Bug#882047: [pkg-apparmor] Bug#882047: Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-11-12 Thread Vincas Dargis

I am removing variable usage in Thunderbird profile name:
https://gitlab.com/apparmor/apparmor-profiles/merge_requests/31



Bug#882047: [pkg-apparmor] Bug#882047: Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-10-24 Thread Christian Boltz
Hello,

On Sunday, 21 October 2018, 16:49:29 CEST, Christian Boltz wrote:
> As usual when I do some tests, I found more issues:
> - the attachment won't be checked if a profile has a name (so using a
>   variable currently doesn't matter ;-)
> - aa-complain first does a "which thunderbird" and then checks with
> the full path, so the profile name also won't match - "thunderbird"
> != "/usr/bin/thunderbird"
> - profile names with alternations (without attachment specification)
>   will also not match because aa.py get_profile_filename() doesn't use
> AARE

I worked on this in the last days, and as expected, it really resulted 
in "bigger changes". On the positive side, the new code now 
distinguishes between profile name and attachment (which avoids 
accidental matches and documents what each section of the code is 
using) and between active (/etc/apparmor.d/) and inactive/extra 
(/usr/share/share/apparmor/extra-profiles) profiles which fixes another 
source of problems. Oh, and the ProfileList class is covered by unit 
tests :-)

All changes survived my testing, but getting more testers always helps. 
If you want to test and/or review my changes, you can get them from
https://gitlab.com/apparmor/apparmor/merge_requests/249

Note that variables in the profile name still don't get expanded/
matched.

> Maybe (additionally) matching the aa-complain parameter against the
> profile name would be an easy option/workaround, but I'm undecided if
> this is a good idea because it could also cause false positives -
> opinions?
> 
> Or to ask the other way round - assuming you have
> profile foo /bin/bar { ... }
> should   aa-complain foo   find that profile?

For now, I decided not to support that, so aa-complain will continue to 
interpret all parameters as attachment.


Regards,

Christian Boltz
-- 
> What do you have to do to be able to write to NTFS? In fstab
> I have already set rw. What else do you have to do?
1. Pray.
2. Get MS to disclose the specifications.
3. Keep praying.
[> Stefan and Bernd Obermayr in suse-linux]




Bug#882047: [pkg-apparmor] Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-10-22 Thread Vincas Dargis

I believe I would just revert that change which introduced variable in profile 
name.

It was just a way to reduce small duplication, it's not critical at all. The change was made in the 
spirit of the "RFC: using variables to make profiles more flexible" thread [0], but it looks like we just 
need to wait a bit for better tooling support.



[0] https://lists.ubuntu.com/archives/apparmor/2017-December/011350.html



Bug#882047: [pkg-apparmor] Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-10-21 Thread Christian Boltz
Hello,

On Sunday, 21 October 2018, 09:29:09 CEST, intrigeri wrote:
> With 2.13.1:
> 
>   # aa-complain thunderbird
>   Setting /usr/bin/thunderbird to complain mode.
> 
>   ERROR: /etc/apparmor.d/usr.bin.thunderbird doesn't contain a valid
> profile for /usr/bin/thunderbird (syntax error?)
> 
> … and the profile is not set to complain mode.

I had a look at the profile in apparmor-profiles/ubuntu/18.10.
Vincas found a new, creative way to confuse aa-complain ;-)

@{thunderbird_executable} = /usr/lib/thunderbird/thunderbird{,-bin}
# ...
profile thunderbird @{thunderbird_executable} {

The tools currently don't expand variables when matching the profile 
name, therefore it's not surprising that the profile isn't found. 

Additionally, checking the profile name "thunderbird" will also fail 
because aa-complain first does a "which thunderbird" and then checks 
with the full path (tools.py get_next_to_profile()).

As usual when I do some tests, I found more issues:
- the attachment won't be checked if a profile has a name (so using a 
  variable currently doesn't matter ;-)
- aa-complain first does a "which thunderbird" and then checks with the 
  full path, so the profile name also won't match - "thunderbird" != 
  "/usr/bin/thunderbird"
- profile names with alternations (without attachment specification) 
  will also not match because aa.py get_profile_filename() doesn't use 
  AARE

Unfortunately fixing that will need some bigger changes - I'll need to 
replace the existing_profiles dict with something better before I can 
even start to work on adding AARE support etc. Well, actually that 
"something better" will probably handle AARE internally, but I'll still 
need to adjust all places that use existing_profiles to use the 
"something better" ;-)

Unfortunately "bigger changes" also means that backporting might be 
risky :-( - but that still sounds better than keeping all the bugs 
mentioned above.


Maybe (additionally) matching the aa-complain parameter against the 
profile name would be an easy option/workaround, but I'm undecided if 
this is a good idea because it could also cause false positives - 
opinions?

Or to ask the other way round - assuming you have
profile foo /bin/bar { ... }
should   aa-complain foo   find that profile?

> However, "aa-complain /etc/apparmor.d/usr.bin.thunderbird" works just
> fine: it sets both the thunderbird profile and its child gpg profile
> to complain mode :)  

Right. Currently this way works much better than giving the executable 
as parameter.

> I find this surprising given aa-complain(8) does
> not mention this is possible at all.

Indeed, nice catch ;-)

Can you please open a merge request to update the manpage?
(probably also affects aa-enforce, aa-audit and aa-disable)

While on it, please also adjust the --help of these tools ;-)


Regards,

Christian Boltz
-- 
I fear that we'll get a shouting match - "my fonts look ugly";
"no, they don't!"; "yes, they do!" :)  [Federico Mena Quintero
in https://bugzilla.novell.com/show_bug.cgi?id=220814]


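The lookup problem described in this message and in the 2018-10-24 follow-up (profile name vs. attachment, unexpanded @{variables}, AARE in the attachment), as an added illustration that is not code from aa.py or the AppArmor project; the header regex, the function names and the sample profile are this example's own simplified constructions.

```python
"""Simplified model of how aa-complain looks up a profile for an executable.

Added example, not code from aa.py/apparmor-utils; regexes, names and the
sample profile are this example's own constructions."""
import re

# Constructed sample using the header shape from apparmor-profiles/ubuntu/18.10.
SAMPLE_PROFILE = """\
@{thunderbird_executable} = /usr/lib/thunderbird/thunderbird{,-bin}
profile thunderbird @{thunderbird_executable} {
  profile gpg {
  }
}
"""

# Single-valued variable definitions only (a simplification).
RE_VARIABLE = re.compile(r'^\s*(@\{\w+\})\s*=\s*(\S+)\s*$')
# Simplified profile header: [profile] <name> [<attachment>] [flags=(...)] {
RE_PROFILE_START = re.compile(
    r'^\s*(?:profile\s+)?(?P<name>\S+)'
    r'(?:\s+(?P<attachment>(?:/|@\{)\S*))?'
    r'(?:\s+flags=\([^)]*\))?\s*\{\s*$')


def parse_profile_start(line):
    """Return (name, attachment) for a profile header line, else None."""
    m = RE_PROFILE_START.match(line)
    if not m:
        return None
    name, attachment = m.group('name'), m.group('attachment')
    if attachment is None and name.startswith('/'):
        attachment = name  # "/path { ... }" profiles are named by their path
    return name, attachment


_GLOB_TOKENS = {'**': '.*', '*': '[^/]*', '?': '[^/]', '{': '(?:', '}': ')', ',': '|'}


def aare_to_regex(glob):
    """Translate an AppArmor path glob into an anchored regex (common subset)."""
    parts = []
    for tok in re.findall(r'\*\*|[*?{},]|[^*?{},]+', glob):
        parts.append(_GLOB_TOKENS.get(tok) or re.escape(tok))
    return re.compile('^' + ''.join(parts) + '$')


def load_profiles(text):
    """Collect @{variable} definitions and (name, attachment) headers."""
    variables, profiles = {}, []
    for line in text.splitlines():
        var = RE_VARIABLE.match(line)
        if var:
            variables[var.group(1)] = var.group(2)
            continue
        header = parse_profile_start(line)
        if header:
            profiles.append(header)
    return variables, profiles


def find_by_name(text, program):
    """Old behaviour: compare the executable against the profile *name* only."""
    _, profiles = load_profiles(text)
    return next((name for name, _ in profiles if name == program), None)


def find_by_attachment(text, program):
    """Fixed behaviour: expand variables, convert AARE, match the attachment."""
    variables, profiles = load_profiles(text)
    for name, attachment in profiles:
        if attachment is None:
            continue  # named child profiles such as "gpg" have no attachment
        for var, value in variables.items():
            attachment = attachment.replace(var, value)
        if aare_to_regex(attachment).match(program):
            return name
    return None


if __name__ == '__main__':
    # "which thunderbird" gives the /usr/bin symlink; the profile attaches to
    # the real binary, so a caller must resolve symlinks (os.path.realpath).
    for prog in ('/usr/bin/thunderbird', '/usr/lib/thunderbird/thunderbird-bin'):
        print(prog, '->', find_by_attachment(SAMPLE_PROFILE, prog))
```

With the name-only comparison, `/usr/bin/thunderbird` matches nothing, which is the "contains no profile" outcome seen in the debug output; with variable expansion and AARE, both `/usr/lib/thunderbird/thunderbird` and `/usr/lib/thunderbird/thunderbird-bin` resolve to the `thunderbird` profile, while the `gpg` child is skipped because it has no attachment.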


Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-10-21 Thread intrigeri
Control: notforwarded -1

Vincas Dargis:
> On 6/13/18 6:00 PM, intrigeri wrote:
>> For the record, with 2.13-1 I see a different error:
>> 
>># aa-complain thunderbird
>>Setting /usr/bin/thunderbird to complain mode.
>> 
>>ERROR: Path doesn't start with / or variable: gpg
>> 
>> i.e. aa-complain chokes on the "gpg" named child profile.

With 2.13.1:

  # aa-complain thunderbird
  Setting /usr/bin/thunderbird to complain mode.

  ERROR: /etc/apparmor.d/usr.bin.thunderbird doesn't contain a valid profile 
for /usr/bin/thunderbird (syntax error?)

… and the profile is not set to complain mode.

However, "aa-complain /etc/apparmor.d/usr.bin.thunderbird" works just
fine: it sets both the thunderbird profile and its child gpg profile
to complain mode :)  I find this surprising given aa-complain(8) does
not mention this is possible at all.

> Same with gst_plugin_scanner when using 2.13:

> $ sudo aa-enforce /etc/apparmor.d/*
> < ...skipped... >
> Setting /etc/apparmor.d/gst_plugin_scanner to enforce mode.

> ERROR: Path doesn't start with / or variable: gst_plugin_scanner

This is fixed in 2.13.1, most likely thanks to the changes for
https://bugs.launchpad.net/apparmor/+bug/1775591 i.e.
https://gitlab.com/apparmor/apparmor/merge_requests/142

So I'm removing the "forwarded" indication: that upstream bug was
fixed but it only partly fixes what this bug report is about.

Cheers,
-- 
intrigeri



Bug#882047: [pkg-apparmor] Bug#882047: Bug#882047: Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-08-04 Thread Vincas Dargis



On 8/4/18 6:39 PM, intrigeri wrote:
> Vincas Dargis:
>> Also, some temporary files like
>> "usr.lib.libreoffice.program.soffice.binc3d3lu5x~"
>> are left when aa-enforce fails:
>
> Could you please report a bug upstream
> (https://bugs.launchpad.net/apparmor/+filebug)
> or worst case a dedicated one in Debian about this?


https://bugs.launchpad.net/apparmor/+bug/1785403

P.S. Sorry for double-posting, I thought I failed to send first message.



Bug#882047: [pkg-apparmor] Bug#882047: Bug#882047: Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-08-04 Thread intrigeri
Vincas Dargis:
> Also, some temporary files like 
> "usr.lib.libreoffice.program.soffice.binc3d3lu5x~"
> are left when aa-enforce fails:

Could you please report a bug upstream
(https://bugs.launchpad.net/apparmor/+filebug)
or worst case a dedicated one in Debian about this?

Thanks in advance!



Bug#882047: [pkg-apparmor] Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-08-04 Thread Vincas Dargis

Also, some junk files (like `usr.lib.libreoffice.program.soffice.binzrz7ukcd~`) 
are left over:

```
$ ls usr.lib.libreoffice.program.soffice.bin*
usr.lib.libreoffice.program.soffice.bin
$ sudo aa-enforce usr.lib.libreoffice.program.soffice.bin
Setting /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin to enforce mode.

ERROR: Path doesn't start with / or variable: gpg
$ ls usr.lib.libreoffice.program.soffice.bin*
usr.lib.libreoffice.program.soffice.bin  
usr.lib.libreoffice.program.soffice.binzrz7ukcd~

```

intrigeri, maybe we should have blocked it from entering Testing?



Bug#882047: [pkg-apparmor] Bug#882047: Bug#882047: Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-08-04 Thread Vincas Dargis
Also, some temporary files like "usr.lib.libreoffice.program.soffice.binc3d3lu5x~" are left when 
aa-enforce fails:


```
$ sudo aa-enforce /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin
Setting /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin to enforce mode.

ERROR: Path doesn't start with / or variable: gpg
$ ls /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin*
/etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin 
/etc/apparmor.d/usr.lib.libreoffice.program.soffice.binc3d3lu5x~

```



Bug#882047: [pkg-apparmor] Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-06-15 Thread Christian Boltz
Hello,

On Wednesday, 13 June 2018, 17:00:35 CEST, intrigeri wrote:
> intrigeri:
> > Ben Caradoc-Davies:
> >> On 20/11/17 09:38, Christian Boltz wrote:
> >>> Thanks, but unfortunately I still can't reproduce the problem :-(
> >>> Can you add a bit of debugging code in aa.py, please? […]
> >> 
> >> Sure. As requested:
> >> 
> >> # aa-complain thunderbird
> >> Setting /usr/bin/thunderbird to complain mode.
> >> looking for /etc/apparmor.d/usr.bin.thunderbird
> >> /usr/bin/thunderbird
> >> reading file /etc/apparmor.d/usr.bin.thunderbird
> >> found RE_PROFILE_START in profile thunderbird
> >> /usr/lib/thunderbird/thunderbird {
> >> 
> >> thunderbird None
> >> found RE_PROFILE_START in   profile gpg {
> >> 
> >> gpg None
> >> found RE_PROFILE_START in   profile lsb_release {
> >> 
> >> lsb_release None
> >> no profile /etc/apparmor.d/usr.bin.thunderbird /usr/bin/thunderbird
> >> 
> >> ERROR: /etc/apparmor.d/usr.bin.thunderbird contains no profile
> > 
> > Is this enough to help you debug this problem or do you need more
> > info?

I think it's enough - looks like aa-complain fails to follow 
symlinks before looking for the profile :-(
(and sorry for the late reply on this part)

Until I have time to fix this, use
aa-complain /etc/apparmor.d/$whatever
(where $whatever is the profile filename)

> For the record, with 2.13-1 I see a different error:
> 
>   # aa-complain thunderbird
>   Setting /usr/bin/thunderbird to complain mode.
> 
>   ERROR: Path doesn't start with / or variable: gpg
> 
> i.e. aa-complain chokes on the "gpg" named child profile.

That's a known regression in 2.13, unfortunately I didn't have time yet 
to check what exactly happens. The upstream bugreport is 
https://bugs.launchpad.net/apparmor/+bug/1775591


Regards,

Christian Boltz
-- 
Vi is for people whose hands are too small for Emacs. [Florian Diesch]




Bug#882047: [pkg-apparmor] Bug#882047: Bug#882047: Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-06-13 Thread Vincas Dargis

On 6/13/18 6:00 PM, intrigeri wrote:
> For the record, with 2.13-1 I see a different error:
>
>   # aa-complain thunderbird
>   Setting /usr/bin/thunderbird to complain mode.
>
>   ERROR: Path doesn't start with / or variable: gpg
>
> i.e. aa-complain chokes on the "gpg" named child profile.
>
> Cheers,



Same with gst_plugin_scanner when using 2.13:

$ sudo aa-enforce /etc/apparmor.d/*
< ...skipped... >
Setting /etc/apparmor.d/gst_plugin_scanner to enforce mode.

ERROR: Path doesn't start with / or variable: gst_plugin_scanner



Bug#882047: [pkg-apparmor] Bug#882047: Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-06-13 Thread intrigeri
intrigeri:
> Ben Caradoc-Davies:
>> On 20/11/17 09:38, Christian Boltz wrote:
>>> Thanks, but unfortunately I still can't reproduce the problem :-(
>>> Can you add a bit of debugging code in aa.py, please? […]

>> Sure. As requested:

>> # aa-complain thunderbird
>> Setting /usr/bin/thunderbird to complain mode.
>> looking for /etc/apparmor.d/usr.bin.thunderbird /usr/bin/thunderbird
>> reading file /etc/apparmor.d/usr.bin.thunderbird
>> found RE_PROFILE_START in profile thunderbird 
>> /usr/lib/thunderbird/thunderbird {

>> thunderbird None
>> found RE_PROFILE_START in   profile gpg {

>> gpg None
>> found RE_PROFILE_START in   profile lsb_release {

>> lsb_release None
>> no profile /etc/apparmor.d/usr.bin.thunderbird /usr/bin/thunderbird

>> ERROR: /etc/apparmor.d/usr.bin.thunderbird contains no profile

> Is this enough to help you debug this problem or do you need more info?

For the record, with 2.13-1 I see a different error:

  # aa-complain thunderbird
  Setting /usr/bin/thunderbird to complain mode.

  ERROR: Path doesn't start with / or variable: gpg

i.e. aa-complain chokes on the "gpg" named child profile.

Cheers,
-- 
intrigeri



Bug#882047: [pkg-apparmor] Bug#882047: Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-01-07 Thread intrigeri
Hi Christian! (and happy new year :)

Ben Caradoc-Davies:
> On 20/11/17 09:38, Christian Boltz wrote:
>> Thanks, but unfortunately I still can't reproduce the problem :-(
>> Can you add a bit of debugging code in aa.py, please? […]

> Sure. As requested:

> # aa-complain thunderbird
> Setting /usr/bin/thunderbird to complain mode.
> looking for /etc/apparmor.d/usr.bin.thunderbird /usr/bin/thunderbird
> reading file /etc/apparmor.d/usr.bin.thunderbird
> found RE_PROFILE_START in profile thunderbird 
> /usr/lib/thunderbird/thunderbird {

> thunderbird None
> found RE_PROFILE_START in   profile gpg {

> gpg None
> found RE_PROFILE_START in   profile lsb_release {

> lsb_release None
> no profile /etc/apparmor.d/usr.bin.thunderbird /usr/bin/thunderbird

> ERROR: /etc/apparmor.d/usr.bin.thunderbird contains no profile

Is this enough to help you debug this problem or do you need more info?

Cheers,
-- 
intrigeri



Bug#882047: apparmor-utils: aa-complain thunderbird fails

2017-12-07 Thread intrigeri
Ben Caradoc-Davies:
> # aa-complain thunderbird
> Setting /usr/bin/thunderbird to complain mode.
> looking for /etc/apparmor.d/usr.bin.thunderbird /usr/bin/thunderbird
> reading file /etc/apparmor.d/usr.bin.thunderbird
> found RE_PROFILE_START in profile thunderbird 
> /usr/lib/thunderbird/thunderbird {

> thunderbird None
> found RE_PROFILE_START in   profile gpg {

> gpg None
> found RE_PROFILE_START in   profile lsb_release {

> lsb_release None
> no profile /etc/apparmor.d/usr.bin.thunderbird /usr/bin/thunderbird

> ERROR: /etc/apparmor.d/usr.bin.thunderbird contains no profile

Might it be because the profile is about
/usr/lib/thunderbird/thunderbird and not /usr/bin/thunderbird?

Note that with
https://gitlab.com/apparmor/apparmor-profiles/merge_requests/5 it got
a bit more complex.

But `aa-complain /usr/lib/thunderbird/thunderbird' would work (before
the change that prompted the aforementioned merge request)
as documented.

Shall we simply modify aa-complain(8) to make it clearer that one is
supposed to pass the path to the binary that's being confined by the
profile, and not anything else?

Cheers,
-- 
intrigeri



Bug#882047: [pkg-apparmor] Bug#882047: Bug#882047: apparmor-utils: aa-complain thunderbird fails

2017-11-19 Thread Ben Caradoc-Davies

On 20/11/17 09:38, Christian Boltz wrote:
> Thanks, but unfortunately I still can't reproduce the problem :-(
> Can you add a bit of debugging code in aa.py, please?
> Search for
>     def get_profile_flags(filename, program):
> and add the lines marked with "# added" (or just replace the function
> with the code below)
>
> def get_profile_flags(filename, program):
>     # To-Do
>     # XXX If more than one profile in a file then second one is being ignored XXX
>     # Do we return flags for both or
>     print('looking for', filename, program)  # added
>     flags = ''
>     with open_file_read(filename) as f_in:
>         print('reading file %s' % filename)  # added
>         for line in f_in:
>             if RE_PROFILE_START.search(line):
>                 matches = parse_profile_start_line(line, filename)
>                 profile = matches['profile']
>                 flags = matches['flags']
>                 print('found RE_PROFILE_START in %s' % line)  # added
>                 print(profile, flags)  # added
>
>                 if profile == program or program is None:
>                     print('match, returning flags')  # added
>                     return flags
>
>     print('no profile', filename, program)  # added
>     raise AppArmorException(_('%s contains no profile') % filename)
>
> Then run   aa-complain thunderbird   again and send the output.


Sure. As requested:


# aa-complain thunderbird
Setting /usr/bin/thunderbird to complain mode.
looking for /etc/apparmor.d/usr.bin.thunderbird /usr/bin/thunderbird
reading file /etc/apparmor.d/usr.bin.thunderbird
found RE_PROFILE_START in profile thunderbird 
/usr/lib/thunderbird/thunderbird {


thunderbird None
found RE_PROFILE_START in   profile gpg {

gpg None
found RE_PROFILE_START in   profile lsb_release {

lsb_release None
no profile /etc/apparmor.d/usr.bin.thunderbird /usr/bin/thunderbird

ERROR: /etc/apparmor.d/usr.bin.thunderbird contains no profile


Kind regards,

--
Ben Caradoc-Davies 
Director
Transient Software Limited 
New Zealand



Bug#882047: [pkg-apparmor] Bug#882047: Bug#882047: apparmor-utils: aa-complain thunderbird fails

2017-11-19 Thread Christian Boltz
Hello,

On Saturday, 18 November 2017, 22:25:40 CET, Ben Caradoc-Davies wrote:
> On 19/11/17 07:47, Christian Boltz wrote:
> > Can you please send (to me or the bugreport) your
> > /etc/apparmor.d/usr.bin.thunderbird profile so that I have the
> > correct profile to test?
> 
> Attached.

Thanks, but unfortunately I still can't reproduce the problem :-(

Can you add a bit of debugging code in aa.py, please?

Search for

def get_profile_flags(filename, program):

and add the lines marked with "# added" (or just replace the function 
with the code below)


def get_profile_flags(filename, program):
    # To-Do
    # XXX If more than one profile in a file then second one is being ignored XXX
    # Do we return flags for both or
    print('looking for', filename, program)  # added
    flags = ''
    with open_file_read(filename) as f_in:
        print('reading file %s' % filename)  # added
        for line in f_in:
            if RE_PROFILE_START.search(line):
                matches = parse_profile_start_line(line, filename)
                profile = matches['profile']
                flags = matches['flags']
                print('found RE_PROFILE_START in %s' % line)  # added
                print(profile, flags)  # added

                if profile == program or program is None:
                    print('match, returning flags')  # added
                    return flags

    print('no profile', filename, program)  # added
    raise AppArmorException(_('%s contains no profile') % filename)


Then run   aa-complain thunderbird   again and send the output.


Regards,

Christian Boltz
-- 
> +1. sysvinit vs systemd is the new emacs vs vim.
heh, the difference is that systemd still doesn't implement a whole OS
yet :-D [> Will Stephenson and Cristian Rodríguez in opensuse-factory]




Bug#882047: [pkg-apparmor] Bug#882047: apparmor-utils: aa-complain thunderbird fails

2017-11-18 Thread Ben Caradoc-Davies

On 19/11/17 07:47, Christian Boltz wrote:
> Can you please send (to me or the bugreport) your
> /etc/apparmor.d/usr.bin.thunderbird profile so that I have the correct
> profile to test?

Attached.

Kind regards,

--
Ben Caradoc-Davies 
Director
Transient Software Limited 
New Zealand
# vim:syntax=apparmor
# Author: Simon Deziel 
# This apparmor profile is derived from firefox profile
# by Jamie Strandboge 

# Declare an apparmor variable to help with overrides
@{MOZ_LIBDIR}=/usr/lib/thunderbird

#include 

profile thunderbird /usr/lib/thunderbird/thunderbird {
  #include 
  #include 
  #include 
  # TODO: finetune this for required accesses
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  # For Xubuntu to launch the browser
  /usr/bin/exo-open ixr,
  /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
  /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
  /etc/xdg/xfce4/helpers.rc r,

  # for crash reports?
  ptrace (read,trace) peer=@{profile_name},

  /usr/lib/thunderbird/thunderbird ixr,

  # Pulseaudio
  /usr/bin/pulseaudio Pixr,

  owner @{HOME}/.{cache,config}/dconf/user rw,
  owner /run/user/[0-9]*/dconf/user rw,
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  deny owner @{HOME}/.local/share/gvfs-metadata/* r,

  # potentially extremely sensitive files
  audit deny @{HOME}/.gnupg/** mrwkl,
  audit deny @{HOME}/.ssh/** mrwkl,

  # rw access to HOME is useful when sending/receiving attachments
  owner @{HOME}/** rw,

  # other commonly used locations
  /{data,media,mnt,srv}/** r,
  owner /{data,media,mnt,srv}/** rw,

  # Required for LVM setups
  /sys/devices/virtual/block/dm-[0-9]*/uevent r,

  # Addons (too lax for thunderbird)
  ##include 

  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,
  @{PROC}/[0-9]*/net/arp r,

  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
  /etc/xfce4/defaults.list r,
  /usr/share/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  owner /tmp/** m,
  owner /var/tmp/** m,
  /tmp/.X[0-9]*-lock r,
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # thunderbird specific
  /etc/thunderbird/ r,
  /etc/thunderbird/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,

  # noisy
  deny @{MOZ_LIBDIR}/** w,
  deny /usr/lib/thunderbird-addons/** w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,
  deny @{HOME}/.* r,

  # TODO: investigate
  deny /usr/bin/gconftool-2 x,

  owner @{PROC}/[0-9]*/mountinfo r,
  owner @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/pci*/**/config r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /etc/mtab r,
  /etc/fstab r,

  # Needed for the crash reporter
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  owner @{PROC}/[0-9]*/status r,
  owner @{PROC}/[0-9]*/cmdline r,
  /etc/lsb-release r,
  /etc/ssl/openssl.cnf r,
  /usr/lib/thunderbird/crashreporter ix,
  /usr/bin/expr ix,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,

  # about:memory
  owner @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/smaps r,

  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,

  # allow access to documentation and other files the user may want to look
  # at in /usr and /opt
  /usr/ r,
  /usr/** r,
  /opt/ r,
  /opt/** r,

  # so browsing directories works
  / r,
  /**/ r,

  # per-user thunderbird configuration
  owner @{HOME}/.{icedove,thunderbird}/ rw,
  owner @{HOME}/.{icedove,thunderbird}/** rw,
  owner @{HOME}/.{icedove,thunderbird}/**/storage.sdb k,
  owner @{HOME}/.{icedove,thunderbird}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{icedove,thunderbird}/plugins/** rm,
  owner @{HOME}/.{icedove,thunderbird}/**/plugins/** rm,
  owner @{HOME}/.cache/thunderbird/ rw,
  owner @{HOME}/.cache/thunderbird/** rw,

  # system emails
  owner /var/mail/* rwlk,

  #
  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  owner 

Bug#882047: [pkg-apparmor] Bug#882047: apparmor-utils: aa-complain thunderbird fails

2017-11-18 Thread Christian Boltz
Hello,

On Saturday, 18 November 2017, 02:48:30 CET, Ben Caradoc-Davies wrote:
> # aa-complain thunderbird
> Setting /usr/bin/thunderbird to complain mode.
> 
> ERROR: /etc/apparmor.d/usr.bin.thunderbird contains no profile

That means it fails in the get_profile_flags() function in aa.py (the 
only place where this error message is used).

I just tried myself (by fetching the profile from packages.debian.org 
and testing it on my openSUSE system ;-)  but get a different error 
message (yes, there are known issues with named profiles) so your 
profile probably differs from what I found.

Can you please send (to me or the bugreport) your 
/etc/apparmor.d/usr.bin.thunderbird profile so that I have the correct 
profile to test?


As a workaround, you can use
aa-complain /etc/apparmor.d/usr.bin.thunderbird

Another workaround is to create a symlink in 
/etc/apparmor.d/force-complain

> aa-complain only works if profile is named precisely for executable
> https://bugs.launchpad.net/apparmor/+bug/1128468

That's an old bug that was fixed long ago. It's unrelated, even if it 
looks somewhat similar ;-)


Regards,

Christian Boltz
-- 
Microsoft is a cross between The Borg and the Ferengi. Unfortunately
they use Borg to do their marketing and Ferengi to do their programming.
[Simon Slavin in the SDM]




Bug#882047: apparmor-utils: aa-complain thunderbird fails

2017-11-17 Thread Ben Caradoc-Davies
Package: apparmor-utils
Version: 2.11.1-3
Severity: normal

Dear Maintainer,

# aa-complain thunderbird
Setting /usr/bin/thunderbird to complain mode.

ERROR: /etc/apparmor.d/usr.bin.thunderbird contains no profile


Guessing that it might be the same as this upstream, but we do not have a
tracking bug in Debian as far as I can tell:

aa-complain only works if profile is named precisely for executable
https://bugs.launchpad.net/apparmor/+bug/1128468

Kind regards,
Ben.



-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB:en 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apparmor-utils depends on:
ii  apparmor  2.11.1-3
ii  python3   3.6.3-2
ii  python3-apparmor  2.11.1-3

apparmor-utils recommends no packages.

Versions of packages apparmor-utils suggests:
pn  vim-addon-manager  

-- no debconf information