Public bug reported: There is a new apparmor profile for mbsync.
- It restricts the binary to operating under the user's $HOME/Mail directory. However, there is no default configuration nor documentation instructing users to use that directory for their local Maildirs AFAICT (i.e., one would need to understand they are being restricted by apparmor and read the apparmor profile in order to be able to use mbsync). - It only allows reading the configuration file from ~/.mbsyncrc. The newest version in the archive (rr) explicitly says (manpage) that the preferred configuration file path is under ~/.config/isyncrc. This also hinders the -c option to pass a custom configuration file. - Finally, it hinders usage of some features such as PassCmd and UserCmd to run specific commands to fetch authentication data (e.g., from the gnome keyring) I understand that the profile provides a great security layer, but in this case, isn't it being too restrictive to the point it hinders usage? IMHO we should either loosen the restrictions or document the restrictions within the isync package, probably in the mbsync manpage as well, and possibly ship the profile with isync instead to give users more visibility. See users having issues with the profile in https://askubuntu.com/questions/1549571/mbsync-has-stopped-working-with- weird-permission-error LP: #2111196 is also related ** Affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Affects: isync (Ubuntu) Importance: Undecided Status: New ** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Description changed: There is a new apparmor profile for mbsync. - It restricts the binary to operating under the user's $HOME/Mail directory. However, there is no default configuration nor documentation instructing users to use that directory for their local Maildirs AFAICT (i.e., one would need to understand they are being restricted by apparmor and read the apparmor profile in order to be able to use mbsync). - It only allows reading the configuration file from ~/.mbsyncrc. The newest version in the archive (rr) explicitly says (manpage) that the preferred configuration file path is under ~/.config/isyncrc. This also hinders the -c option to pass a custom configuration file. - Finally, it hinders usage of some features such as PassCmd and UserCmd to run specific commands to fetch authentication data (e.g., from the gnome keyring) I understand that the profile provides a great security layer, but in this case, isn't it being too restrictive to the point it hinders usage? IMHO we should either loosen the restrictions or document the restrictions within the isync package, probably in the mbsync manpage as well, and possibly ship the profile with isync instead to give users more visibility. + See users having issues with the profile in https://askubuntu.com/questions/1549571/mbsync-has-stopped-working-with- weird-permission-error LP: #2111196 is also related -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2130393 Title: Too restrictive mbsync apparmor profile To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2130393/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
