AppArmor Profiles

Merge lp:~sdeziel/apparmor-profiles/usr.bin.thunderbird-profile into lp:apparmor-profiles

  1. usr.bin.thunderbird-profile
  2. Merge into master
Proposed by Simon Déziel
Status: Merged
Merged at revision: 160
Proposed branch: lp:~sdeziel/apparmor-profiles/usr.bin.thunderbird-profile
Merge into: lp:apparmor-profiles
Diff against target: 267 lines (+263/-0)
1 file modified
ubuntu/16.04/usr.bin.thunderbird (+263/-0)
To merge this branch: bzr merge lp:~sdeziel/apparmor-profiles/usr.bin.thunderbird-profile
Reviewer Review Type Date Requested Status
AppArmor Developers Pending
Review via email: mp+282383@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks! I have some thoughts inline.

Revision history for this message
Simon Déziel (sdeziel) wrote :
Download full text (9.2 KiB)

On 2016-01-12 07:35 PM, Seth Arnold wrote:
> Thanks! I have some thoughts inline.

I should have made it explicit that this started as a copy of the
Firefox profile. I tried to kept them relatively in sync.

> Diff comments:
>
>> === added file 'ubuntu/16.04/usr.bin.thunderbird'
>> --- ubuntu/16.04/usr.bin.thunderbird 1970-01-01 00:00:00 +0000
>> +++ ubuntu/16.04/usr.bin.thunderbird 2016-01-12 22:16:34 +0000
>> @@ -0,0 +1,274 @@
>> +# vim:syntax=apparmor
>> +# Author: Simon Deziel <simon.deziel at gmail_com>
>> +# This apparmor profile is provided as-is
>> +
>> +# Declare an apparmor variable to help with overrides
>> +@{MOZ_LIBDIR}=/usr/lib/thunderbird
>> +
>> +#include <tunables/global>
>> +
>> +# We want to confine the binaries that match:
>> +# /usr/lib/thunderbird/thunderbird
>> +# /usr/lib/thunderbird/thunderbird
>> +# but not:
>> +# /usr/lib/thunderbird/thunderbird.sh
>> +/usr/lib/thunderbird/thunderbird{,*[^s][^h]} {
>
> I don't understand what the first two "we want to match" lines mean, they look identical to me no matter how much I squint :) -- but I really dislike this profile name. If the attachment specification has to be this complicated, please give the profile a specific profile name like "thunderbird":

Honestly, I never understood the need for this complicated name.

> profile thunderbird /usr/lib/whatnot { ...
>
> We made the mistake of giving firefox a terrible profile name and it upsets me every time I see it. Maybe we can fix it before 16.04 LTS is released...

That would be great. I will try with TB ASAP.

>> + #include <abstractions/audio>
>> + #include <abstractions/aspell>
>> + #include <abstractions/cups-client>
>> + # TODO: finetune this for required accesses
>> + #include <abstractions/dbus>
>> + #include <abstractions/dbus-accessibility>
>> + #include <abstractions/dbus-session>
>> + #include <abstractions/gnome>
>> + #include <abstractions/ibus>
>> + #include <abstractions/nameservice>
>> + #include <abstractions/p11-kit>
>> + #include <abstractions/private-files>
>> + #include <abstractions/ssl_certs>
>> + #include <abstractions/ubuntu-browsers>
>> + #include <abstractions/ubuntu-helpers>
>> +
>> + # for crash reports?
>> + ptrace (read,trace) peer=/usr/lib/thunderbird/thunderbird{,*[^s][^h]},
>
> This could be peer=@{profile_name}

Good point, should also be replicated in FF's profile.

>> +
>> + # Pulseaudio
>> + /usr/bin/pulseaudio Pixr,
>> +
>> + owner @{HOME}/.{cache,config}/dconf/user rw,
>> + owner /run/user/[0-9]*/dconf/user rw,
>> + owner @{HOME}/.config/gtk-3.0/bookmarks r,
>> + deny owner @{HOME}/.local/share/gvfs-metadata/* r,
>> +
>> + # potentially extremely sensitive files
>> + audit deny @{HOME}/.gnupg/** mrwkl,
>> + audit deny @{HOME}/.ssh/** mrwkl,
>> +
>> + # rw access to HOME is useful when sending/receiving attachments
>> + owner @{HOME}/** rw,
>> +
>> + # Required for LVM setups
>> + /sys/devices/virtual/block/dm-[0-9]*/uevent r,
>> +
>> + # Addons (too lax for thunderbird)
>> + ##include <abstractions/ubuntu-browsers.d/firefox>
>> +
>> + # for networking
>> + network inet stream,
>> + network inet6 stream,
>> + @{PROC}/[0-9]*/net/if_inet6 r,
>> ...

Read more...

lp:~sdeziel/apparmor-profiles/usr.bin.thunderbird-profile updated
157. By Simon Déziel

usr.bin.thunderbird: incorporate Seth Arnold's feedback:

- simplify profile name
- use ptrace ... peer=@{profile_name},
- drop unneeded deny rule for failed thumbnails
- prevent gpg1/2 from using hardcoded names under /tmp

Revision history for this message
Simon Déziel (sdeziel) wrote :

It turned out that gpg2 no longer used /tmp/encfile* so I dropped it for both gpg version. I hope someone can test the older GPG version for me.

When sending an email with an attachment, TB (no GPG involved) creates the following files under /tmp: nscopy.tmp, nsemail.eml and nsmail.tmp. If I pre-create those, TB appends a "-1" before the extension. This seems to be prone to TOCTOU. I haven't check TB's source but maybe they safely create tmp files to have them renamed to something prettier?

lp:~sdeziel/apparmor-profiles/usr.bin.thunderbird-profile updated
158. By Simon Déziel

usr.bin.thunderbird: gpg2 needs read access to /tmp/data.sig
for signature verification

159. By Simon Déziel

usr.bin.thunderbird: shorthen profile name

160. By Simon Déziel

usr.bin.thunderbird: drop unused rules and use owner where appropriate

Also allow rw access to /tmp/encfile that is needed to support PGP inline.

Revision history for this message
Simon Déziel (sdeziel) wrote :

ping?

lp:~sdeziel/apparmor-profiles/usr.bin.thunderbird-profile updated
161. By Simon Déziel

usr.bin.thunderbird: update subprofile for GnuPG 2.1

162. By Simon Déziel

usr.bin.thunderbird/gpg2: add rules for dirmngr

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hmm, is this still missing? or was it caught in another merge?

Thanks

Revision history for this message
Simon Déziel (sdeziel) wrote :

It was merged by Steve Beattie already. Thanks for checking.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== added file 'ubuntu/16.04/usr.bin.thunderbird'
2--- ubuntu/16.04/usr.bin.thunderbird 1970-01-01 00:00:00 +0000
3+++ ubuntu/16.04/usr.bin.thunderbird 2016-04-05 20:06:19 +0000
4@@ -0,0 +1,263 @@
5+# vim:syntax=apparmor
6+# Author: Simon Deziel <simon.deziel at gmail_com>
7+# This apparmor profile is derived from firefox profile
8+# by Jamie Strandboge <jamie@canonical.com>
9+
10+# Declare an apparmor variable to help with overrides
11+@{MOZ_LIBDIR}=/usr/lib/thunderbird
12+
13+#include <tunables/global>
14+
15+profile thunderbird /usr/lib/thunderbird/thunderbird {
16+ #include <abstractions/audio>
17+ #include <abstractions/aspell>
18+ #include <abstractions/cups-client>
19+ # TODO: finetune this for required accesses
20+ #include <abstractions/dbus>
21+ #include <abstractions/dbus-accessibility>
22+ #include <abstractions/dbus-session>
23+ #include <abstractions/gnome>
24+ #include <abstractions/ibus>
25+ #include <abstractions/nameservice>
26+ #include <abstractions/p11-kit>
27+ #include <abstractions/private-files>
28+ #include <abstractions/ssl_certs>
29+ #include <abstractions/ubuntu-browsers>
30+ #include <abstractions/ubuntu-helpers>
31+
32+ # for crash reports?
33+ ptrace (read,trace) peer=@{profile_name},
34+
35+ # Pulseaudio
36+ /usr/bin/pulseaudio Pixr,
37+
38+ owner @{HOME}/.{cache,config}/dconf/user rw,
39+ owner /run/user/[0-9]*/dconf/user rw,
40+ owner @{HOME}/.config/gtk-3.0/bookmarks r,
41+ deny owner @{HOME}/.local/share/gvfs-metadata/* r,
42+
43+ # potentially extremely sensitive files
44+ audit deny @{HOME}/.gnupg/** mrwkl,
45+ audit deny @{HOME}/.ssh/** mrwkl,
46+
47+ # rw access to HOME is useful when sending/receiving attachments
48+ owner @{HOME}/** rw,
49+
50+ # Required for LVM setups
51+ /sys/devices/virtual/block/dm-[0-9]*/uevent r,
52+
53+ # Addons (too lax for thunderbird)
54+ ##include <abstractions/ubuntu-browsers.d/firefox>
55+
56+ # for networking
57+ network inet stream,
58+ network inet6 stream,
59+ @{PROC}/[0-9]*/net/if_inet6 r,
60+ @{PROC}/[0-9]*/net/ipv6_route r,
61+ @{PROC}/[0-9]*/net/dev r,
62+ @{PROC}/[0-9]*/net/wireless r,
63+
64+ # should maybe be in abstractions
65+ /etc/ r,
66+ /etc/mime.types r,
67+ /etc/mailcap r,
68+ /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
69+ /etc/xfce4/defaults.list r,
70+ /usr/share/xubuntu/applications/defaults.list r,
71+ owner @{HOME}/.local/share/applications/defaults.list r,
72+ owner @{HOME}/.local/share/applications/mimeapps.list r,
73+ owner @{HOME}/.local/share/applications/mimeinfo.cache r,
74+ owner /tmp/** m,
75+ owner /var/tmp/** m,
76+ /tmp/.X[0-9]*-lock r,
77+ /etc/udev/udev.conf r,
78+ # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
79+ # Possibly move to an abstraction if anything else needs it.
80+ deny /run/udev/data/** r,
81+
82+ /etc/timezone r,
83+ /etc/wildmidi/wildmidi.cfg r,
84+
85+ # thunderbird specific
86+ /etc/thunderbird/ r,
87+ /etc/thunderbird/** r,
88+ /etc/xul-ext/** r,
89+ /etc/xulrunner-2.0*/ r,
90+ /etc/xulrunner-2.0*/** r,
91+ /etc/gre.d/ r,
92+ /etc/gre.d/* r,
93+
94+ # noisy
95+ deny @{MOZ_LIBDIR}/** w,
96+ deny /usr/lib/thunderbird-addons/** w,
97+ deny /usr/lib/xulrunner-addons/** w,
98+ deny /usr/lib/xulrunner-*/components/*.tmp w,
99+ deny /.suspended r,
100+ deny /boot/initrd.img* r,
101+ deny /boot/vmlinuz* r,
102+ deny /var/cache/fontconfig/ w,
103+ deny @{HOME}/.local/share/recently-used.xbel r,
104+ deny @{HOME}/.* r,
105+
106+ # TODO: investigate
107+ deny /usr/bin/gconftool-2 x,
108+
109+ owner @{PROC}/[0-9]*/mountinfo r,
110+ owner @{PROC}/[0-9]*/stat r,
111+ owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
112+ /sys/devices/pci[0-9]*/**/uevent r,
113+ /etc/mtab r,
114+ /etc/fstab r,
115+
116+ # Needed for the crash reporter
117+ owner @{PROC}/[0-9]*/environ r,
118+ owner @{PROC}/[0-9]*/auxv r,
119+ /etc/lsb-release r,
120+ /usr/bin/expr ix,
121+ /sys/devices/system/cpu/ r,
122+ /sys/devices/system/cpu/** r,
123+
124+ # about:memory
125+ owner @{PROC}/[0-9]*/statm r,
126+ owner @{PROC}/[0-9]*/smaps r,
127+
128+ # Needed for container to work in xul builds
129+ /usr/lib/xulrunner-*/plugin-container ixr,
130+
131+ # allow access to documentation and other files the user may want to look
132+ # at in /usr and /opt
133+ /usr/ r,
134+ /usr/** r,
135+ /opt/ r,
136+ /opt/** r,
137+
138+ # so browsing directories works
139+ / r,
140+ /**/ r,
141+
142+ # per-user thunderbird configuration
143+ owner @{HOME}/.thunderbird/ rw,
144+ owner @{HOME}/.thunderbird/** rw,
145+ owner @{HOME}/.thunderbird/**/storage.sdb k,
146+ owner @{HOME}/.thunderbird/**/*.{db,parentlock,sqlite}* k,
147+ owner @{HOME}/.thunderbird/plugins/** rm,
148+ owner @{HOME}/.thunderbird/**/plugins/** rm,
149+ owner @{HOME}/.cache/thunderbird/ rw,
150+ owner @{HOME}/.cache/thunderbird/** rw,
151+
152+ #
153+ # Extensions
154+ # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
155+ # Allow 'x' for downloaded extensions, but inherit policy for safety
156+ owner @{HOME}/.thunderbird/**/extensions/** mixrw,
157+ owner @{HOME}/.mozilla/extensions/** mixr,
158+ /usr/share/xul-ext/**/*.sqlite rk,
159+ /usr/lib/xul-ext/**/*.sqlite rk,
160+ /usr/lib/thunderbird-addons/extensions/**/*.sqlite rk,
161+
162+ deny @{MOZ_LIBDIR}/update.test w,
163+ deny /usr/lib/mozilla/extensions/**/ w,
164+ deny /usr/lib/xulrunner-addons/extensions/**/ w,
165+ deny /usr/share/mozilla/extensions/**/ w,
166+ deny /usr/share/mozilla/ w,
167+
168+ # Miscellaneous (to be abstracted)
169+ # Ideally these would use a child profile. They are all ELF executables
170+ # so running with 'Ux', while not ideal, is ok because we will at least
171+ # benefit from glibc's secure execute.
172+ /usr/bin/mkfifo Uxr, # investigate
173+ /bin/ps Uxr,
174+ /bin/uname Uxr,
175+
176+ /usr/bin/gpg Cx -> gpg,
177+
178+ profile gpg {
179+ #include <abstractions/base>
180+
181+ # Required to import keys from keyservers
182+ #include <abstractions/nameservice>
183+ #include <abstractions/p11-kit>
184+
185+ # For smartcards?
186+ /dev/bus/usb/ r,
187+ /dev/bus/usb/[0-9]*/ r,
188+ /dev/bus/usb/[0-9]*/[0-9]* r,
189+
190+ # LDAP key servers
191+ /etc/ldap/ldap.conf r,
192+
193+ /usr/bin/gpg mr,
194+ /usr/lib/gnupg/gpgkeys_* ix,
195+ owner @{HOME}/.gnupg r,
196+ owner @{HOME}/.gnupg/gpg.conf r,
197+ owner @{HOME}/.gnupg/random_seed rwk,
198+ owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
199+ owner @{HOME}/.gnupg/secring.gpg rw,
200+ owner @{HOME}/.gnupg/trustdb.gpg rw,
201+ owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
202+ owner @{HOME}/.gnupg/.#*[0-9] rw,
203+ owner @{HOME}/.gnupg/.#*[0-9]x rwl,
204+ owner @{HOME}/** r,
205+
206+ owner /run/user/[0-9]*/keyring-*/gpg rw,
207+
208+ # for inline pgp
209+ owner /tmp/encfile rw,
210+ owner /tmp/encfile-[0-9]* rw,
211+ }
212+
213+ /usr/bin/gpg2 Cx -> gpg2,
214+ /usr/bin/gpgconf Cx -> gpg2,
215+ /usr/bin/gpg-connect-agent Cx -> gpg2,
216+
217+ # TB tries to create this file but has no business doing so
218+ deny @{HOME}/.gnupg/gpg-agent.conf w,
219+
220+ profile gpg2 {
221+ #include <abstractions/base>
222+
223+ # Required to import keys from keyservers
224+ #include <abstractions/nameservice>
225+ #include <abstractions/p11-kit>
226+ /usr/lib/gnupg2/gpg2keys_hkp ix,
227+
228+ # For smartcards?
229+ /dev/bus/usb/ r,
230+ /dev/bus/usb/[0-9]*/ r,
231+ /dev/bus/usb/[0-9]*/[0-9]* r,
232+
233+ # LDAP key servers
234+ /etc/ldap/ldap.conf r,
235+
236+ /usr/bin/gpg-connect-agent mr,
237+ owner @{HOME}/.gnupg/S.gpg-agent rw,
238+ owner @{HOME}/.gnupg/S.dirmngr rw,
239+
240+ /usr/bin/gpg2 mr,
241+ owner @{HOME}/.gnupg/ rw,
242+ owner @{HOME}/.gnupg/gpg.conf r,
243+ owner @{HOME}/.gnupg/random_seed rwk,
244+ owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
245+ owner @{HOME}/.gnupg/secring.gpg rw,
246+ owner @{HOME}/.gnupg/trustdb.gpg rw,
247+ owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
248+ owner @{HOME}/.gnupg/.gpg-*.lock rwl,
249+ owner @{HOME}/.gnupg/gnupg_spawn_*.lock rwl,
250+ owner @{HOME}/.gnupg/.#lk0x[0-9a-f]* rwl,
251+ owner @{HOME}/.gnupg/.gpg-v[0-9]*-migrated rw,
252+ owner @{HOME}/** r,
253+
254+ # for inline pgp
255+ owner /tmp/encfile rw,
256+ owner /tmp/encfile-[0-9]* rw,
257+
258+ # for signature verifications
259+ owner /tmp/data.sig r,
260+ owner /tmp/data-[0-9]*.sig r,
261+
262+ owner /tmp/gpg-[a-zA-Z0-9]*/S.gpg-agent rw,
263+ }
264+
265+ # Site-specific additions and overrides. See local/README for details.
266+ #include <local/usr.bin.thunderbird>
267+}

Subscribers

People subscribed via source and target branches

to status/vote changes: