Package: icedove
Version: 1:45.2.0-2
Severity: normal

Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
     use of icedove with apparmor
   * What exactly did you do (or not do) that was effective (or ineffective)?
     impossible to read local mail
   * What was the outcome of this action?
     error message in icedove, notification of apparmor
   * What outcome did you expect instead?
     read local mail in icedove

*** End of the template - remove these template lines ***

-- System Information:
Debian Release: stretch/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages icedove depends on:
ii  debianutils               4.8
ii  fontconfig                2.11.0-6.4
ii  libasound2                1.1.1-2
ii  libatk1.0-0               2.20.0-1
ii  libc6                     2.23-4
ii  libcairo2                 1.14.6-1+b1
ii  libdbus-1-3               1.10.8-1
ii  libdbus-glib-1-2          0.106-1
ii  libevent-2.0-5            2.0.21-stable-2+b1
ii  libffi6                   3.2.1-4
ii  libfontconfig1            2.11.94-0ubuntu1
ii  libfreetype6              2.6.3-3+b1
ii  libgcc1                   1:6.1.1-10
ii  libgdk-pixbuf2.0-0        2.34.0-1
ii  libglib2.0-0              2.48.1-2
ii  libgtk2.0-0               2.24.30-4
ii  libhunspell-1.4-0         1.4.1-2
ii  libicu55                  55.1-7
ii  libnspr4                  2:4.12-2
ii  libnss3                   2:3.23-2
ii  libpango-1.0-0            1.40.1-1
ii  libpangocairo-1.0-0       1.40.1-1
ii  libpangoft2-1.0-0         1.40.1-1
ii  libpixman-1-0             0.33.6-1
ii  libsqlite3-0              3.13.0-1
ii  libstartup-notification0  0.12-4
ii  libstdc++6                6.1.1-10
ii  libvpx3                   1.5.0-3
ii  libx11-6                  2:1.6.3-1
ii  libxcomposite1            1:0.4.4-1
ii  libxdamage1               1:1.1.4-2+b1
ii  libxext6                  2:1.3.3-1
ii  libxfixes3                1:5.0.2-1
ii  libxrender1               1:0.9.9-2
ii  libxt6                    1:1.1.5-1
ii  psmisc                    22.21-2.1+b1
ii  zlib1g                    1:1.2.8.dfsg-2+b1

Versions of packages icedove recommends:
ii  hunspell-en-us [hunspell-dictionary]         20070829-6
ii  hunspell-fr-classical [hunspell-dictionary]  1:5.6-1
ii  iceowl-extension                             1:45.2.0-2
Versions of packages icedove suggests:
ii  apparmor          2.10.95-4
pn  fonts-lyx         <none>
ii  libgssapi-krb5-2  1.14.2+dfsg-1

-- Configuration Files:
/etc/apparmor.d/usr.bin.icedove changed:
@{MOZ_LIBDIR}=/usr/lib/icedove
profile icedove /usr/lib/icedove/icedove {
  #include <abstractions/audio>
  #include <abstractions/aspell>
  #include <abstractions/cups-client>
  # TODO: finetune this for required accesses
  #include <abstractions/dbus>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/dbus-session>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/p11-kit>
  #include <abstractions/private-files>
  #include <abstractions/ssl_certs>
  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-helpers>

  # for crash reports?
  ptrace (read,trace) peer=@{profile_name},

  # Pulseaudio
  /usr/bin/pulseaudio Pixr,

  owner @{HOME}/.{cache,config}/dconf/user rw,
  owner /run/user/[0-9]*/dconf/user rw,

  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  deny owner @{HOME}/.local/share/gvfs-metadata/* r,

  # potentially extremely sensitive files
  audit deny @{HOME}/.gnupg/** mrwkl,
  audit deny @{HOME}/.ssh/** mrwkl,

  # rw access to HOME is useful when sending/receiving attachments
  owner @{HOME}/** rw,

  # Required for LVM setups
  /sys/devices/virtual/block/dm-[0-9]*/uevent r,

  # Addons (too lax for icedove)
  ##include <abstractions/ubuntu-browsers.d/firefox>

  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,

  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
  /etc/xfce4/defaults.list r,
  /usr/share/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  owner /tmp/** m,
  owner /var/tmp/** m,
  /tmp/.X[0-9]*-lock r,
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,
  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # icedove specific
  /etc/icedove/ r,
  /etc/icedove/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,

  # noisy
  deny @{MOZ_LIBDIR}/** w,
  deny /usr/lib/icedove-addons/** w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,
  deny @{HOME}/.* r,

  # TODO: investigate
  deny /usr/bin/gconftool-2 x,

  owner @{PROC}/[0-9]*/mountinfo r,
  owner @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /etc/mtab r,
  /etc/fstab r,

  # Needed for the crash reporter
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  /etc/lsb-release r,
  /usr/bin/expr ix,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,

  # about:memory
  owner @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/smaps r,

  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,

  # allow access to documentation and other files the user may want to look
  # at in /usr and /opt
  /usr/ r,
  /usr/** r,
  /opt/ r,
  /opt/** r,

  # allow access to local mail
  /var/mail/ rwlk,
  /var/mail/** rwlk,

  # so browsing directories works
  / r,
  /**/ r,

  # per-user icedove configuration
  owner @{HOME}/.icedove/ rw,
  owner @{HOME}/.icedove/** rw,
  owner @{HOME}/.icedove/**/storage.sdb k,
  owner @{HOME}/.icedove/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.icedove/plugins/** rm,
  owner @{HOME}/.icedove/**/plugins/** rm,
  owner @{HOME}/.cache/icedove/ rw,
  owner @{HOME}/.cache/icedove/** rw,

  #
  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  owner @{HOME}/.icedove/**/extensions/** mixrw,
  owner @{HOME}/.mozilla/extensions/** mixr,
  /usr/share/xul-ext/**/*.sqlite rk,
  /usr/lib/xul-ext/**/*.sqlite rk,
  /usr/lib/icedove-addons/extensions/**/*.sqlite rk,
  deny @{MOZ_LIBDIR}/update.test w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/extensions/**/ w,
  deny /usr/share/mozilla/ w,

  # Miscellaneous (to be abstracted)
  # Ideally these would use a child profile. They are all ELF executables
  # so running with 'Ux', while not ideal, is ok because we will at least
  # benefit from glibc's secure execute.
  /usr/bin/mkfifo Uxr, # investigate
  /bin/ps Uxr,
  /bin/uname Uxr,
  /usr/bin/locale Uxr,
  /usr/bin/gpg Cx -> gpg,
  profile gpg {
    #include <abstractions/base>
    # Required to import keys from keyservers
    #include <abstractions/nameservice>
    #include <abstractions/p11-kit>

    # For smartcards?
    /dev/bus/usb/ r,
    /dev/bus/usb/[0-9]*/ r,
    /dev/bus/usb/[0-9]*/[0-9]* r,

    # LDAP key servers
    /etc/ldap/ldap.conf r,

    /usr/bin/gpg mr,
    /usr/lib/gnupg/gpgkeys_* ix,
    owner @{HOME}/.gnupg r,
    owner @{HOME}/.gnupg/gpg.conf r,
    owner @{HOME}/.gnupg/random_seed rwk,
    owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
    owner @{HOME}/.gnupg/secring.gpg rw,
    owner @{HOME}/.gnupg/trustdb.gpg rw,
    owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
    owner @{HOME}/.gnupg/.#*[0-9] rw,
    owner @{HOME}/.gnupg/.#*[0-9]x rwl,
    owner @{HOME}/** r,
    owner /run/user/[0-9]*/keyring-*/gpg rw,

    # for inline pgp
    owner /tmp/encfile rw,
    owner /tmp/encfile-[0-9]* rw,
  }
  /usr/bin/gpg2 Cx -> gpg2,
  /usr/bin/gpgconf Cx -> gpg2,
  /usr/bin/gpg-connect-agent Cx -> gpg2,
  # TB tries to create this file but has no business doing so
  deny @{HOME}/.gnupg/gpg-agent.conf w,
  profile gpg2 {
    #include <abstractions/base>
    # Required to import keys from keyservers
    #include <abstractions/nameservice>
    #include <abstractions/p11-kit>

    /usr/lib/gnupg2/gpg2keys_hkp ix,

    # silence noise from enigmail 1.9+
    deny owner @{HOME}/.icedove/*/.parentlock w,
    deny owner @{HOME}/.icedove/*/panacea.dat w,
    deny owner @{HOME}/.icedove/*/*.mab w,
    deny owner @{HOME}/.icedove/**/*.msf w,
    deny owner @{HOME}/.cache/icedove/**/_CACHE_* w,
    /usr/share/xul-ext/enigmail/chrome/enigmail.jar r,

    # For smartcards?
    /dev/bus/usb/ r,
    /dev/bus/usb/[0-9]*/ r,
    /dev/bus/usb/[0-9]*/[0-9]* r,

    # LDAP key servers
    /etc/ldap/ldap.conf r,

    /usr/bin/gpg-connect-agent mr,
    owner @{HOME}/.gnupg/S.gpg-agent rw,
    owner @{HOME}/.gnupg/S.dirmngr rw,

    /usr/bin/gpg2 mr,
    owner @{HOME}/.gnupg/ rw,
    owner @{HOME}/.gnupg/gpg.conf r,
    owner @{HOME}/.gnupg/random_seed rwk,
    owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
    owner @{HOME}/.gnupg/secring.gpg rw,
    owner @{HOME}/.gnupg/trustdb.gpg rw,
    owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
    owner @{HOME}/.gnupg/.gpg-*.lock rwl,
    owner @{HOME}/.gnupg/gnupg_spawn_*.lock rwl,
    owner @{HOME}/.gnupg/.#lk0x[0-9a-f]* rwl,
    owner @{HOME}/.gnupg/.gpg-v[0-9]*-migrated rw,
    owner @{HOME}/** r,
    owner @{PROC}/@{pids}/mountinfo r,

    # for inline pgp
    owner /tmp/encfile rw,
    owner /tmp/encfile-[0-9]* rw,
    # for signature generation
    owner /tmp/nsemail.eml w,
    owner /tmp/nsemail-[0-9]*.eml w,
    # for signature verifications
    owner /tmp/data.sig r,
    owner /tmp/data-[0-9]*.sig r,
    owner /tmp/gpg-[a-zA-Z0-9]*/S.gpg-agent rw,
  }

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.icedove>
}

-- no debconf information