[apparmor] [Merge] lp:~sdeziel/apparmor-profiles/usr.bin.thunderbird-profile into lp:apparmor-profiles
Seth Arnold
seth.arnold at canonical.com
Wed Jan 13 00:35:12 UTC 2016
Thanks! I have some thoughts inline.
Diff comments:
> === added file 'ubuntu/16.04/usr.bin.thunderbird'
> --- ubuntu/16.04/usr.bin.thunderbird 1970-01-01 00:00:00 +0000
> +++ ubuntu/16.04/usr.bin.thunderbird 2016-01-12 22:16:34 +0000
> @@ -0,0 +1,274 @@
> +# vim:syntax=apparmor
> +# Author: Simon Deziel <simon.deziel at gmail_com>
> +# This apparmor profile is provided as-is
> +
> +# Declare an apparmor variable to help with overrides
> +@{MOZ_LIBDIR}=/usr/lib/thunderbird
> +
> +#include <tunables/global>
> +
> +# We want to confine the binaries that match:
> +# /usr/lib/thunderbird/thunderbird
> +# /usr/lib/thunderbird/thunderbird
> +# but not:
> +# /usr/lib/thunderbird/thunderbird.sh
> +/usr/lib/thunderbird/thunderbird{,*[^s][^h]} {
I don't understand what the first two "we want to match" lines mean, they look identical to me no matter how much I squint :) -- but I really dislike this profile name. If the attachment specification has to be this complicated, please give the profile a specific profile name like "thunderbird":
profile thunderbird /usr/lib/whatnot { ...
We made the mistake of giving firefox a terrible profile name and it upsets me every time I see it. Maybe we can fix it before 16.04 LTS is released...
> + #include <abstractions/audio>
> + #include <abstractions/aspell>
> + #include <abstractions/cups-client>
> + # TODO: finetune this for required accesses
> + #include <abstractions/dbus>
> + #include <abstractions/dbus-accessibility>
> + #include <abstractions/dbus-session>
> + #include <abstractions/gnome>
> + #include <abstractions/ibus>
> + #include <abstractions/nameservice>
> + #include <abstractions/p11-kit>
> + #include <abstractions/private-files>
> + #include <abstractions/ssl_certs>
> + #include <abstractions/ubuntu-browsers>
> + #include <abstractions/ubuntu-helpers>
> +
> + # for crash reports?
> + ptrace (read,trace) peer=/usr/lib/thunderbird/thunderbird{,*[^s][^h]},
This could be peer=@{profile_name}
> +
> + # Pulseaudio
> + /usr/bin/pulseaudio Pixr,
> +
> + owner @{HOME}/.{cache,config}/dconf/user rw,
> + owner /run/user/[0-9]*/dconf/user rw,
> + owner @{HOME}/.config/gtk-3.0/bookmarks r,
> + deny owner @{HOME}/.local/share/gvfs-metadata/* r,
> +
> + # potentially extremely sensitive files
> + audit deny @{HOME}/.gnupg/** mrwkl,
> + audit deny @{HOME}/.ssh/** mrwkl,
> +
> + # rw access to HOME is useful when sending/receiving attachments
> + owner @{HOME}/** rw,
> +
> + # Required for LVM setups
> + /sys/devices/virtual/block/dm-[0-9]*/uevent r,
> +
> + # Addons (too lax for thunderbird)
> + ##include <abstractions/ubuntu-browsers.d/firefox>
> +
> + # for networking
> + network inet stream,
> + network inet6 stream,
> + @{PROC}/[0-9]*/net/if_inet6 r,
> + @{PROC}/[0-9]*/net/ipv6_route r,
> + @{PROC}/[0-9]*/net/dev r,
> + @{PROC}/[0-9]*/net/wireless r,
> +
> + # should maybe be in abstractions
> + /etc/ r,
> + /etc/mime.types r,
> + /etc/mailcap r,
> + /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
> + /etc/xfce4/defaults.list r,
> + /usr/share/xubuntu/applications/defaults.list r,
> + owner @{HOME}/.local/share/applications/defaults.list r,
> + owner @{HOME}/.local/share/applications/mimeapps.list r,
> + owner @{HOME}/.local/share/applications/mimeinfo.cache r,
> + owner /tmp/** m,
> + owner /var/tmp/** m,
> + /tmp/.X[0-9]*-lock r,
> + /etc/udev/udev.conf r,
> + # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
> + # Possibly move to an abstraction if anything else needs it.
> + deny /run/udev/data/** r,
> +
> + /etc/timezone r,
> + /etc/wildmidi/wildmidi.cfg r,
> +
> + # thunderbird specific
> + /etc/thunderbird/ r,
> + /etc/thunderbird/** r,
> + /etc/xul-ext/** r,
> + /etc/xulrunner-2.0*/ r,
> + /etc/xulrunner-2.0*/** r,
> + /etc/gre.d/ r,
> + /etc/gre.d/* r,
> +
> + # noisy
> + deny @{MOZ_LIBDIR}/** w,
> + deny /usr/lib/thunderbird-addons/** w,
> + deny /usr/lib/xulrunner-addons/** w,
> + deny /usr/lib/xulrunner-*/components/*.tmp w,
> + deny /.suspended r,
Wow. What the heck are they even trying to do??
> + deny /boot/initrd.img* r,
> + deny /boot/vmlinuz* r,
> + deny /var/cache/fontconfig/ w,
> + deny @{HOME}/.local/share/recently-used.xbel r,
> + deny @{HOME}/.* r,
> +
> + # TODO: investigate
> + deny /usr/bin/gconftool-2 x,
> +
> + # These are needed when a new user starts thunderbird and thunderbird.sh is used
> + @{MOZ_LIBDIR}/** ixr,
> + /usr/bin/basename ixr,
> + /usr/bin/dirname ixr,
> + /usr/bin/pwd ixr,
> + /sbin/killall5 ixr,
> + /bin/which ixr,
> + /usr/bin/tr ixr,
> + @{PROC}/ r,
> + @{PROC}/[0-9]*/cmdline r,
> + @{PROC}/[0-9]*/mountinfo r,
> + @{PROC}/[0-9]*/stat r,
> + owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
> + @{PROC}/[0-9]*/status r,
> + @{PROC}/filesystems r,
> + /sys/devices/pci[0-9]*/**/uevent r,
> + owner @{HOME}/.thumbnails/*/*.png r,
> + owner @{HOME}/.cache/thumbnails/*/*.png r,
> + deny @{HOME}/.cache/thumbnails/fail/*.png r,
What's wrong with allowing this?
> +
> + /etc/mtab r,
> + /etc/fstab r,
> +
> + # Needed for the crash reporter
> + owner @{PROC}/[0-9]*/environ r,
> + owner @{PROC}/[0-9]*/auxv r,
> + /etc/lsb-release r,
> + /usr/bin/expr ix,
> + /sys/devices/system/cpu/ r,
> + /sys/devices/system/cpu/** r,
> +
> + # about:memory
> + owner @{PROC}/[0-9]*/statm r,
> + owner @{PROC}/[0-9]*/smaps r,
> +
> + # Needed for container to work in xul builds
> + /usr/lib/xulrunner-*/plugin-container ixr,
> +
> + # allow access to documentation and other files the user may want to look
> + # at in /usr and /opt
> + /usr/ r,
> + /usr/** r,
> + /opt/ r,
> + /opt/** r,
> +
> + # so browsing directories works
> + / r,
> + /**/ r,
> +
> + # per-user thunderbird configuration
> + owner @{HOME}/.thunderbird/ rw,
> + owner @{HOME}/.thunderbird/** rw,
> + owner @{HOME}/.thunderbird/**/storage.sdb k,
> + owner @{HOME}/.thunderbird/**/*.{db,parentlock,sqlite}* k,
> + owner @{HOME}/.thunderbird/plugins/** rm,
> + owner @{HOME}/.thunderbird/**/plugins/** rm,
> + owner @{HOME}/.cache/thunderbird/ rw,
> + owner @{HOME}/.cache/thunderbird/** rw,
> +
> + #
> + # Extensions
> + # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
> + # Allow 'x' for downloaded extensions, but inherit policy for safety
> + owner @{HOME}/.thunderbird/**/extensions/** mixrw,
> + owner @{HOME}/.mozilla/extensions/** mixr,
> + /usr/share/xul-ext/**/*.sqlite rk,
> + /usr/lib/xul-ext/**/*.sqlite rk,
> + /usr/lib/thunderbird-addons/extensions/**/*.sqlite rk,
> +
> + deny @{MOZ_LIBDIR}/update.test w,
> + deny /usr/lib/mozilla/extensions/**/ w,
> + deny /usr/lib/xulrunner-addons/extensions/**/ w,
> + deny /usr/share/mozilla/extensions/**/ w,
> + deny /usr/share/mozilla/ w,
> +
> + # Miscellaneous (to be abstracted)
> + # Ideally these would use a child profile. They are all ELF executables
> + # so running with 'Ux', while not ideal, is ok because we will at least
> + # benefit from glibc's secure execute.
> + /usr/bin/mkfifo Uxr, # investigate
> + /bin/ps Uxr,
> + /bin/uname Uxr,
> +
> + /usr/bin/gpg Cx -> gpg,
> +
> + profile gpg {
> + #include <abstractions/base>
> +
> + # Required to import keys from keyservers
> + #include <abstractions/nameservice>
> + #include <abstractions/p11-kit>
> +
> + # For smartcards?
> + /dev/bus/usb/ r,
> + /dev/bus/usb/[0-9]*/ r,
> + /dev/bus/usb/[0-9]*/[0-9]* r,
> +
> + # LDAP key servers
> + /etc/ldap/ldap.conf r,
> +
> + /usr/bin/gpg mr,
> + /usr/lib/gnupg/gpgkeys_* ix,
> + owner @{HOME}/.gnupg r,
> + owner @{HOME}/.gnupg/gpg.conf r,
> + owner @{HOME}/.gnupg/random_seed rwk,
> + owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
> + owner @{HOME}/.gnupg/secring.gpg rw,
> + owner @{HOME}/.gnupg/trustdb.gpg rw,
> + owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
> + owner @{HOME}/.gnupg/.#*[0-9] rw,
> + owner @{HOME}/.gnupg/.#*[0-9]x rwl,
> + owner /run/user/[0-9]*/keyring-*/gpg rw,
> +
> + owner @{HOME}/** r,
> + owner /tmp/** r,
> + owner /tmp/encfile wr,
Well now, this is interesting. Normally when you see a hardcoded path in /tmp/ like this you also find an exploitable security bug. We might have Yama to prevent this but other people may not. I wonder if Kurt's seen this yet.
> + owner /tmp/encfile-[0-9]* wr,
> + }
> +
> + /usr/bin/gpg2 Cx -> gpg2,
> + /usr/bin/gpgconf Cx -> gpg2,
> + /usr/bin/gpg-connect-agent Cx -> gpg2,
> +
> + # TB tries to create this file but has no business doing so
> + deny @{HOME}/.gnupg/gpg-agent.conf w,
> +
> + profile gpg2 {
> + #include <abstractions/base>
> +
> + # Required to import keys from keyservers
> + #include <abstractions/nameservice>
> + #include <abstractions/p11-kit>
> + /usr/lib/gnupg2/gpg2keys_hkp ix,
> +
> + # For smartcards?
> + /dev/bus/usb/ r,
> + /dev/bus/usb/[0-9]*/ r,
> + /dev/bus/usb/[0-9]*/[0-9]* r,
> +
> + # LDAP key servers
> + /etc/ldap/ldap.conf r,
> +
> + /usr/bin/gpg-connect-agent mr,
> +
> + /usr/bin/gpg2 mr,
> + owner @{HOME}/.gnupg/ rw,
> + owner @{HOME}/.gnupg/gpg.conf r,
> + owner @{HOME}/.gnupg/random_seed rwk,
> + owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
> + owner @{HOME}/.gnupg/secring.gpg rw,
> + owner @{HOME}/.gnupg/trustdb.gpg rw,
> + owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
> + owner @{HOME}/.gnupg/.#*[0-9] rw,
> + owner @{HOME}/.gnupg/.#*[0-9]x rwl,
> +
> + owner /tmp/gpg-[a-zA-Z0-9]*/S.gpg-agent rw,
> +
> + owner @{HOME}/** r,
> + owner /tmp/encfile wr,
> + owner /tmp/encfile-[0-9]* wr,
> + owner /tmp/data.sig r,
> + }
> +
> + # Site-specific additions and overrides. See local/README for details.
> + #include <local/usr.bin.thunderbird>
> +}
--
https://code.launchpad.net/~sdeziel/apparmor-profiles/usr.bin.thunderbird-profile/+merge/282383
Your team AppArmor Developers is requested to review the proposed merge of lp:~sdeziel/apparmor-profiles/usr.bin.thunderbird-profile into lp:apparmor-profiles.
More information about the AppArmor
mailing list