Hi, On Tue, Oct 31, 2017 at 01:46:40PM +0100, Philipp Kern wrote: > Hi Carsten, > > thanks for your reply! > > On 10/31/2017 07:54 AM, Carsten Schoenert wrote: > > For Thunderbird intrigeri and myself came to the conclusion that > > especially for the apparmor profile someone from the apparmor team > > should be able to contribute changes to the profile directly to the git > > tree. So intrigeri has become a member of the pkg-mozilla group to be > > able to push changes by himself. I trust intrigeri enough that he will > > do good contributions. For now it's the best we can do. This at all is > > for sure improvable and we should talk about this on upcoming Debian > > events or directly via email. > > Okay, filed the bugs, lets see where they go. :) I was especially > concerned about the browser part. > > > ... > >> [1] e.g. > >> [ 3459.624852] audit: type=1400 audit(1509283082.571:59): > >> apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" > >> name="/usr/share/thunderbird/omni.ja" pid=24720 comm="gpg2" > >> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 > > Filed as #880425[1]. > > >> [2] e.g. > >> [ 3795.153239] audit: type=1400 audit(1509283418.100:64): > >> apparmor="DENIED" operation="exec" profile="thunderbird" > >> name="/opt/google/chrome-beta/google-chrome-beta" pid=31896 > >> comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 > > Filed as #880424[0]. I think there is a deeper question here as to how > to handle the browser abstraction for AppArmor in general.
There is /etc/apparmor.d/abstractions/ubuntu-browsers. The name isn't very nice it's a start if we rename it to /etc/apparmor.d/abstractions/browsers. Cheers, -- Guido > > > I suggest to open a bug report for each of such issues against > > thunderbird with a description what was done and what was expected. > > As above. :) > > Kind regards and thanks > Philipp Kern > > [0] https://bugs.debian.org/880424 > [1] https://bugs.debian.org/880425 >