[pkg-apparmor] Bug#882048: apparmor should let thunderbird use signatures from files
Simon Deziel
simon at sdeziel.info
Thu Nov 23 20:07:46 UTC 2017
On 2017-11-23 02:14 PM, intrigeri wrote:
> Hi,
>
> Vincas Dargis:
>> Looks like the culprit is this line in usr.bin.thunderbird [0]:
>
>> ```
>> deny @{HOME}/.* r,
>> ```
>
> […]
>
> Thanks for your detailed analysis!
>
>> 4. Opening a File dialog to select file to be attached, produces a bunch of DENIED
>> messages in log, when user browses its $HOME, which contains dot-files and
>> directories. I have experienced this myself, as for some reason file select dialog
>> tries to read files being displayed (probably for create/modify dates?). To avoid
>> these noisy DENIED messages, someone has put `deny @{HOME}/.* r,` rule to silence
>> it. This is my speculation.

Sound logic indeed but...

> I can't reproduce this after commenting out the "deny @{HOME}/.* r" rule.

Me neither and it's not in Firefox profile either so that's a good sign
that we can safely drop it.

> If I do that and then add a new rule:
>
> owner @{HOME}/.signature* r,
>
> … then the use case this bug report is about is fixed.
> Simon, any problem with doing that?

No, that's good, compatibility with existing behaviour is really important!

> If we do that, then we need to document in README.Debian that
> signatures can be loaded only from ~/.signature*. I'm not sure that's
> good enough to avoid creating a "AppArmor breaks basic stuff, let's
> disable it" culture in Debian, which is something I've been trying
> hard to avoid for years.
>
> I'm very tempted to propose we simply disable this profile by default:
> I have very little hope at this point that we can make it open enough
> to avoid breaking all kinds of corner cases, while keeping it strict
> enough to be meaningful at all. Opinions?

I wish Thunderbird could keep its AppArmor profile however imperfect it
is. Thunderbird is used in very different setups and I guess that like
other big graphical applications it's always going to be tough to strike
the balance between secure and functional.

That said, if the maintenance burden is too much I can't blame you for
wanting to have it opt-in instead of being enabled by default.

Regards,
Simon
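
Added example, not part of this message or of the Debian profile: a small Python model of how the two rules quoted in this thread interact, showing that a matching deny rule overrides the allow rule and that `.signature*` only covers files directly in the home directory. Assumptions: `HOME` is a constructed stand-in for one expansion of `@{HOME}`, the `owner` qualifier is treated as satisfied, only the `r` permission is modelled, and all function names are hypothetical.

```python
import re

HOME = "/home/alice"  # constructed stand-in for one expansion of @{HOME}

# The two rules from the thread; BEFORE keeps the deny rule, AFTER drops it.
BEFORE = ["deny @{HOME}/.* r,", "owner @{HOME}/.signature* r,"]
AFTER = ["owner @{HOME}/.signature* r,"]

def glob_to_regex(glob):
    """Translate the AppArmor globs used here: ** crosses '/', * and ? do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def parse_rule(line):
    """Parse '[deny] [owner] <path> <perms>,' into (is_deny, regex, perms)."""
    words = line.strip().rstrip(",").split()
    is_deny = words[0] == "deny"
    # 'owner' is assumed satisfied: the requesting user owns the file.
    words = [w for w in words if w not in ("deny", "owner")]
    path, perms = words
    return is_deny, glob_to_regex(path.replace("@{HOME}", HOME)), perms

def read_allowed(rules, path):
    """Decide a read: any matching deny wins, otherwise a matching allow is needed."""
    parsed = [parse_rule(r) for r in rules]
    hits = [deny for deny, rx, perms in parsed if "r" in perms and rx.match(path)]
    return bool(hits) and not any(hits)

if __name__ == "__main__":
    for p in (HOME + "/.signature", HOME + "/Documents/sig.txt"):
        print(p, read_allowed(BEFORE, p), read_allowed(AFTER, p))
```
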