Merge ~talkless/apparmor-profiles:fix-thunderbird-attachements into ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master

Proposed by Vincas Dargis
Status: Merged
Merged at revision: 822639246e5a1dea5c1f7155899472b0390ab0a0
Proposed branch: ~talkless/apparmor-profiles:fix-thunderbird-attachements
Merge into: ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master
Diff against target: 25 lines (+5/-2)
1 file modified
ubuntu/17.10/usr.bin.thunderbird (+5/-2)
Reviewer Review Type Date Requested Status
intrigeri Approve
Simon Déziel Pending
AppArmor Developers Pending
Review via email: mp+332870@code.launchpad.net

Description of the change

This is a modified (no sbin, less explicit) intrigeri patch [0][1] for fixing Debian bug #855346 [2], which prevents Thunderbird users with the AppArmor profile enabled from opening attachments.

Additionally, some cleanup is done to close #876333 [3].

For the record, I do not particularly like this attachment workaround (it allows interpreters, wget...), but because *we do not have abstractions* to cover all (most) of the various document-format-opening cases, let's agree that:

1. This is a *temporary fix* to still have the Thunderbird profile enforced on Debian.
2. I will start an initiative to build a list of abstractions that would allow browsers, email clients and IMs to open downloaded files of various formats.

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855346#60
[1] https://git-tails.immerda.ch/icedove/commit/?h=bugfix/855346&id=8536c99bc4f00e46030b35ef271ff78ff41962b5
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855346#60
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876333

Revision history for this message
Simon Déziel (sdeziel) wrote :

I've been running without the mmap rules for a while and haven't seen any problem. As for the sanitized_helper rules, it works as expected where helper apps get contained by the thunderbird//sanitized_helper profile (even if they have their own profile). I tested simple stuff like PDF (evince) and patches (gedit).

Looks good to me, thanks!

Revision history for this message
Vincas Dargis (talkless) wrote :

On 2017.10.26 20:10, Simon Déziel wrote:
> I've been running without the mmap rules for a while and haven't seen any problem. As for the sanitized_helper rules, it works as expected where helper apps get contained by the thunderbird//sanitized_helper profile (even if they have their own profile)
About sanitized_helper, totem runs in its own profile, while evince does not. It's some kind of bug outside of this scope:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1042771

Revision history for this message
Simon Déziel (sdeziel) wrote :

> On 2017.10.26 20:10, Simon Déziel wrote:
> > I've been running without the mmap rules for a while and haven't seen any
> problem. As for the sanitized_helper rules, it works as expected where helper
> apps get contained by the thunderbird//sanitized_helper profile (even if they
> have their own profile)
> About sanitized_helper, totem runs on it's own profile, while evince is not.
> It's some kind a bug out of this scope:
> https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1042771

The only way to have evince locked in its own profile was to explicitly add "/usr/bin/evince Px," to the TB profile. Adding that same line to abstractions/ubuntu-helpers didn't work.

Revision history for this message
intrigeri (intrigeri) wrote :

Thanks Vincas for the MR & Simon for the review (that will save me quite some time)! I'll look into this soon.

Revision history for this message
Christian Boltz (cboltz) wrote :

On 2017.10.26 20:10, Simon Déziel wrote:
> They only way to have evince locked in its own profile was to explicitly add
> "/usr/bin/evince Px," to the TB profile. Add that same line to abstractions
> /ubuntu-helpers didn't work.

abstractions/ubuntu-helpers is basically (ignoring comments)

    profile sanitized_helper {
        [...]
    }

My guess is that you added the evince Px rule inside sanitized_helper, but you'd need to add it outside of it (well, unless you want to apply it to the case "a program running under sanitized_helper starts evince" ;-)

That said - IMHO abstractions/ubuntu-helpers should stay as is, and such Px rules should go into a separate abstraction which users of sanitized_helper could or could not include.

Revision history for this message
Simon Déziel (sdeziel) wrote :

> On 2017.10.26 20:10, Simon Déziel wrote:
> > They only way to have evince locked in its own profile was to explicitly add
> > "/usr/bin/evince Px," to the TB profile. Add that same line to abstractions
> > /ubuntu-helpers didn't work.
>
> abstractions/ubuntu-helpers is basically (ignoring comments)
>
> profile sanitized_helper {
> [...]
> }
>
> My guess is that you added the evince Px rule inside sanitized_helper, but
> you'd need to add it outside of it (well, unless you want to apply it to the
> case "a program running under sanitized_helper starts evince" ;-)

Yes, you've spotted my error :)

> That said - IMHO abstractions/ubuntu-helpers should stay as is, and such Px
> rules should go into a separate abstraction which users of sanitized_helper
> could or could not include.

It makes sense and I proposed this in LP: #1042771 for Firefox. For TB, simply adding "/usr/bin/evince Px," would work. Vincas, do you want to add that here or should I send another MP?

Revision history for this message
Simon Déziel (sdeziel) wrote :

@Vincas, I just noticed that you added simon123 as reviewer. Despite the similarity in name it is not me as I go by the LP ID sdeziel.

Revision history for this message
intrigeri (intrigeri) wrote :

Wrt. LibreOffice: interestingly, both Debian and Ubuntu ship a usr.lib.libreoffice.program.soffice.bin profile (enforced by default) but it applies to a path that is not the one we use (/usr/lib/libreoffice/program/soffice.bin). That's out of scope here so let's stick with what Vincas proposes.

Wrt. Evince and Totem, IMO we need these rules somewhere on distros that ship the Evince and Totem profiles:

  /usr/bin/evince Px,
  /usr/bin/totem Px,

I see two ways to do it:

1. Adjust the existing Evince rule in abstractions/ubuntu-browsers.d/productivity + the existing Totem rule in abstractions/ubuntu-media-players, and then we include these abstractions in the Thunderbird profile.

2. Add these rules to the Thunderbird profile.

At first glance it feels like (1) is the cleanest way forward *but* it has a big drawback: it won't work as intended on distros that don't ship Evince/Totem profiles, which feels super wrong in abstractions that are part of the upstream AppArmor tarball. I think that's yet another reason to sit down, take a deep breath, and rethink how & where we're maintaining+shipping policy, but IMO we shouldn't block on this here. So I think (2) is the way to go.

The main drawback of (2) is that any distro that starts shipping the Thunderbird profile will need to either also ship the Evince and Totem profiles, or drop these two lines. In Debian that's a mere matter of adding a dependency on apparmor-profiles-extra. Are there other distros around that already ship the Thunderbird profile *and* would have a problem with this? I see that Ubuntu does not ship the Thunderbird profile, but what about openSUSE or Ubuntu's future plans?

This being said, this MR already incrementally improves things, so I'll merge it as-is and will move the Evince/Totem discussion to a new, dedicated issue.

review: Approve
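The two points made above, Christian's diagnosis that a Px rule inside the nested sanitized_helper child profile governs the wrong transition, and intrigeri's option (2) of carrying the Evince/Totem rules in the Thunderbird profile itself, in one profile fragment. This is an added, illustrative AppArmor policy and not code from this MR or from the apparmor-profiles repository: the include list is trimmed, the body of sanitized_helper is elided, and the abstraction name <abstractions/thunderbird-helpers> is a hypothetical placeholder for the separate abstraction Christian proposes. The only rule lines taken from the page are the two new Cx rules in the diff and the two Px rules from the discussion.

```apparmor
# Added example (not from the MR or the AppArmor project): a trimmed Thunderbird
# profile showing where the Evince/Totem Px rules must sit relative to the
# nested sanitized_helper child profile. Everything other than the four rule
# lines quoted from the MR and the discussion is an illustrative assumption.
#include <tunables/global>

profile thunderbird /usr/lib/thunderbird/thunderbird {
  #include <abstractions/base>
  # ubuntu-helpers defines the nested child `profile sanitized_helper { ... }`;
  # the name after `->` below refers to that child, i.e. thunderbird//sanitized_helper.
  #include <abstractions/ubuntu-helpers>

  # From the MR: by default every program under these bin directories, and the
  # LibreOffice wrapper, runs confined by the child profile.
  /{usr/local/,usr/,}bin/* Cx -> sanitized_helper,
  /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,

  # intrigeri's option (2): exact-path rules placed HERE, in the parent profile
  # beside the glob, take precedence over the pattern above, so these two
  # helpers transition to their own system profiles (usr.bin.evince and
  # usr.bin.totem) instead of thunderbird//sanitized_helper. Option (1) would
  # carry the same two lines in an abstraction instead, for example a
  # hypothetical <abstractions/thunderbird-helpers> included right here.
  /usr/bin/evince Px,
  /usr/bin/totem Px,

  # WRONG placement, kept only as a comment: the same rule written inside the
  # child profile (as one would get by editing abstractions/ubuntu-helpers)
  # controls what a program that is already running as sanitized_helper may
  # exec, not what thunderbird itself may exec, which is the mistake the thread
  # diagnosed. Re-declaring the child here would also clash with the include.
  #
  # profile sanitized_helper {
  #   /usr/bin/evince Px,   # applies to sanitized_helper -> evince only
  # }
}
```

The Px rules must keep the exact path (no wildcard) for the precedence to apply; a second patterned exec rule over the same directory would instead be rejected by apparmor_parser as conflicting exec permissions. After editing, reload with `apparmor_parser -r` and confirm the transition with `ps -Z` (or `aa-status`) while a PDF attachment is open: evince should show as `/usr/bin/evince`, not `thunderbird//sanitized_helper`.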
Revision history for this message
Vincas Dargis (talkless) wrote :

On 2017.10.26 23:03, Simon Déziel wrote:
> @Vincas, I just noticed that you added simon123 as reviewer. Despite the similarity in name it is not me as I go by the LP ID sdeziel.
>

Oh, sorry for that.

Revision history for this message
Christian Boltz (cboltz) wrote :

intrigeri wrote:
> Are there other distros around that already ship the Thunderbird profile *and* would have a problem with this? I see that Ubuntu does not ship the Thunderbird profile, but what about openSUSE or Ubuntu future plans?

openSUSE doesn't ship the Thunderbird profile, and I'm not aware of plans to do so, so just go ahead ;-)

Preview Diff

1diff --git a/ubuntu/17.10/usr.bin.thunderbird b/ubuntu/17.10/usr.bin.thunderbird
2index caec9ef..a816aa0 100644
3--- a/ubuntu/17.10/usr.bin.thunderbird
4+++ b/ubuntu/17.10/usr.bin.thunderbird
5@@ -25,6 +25,11 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
6 #include <abstractions/ubuntu-browsers>
7 #include <abstractions/ubuntu-helpers>
8
9+ # Allow opening attachments
10+ # TODO: create and use abstractions for opening various file formats
11+ /{usr/local/,usr/,}bin/* Cx -> sanitized_helper,
12+ /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,
13+
14 # For Xubuntu to launch the browser
15 /usr/bin/exo-open ixr,
16 /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
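Review bot: the glob `/{usr/local/,usr/,}bin/* Cx -> sanitized_helper,` overlaps the exact-path exec rules that sit beside it (`/usr/bin/exo-open ixr,` two lines below) and the `/usr/bin/evince Px,` / `/usr/bin/totem Px,` rules the discussion wants to add; this loads only because an exact path takes precedence over a pattern in apparmor_parser, as the coexisting exo-open rule and Simon's evince test show, so any further patterned exec rule over these directories from the included abstractions will be rejected as conflicting exec permissions, and the TODO comment should say so. The two new rules also differ in read permission (`Cx` versus `Cxr` for soffice); if that asymmetry is deliberate, say why in the comment, and the comment should reference Debian #855346 so the "temporary" fix the cover letter promises to revisit can be found and reverted later.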
17@@ -80,8 +85,6 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
18 owner @{HOME}/.local/share/applications/defaults.list r,
19 owner @{HOME}/.local/share/applications/mimeapps.list r,
20 owner @{HOME}/.local/share/applications/mimeinfo.cache r,
21- owner /tmp/** m,
22- owner /var/tmp/** m,
23 /tmp/.X[0-9]*-lock r,
24 /etc/udev/udev.conf r,
25 # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
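Review bot: dropping `owner /tmp/** m,` and `owner /var/tmp/** m,` is justified only in the cover letter (the #876333 cleanup) and by Simon's report of running without them for a while; nothing in the profile or the commit records why they were there or why they are safe to remove. Before relying on it, exercise the attachment path this same MR enables (open a PDF, a patch, an image) and check the kernel audit log for `apparmor="DENIED"` entries with `requested_mask="m"` under `profile="thunderbird"` for /tmp or /var/tmp; denials logged under `thunderbird//sanitized_helper` come from the child profile and are unaffected by these two lines. The commit message should also state the hardening this buys: an attachment written to /tmp can no longer be mapped executable by Thunderbird itself.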
