useful when sending/receiving attachments
46 owner @{HOME}/** rw,52 owner @{HOME}/** rw,
4753
54 # other commonly used locations
55 /{data,media,mnt,srv}/** r,
56 owner /{data,media,mnt,srv}/** rw,
57
48 # Required for LVM setups58 # Required for LVM setups
49 /sys/devices/virtual/block/dm-[0-9]*/uevent r,59 /sys/devices/virtual/block/dm-[0-9]*/uevent r,
5060
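Review bot: `/{data,media,mnt,srv}/** r,` grants read on every file under those four trees regardless of owner, which is wider than the `owner @{HOME}/** rw,` directly above it; if the goal is a user's own network shares, putting `owner` on both lines, or leaving this to the site-local alias/@{HOMEDIRS} tunables as suggested in the comments, keeps the shipped profile from reading other users' or services' data under /srv. At minimum the `# other commonly used locations` comment should say why non-owner read is needed.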
@@ -58,6 +68,7 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
58 @{PROC}/[0-9]*/net/ipv6_route r,68 @{PROC}/[0-9]*/net/ipv6_route r,
59 @{PROC}/[0-9]*/net/dev r,69 @{PROC}/[0-9]*/net/dev r,
60 @{PROC}/[0-9]*/net/wireless r,70 @{PROC}/[0-9]*/net/wireless r,
71 @{PROC}/[0-9]*/net/arp r,
6172
62 # should maybe be in abstractions73 # should maybe be in abstractions
63 /etc/ r,74 /etc/ r,
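Review bot: `@{PROC}/[0-9]*/net/arp r,` follows the three `net/` rules above it but is one more `[0-9]*` the thread already flags for conversion to `@{pid}`; since /proc/<pid>/net/ reflects the network namespace rather than the process, the own-pid form is all Thunderbird should need here, so a short `# TODO: @{pid} once supported` on this group would help the later cleanup.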
@@ -108,13 +119,19 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
108 owner @{PROC}/[0-9]*/stat r,119 owner @{PROC}/[0-9]*/stat r,
109 owner @{PROC}/[0-9]*/task/[0-9]*/stat r,120 owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
110 /sys/devices/pci[0-9]*/**/uevent r,121 /sys/devices/pci[0-9]*/**/uevent r,
122 /sys/devices/pci*/**/config r,
123 /sys/devices/system/node/node[0-9]*/meminfo r,
111 /etc/mtab r,124 /etc/mtab r,
112 /etc/fstab r,125 /etc/fstab r,
113126
114 # Needed for the crash reporter127 # Needed for the crash reporter
115 owner @{PROC}/[0-9]*/environ r,128 owner @{PROC}/[0-9]*/environ r,
116 owner @{PROC}/[0-9]*/auxv r,129 owner @{PROC}/[0-9]*/auxv r,
130 owner @{PROC}/[0-9]*/status r,
131 owner @{PROC}/[0-9]*/cmdline r,
117 /etc/lsb-release r,132 /etc/lsb-release r,
133 /etc/ssl/openssl.cnf r,
134 /usr/lib/thunderbird/crashreporter ix,
118 /usr/bin/expr ix,135 /usr/bin/expr ix,
119 /sys/devices/system/cpu/ r,136 /sys/devices/system/cpu/ r,
120 /sys/devices/system/cpu/** r,137 /sys/devices/system/cpu/** r,
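Review bot: `/sys/devices/pci*/**/config r,` opens PCI configuration space of every device for read and uses `pci*` where the line directly above uses `pci[0-9]*`; align the glob and note what in Thunderbird reads config space so the rule can be narrowed later. `/usr/lib/thunderbird/crashreporter ix,` inherits the full profile, which is consistent with the `owner @{PROC}/[0-9]*/{environ,auxv,status,cmdline} r,` group it sits under, but `/etc/ssl/openssl.cnf r,` placed under the `# Needed for the crash reporter` heading reads as unrelated and deserves its own comment.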
@@ -138,12 +155,12 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
138 /**/ r,155 /**/ r,
139156
140 # per-user thunderbird configuration157 # per-user thunderbird configuration
141 owner @{HOME}/.thunderbird/ rw,158 owner @{HOME}/.{icedove,thunderbird}/ rw,
142 owner @{HOME}/.thunderbird/** rw,159 owner @{HOME}/.{icedove,thunderbird}/** rw,
143 owner @{HOME}/.thunderbird/**/storage.sdb k,160 owner @{HOME}/.{icedove,thunderbird}/**/storage.sdb k,
144 owner @{HOME}/.thunderbird/**/*.{db,parentlock,sqlite}* k,161 owner @{HOME}/.{icedove,thunderbird}/**/*.{db,parentlock,sqlite}* k,
145 owner @{HOME}/.thunderbird/plugins/** rm,162 owner @{HOME}/.{icedove,thunderbird}/plugins/** rm,
146 owner @{HOME}/.thunderbird/**/plugins/** rm,163 owner @{HOME}/.{icedove,thunderbird}/**/plugins/** rm,
147 owner @{HOME}/.cache/thunderbird/ rw,164 owner @{HOME}/.cache/thunderbird/ rw,
148 owner @{HOME}/.cache/thunderbird/** rw,165 owner @{HOME}/.cache/thunderbird/** rw,
149166
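Review bot: the `.{icedove,thunderbird}` alternation is applied to the six profile-directory rules but `owner @{HOME}/.cache/thunderbird/ rw,` and `owner @{HOME}/.cache/thunderbird/** rw,` keep the thunderbird-only path; if profiles migrated from Icedove also used a `.cache/icedove` tree, those accesses will still be denied, so either extend the alternation there too or comment that the cache path never carried the Icedove name.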
@@ -154,7 +171,7 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
154 # Extensions171 # Extensions
155 # /usr/share/.../extensions/... is already covered by '/usr/** r', above.172 # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
156 # Allow 'x' for downloaded extensions, but inherit policy for safety173 # Allow 'x' for downloaded extensions, but inherit policy for safety
157 owner @{HOME}/.thunderbird/**/extensions/** mixrw,174 owner @{HOME}/.{icedove,thunderbird}/**/extensions/** mixrw,
158 owner @{HOME}/.mozilla/extensions/** mixr,175 owner @{HOME}/.mozilla/extensions/** mixr,
159 /usr/share/xul-ext/**/*.sqlite rk,176 /usr/share/xul-ext/**/*.sqlite rk,
160 /usr/lib/xul-ext/**/*.sqlite rk,177 /usr/lib/xul-ext/**/*.sqlite rk,
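Review bot: only the path changes here, but `mixrw` on `**/extensions/**` keeps write and mmap-execute on the same files, so anything that can write into the extensions tree (Thunderbird itself, via `owner @{HOME}/** rw,` earlier in the profile) can also load it as code under the inherited profile; the "inherit policy for safety" comment is accurate about the transition but silent on the w+m combination, and a one-line note of that trade-off would stop it being rediscovered in every sync.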
@@ -175,67 +192,30 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
175 /{usr/,}bin/uname Uxr,192 /{usr/,}bin/uname Uxr,
176 /usr/bin/locale Uxr,193 /usr/bin/locale Uxr,
177194
178 /usr/bin/gpg Cx -> gpg,195 /usr/bin/gpg Cx -> gpg,
179196 /usr/bin/gpg2 Cx -> gpg,
180 profile gpg {197 /usr/bin/gpgconf Cx -> gpg,
181 #include <abstractions/base>198 /usr/bin/gpg-connect-agent Cx -> gpg,
182
183 # Required to import keys from keyservers
184 #include <abstractions/nameservice>
185 #include <abstractions/p11-kit>
186
187 # For smartcards?
188 /dev/bus/usb/ r,
189 /dev/bus/usb/[0-9]*/ r,
190 /dev/bus/usb/[0-9]*/[0-9]* r,
191
192 # LDAP key servers
193 /etc/ldap/ldap.conf r,
194
195 /usr/bin/gpg mr,
196 /usr/lib/gnupg/gpgkeys_* ix,
197 owner @{HOME}/.gnupg r,
198 owner @{HOME}/.gnupg/gpg.conf r,
199 owner @{HOME}/.gnupg/random_seed rwk,
200 owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
201 owner @{HOME}/.gnupg/secring.gpg rw,
202 owner @{HOME}/.gnupg/trustdb.gpg rw,
203 owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
204 owner @{HOME}/.gnupg/.#*[0-9] rw,
205 owner @{HOME}/.gnupg/.#*[0-9]x rwl,
206 owner @{HOME}/** r,
207
208 owner /run/user/[0-9]*/keyring-*/gpg rw,
209
210 # for inline pgp
211 owner /tmp/encfile rw,
212 owner /tmp/encfile-[0-9]* rw,
213 }
214
215 /usr/bin/gpg2 Cx -> gpg2,
216 /usr/bin/gpgconf Cx -> gpg2,
217 /usr/bin/gpg-connect-agent Cx -> gpg2,
218199
219 # TB tries to create this file but has no business doing so200 # TB tries to create this file but has no business doing so
220 deny @{HOME}/.gnupg/gpg-agent.conf w,201 deny @{HOME}/.gnupg/gpg-agent.conf w,
221202
222 profile gpg2 {203 profile gpg {
223 #include <abstractions/base>204 #include <abstractions/base>
224205
225 # Required to import keys from keyservers206 # Required to import keys from keyservers
226 #include <abstractions/nameservice>207 #include <abstractions/nameservice>
227 #include <abstractions/p11-kit>208 #include <abstractions/p11-kit>
228 /usr/lib/gnupg2/gpg2keys_hkp ix,209
210 /usr/share/xul-ext/enigmail/chrome/enigmail.jar r,
229211
230 # silence noise from enigmail 1.9+212 # silence noise from enigmail 1.9+
231 deny owner @{HOME}/.thunderbird/*/.parentlock w,213 deny owner @{HOME}/.{icedove,thunderbird}/*/.parentlock w,
232 deny owner @{HOME}/.thunderbird/*/panacea.dat w,214 deny owner @{HOME}/.{icedove,thunderbird}/*/panacea.dat w,
233 deny owner @{HOME}/.thunderbird/*/*.mab w,215 deny owner @{HOME}/.{icedove,thunderbird}/*/*.mab w,
234 deny owner @{HOME}/.thunderbird/**/*.msf w,216 deny owner @{HOME}/.{icedove,thunderbird}/**/*.msf w,
235 deny owner @{HOME}/.cache/thunderbird/**/_CACHE_* w,217 deny owner @{HOME}/.cache/thunderbird/**/_CACHE_* w,
236218
237 /usr/share/xul-ext/enigmail/chrome/enigmail.jar r,
238
239 # For smartcards?219 # For smartcards?
240 /dev/bus/usb/ r,220 /dev/bus/usb/ r,
241 /dev/bus/usb/[0-9]*/ r,221 /dev/bus/usb/[0-9]*/ r,
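Review bot: collapsing the `gpg` and `gpg2` children into a single `gpg` child is a policy change the description ("sync with Debian Stretch") does not call out, and the merged child is the union of both old rule sets: the `/dev/bus/usb/` reads and the `# for inline pgp` tmp rules of the old `gpg` child now also apply to `gpgconf` and `gpg-connect-agent`, while the `deny owner @{HOME}/.{icedove,thunderbird}/...` enigmail-noise rules and the `enigmail.jar` read now also apply to `gpg`. Worth a sentence in the commit message, and a test that gpg 1.x still behaves with the gpg2-specific rules present.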
@@ -244,25 +224,32 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
244 # LDAP key servers224 # LDAP key servers
245 /etc/ldap/ldap.conf r,225 /etc/ldap/ldap.conf r,
246226
247 /usr/bin/gpg-connect-agent mr,227 /usr/bin/gpg mr,
248 owner @{HOME}/.gnupg/S.gpg-agent rw,
249 owner @{HOME}/.gnupg/S.dirmngr rw,
250
251 /usr/bin/gpg2 mr,228 /usr/bin/gpg2 mr,
229 /usr/bin/gpgconf mr,
230 /usr/bin/gpg-connect-agent mr,
231 /usr/lib/gnupg/gpgkeys_* ix,
232 /usr/lib/gnupg2/gpg2keys_* ix,
252 owner @{HOME}/.gnupg/ rw,233 owner @{HOME}/.gnupg/ rw,
253 owner @{HOME}/.gnupg/gpg.conf r,234 owner @{HOME}/.gnupg/gpg.conf r,
254 owner @{HOME}/.gnupg/random_seed rwk,235 owner @{HOME}/.gnupg/random_seed rwk,
255 owner @{HOME}/.gnupg/pubring.gpg{,~} rw,236 owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
256 owner @{HOME}/.gnupg/secring.gpg rw,237 owner @{HOME}/.gnupg/secring.gpg rw,
257 owner @{HOME}/.gnupg/trustdb.gpg rw,238 owner @{HOME}/.gnupg/trustdb.gpg rw,
239 owner @{HOME}/.gnupg/S.gpg-agent rw,
240 owner @{HOME}/.gnupg/S.dirmngr rw,
258 owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,241 owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
259 owner @{HOME}/.gnupg/.gpg-*.lock rwl,242 owner @{HOME}/.gnupg/.gpg-*.lock rwl,
260 owner @{HOME}/.gnupg/gnupg_spawn_*.lock rwl,243 owner @{HOME}/.gnupg/gnupg_spawn_*.lock rwl,
244 owner @{HOME}/.gnupg/.#*[0-9] rw,
245 owner @{HOME}/.gnupg/.#*[0-9]x rwl,
261 owner @{HOME}/.gnupg/.#lk0x[0-9a-f]* rwl,246 owner @{HOME}/.gnupg/.#lk0x[0-9a-f]* rwl,
262 owner @{HOME}/.gnupg/.gpg-v[0-9]*-migrated rw,247 owner @{HOME}/.gnupg/.gpg-v[0-9]*-migrated rw,
263 owner @{HOME}/** r,248 owner @{HOME}/** r,
264 owner @{PROC}/@{pids}/mountinfo r,249 owner @{PROC}/@{pids}/mountinfo r,
265250
251 owner /run/user/[0-9]*/keyring-*/gpg rw,
252
266 # for inline pgp253 # for inline pgp
267 owner /tmp/encfile rw,254 owner /tmp/encfile rw,
268 owner /tmp/encfile-[0-9]* rw,255 owner /tmp/encfile-[0-9]* rw,
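Review bot: `/usr/lib/gnupg/gpgkeys_* ix,` and `/usr/lib/gnupg2/gpg2keys_* ix,` run the keyserver helpers, which talk to the network and parse remote responses, with everything the merged child grants, including `owner @{HOME}/** r,` a few lines below; the old `gpg2` child only allowed `gpg2keys_hkp`, so this widens to every helper, and `owner /run/user/[0-9]*/keyring-*/gpg rw,` is brought back from the old `gpg` child. Consider a narrower child for the keyserver helpers (`Cx -> gpgkeys`, or similar) or at least a comment on why whole-home read is needed by gpg itself.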
@@ -276,8 +263,35 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
276 owner /tmp/data-[0-9]*.sig r,263 owner /tmp/data-[0-9]*.sig r,
277264
278 owner /tmp/gpg-[a-zA-Z0-9]*/S.gpg-agent rw,265 owner /tmp/gpg-[a-zA-Z0-9]*/S.gpg-agent rw,
266
267 /usr/share/sounds/** r,
268 }
269
270 /usr/bin/lsb_release Cxr -> lsb_release,
271 profile lsb_release {
272 #include <abstractions/base>
273 #include <abstractions/python>
274 /usr/bin/lsb_release r,
275 /{usr/,}bin/dash ixr,
276 /usr/bin/dpkg-query ixr,
277 /usr/include/python2.[4567]/pyconfig.h r,
278 /etc/lsb-release r,
279 /etc/debian_version r,
280 /var/lib/dpkg/** r,
281
282 /usr/local/lib/python3.[0-9]/dist-packages/ r,
283 /usr/bin/ r,
284 /usr/bin/python3.[0-9] r,
285
286 /etc/apt/apt.conf.d/ r,
287 /etc/default/apport r,
288 /usr/share/distro-info/debian.csv r,
289
290 # file_inherit
291 deny /tmp/gtalkplugin.log w,
279 }292 }
280293
281 # Site-specific additions and overrides. See local/README for details.294 # Site-specific additions and overrides. See local/README for details.
282 #include <local/usr.bin.thunderbird>295 #include <local/usr.bin.thunderbird>
283}296}
297
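Review bot: the new `lsb_release` child mixes Python 2 and 3 paths (`/usr/include/python2.[4567]/pyconfig.h r,` beside `/usr/bin/python3.[0-9] r,`) and gives the interpreter only `r`, so executing the script's interpreter relies on `abstractions/python` supplying the execute and mmap permissions; verify that it does on 17.10 or add an explicit `ix`/`mr` rule for `/usr/bin/python3.[0-9]`, and drop the python2 line if the 17.10 lsb_release is Python 3 only. `/{usr/,}bin/dash ixr,` and `/usr/bin/dpkg-query ixr,` inherit the child's rules, which is narrow enough; the `# file_inherit` deny for `/tmp/gtalkplugin.log` silences a descriptor inherited from the parent and is fine.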
