# vim:syntax=apparmor
# Author: Simon Deziel <simon.deziel at gmail_com>
# This apparmor profile is derived from firefox profile
# by Jamie Strandboge <jamie@canonical.com>

# Declare an apparmor variable to help with overrides
@{MOZ_LIBDIR}=/usr/lib/thunderbird
@{thunderbird_executable} = /usr/lib/thunderbird/thunderbird{,-bin}

#include <tunables/global>

profile thunderbird @{thunderbird_executable} {
  #include <abstractions/audio>
  #include <abstractions/aspell>
  #include <abstractions/cups-client>
  # TODO: finetune this for required accesses
  #include <abstractions/dbus>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/dbus-session>
  #include <abstractions/dconf>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/nvidia>
  #include <abstractions/p11-kit>
  #include <abstractions/private-files>
  #include <abstractions/ssl_certs>
  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-browsers.d/java>
  #include <abstractions/ubuntu-helpers>

  # Backported from the dri-enumerate abstraction, available in AppArmor 2.13
  /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,

  # Allow opening attachments
  # TODO: create and use abstractions for opening various file formats
  /{usr/local/,usr/,}bin/* Cx -> sanitized_helper,
  /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,

  # For Xubuntu to launch the browser
  /usr/bin/exo-open ixr,
  /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
  /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
  /etc/xdg/xfce4/helpers.rc r,

  # for crash reports?
  ptrace (read,trace) peer=@{profile_name},

  @{thunderbird_executable} ixr,

  # Pulseaudio
  /usr/bin/pulseaudio Pixr,

  owner @{HOME}/.{cache,config}/dconf/user rw,
  owner @{HOME}/.cache/thumbnails/** r,
  owner /run/user/[0-9]*/dconf/user rw,
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  deny owner @{HOME}/.local/share/gvfs-metadata/* r,

  # potentially extremely sensitive files
  audit deny @{HOME}/.gnupg/** mrwkl,
  audit deny @{HOME}/.ssh/** mrwkl,

  # rw access to HOME is useful when sending/receiving attachments
  owner @{HOME}/** rw,

  # other commonly used locations
  /{data,media,mnt,srv}/** r,
  owner /{data,media,mnt,srv}/** rw,
  owner @{HOME}/.signature* r,

  # Required for LVM setups
  /sys/devices/virtual/block/dm-[0-9]*/uevent r,

  # Addons (too lax for thunderbird)
  ##include <abstractions/ubuntu-browsers.d/firefox>

  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,
  @{PROC}/[0-9]*/net/arp r,

  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list    r, # for all derivatives
  /etc/xfce4/defaults.list r,
  /usr/share/xubuntu/applications/defaults.list r,
  owner /dev/shm/org.chromium.* rw, # for Chromium IPC
  owner @{HOME}/.cache/fontconfig/*.cache-* rwk,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  owner @{HOME}/.recently-used r,
  /tmp/.X[0-9]*-lock r,
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # thunderbird specific
  /etc/thunderbird/ r,
  /etc/thunderbird/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,

  # noisy
  deny @{MOZ_LIBDIR}/** w,
  deny /usr/lib/thunderbird-addons/** w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,
  deny @{HOME}/.* r,

  # TODO: investigate
  deny /usr/bin/gconftool-2 x,

  owner @{PROC}/[0-9]*/mountinfo r,
  owner @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/pci*/**/config r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /etc/mtab r,
  /etc/fstab r,

  # Needed for the crash reporter
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  owner @{PROC}/[0-9]*/status r,
  owner @{PROC}/[0-9]*/cmdline r,
  /etc/lsb-release r,
  /etc/ssl/openssl.cnf r,
  /usr/lib/thunderbird/crashreporter ix,
  /usr/bin/expr ix,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,

  # about:memory
  owner @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/smaps r,

  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,

  # allow access to documentation and other files the user may want to look
  # at in /usr and /opt
  /usr/ r,
  /usr/** r,
  /opt/ r,
  /opt/** r,

  # so browsing directories works
  / r,
  /**/ r,

  # per-user thunderbird configuration
  owner @{HOME}/.{icedove,thunderbird}/ rw,
  owner @{HOME}/.{icedove,thunderbird}/** rw,
  owner @{HOME}/.{icedove,thunderbird}/**/storage.sdb k,
  owner @{HOME}/.{icedove,thunderbird}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{icedove,thunderbird}/plugins/** rm,
  owner @{HOME}/.{icedove,thunderbird}/**/plugins/** rm,
  owner @{HOME}/.cache/thunderbird/ rw,
  owner @{HOME}/.cache/thunderbird/** rw,

  # system emails
  owner /var/mail/* rwlk,

  #
  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  owner @{HOME}/.{icedove,thunderbird}/**/extensions/** mixrw,
  owner @{HOME}/.mozilla/ rw,
  owner @{HOME}/.mozilla/extensions/          rw,
  owner @{HOME}/.mozilla/extensions/**        mixr,
  /usr/share/xul-ext/**/*.sqlite              rk,
  /usr/lib/mozilla/plugins/*.so               rm,
  /usr/lib/xul-ext/**/*.sqlite                rk,
  /usr/lib/thunderbird-addons/extensions/**/*.sqlite rk,

  deny @{MOZ_LIBDIR}/update.test w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/extensions/**/ w,
  deny /usr/share/mozilla/ w,

  /usr/bin/gpg               Cx -> gpg,
  /usr/bin/gpg2              Cx -> gpg,
  /usr/bin/gpgconf           Cx -> gpg,
  /usr/bin/gpg-connect-agent Cx -> gpg,

  # TB tries to create this file but has no business doing so
  deny @{HOME}/.gnupg/gpg-agent.conf w,

  profile gpg {
    #include <abstractions/base>

    # Required to import keys from keyservers
    #include <abstractions/nameservice>
    #include <abstractions/p11-kit>

    /usr/share/xul-ext/enigmail/chrome/** r,

    # silence noise from enigmail 1.9+
    deny owner @{HOME}/.{icedove,thunderbird}/*/.parentlock w,
    deny owner @{HOME}/.{icedove,thunderbird}/*/panacea.dat w,
    deny owner @{HOME}/.{icedove,thunderbird}/*/*.mab w,
    deny owner @{HOME}/.{icedove,thunderbird}/**/*.msf w,
    deny owner @{HOME}/.cache/thunderbird/**/_CACHE_* w,

    # noise from inherited files
    deny @{HOME}/.{icedove,thunderbird}/*/ImapMail/*/INBOX w,
    deny /usr/{lib,share}/thunderbird/omni.ja r,
    deny /usr/share/thunderbird/extensions/** r,

    # For smartcards?
    /dev/bus/usb/ r,
    /dev/bus/usb/[0-9]*/ r,
    /dev/bus/usb/[0-9]*/[0-9]* r,

    # LDAP key servers
    /etc/ldap/ldap.conf r,

    /usr/bin/gpg mr,
    /usr/bin/gpg2 mr,
    /usr/bin/gpgconf mr,
    /usr/bin/gpg-connect-agent mr,
    /usr/lib/gnupg/gpgkeys_* ix,
    /usr/lib/gnupg2/gpg2keys_* ix,
    /usr/share/gnupg2/*.pem r,
    owner @{HOME}/.gnupg/ rw,
    owner @{HOME}/.gnupg/gpg.conf r,
    owner @{HOME}/.gnupg/random_seed rwk,
    owner @{HOME}/.gnupg/pubring.{gpg,kbx}{,~} rw,
    owner @{HOME}/.gnupg/secring.gpg rw,
    owner @{HOME}/.gnupg/trustdb.gpg rw,
    owner @{HOME}/.gnupg/tofu.db{,-journal} rwk,
    owner @{HOME}/.gnupg/S.gpg-agent rw,
    owner @{HOME}/.gnupg/S.dirmngr rw,
    owner @{HOME}/.gnupg/*.{gpg,kbx}.{lock,tmp} rwl,
    owner @{HOME}/.gnupg/.gpg-*.lock rwl,
    owner @{HOME}/.gnupg/gnupg_spawn_*.lock rwl,
    owner @{HOME}/.gnupg/.#*[0-9]  rw,
    owner @{HOME}/.gnupg/.#*[0-9]x rwl,
    owner @{HOME}/.gnupg/.#lk0x[0-9a-f]* rwl,
    owner @{HOME}/.gnupg/.gpg-v[0-9]*-migrated rw,
    owner @{HOME}/.gnupg/openpgp-revocs.d/{,[A-F0-9]*.rev} rw,
    owner @{HOME}/** r,
    owner @{PROC}/@{pids}/mountinfo r,

    # For gpgconf
    owner @{PROC}/@{pids}/fd/ r,

    owner /run/user/[0-9]*/keyring-*/gpg rw,

    # For encryption + signature
    /tmp/gpgOutput.* rw,

    # for inline pgp
    owner /tmp/encfile rw,
    owner /tmp/encfile-[0-9]* rw,

    # for key import
    owner /tmp/enigmail_import/.#lk0x[0-9a-f]*  rw,
    owner /tmp/enigmail_import/.#lk0x[0-9a-f]*x rwl,
    owner /tmp/enigmail_import/{keyring,trustdb}.lock rwl,
    owner /tmp/enigmail_import/{keyring,trustdb}{,~,.tmp} rw,
    /usr/bin/dirmngr ix,
    owner @{PROC}/@{pids}/task/@{tid}/comm rw,

    # for revocation certificate generation in the Enigmail setup wizard
    owner @{HOME}/.{icedove,thunderbird}/*/0x[A-F0-9]*_rev.asc rw,
    # for revocation certificate generation in the Enigmail key manager
    owner @{HOME}/*0x[A-F0-9]**.asc rw,

    # for signature generation
    owner /tmp/nsemail.eml w,
    owner /tmp/nsemail-[0-9]*.eml w,

    # for signature verifications
    owner /tmp/data.sig r,
    owner /tmp/data-[0-9]*.sig r,

    owner /tmp/gpg-[a-zA-Z0-9]*/S.gpg-agent rw,

    /usr/share/sounds/** r,
  }

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.thunderbird>
}