Merge lp://qastaging/~sdeziel/apparmor-profiles/usr.bin.thunderbird-profile into lp://qastaging/apparmor-profiles

Thanks! I have some thoughts inline.

On 2016-01-12 07:35 PM, Seth Arnold wrote:
> Thanks! I have some thoughts inline.

I should have made it explicit that this started as a copy of the
Firefox profile. I tried to kept them relatively in sync.

> Diff comments:
>
>> === added file 'ubuntu/16.04/usr.bin.thunderbird'
>> --- ubuntu/16.04/usr.bin.thunderbird 1970-01-01 00:00:00 +0000
>> +++ ubuntu/16.04/usr.bin.thunderbird 2016-01-12 22:16:34 +0000
>> @@ -0,0 +1,274 @@
>> +# vim:syntax=apparmor
>> +# Author: Simon Deziel <simon.deziel at gmail_com>
>> +# This apparmor profile is provided as-is
>> +
>> +# Declare an apparmor variable to help with overrides
>> +@{MOZ_LIBDIR}=/usr/lib/thunderbird
>> +
>> +#include <tunables/global>
>> +
>> +# We want to confine the binaries that match:
>> +# /usr/lib/thunderbird/thunderbird
>> +# /usr/lib/thunderbird/thunderbird
>> +# but not:
>> +# /usr/lib/thunderbird/thunderbird.sh
>> +/usr/lib/thunderbird/thunderbird{,*[^s][^h]} {
>
> I don't understand what the first two "we want to match" lines mean, they look identical to me no matter how much I squint :) -- but I really dislike this profile name. If the attachment specification has to be this complicated, please give the profile a specific profile name like "thunderbird":

Honestly, I never understood the need for this complicated name.

> profile thunderbird /usr/lib/whatnot { ...
>
> We made the mistake of giving firefox a terrible profile name and it upsets me every time I see it. Maybe we can fix it before 16.04 LTS is released...

That would be great. I will try with TB ASAP.

>> + #include <abstractions/audio>
>> + #include <abstractions/aspell>
>> + #include <abstractions/cups-client>
>> + # TODO: finetune this for required accesses
>> + #include <abstractions/dbus>
>> + #include <abstractions/dbus-accessibility>
>> + #include <abstractions/dbus-session>
>> + #include <abstractions/gnome>
>> + #include <abstractions/ibus>
>> + #include <abstractions/nameservice>
>> + #include <abstractions/p11-kit>
>> + #include <abstractions/private-files>
>> + #include <abstractions/ssl_certs>
>> + #include <abstractions/ubuntu-browsers>
>> + #include <abstractions/ubuntu-helpers>
>> +
>> + # for crash reports?
>> + ptrace (read,trace) peer=/usr/lib/thunderbird/thunderbird{,*[^s][^h]},
>
> This could be peer=@{profile_name}

Good point, should also be replicated in FF's profile.

>> +
>> + # Pulseaudio
>> + /usr/bin/pulseaudio Pixr,
>> +
>> + owner @{HOME}/.{cache,config}/dconf/user rw,
>> + owner /run/user/[0-9]*/dconf/user rw,
>> + owner @{HOME}/.config/gtk-3.0/bookmarks r,
>> + deny owner @{HOME}/.local/share/gvfs-metadata/* r,
>> +
>> + # potentially extremely sensitive files
>> + audit deny @{HOME}/.gnupg/** mrwkl,
>> + audit deny @{HOME}/.ssh/** mrwkl,
>> +
>> + # rw access to HOME is useful when sending/receiving attachments
>> + owner @{HOME}/** rw,
>> +
>> + # Required for LVM setups
>> + /sys/devices/virtual/block/dm-[0-9]*/uevent r,
>> +
>> + # Addons (too lax for thunderbird)
>> + ##include <abstractions/ubuntu-browsers.d/firefox>
>> +
>> + # for networking
>> + network inet stream,
>> + network inet6 stream,
>> + @{PROC}/[0-9]*/net/if_inet6 r,
>> ...

It turned out that gpg2 no longer used /tmp/encfile* so I dropped it for both gpg version. I hope someone can test the older GPG version for me.

When sending an email with an attachment, TB (no GPG involved) creates the following files under /tmp: nscopy.tmp, nsemail.eml and nsmail.tmp. If I pre-create those, TB appends a "-1" before the extension. This seems to be prone to TOCTOU. I haven't check TB's source but maybe they safely create tmp files to have them renamed to something prettier?

ping?

Hmm, is this still missing? or was it caught in another merge?

Thanks

It was merged by Steve Beattie already. Thanks for checking.