Simon Déziel has proposed merging 
lp:~sdeziel/apparmor-profiles/thunderbird-enigmail-1.9 into 
lp:apparmor-profiles.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~sdeziel/apparmor-profiles/thunderbird-enigmail-1.9/+merge/292191

This updates the thunderbird//gpg2 profile to support the enigmail version 1.9 
that landed in Xenial recently.

While at it, give thunderbird access to /usr/bin/locale that is sometimes 
needed.
-- 
Your team AppArmor Developers is requested to review the proposed merge of 
lp:~sdeziel/apparmor-profiles/thunderbird-enigmail-1.9 into 
lp:apparmor-profiles.
=== modified file 'ubuntu/16.04/usr.bin.thunderbird'
--- ubuntu/16.04/usr.bin.thunderbird	2016-04-05 20:06:07 +0000
+++ ubuntu/16.04/usr.bin.thunderbird	2016-04-18 20:13:43 +0000
@@ -168,6 +168,7 @@
   /usr/bin/mkfifo Uxr,  # investigate
   /bin/ps Uxr,
   /bin/uname Uxr,
+  /usr/bin/locale Uxr,
 
   /usr/bin/gpg Cx -> gpg,
 
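Review bot: `/usr/bin/locale Uxr,` runs the helper unconfined, which is broader than a program that only reports locale settings should need. `Ux` scrubs the environment but places no limits on what the executed binary does, so consider `ix`, or a `Cx` transition to a small child profile as is done for gpg on the line below. If `Uxr` stays for consistency with the ps and uname rules, add a trailing comment saying when the call happens, as the mkfifo rule does with `# investigate`, so the rule can be revisited later.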
@@ -221,6 +222,13 @@
     #include <abstractions/p11-kit>
     /usr/lib/gnupg2/gpg2keys_hkp ix,
 
+    # silence noise from enigmail 1.9+
+    deny owner @{HOME}/.thunderbird/*/.parentlock w,
+    deny owner @{HOME}/.thunderbird/*/panacea.dat w,
+    deny owner @{HOME}/.thunderbird/*/*.mab w,
+    deny owner @{HOME}/.thunderbird/**/*.msf w,
+    deny owner @{HOME}/.cache/thunderbird/**/_CACHE_* w,
+
     # For smartcards?
     /dev/bus/usb/ r,
     /dev/bus/usb/[0-9]*/ r,
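Review bot: the `# silence noise from enigmail 1.9+` comment above the five deny rules does not say why this profile would see write attempts on Thunderbird's own profile and cache files. Please record the cause in the comment (for example, file descriptors inherited from the parent process, if that is what the logged denials showed), because `deny` both suppresses the log entry and takes precedence over any allow rule, so a later rule granting access to these paths will have no effect and leave no trace. It is also worth confirming that only `w` appeared in the denials, since reads of the same files are not covered by these rules.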
@@ -251,6 +259,10 @@
     owner /tmp/encfile rw,
     owner /tmp/encfile-[0-9]* rw,
 
+    # for signature generation
+    owner /tmp/nsemail.eml w,
+    owner /tmp/nsemail-[0-9]*.eml w,
+
     # for signature verifications
     owner /tmp/data.sig r,
     owner /tmp/data-[0-9]*.sig r,
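Review bot: the new `/tmp/nsemail*.eml` rules grant `w` only under the comment `# for signature generation`, while the neighbouring encfile rules are `rw` and the data.sig rules are `r`; please state in the comment which process creates the file and why this profile needs to write it but not read it. Note also that `[0-9]*` matches one digit followed by any characters other than `/`, so `nsemail-[0-9]*.eml` covers more than numeric suffixes. That mirrors the existing encfile and data.sig patterns, and `owner` limits the rule to the user's own files, so this is a documentation point rather than a blocker.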
