[apparmor] [Merge] lp:~sdeziel/apparmor-profiles/usr.bin.thunderbird-profile into lp:apparmor-profiles

Simon Deziel simon.deziel at gmail.com
Wed Jan 13 21:49:01 UTC 2016


On 2016-01-13 03:21 PM, Jamie Strandboge wrote:
> On 01/12/2016 07:18 PM, Simon Déziel wrote:
>> On 2016-01-12 07:35 PM, Seth Arnold wrote:
>>> Thanks! I have some thoughts inline.
>>
>> I should have made it explicit that this started as a copy of the
>> Firefox profile. I tried to keep them relatively in sync.
>>
>>> Diff comments:
>>>
>>>> === added file 'ubuntu/16.04/usr.bin.thunderbird'
>>>> --- ubuntu/16.04/usr.bin.thunderbird	1970-01-01 00:00:00 +0000
>>>> +++ ubuntu/16.04/usr.bin.thunderbird	2016-01-12 22:16:34 +0000
>>>> @@ -0,0 +1,274 @@
>>>> +# vim:syntax=apparmor
>>>> +# Author: Simon Deziel <simon.deziel at gmail_com>
>>>> +# This apparmor profile is provided as-is
>>>> +
>>>> +# Declare an apparmor variable to help with overrides
>>>> +@{MOZ_LIBDIR}=/usr/lib/thunderbird
>>>> +
>>>> +#include <tunables/global>
>>>> +
>>>> +# We want to confine the binaries that match:
>>>> +#  /usr/lib/thunderbird/thunderbird
>>>> +#  /usr/lib/thunderbird/thunderbird
>>>> +# but not:
>>>> +#  /usr/lib/thunderbird/thunderbird.sh
>>>> +/usr/lib/thunderbird/thunderbird{,*[^s][^h]} {
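Review bot: the two "We want to confine" paths in the header comment are identical, and the attachment glob `thunderbird{,*[^s][^h]}` excludes more than the comment claims: besides the exact name, it only matches `thunderbird` followed by at least two characters whose last is not `h` and whose second-to-last is not `s`, so a single-character suffix or a name ending in, say, `se` is silently left unconfined along with `thunderbird.sh`. Either list the real alternate binary names the glob is meant to cover (the PPA/older-release variants) in the comment, or give the profile a name and an exact attachment, e.g. `profile thunderbird /usr/lib/thunderbird/thunderbird {`. Minor: `@{MOZ_LIBDIR}` is declared "to help with overrides" but the attachment line repeats the literal `/usr/lib/thunderbird`; if the variable is meant to be the single override point, the attachment should use it too where the parser accepts variables there, otherwise the comment overstates what it helps with.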
>>>
>>> I don't understand what the first two "we want to match" lines mean, they look identical to me no matter how much I squint :) -- but I really dislike this profile name. If the attachment specification has to be this complicated, please give the profile a specific profile name like "thunderbird":
>>
>> Honestly, I never understood the need for this complicated name.
>>
> This comes from how Ubuntu (and I believe Debian) launch the binary.
> /usr/bin/thunderbird is a symlink to /usr/lib/thunderbird/thunderbird.sh. We
> didn't want to confine this file but instead /usr/lib/thunderbird/thunderbird.

I used "profile /usr/lib/thunderbird/thunderbird { ..." and it tested
fine when launched via /usr/bin/thunderbird and
/usr/lib/thunderbird/thunderbird.sh. Only the binary was confined.

> The glob is there because iirc ppa builds and older releases might use something
> different than /usr/lib/thunderbird/thunderbird.

Right, I don't know what sort of magic happens on PPA builders.

>>> profile thunderbird /usr/lib/whatnot { ...
>>>
>>> We made the mistake of giving firefox a terrible profile name and it upsets me every time I see it. Maybe we can fix it before 16.04 LTS is released...
>>
>> That would be great. I will try with TB ASAP.
>>
> 'profile thunderbird /usr/lib/whatnot' is fine by me. There is no reason I can
> think of that the firefox profile can't be adjusted similarly.

I'm fine with either version. Just let me know which one you guys prefer.

Regards,
Simon
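The attachment glob discussed in this thread, checked as an added example that is not part of the thread or of the apparmor-profiles project: a small Python translation of AppArmor path-glob syntax, as documented in apparmor.d(5), into regular expressions, run over a constructed list of candidate file names under /usr/lib/thunderbird. It puts the two attachment styles side by side: the glob from the patch and the exact path a named `profile thunderbird /usr/lib/thunderbird/thunderbird` would use. The converter handles only `*`, `**`, `?`, `[...]` and `{a,b}`; it is my approximation of the documented semantics, not the apparmor parser's own matcher, and every candidate name other than `thunderbird` and `thunderbird.sh` is made up to probe the pattern.

```python
"""Which files would an AppArmor attachment specification confine?

Glob syntax modelled here (apparmor.d(5)):
  *       any run of characters except '/'
  **      any run of characters, '/' included
  ?       exactly one character except '/'
  [abc]   one character from the set; [^abc] negates; ranges like a-z allowed
  {a,b}   alternation, may be nested; an empty alternative is allowed
Everything else is literal. Escapes inside globs are not handled.
"""
import re
from typing import Iterable, List


def _class_to_regex(body: str) -> str:
    """Turn the inside of an AppArmor [...] into a Python character class."""
    negate = body.startswith('^')
    if negate:
        body = body[1:]
    # Keep a-z ranges intact; escape only what changes meaning in a Python class.
    body = body.replace('\\', '\\\\').replace(']', '\\]').replace('[', '\\[')
    return '[' + ('^' if negate else '') + body + ']'


def _split_alternatives(body: str) -> List[str]:
    """Split the inside of {...} on top-level commas, respecting nested braces."""
    parts, current, depth = [], [], 0
    for ch in body:
        if ch == '{':
            depth += 1
        elif ch == '}':
            depth -= 1
        if ch == ',' and depth == 0:
            parts.append(''.join(current))
            current = []
        else:
            current.append(ch)
    parts.append(''.join(current))
    return parts


def glob_to_regex(glob: str) -> str:
    """Translate an AppArmor path glob into an anchored-by-fullmatch regex."""
    out, i, n = [], 0, len(glob)
    while i < n:
        c = glob[i]
        if c == '*':
            if glob.startswith('**', i):
                out.append('.*')
                i += 2
            else:
                out.append('[^/]*')
                i += 1
        elif c == '?':
            out.append('[^/]')
            i += 1
        elif c == '[':
            j = glob.index(']', i + 1)          # ValueError if unterminated
            out.append(_class_to_regex(glob[i + 1:j]))
            i = j + 1
        elif c == '{':
            depth, j = 1, i + 1
            while depth:                         # IndexError if unterminated
                depth += {'{': 1, '}': -1}.get(glob[j], 0)
                j += 1
            alts = _split_alternatives(glob[i + 1:j - 1])
            out.append('(?:' + '|'.join(glob_to_regex(a) for a in alts) + ')')
            i = j
        else:
            out.append(re.escape(c))
            i += 1
    return ''.join(out)


def matches(glob: str, path: str) -> bool:
    return re.fullmatch(glob_to_regex(glob), path) is not None


def confined_paths(attachment: str, candidates: Iterable[str]) -> List[str]:
    """Return the candidates that the attachment specification would confine."""
    return [p for p in candidates if matches(attachment, p)]


# The attachment from the posted profile, and the exact-path alternative.
GLOB_ATTACHMENT = "/usr/lib/thunderbird/thunderbird{,*[^s][^h]}"
EXACT_ATTACHMENT = "/usr/lib/thunderbird/thunderbird"

# Constructed candidates: only the first two exist on a stock Ubuntu install.
CANDIDATES = [
    "/usr/lib/thunderbird/thunderbird",          # the real binary
    "/usr/lib/thunderbird/thunderbird.sh",       # wrapper script, must stay unconfined
    "/usr/lib/thunderbird/thunderbird-bin",      # hypothetical alternate binary name
    "/usr/lib/thunderbird/thunderbird-bin.sh",   # hypothetical second wrapper
    "/usr/lib/thunderbird/thunderbird2",         # one extra char: [^s][^h] needs two
    "/usr/lib/thunderbird/thunderbird-base",     # ends in 'se': [^s] rejects the 's'
]

if __name__ == "__main__":
    for label, spec in (("glob", GLOB_ATTACHMENT), ("exact", EXACT_ATTACHMENT)):
        print(f"{label:5} {spec}")
        for path in CANDIDATES:
            state = "confined" if matches(spec, path) else "unconfined"
            print(f"      {state:10} {path}")
```

The glob keeps the wrappers out, but it also drops `thunderbird2` and `thunderbird-base`, which is the imprecision behind Seth's objection; the exact attachment confines only the one binary, which is why Jamie's PPA/older-release variants would need to be listed explicitly in a named profile. To check a live system, `ps -o pid,label,comm -C thunderbird` (or `cat /proc/PID/attr/current`) shows the profile and mode attached to each running process.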

