AppArmor Profiles

Merge ~talkless/apparmor-profiles:thunderbird-mozilla-java-plugins into ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master

  1. Git
  2. lp:~talkless/apparmor-profiles
  3. thunderbird-mozilla-java-plugins
  4. Merge into master
Proposed by Vincas Dargis
Status: Merged
Merge reported by: John Johansen
Merged at revision: b369099c346f2aa19ab063aae8fc06fc4938eff6
Proposed branch: ~talkless/apparmor-profiles:thunderbird-mozilla-java-plugins
Merge into: ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master
Diff against target: 19 lines (+2/-0)
1 file modified
ubuntu/17.10/usr.bin.thunderbird (+2/-0)
Reviewer Review Type Date Requested Status
intrigeri Approve
Simon Déziel Pending
AppArmor Developers Pending
Review via email: mp+331617@code.launchpad.net

Description of the change

Fixes loading Mozilla and Java plugins, such as:
/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so (Debian 7, icedtea-7-plugin)
/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so (Debian 8, icedtea-7-plugin)
/usr/lib/mozilla/plugins/skypebuttons.so (7 and 8, kopete)

Fixes:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877324
https://bugs.launchpad.net/apparmor-profiles/+bug/1706870 (except python2.7 issue, I skipped for other MR)

To post a comment you must log in.
Revision history for this message
Simon Déziel (sdeziel) wrote :

LGTM but would you mind making those rules "rm" to make the read access explicit.

Revision history for this message
Vincas Dargis (talkless) wrote :

> LGTM but would you mind making those rules "rm" to make the read access
> explicit.

Done.

Revision history for this message
intrigeri (intrigeri) wrote :

I see that abstractions/ubuntu-browsers.d/java has something about IcedTeaPlugin.so + other potentially useful stuff like access to /{,var/}run/user/*/icedteaplugin-*/, that I suspect we'll need for Thunderbird as well sooner or later. So how about including this abstraction instead?

review: Needs Information
Revision history for this message
Vincas Dargis (talkless) wrote :

OK I'm on it.

Revision history for this message
Vincas Dargis (talkless) wrote :

> I see that abstractions/ubuntu-browsers.d/java has something about
> IcedTeaPlugin.so + other potentially useful stuff like access to
> /{,var/}run/user/*/icedteaplugin-*/, that I suspect we'll need for Thunderbird
> as well sooner or later. So how about including this abstraction instead?

Done, pushed amended commit.

Revision history for this message
intrigeri (intrigeri) wrote :

LGTM

review: Approve
Revision history for this message
intrigeri (intrigeri) wrote :

It seems something went wrong: John marked this as merged but apparently it was not, so I just merged it myself (+ applied the same change to 18.04): https://gitlab.com/apparmor/apparmor-profiles/commit/5ecd985737ca1e1bb6954525dfc1a405f1fe16b7.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/ubuntu/17.10/usr.bin.thunderbird b/ubuntu/17.10/usr.bin.thunderbird
2index caec9ef..48a4cdf 100644
3--- a/ubuntu/17.10/usr.bin.thunderbird
4+++ b/ubuntu/17.10/usr.bin.thunderbird
5@@ -23,6 +23,7 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
6 #include <abstractions/private-files>
7 #include <abstractions/ssl_certs>
8 #include <abstractions/ubuntu-browsers>
9+ #include <abstractions/ubuntu-browsers.d/java>
10 #include <abstractions/ubuntu-helpers>
11
12 # For Xubuntu to launch the browser
13@@ -174,6 +175,7 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
14 owner @{HOME}/.{icedove,thunderbird}/**/extensions/** mixrw,
15 owner @{HOME}/.mozilla/extensions/** mixr,
16 /usr/share/xul-ext/**/*.sqlite rk,
17+ /usr/lib/mozilla/plugins/*.so rm,
18 /usr/lib/xul-ext/**/*.sqlite rk,
19 /usr/lib/thunderbird-addons/extensions/**/*.sqlite rk,
20

Subscribers

People subscribed via source and target branches