Code review comment for lp:~sdeziel/apparmor-profiles/thunderbird-enigmail-1.9
Revision history for this message
| Steve Beattie (sbeattie) wrote | # |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
On Mon, Apr 18, 2016 at 09:57:24PM -0000, Simon Déziel wrote:
> On 2016-04-18 04:36 PM, Seth Arnold wrote:
> > I'm surprised about the silenced denials -- those seem wide-ranging
> > and potentially problematic. I might have even thought that
> > thunderbird should have ~/.thunderbird/** rwlk, access.
>
> The web view doesn't make it very easy to spot but those rules apply
> only to the _subprofile_ gpg2.
Thanks for highlighting that.
> > The static names in /tmp/ are interesting. Those may need more
> > research to see if those need a CVE. (It's possible to use static
> > names in /tmp safely, but the [0-9]* regex there gives me a bad
> > feeling.)
>
> When the base file already exists, a number is appended, that's only how
> far I checked this.
It's a bit dubious, but looking at the gpg2 subprofile, there's other
similar dubious /tmp/ usage already.
I've merged this branch after applying the changes to the 16.10 tree as
well.
--
Steve Beattie
<email address hidden>
http://