Package: icedove
Version: 1:45.2.0-2
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
using icedove with AppArmor enabled
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
it was impossible to read local mail
   * What was the outcome of this action?
an error message in icedove, and a notification from AppArmor
   * What outcome did you expect instead?
to be able to read local mail in icedove
*** End of the template - remove these template lines ***



-- System Information:
Debian Release: stretch/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages icedove depends on:
ii  debianutils               4.8
ii  fontconfig                2.11.0-6.4
ii  libasound2                1.1.1-2
ii  libatk1.0-0               2.20.0-1
ii  libc6                     2.23-4
ii  libcairo2                 1.14.6-1+b1
ii  libdbus-1-3               1.10.8-1
ii  libdbus-glib-1-2          0.106-1
ii  libevent-2.0-5            2.0.21-stable-2+b1
ii  libffi6                   3.2.1-4
ii  libfontconfig1            2.11.94-0ubuntu1
ii  libfreetype6              2.6.3-3+b1
ii  libgcc1                   1:6.1.1-10
ii  libgdk-pixbuf2.0-0        2.34.0-1
ii  libglib2.0-0              2.48.1-2
ii  libgtk2.0-0               2.24.30-4
ii  libhunspell-1.4-0         1.4.1-2
ii  libicu55                  55.1-7
ii  libnspr4                  2:4.12-2
ii  libnss3                   2:3.23-2
ii  libpango-1.0-0            1.40.1-1
ii  libpangocairo-1.0-0       1.40.1-1
ii  libpangoft2-1.0-0         1.40.1-1
ii  libpixman-1-0             0.33.6-1
ii  libsqlite3-0              3.13.0-1
ii  libstartup-notification0  0.12-4
ii  libstdc++6                6.1.1-10
ii  libvpx3                   1.5.0-3
ii  libx11-6                  2:1.6.3-1
ii  libxcomposite1            1:0.4.4-1
ii  libxdamage1               1:1.1.4-2+b1
ii  libxext6                  2:1.3.3-1
ii  libxfixes3                1:5.0.2-1
ii  libxrender1               1:0.9.9-2
ii  libxt6                    1:1.1.5-1
ii  psmisc                    22.21-2.1+b1
ii  zlib1g                    1:1.2.8.dfsg-2+b1

Versions of packages icedove recommends:
ii  hunspell-en-us [hunspell-dictionary]         20070829-6
ii  hunspell-fr-classical [hunspell-dictionary]  1:5.6-1
ii  iceowl-extension                             1:45.2.0-2

Versions of packages icedove suggests:
ii  apparmor          2.10.95-4
pn  fonts-lyx         <none>
ii  libgssapi-krb5-2  1.14.2+dfsg-1

-- Configuration Files:
/etc/apparmor.d/usr.bin.icedove changed:
# AppArmor profile for /usr/lib/icedove/icedove, as dumped by reportbug from the
# reporter's modified /etc/apparmor.d/usr.bin.icedove.
@{MOZ_LIBDIR}=/usr/lib/icedove
profile icedove /usr/lib/icedove/icedove {
  #include <abstractions/audio>
  #include <abstractions/aspell>
  #include <abstractions/cups-client>
  # TODO: finetune this for required accesses
  #include <abstractions/dbus>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/dbus-session>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/p11-kit>
  #include <abstractions/private-files>
  #include <abstractions/ssl_certs>
  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-helpers>
  # for crash reports?
  ptrace (read,trace) peer=@{profile_name},
  # Pulseaudio
  /usr/bin/pulseaudio Pixr,
  owner @{HOME}/.{cache,config}/dconf/user rw,
  owner /run/user/[0-9]*/dconf/user rw,
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  deny owner @{HOME}/.local/share/gvfs-metadata/* r,
  # potentially extremely sensitive files
  # 'deny' rules take precedence over the broad 'owner @{HOME}/** rw,' allow
  # below, so these trees stay unreachable; 'audit' logs every attempt.
  audit deny @{HOME}/.gnupg/** mrwkl,
  audit deny @{HOME}/.ssh/** mrwkl,
  # rw access to HOME is useful when sending/receiving attachments
  owner @{HOME}/** rw,
  # Required for LVM setups
  /sys/devices/virtual/block/dm-[0-9]*/uevent r,
  # Addons (too lax for icedove)
  ##include <abstractions/ubuntu-browsers.d/firefox>
  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,
  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list    r, # for all derivatives
  /etc/xfce4/defaults.list r,
  /usr/share/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  owner /tmp/** m,
  owner /var/tmp/** m,
  /tmp/.X[0-9]*-lock r,
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,
  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,
  # icedove specific
  /etc/icedove/ r,
  /etc/icedove/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,
  # noisy
  deny @{MOZ_LIBDIR}/** w,
  deny /usr/lib/icedove-addons/** w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,
  deny @{HOME}/.* r,
  # TODO: investigate
  deny /usr/bin/gconftool-2 x,
  owner @{PROC}/[0-9]*/mountinfo r,
  owner @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /etc/mtab r,
  /etc/fstab r,
  # Needed for the crash reporter
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  /etc/lsb-release r,
  /usr/bin/expr ix,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,
  # about:memory
  owner @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/smaps r,
  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,
  # allow access to documentation and other files the user may want to look
  # at in /usr and /opt
  /usr/ r,
  /usr/** r,
  /opt/ r,
  /opt/** r,
  # allow access to local mail
  # NOTE(review): unlike the @{HOME} rules above, these two rules carry no
  # 'owner' qualifier, so the profile permits read/write/lock on every spool
  # file under /var/mail, not only the invoking user's own mailbox. If the
  # spool files on this system are owned by the receiving user (TODO: confirm
  # for the MDA in use), 'owner /var/mail/** rwlk,' would keep local mail
  # readable with less exposure.
  /var/mail/ rwlk,
  /var/mail/** rwlk,
        
  # so browsing directories works
  / r,
  /**/ r,
  # per-user icedove configuration
  owner @{HOME}/.icedove/ rw,
  owner @{HOME}/.icedove/** rw,
  owner @{HOME}/.icedove/**/storage.sdb k,
  owner @{HOME}/.icedove/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.icedove/plugins/** rm,
  owner @{HOME}/.icedove/**/plugins/** rm,
  owner @{HOME}/.cache/icedove/ rw,
  owner @{HOME}/.cache/icedove/** rw,
  #
  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  owner @{HOME}/.icedove/**/extensions/** mixrw,
  owner @{HOME}/.mozilla/extensions/**        mixr,
  /usr/share/xul-ext/**/*.sqlite              rk,
  /usr/lib/xul-ext/**/*.sqlite                rk,
  /usr/lib/icedove-addons/extensions/**/*.sqlite rk,
  deny @{MOZ_LIBDIR}/update.test w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/extensions/**/ w,
  deny /usr/share/mozilla/ w,
  # Miscellaneous (to be abstracted)
  # Ideally these would use a child profile. They are all ELF executables
  # so running with 'Ux', while not ideal, is ok because we will at least
  # benefit from glibc's secure execute.
  /usr/bin/mkfifo Uxr,  # investigate
  /bin/ps Uxr,
  /bin/uname Uxr,
  /usr/bin/locale Uxr,
  # gpg runs in the 'gpg' child profile below, which is the only path through
  # which @{HOME}/.gnupg becomes reachable (the parent audit-denies it).
  /usr/bin/gpg Cx -> gpg,
  profile gpg {
    #include <abstractions/base>
    # Required to import keys from keyservers
    #include <abstractions/nameservice>
    #include <abstractions/p11-kit>
    # For smartcards?
    /dev/bus/usb/ r,
    /dev/bus/usb/[0-9]*/ r,
    /dev/bus/usb/[0-9]*/[0-9]* r,
    # LDAP key servers
    /etc/ldap/ldap.conf r,
    /usr/bin/gpg mr,
    /usr/lib/gnupg/gpgkeys_* ix,
    owner @{HOME}/.gnupg r,
    owner @{HOME}/.gnupg/gpg.conf r,
    owner @{HOME}/.gnupg/random_seed rwk,
    owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
    owner @{HOME}/.gnupg/secring.gpg rw,
    owner @{HOME}/.gnupg/trustdb.gpg rw,
    owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
    owner @{HOME}/.gnupg/.#*[0-9]  rw,
    owner @{HOME}/.gnupg/.#*[0-9]x rwl,
    # NOTE(review): read access to the whole home directory, not just
    # ~/.gnupg -- presumably for key/attachment files passed by path; verify
    # whether a narrower rule would do.
    owner @{HOME}/** r,
    owner /run/user/[0-9]*/keyring-*/gpg rw,
    # for inline pgp
    owner /tmp/encfile rw,
    owner /tmp/encfile-[0-9]* rw,
  }
  /usr/bin/gpg2              Cx -> gpg2,
  /usr/bin/gpgconf           Cx -> gpg2,
  /usr/bin/gpg-connect-agent Cx -> gpg2,
  # TB tries to create this file but has no business doing so
  deny @{HOME}/.gnupg/gpg-agent.conf w,
  profile gpg2 {
    #include <abstractions/base>
    # Required to import keys from keyservers
    #include <abstractions/nameservice>
    #include <abstractions/p11-kit>
    /usr/lib/gnupg2/gpg2keys_hkp ix,
    # silence noise from enigmail 1.9+
    deny owner @{HOME}/.icedove/*/.parentlock w,
    deny owner @{HOME}/.icedove/*/panacea.dat w,
    deny owner @{HOME}/.icedove/*/*.mab w,
    deny owner @{HOME}/.icedove/**/*.msf w,
    deny owner @{HOME}/.cache/icedove/**/_CACHE_* w,
    /usr/share/xul-ext/enigmail/chrome/enigmail.jar r,
    # For smartcards?
    /dev/bus/usb/ r,
    /dev/bus/usb/[0-9]*/ r,
    /dev/bus/usb/[0-9]*/[0-9]* r,
    # LDAP key servers
    /etc/ldap/ldap.conf r,
    /usr/bin/gpg-connect-agent mr,
    owner @{HOME}/.gnupg/S.gpg-agent rw,
    owner @{HOME}/.gnupg/S.dirmngr rw,
    /usr/bin/gpg2 mr,
    owner @{HOME}/.gnupg/ rw,
    owner @{HOME}/.gnupg/gpg.conf r,
    owner @{HOME}/.gnupg/random_seed rwk,
    owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
    owner @{HOME}/.gnupg/secring.gpg rw,
    owner @{HOME}/.gnupg/trustdb.gpg rw,
    owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
    owner @{HOME}/.gnupg/.gpg-*.lock rwl,
    owner @{HOME}/.gnupg/gnupg_spawn_*.lock rwl,
    owner @{HOME}/.gnupg/.#lk0x[0-9a-f]* rwl,
    owner @{HOME}/.gnupg/.gpg-v[0-9]*-migrated rw,
    # NOTE(review): same whole-home read grant as in the 'gpg' child profile
    # above; verify whether a narrower rule would do.
    owner @{HOME}/** r,
    owner @{PROC}/@{pids}/mountinfo r,
    # for inline pgp
    owner /tmp/encfile rw,
    owner /tmp/encfile-[0-9]* rw,
    # for signature generation
    owner /tmp/nsemail.eml w,
    owner /tmp/nsemail-[0-9]*.eml w,
    # for signature verifications
    owner /tmp/data.sig r,
    owner /tmp/data-[0-9]*.sig r,
    owner /tmp/gpg-[a-zA-Z0-9]*/S.gpg-agent rw,
  }
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.icedove>
}


-- no debconf information
