AppArmor Profiles

Code review comment for lp:~sdeziel/apparmor-profiles/usr.bin.thunderbird-profile

usr.bin.thunderbird-profile
Merge into master

Revision history for this message

Simon Déziel (sdeziel) wrote on 2016-01-13:

On 2016-01-12 07:35 PM, Seth Arnold wrote:
> Thanks! I have some thoughts inline.

I should have made it explicit that this started as a copy of the
Firefox profile. I tried to kept them relatively in sync.

> Diff comments:
>
>> === added file 'ubuntu/16.04/usr.bin.thunderbird'
>> --- ubuntu/16.04/usr.bin.thunderbird 1970-01-01 00:00:00 +0000
>> +++ ubuntu/16.04/usr.bin.thunderbird 2016-01-12 22:16:34 +0000
>> @@ -0,0 +1,274 @@
>> +# vim:syntax=apparmor
>> +# Author: Simon Deziel <simon.deziel at gmail_com>
>> +# This apparmor profile is provided as-is
>> +
>> +# Declare an apparmor variable to help with overrides
>> +@{MOZ_LIBDIR}=/usr/lib/thunderbird
>> +
>> +#include <tunables/global>
>> +
>> +# We want to confine the binaries that match:
>> +# /usr/lib/thunderbird/thunderbird
>> +# /usr/lib/thunderbird/thunderbird
>> +# but not:
>> +# /usr/lib/thunderbird/thunderbird.sh
>> +/usr/lib/thunderbird/thunderbird{,*[^s][^h]} {
>
> I don't understand what the first two "we want to match" lines mean, they look identical to me no matter how much I squint :) -- but I really dislike this profile name. If the attachment specification has to be this complicated, please give the profile a specific profile name like "thunderbird":

Honestly, I never understood the need for this complicated name.

> profile thunderbird /usr/lib/whatnot { ...
>
> We made the mistake of giving firefox a terrible profile name and it upsets me every time I see it. Maybe we can fix it before 16.04 LTS is released...

That would be great. I will try with TB ASAP.

>> + #include <abstractions/audio>
>> + #include <abstractions/aspell>
>> + #include <abstractions/cups-client>
>> + # TODO: finetune this for required accesses
>> + #include <abstractions/dbus>
>> + #include <abstractions/dbus-accessibility>
>> + #include <abstractions/dbus-session>
>> + #include <abstractions/gnome>
>> + #include <abstractions/ibus>
>> + #include <abstractions/nameservice>
>> + #include <abstractions/p11-kit>
>> + #include <abstractions/private-files>
>> + #include <abstractions/ssl_certs>
>> + #include <abstractions/ubuntu-browsers>
>> + #include <abstractions/ubuntu-helpers>
>> +
>> + # for crash reports?
>> + ptrace (read,trace) peer=/usr/lib/thunderbird/thunderbird{,*[^s][^h]},
>
> This could be peer=@{profile_name}

Good point, should also be replicated in FF's profile.

>> +
>> + # Pulseaudio
>> + /usr/bin/pulseaudio Pixr,
>> +
>> + owner @{HOME}/.{cache,config}/dconf/user rw,
>> + owner /run/user/[0-9]*/dconf/user rw,
>> + owner @{HOME}/.config/gtk-3.0/bookmarks r,
>> + deny owner @{HOME}/.local/share/gvfs-metadata/* r,
>> +
>> + # potentially extremely sensitive files
>> + audit deny @{HOME}/.gnupg/** mrwkl,
>> + audit deny @{HOME}/.ssh/** mrwkl,
>> +
>> + # rw access to HOME is useful when sending/receiving attachments
>> + owner @{HOME}/** rw,
>> +
>> + # Required for LVM setups
>> + /sys/devices/virtual/block/dm-[0-9]*/uevent r,
>> +
>> + # Addons (too lax for thunderbird)
>> + ##include <abstractions/ubuntu-browsers.d/firefox>
>> +
>> + # for networking
>> + network inet stream,
>> + network inet6 stream,
>> + @{PROC}/[0-9]*/net/if_inet6 r,
>> + @{PROC}/[0-9]*/net/ipv6_route r,
>> + @{PROC}/[0-9]*/net/dev r,
>> + @{PROC}/[0-9]*/net/wireless r,
>> +
>> + # should maybe be in abstractions
>> + /etc/ r,
>> + /etc/mime.types r,
>> + /etc/mailcap r,
>> + /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
>> + /etc/xfce4/defaults.list r,
>> + /usr/share/xubuntu/applications/defaults.list r,
>> + owner @{HOME}/.local/share/applications/defaults.list r,
>> + owner @{HOME}/.local/share/applications/mimeapps.list r,
>> + owner @{HOME}/.local/share/applications/mimeinfo.cache r,
>> + owner /tmp/** m,
>> + owner /var/tmp/** m,
>> + /tmp/.X[0-9]*-lock r,
>> + /etc/udev/udev.conf r,
>> + # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
>> + # Possibly move to an abstraction if anything else needs it.
>> + deny /run/udev/data/** r,
>> +
>> + /etc/timezone r,
>> + /etc/wildmidi/wildmidi.cfg r,
>> +
>> + # thunderbird specific
>> + /etc/thunderbird/ r,
>> + /etc/thunderbird/** r,
>> + /etc/xul-ext/** r,
>> + /etc/xulrunner-2.0*/ r,
>> + /etc/xulrunner-2.0*/** r,
>> + /etc/gre.d/ r,
>> + /etc/gre.d/* r,
>> +
>> + # noisy
>> + deny @{MOZ_LIBDIR}/** w,
>> + deny /usr/lib/thunderbird-addons/** w,
>> + deny /usr/lib/xulrunner-addons/** w,
>> + deny /usr/lib/xulrunner-*/components/*.tmp w,
>> + deny /.suspended r,
>
> Wow. What the heck are they even trying to do??

Really no clue. Again it was copied verbatim from FF's profile.

>> + deny /boot/initrd.img* r,
>> + deny /boot/vmlinuz* r,
>> + deny /var/cache/fontconfig/ w,
>> + deny @{HOME}/.local/share/recently-used.xbel r,
>> + deny @{HOME}/.* r,
>> +
>> + # TODO: investigate
>> + deny /usr/bin/gconftool-2 x,
>> +
>> + # These are needed when a new user starts thunderbird and thunderbird.sh is used
>> + @{MOZ_LIBDIR}/** ixr,
>> + /usr/bin/basename ixr,
>> + /usr/bin/dirname ixr,
>> + /usr/bin/pwd ixr,
>> + /sbin/killall5 ixr,
>> + /bin/which ixr,
>> + /usr/bin/tr ixr,
>> + @{PROC}/ r,
>> + @{PROC}/[0-9]*/cmdline r,
>> + @{PROC}/[0-9]*/mountinfo r,
>> + @{PROC}/[0-9]*/stat r,
>> + owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
>> + @{PROC}/[0-9]*/status r,
>> + @{PROC}/filesystems r,
>> + /sys/devices/pci[0-9]*/**/uevent r,
>> + owner @{HOME}/.thumbnails/*/*.png r,
>> + owner @{HOME}/.cache/thumbnails/*/*.png r,
>> + deny @{HOME}/.cache/thumbnails/fail/*.png r,
>
> What's wrong with allowing this?

FF's profile doesn't have it and maybe never had. I think I wanted the
failed thumbnails to not be used because they could be "poisoned". I'll
drop it for the sake of uniformity with FF.

>> +
>> + /etc/mtab r,
>> + /etc/fstab r,
>> +
>> + # Needed for the crash reporter
>> + owner @{PROC}/[0-9]*/environ r,
>> + owner @{PROC}/[0-9]*/auxv r,
>> + /etc/lsb-release r,
>> + /usr/bin/expr ix,
>> + /sys/devices/system/cpu/ r,
>> + /sys/devices/system/cpu/** r,
>> +
>> + # about:memory
>> + owner @{PROC}/[0-9]*/statm r,
>> + owner @{PROC}/[0-9]*/smaps r,
>> +
>> + # Needed for container to work in xul builds
>> + /usr/lib/xulrunner-*/plugin-container ixr,
>> +
>> + # allow access to documentation and other files the user may want to look
>> + # at in /usr and /opt
>> + /usr/ r,
>> + /usr/** r,
>> + /opt/ r,
>> + /opt/** r,
>> +
>> + # so browsing directories works
>> + / r,
>> + /**/ r,
>> +
>> + # per-user thunderbird configuration
>> + owner @{HOME}/.thunderbird/ rw,
>> + owner @{HOME}/.thunderbird/** rw,
>> + owner @{HOME}/.thunderbird/**/storage.sdb k,
>> + owner @{HOME}/.thunderbird/**/*.{db,parentlock,sqlite}* k,
>> + owner @{HOME}/.thunderbird/plugins/** rm,
>> + owner @{HOME}/.thunderbird/**/plugins/** rm,
>> + owner @{HOME}/.cache/thunderbird/ rw,
>> + owner @{HOME}/.cache/thunderbird/** rw,
>> +
>> + #
>> + # Extensions
>> + # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
>> + # Allow 'x' for downloaded extensions, but inherit policy for safety
>> + owner @{HOME}/.thunderbird/**/extensions/** mixrw,
>> + owner @{HOME}/.mozilla/extensions/** mixr,
>> + /usr/share/xul-ext/**/*.sqlite rk,
>> + /usr/lib/xul-ext/**/*.sqlite rk,
>> + /usr/lib/thunderbird-addons/extensions/**/*.sqlite rk,
>> +
>> + deny @{MOZ_LIBDIR}/update.test w,
>> + deny /usr/lib/mozilla/extensions/**/ w,
>> + deny /usr/lib/xulrunner-addons/extensions/**/ w,
>> + deny /usr/share/mozilla/extensions/**/ w,
>> + deny /usr/share/mozilla/ w,
>> +
>> + # Miscellaneous (to be abstracted)
>> + # Ideally these would use a child profile. They are all ELF executables
>> + # so running with 'Ux', while not ideal, is ok because we will at least
>> + # benefit from glibc's secure execute.
>> + /usr/bin/mkfifo Uxr, # investigate
>> + /bin/ps Uxr,
>> + /bin/uname Uxr,
>> +
>> + /usr/bin/gpg Cx -> gpg,
>> +
>> + profile gpg {
>> + #include <abstractions/base>
>> +
>> + # Required to import keys from keyservers
>> + #include <abstractions/nameservice>
>> + #include <abstractions/p11-kit>
>> +
>> + # For smartcards?
>> + /dev/bus/usb/ r,
>> + /dev/bus/usb/[0-9]*/ r,
>> + /dev/bus/usb/[0-9]*/[0-9]* r,
>> +
>> + # LDAP key servers
>> + /etc/ldap/ldap.conf r,
>> +
>> + /usr/bin/gpg mr,
>> + /usr/lib/gnupg/gpgkeys_* ix,
>> + owner @{HOME}/.gnupg r,
>> + owner @{HOME}/.gnupg/gpg.conf r,
>> + owner @{HOME}/.gnupg/random_seed rwk,
>> + owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
>> + owner @{HOME}/.gnupg/secring.gpg rw,
>> + owner @{HOME}/.gnupg/trustdb.gpg rw,
>> + owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
>> + owner @{HOME}/.gnupg/.#*[0-9] rw,
>> + owner @{HOME}/.gnupg/.#*[0-9]x rwl,
>> + owner /run/user/[0-9]*/keyring-*/gpg rw,
>> +
>> + owner @{HOME}/** r,
>> + owner /tmp/** r,
>> + owner /tmp/encfile wr,
>
> Well now, this is interesting. Normally when you see a hardcoded path in /tmp/ like this you also find an exploitable security bug. We might have Yama to prevent this but other people may not. I wonder if Kurt's seen this yet.

IIRC, TB uses /tmp/encfile first then if it exists it uses encfile-x and
keep incrementing x.

I'll "audit" this.

Thanks for the review!
Simon

On 2016-01-12 07:35 PM, Seth Arnold wrote:
> Thanks! I have some thoughts inline.

I should have made it explicit that this started as a copy of the
Firefox profile. I tried to kept them relatively in sync.

> Diff comments:
> 
>> === added file 'ubuntu/16.04/usr.bin.thunderbird'
>> --- ubuntu/16.04/usr.bin.thunderbird	1970-01-01 00:00:00 +0000
>> +++ ubuntu/16.04/usr.bin.thunderbird	2016-01-12 22:16:34 +0000
>> @@ -0,0 +1,274 @@
>> +# vim:syntax=apparmor
>> +# Author: Simon Deziel <simon.deziel at gmail_com>
>> +# This apparmor profile is provided as-is
>> +
>> +# Declare an apparmor variable to help with overrides
>> +@{MOZ_LIBDIR}=/usr/lib/thunderbird
>> +
>> +#include <tunables/global>
>> +
>> +# We want to confine the binaries that match:
>> +#  /usr/lib/thunderbird/thunderbird
>> +#  /usr/lib/thunderbird/thunderbird
>> +# but not:
>> +#  /usr/lib/thunderbird/thunderbird.sh
>> +/usr/lib/thunderbird/thunderbird{,*[^s][^h]} {
> 
> I don't understand what the first two "we want to match" lines mean, they look identical to me no matter how much I squint :) -- but I really dislike this profile name. If the attachment specification has to be this complicated, please give the profile a specific profile name like "thunderbird":

Honestly, I never understood the need for this complicated name.

> profile thunderbird /usr/lib/whatnot { ...
> 
> We made the mistake of giving firefox a terrible profile name and it upsets me every time I see it. Maybe we can fix it before 16.04 LTS is released...

That would be great. I will try with TB ASAP.

>> +  #include <abstractions/audio>
>> +  #include <abstractions/aspell>
>> +  #include <abstractions/cups-client>
>> +  # TODO: finetune this for required accesses
>> +  #include <abstractions/dbus>
>> +  #include <abstractions/dbus-accessibility>
>> +  #include <abstractions/dbus-session>
>> +  #include <abstractions/gnome>
>> +  #include <abstractions/ibus>
>> +  #include <abstractions/nameservice>
>> +  #include <abstractions/p11-kit>
>> +  #include <abstractions/private-files>
>> +  #include <abstractions/ssl_certs>
>> +  #include <abstractions/ubuntu-browsers>
>> +  #include <abstractions/ubuntu-helpers>
>> +
>> +  # for crash reports?
>> +  ptrace (read,trace) peer=/usr/lib/thunderbird/thunderbird{,*[^s][^h]},
> 
> This could be peer=@{profile_name}

Good point, should also be replicated in FF's profile.

>> +
>> +  # Pulseaudio
>> +  /usr/bin/pulseaudio Pixr,
>> +
>> +  owner @{HOME}/.{cache,config}/dconf/user rw,
>> +  owner /run/user/[0-9]*/dconf/user rw,
>> +  owner @{HOME}/.config/gtk-3.0/bookmarks r,
>> +  deny owner @{HOME}/.local/share/gvfs-metadata/* r,
>> +
>> +  # potentially extremely sensitive files
>> +  audit deny @{HOME}/.gnupg/** mrwkl,
>> +  audit deny @{HOME}/.ssh/** mrwkl,
>> +
>> +  # rw access to HOME is useful when sending/receiving attachments
>> +  owner @{HOME}/** rw,
>> +
>> +  # Required for LVM setups
>> +  /sys/devices/virtual/block/dm-[0-9]*/uevent r,
>> +
>> +  # Addons (too lax for thunderbird)
>> +  ##include <abstractions/ubuntu-browsers.d/firefox>
>> +
>> +  # for networking
>> +  network inet stream,
>> +  network inet6 stream,
>> +  @{PROC}/[0-9]*/net/if_inet6 r,
>> +  @{PROC}/[0-9]*/net/ipv6_route r,
>> +  @{PROC}/[0-9]*/net/dev r,
>> +  @{PROC}/[0-9]*/net/wireless r,
>> +
>> +  # should maybe be in abstractions
>> +  /etc/ r,
>> +  /etc/mime.types r,
>> +  /etc/mailcap r,
>> +  /etc/xdg/*buntu/applications/defaults.list    r, # for all derivatives
>> +  /etc/xfce4/defaults.list r,
>> +  /usr/share/xubuntu/applications/defaults.list r,
>> +  owner @{HOME}/.local/share/applications/defaults.list r,
>> +  owner @{HOME}/.local/share/applications/mimeapps.list r,
>> +  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
>> +  owner /tmp/** m,
>> +  owner /var/tmp/** m,
>> +  /tmp/.X[0-9]*-lock r,
>> +  /etc/udev/udev.conf r,
>> +  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
>> +  # Possibly move to an abstraction if anything else needs it.
>> +  deny /run/udev/data/** r,
>> +
>> +  /etc/timezone r,
>> +  /etc/wildmidi/wildmidi.cfg r,
>> +
>> +  # thunderbird specific
>> +  /etc/thunderbird/ r,
>> +  /etc/thunderbird/** r,
>> +  /etc/xul-ext/** r,
>> +  /etc/xulrunner-2.0*/ r,
>> +  /etc/xulrunner-2.0*/** r,
>> +  /etc/gre.d/ r,
>> +  /etc/gre.d/* r,
>> +
>> +  # noisy
>> +  deny @{MOZ_LIBDIR}/** w,
>> +  deny /usr/lib/thunderbird-addons/** w,
>> +  deny /usr/lib/xulrunner-addons/** w,
>> +  deny /usr/lib/xulrunner-*/components/*.tmp w,
>> +  deny /.suspended r,
> 
> Wow. What the heck are they even trying to do??

Really no clue. Again it was copied verbatim from FF's profile.

>> +  deny /boot/initrd.img* r,
>> +  deny /boot/vmlinuz* r,
>> +  deny /var/cache/fontconfig/ w,
>> +  deny @{HOME}/.local/share/recently-used.xbel r,
>> +  deny @{HOME}/.* r,
>> +
>> +  # TODO: investigate
>> +  deny /usr/bin/gconftool-2 x,
>> +
>> +  # These are needed when a new user starts thunderbird and thunderbird.sh is used
>> +  @{MOZ_LIBDIR}/** ixr,
>> +  /usr/bin/basename ixr,
>> +  /usr/bin/dirname ixr,
>> +  /usr/bin/pwd ixr,
>> +  /sbin/killall5 ixr,
>> +  /bin/which ixr,
>> +  /usr/bin/tr ixr,
>> +  @{PROC}/ r,
>> +  @{PROC}/[0-9]*/cmdline r,
>> +  @{PROC}/[0-9]*/mountinfo r,
>> +  @{PROC}/[0-9]*/stat r,
>> +  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
>> +  @{PROC}/[0-9]*/status r,
>> +  @{PROC}/filesystems r,
>> +  /sys/devices/pci[0-9]*/**/uevent r,
>> +  owner @{HOME}/.thumbnails/*/*.png r,
>> +  owner @{HOME}/.cache/thumbnails/*/*.png r,
>> +  deny @{HOME}/.cache/thumbnails/fail/*.png r,
> 
> What's wrong with allowing this?

FF's profile doesn't have it and maybe never had. I think I wanted the
failed thumbnails to not be used because they could be "poisoned". I'll
drop it for the sake of uniformity with FF.

>> +
>> +  /etc/mtab r,
>> +  /etc/fstab r,
>> +
>> +  # Needed for the crash reporter
>> +  owner @{PROC}/[0-9]*/environ r,
>> +  owner @{PROC}/[0-9]*/auxv r,
>> +  /etc/lsb-release r,
>> +  /usr/bin/expr ix,
>> +  /sys/devices/system/cpu/ r,
>> +  /sys/devices/system/cpu/** r,
>> +
>> +  # about:memory
>> +  owner @{PROC}/[0-9]*/statm r,
>> +  owner @{PROC}/[0-9]*/smaps r,
>> +
>> +  # Needed for container to work in xul builds
>> +  /usr/lib/xulrunner-*/plugin-container ixr,
>> +
>> +  # allow access to documentation and other files the user may want to look
>> +  # at in /usr and /opt
>> +  /usr/ r,
>> +  /usr/** r,
>> +  /opt/ r,
>> +  /opt/** r,
>> +
>> +  # so browsing directories works
>> +  / r,
>> +  /**/ r,
>> +
>> +  # per-user thunderbird configuration
>> +  owner @{HOME}/.thunderbird/ rw,
>> +  owner @{HOME}/.thunderbird/** rw,
>> +  owner @{HOME}/.thunderbird/**/storage.sdb k,
>> +  owner @{HOME}/.thunderbird/**/*.{db,parentlock,sqlite}* k,
>> +  owner @{HOME}/.thunderbird/plugins/** rm,
>> +  owner @{HOME}/.thunderbird/**/plugins/** rm,
>> +  owner @{HOME}/.cache/thunderbird/ rw,
>> +  owner @{HOME}/.cache/thunderbird/** rw,
>> +
>> +  #
>> +  # Extensions
>> +  # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
>> +  # Allow 'x' for downloaded extensions, but inherit policy for safety
>> +  owner @{HOME}/.thunderbird/**/extensions/** mixrw,
>> +  owner @{HOME}/.mozilla/extensions/**        mixr,
>> +  /usr/share/xul-ext/**/*.sqlite              rk,
>> +  /usr/lib/xul-ext/**/*.sqlite                rk,
>> +  /usr/lib/thunderbird-addons/extensions/**/*.sqlite rk,
>> +
>> +  deny @{MOZ_LIBDIR}/update.test w,
>> +  deny /usr/lib/mozilla/extensions/**/ w,
>> +  deny /usr/lib/xulrunner-addons/extensions/**/ w,
>> +  deny /usr/share/mozilla/extensions/**/ w,
>> +  deny /usr/share/mozilla/ w,
>> +
>> +  # Miscellaneous (to be abstracted)
>> +  # Ideally these would use a child profile. They are all ELF executables
>> +  # so running with 'Ux', while not ideal, is ok because we will at least
>> +  # benefit from glibc's secure execute.
>> +  /usr/bin/mkfifo Uxr,  # investigate
>> +  /bin/ps Uxr,
>> +  /bin/uname Uxr,
>> +
>> +  /usr/bin/gpg Cx -> gpg,
>> +
>> +  profile gpg {
>> +    #include <abstractions/base>
>> +
>> +    # Required to import keys from keyservers
>> +    #include <abstractions/nameservice>
>> +    #include <abstractions/p11-kit>
>> +
>> +    # For smartcards?
>> +    /dev/bus/usb/ r,
>> +    /dev/bus/usb/[0-9]*/ r,
>> +    /dev/bus/usb/[0-9]*/[0-9]* r,
>> +
>> +    # LDAP key servers
>> +    /etc/ldap/ldap.conf r,
>> +
>> +    /usr/bin/gpg mr,
>> +    /usr/lib/gnupg/gpgkeys_* ix,
>> +    owner @{HOME}/.gnupg r,
>> +    owner @{HOME}/.gnupg/gpg.conf r,
>> +    owner @{HOME}/.gnupg/random_seed rwk,
>> +    owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
>> +    owner @{HOME}/.gnupg/secring.gpg rw,
>> +    owner @{HOME}/.gnupg/trustdb.gpg rw,
>> +    owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
>> +    owner @{HOME}/.gnupg/.#*[0-9]  rw,
>> +    owner @{HOME}/.gnupg/.#*[0-9]x rwl,
>> +    owner /run/user/[0-9]*/keyring-*/gpg rw,
>> +
>> +    owner @{HOME}/** r,
>> +    owner /tmp/** r,
>> +    owner /tmp/encfile wr,
> 
> Well now, this is interesting. Normally when you see a hardcoded path in /tmp/ like this you also find an exploitable security bug. We might have Yama to prevent this but other people may not. I wonder if Kurt's seen this yet.

IIRC, TB uses /tmp/encfile first then if it exists it uses encfile-x and
keep incrementing x.

I'll "audit" this.

Thanks for the review!
Simon

« Back to merge proposal