[pkg-apparmor] Bug#882048: apparmor should let thunderbird use signatures from files
Vincas Dargis
vindrg at gmail.com
Sat Nov 18 13:52:39 UTC 2017
Looks like the culprit is this line in usr.bin.thunderbird [0]:
```
deny @{HOME}/.* r,
```
I am not a maintainer of Thunderbird, but I _guess_ that the story is like this:
1. AppArmor profiles deny everything that's not allowed by default.
2. The Thunderbird profile has only some dot-directories allowed to be read, like this rule: `owner @{HOME}/.{icedove,thunderbird}/ rw,` [1].
3. As a result, there are possibly a lot of dot-files and directories in the user's $HOME that will not be accessible to the
Thunderbird process.
4. Opening a File dialog to select a file to be attached produces a bunch of DENIED messages in the log when the user browses their
$HOME, which contains dot-files and directories. I have experienced this myself, as for some reason the file select dialog
tries to read the files being displayed (probably for create/modify dates?). To avoid these noisy DENIED messages, someone
has put the `deny @{HOME}/.* r,` rule in to silence it. This is my speculation.
This produces a sort of bug in that the rule `/tmp/.X[0-9]*-lock r,` [2] is not actually working, as the `deny` one should AFAIK
override this allow one. But that's for another topic.
Anyway, I believe a change to allow Thunderbird to read arbitrary dot-files or directories is not going to happen, so
the solution would be to:
1. Rename your `/home/ben/.signature-ben at transient.nz` file so that it does not start with a dot.
2. Move `.signature-ben at transient.nz` into another sub-directory, like `/home/ben/Documents/.signature-ben at transient.nz`.
It would be useful if AppArmor had the possibility to override `deny` in `/etc/apparmor.d/local/usr.bin.thunderbird`,
something like this:
`override owner @{HOME}/.signature-ben at transient.nz r,`
So the user could overcome some `deny` rules... But I believe we do not have that functionality.
[0] https://anonscm.debian.org/cgit/pkg-mozilla/thunderbird.git/tree/debian/apparmor/usr.bin.thunderbird#n118
[1] https://anonscm.debian.org/cgit/pkg-mozilla/thunderbird.git/tree/debian/apparmor/usr.bin.thunderbird#n163
[2] https://anonscm.debian.org/cgit/pkg-mozilla/thunderbird.git/tree/debian/apparmor/usr.bin.thunderbird#n90
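The deny-over-allow evaluation the message describes, and why its two workarounds fall outside the `deny @{HOME}/.* r,` rule, as an added Python sketch that is not part of the original post and not AppArmor's own matcher. The `@{HOME}` binding to `/home/ben`, the `@{HOME}/** r,` allow rule and the paths checked are constructed assumptions.

```python
import re

# Assumption: @{HOME} bound to one constructed home directory; real profiles
# take it from the tunables, where it can expand to several paths.
VARIABLES = {"HOME": "/home/ben"}

# (is_deny, path glob, permissions); the "owner" qualifier is ignored here.
RULES = [
    (True, "@{HOME}/.*", "r"),                         # quoted in the message
    (False, "@{HOME}/.{icedove,thunderbird}/", "rw"),  # quoted in the message
    (False, "@{HOME}/**", "r"),                        # constructed allow rule
]

def glob_to_regex(glob):
    """Translate a subset of AppArmor path globbing (*, **, ?, {a,b})."""
    for name, value in VARIABLES.items():
        glob = glob.replace("@{%s}" % name, value)
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")            # ** may cross '/'
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out.append("[^/]*")         # a single * stops at '/'
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            end = glob.index("}", i)
            alts = glob[i + 1:end].split(",")
            out.append("(?:" + "|".join(map(re.escape, alts)) + ")")
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def can_read(path):
    """Default deny; a matching deny rule wins over every allow rule."""
    allowed = False
    for is_deny, glob, perms in RULES:
        if "r" in perms and glob_to_regex(glob).fullmatch(path):
            if is_deny:
                return False
            allowed = True
    return allowed
```

Directory paths carry a trailing slash in AppArmor rules, which is why `/home/ben/.thunderbird/` is not caught by the deny rule in this sketch while `/home/ben/.signature` is.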