# vim:syntax=apparmor # Author: Simon Deziel # This apparmor profile is derived from firefox profile # by Jamie Strandboge # Declare an apparmor variable to help with overrides @{MOZ_LIBDIR}=/usr/lib/thunderbird @{thunderbird_executable} = /usr/lib/thunderbird/thunderbird{,-bin} #include profile thunderbird @{thunderbird_executable} { #include #include #include # TODO: finetune this for required accesses #include #include #include #include #include #include #include #include #include #include #include #include #include #include # Backported from the dri-enumerate abstraction, available in AppArmor 2.13 /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, # Allow opening attachments # TODO: create and use abstractions for opening various file formats /{usr/local/,usr/,}bin/* Cx -> sanitized_helper, /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper, # For Xubuntu to launch the browser /usr/bin/exo-open ixr, /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr, /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r, /etc/xdg/xfce4/helpers.rc r, # for crash reports? ptrace (read,trace) peer=@{profile_name}, @{thunderbird_executable} ixr, # Pulseaudio /usr/bin/pulseaudio Pixr, owner @{HOME}/.{cache,config}/dconf/user rw, owner @{HOME}/.cache/thumbnails/** r, owner /run/user/[0-9]*/dconf/user rw, owner @{HOME}/.config/gtk-3.0/bookmarks r, deny owner @{HOME}/.local/share/gvfs-metadata/* r, # potentially extremely sensitive files audit deny @{HOME}/.gnupg/** mrwkl, audit deny @{HOME}/.ssh/** mrwkl, # rw access to HOME is useful when sending/receiving attachments owner @{HOME}/** rw, # other commonly used locations /{data,media,mnt,srv}/** r, owner /{data,media,mnt,srv}/** rw, owner @{HOME}/.signature* r, # Required for LVM setups /sys/devices/virtual/block/dm-[0-9]*/uevent r, # Addons (too lax for thunderbird) ##include # for networking network inet stream, network inet6 stream, @{PROC}/[0-9]*/net/if_inet6 r, @{PROC}/[0-9]*/net/ipv6_route r, @{PROC}/[0-9]*/net/dev r, @{PROC}/[0-9]*/net/wireless r, @{PROC}/[0-9]*/net/arp r, # should maybe be in abstractions /etc/ r, /etc/mime.types r, /etc/mailcap r, /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives /etc/xfce4/defaults.list r, /usr/share/xubuntu/applications/defaults.list r, owner /dev/shm/org.chromium.* rw, # for Chromium IPC owner @{HOME}/.cache/fontconfig/*.cache-* rwk, owner @{HOME}/.local/share/applications/defaults.list r, owner @{HOME}/.local/share/applications/mimeapps.list r, owner @{HOME}/.local/share/applications/mimeinfo.cache r, owner @{HOME}/.recently-used r, /tmp/.X[0-9]*-lock r, /etc/udev/udev.conf r, # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed. # Possibly move to an abstraction if anything else needs it. deny /run/udev/data/** r, /etc/timezone r, /etc/wildmidi/wildmidi.cfg r, # thunderbird specific /etc/thunderbird/ r, /etc/thunderbird/** r, /etc/xul-ext/** r, /etc/xulrunner-2.0*/ r, /etc/xulrunner-2.0*/** r, /etc/gre.d/ r, /etc/gre.d/* r, # noisy deny @{MOZ_LIBDIR}/** w, deny /usr/lib/thunderbird-addons/** w, deny /usr/lib/xulrunner-addons/** w, deny /usr/lib/xulrunner-*/components/*.tmp w, deny /.suspended r, deny /boot/initrd.img* r, deny /boot/vmlinuz* r, deny /var/cache/fontconfig/ w, deny @{HOME}/.local/share/recently-used.xbel r, deny @{HOME}/.* r, # TODO: investigate deny /usr/bin/gconftool-2 x, owner @{PROC}/[0-9]*/mountinfo r, owner @{PROC}/[0-9]*/stat r, owner @{PROC}/[0-9]*/task/[0-9]*/stat r, /sys/devices/pci[0-9]*/**/uevent r, /sys/devices/pci*/**/config r, /sys/devices/system/node/node[0-9]*/meminfo r, /etc/mtab r, /etc/fstab r, # Needed for the crash reporter owner @{PROC}/[0-9]*/environ r, owner @{PROC}/[0-9]*/auxv r, owner @{PROC}/[0-9]*/status r, owner @{PROC}/[0-9]*/cmdline r, /etc/lsb-release r, /etc/ssl/openssl.cnf r, /usr/lib/thunderbird/crashreporter ix, /usr/bin/expr ix, /sys/devices/system/cpu/ r, /sys/devices/system/cpu/** r, # about:memory owner @{PROC}/[0-9]*/statm r, owner @{PROC}/[0-9]*/smaps r, # Needed for container to work in xul builds /usr/lib/xulrunner-*/plugin-container ixr, # allow access to documentation and other files the user may want to look # at in /usr and /opt /usr/ r, /usr/** r, /opt/ r, /opt/** r, # so browsing directories works / r, /**/ r, # per-user thunderbird configuration owner @{HOME}/.{icedove,thunderbird}/ rw, owner @{HOME}/.{icedove,thunderbird}/** rw, owner @{HOME}/.{icedove,thunderbird}/**/storage.sdb k, owner @{HOME}/.{icedove,thunderbird}/**/*.{db,parentlock,sqlite}* k, owner @{HOME}/.{icedove,thunderbird}/plugins/** rm, owner @{HOME}/.{icedove,thunderbird}/**/plugins/** rm, owner @{HOME}/.cache/thunderbird/ rw, owner @{HOME}/.cache/thunderbird/** rw, # system emails owner /var/mail/* rwlk, # # Extensions # /usr/share/.../extensions/... is already covered by '/usr/** r', above. # Allow 'x' for downloaded extensions, but inherit policy for safety owner @{HOME}/.{icedove,thunderbird}/**/extensions/** mixrw, owner @{HOME}/.mozilla/ rw, owner @{HOME}/.mozilla/extensions/ rw, owner @{HOME}/.mozilla/extensions/** mixr, /usr/share/xul-ext/**/*.sqlite rk, /usr/lib/mozilla/plugins/*.so rm, /usr/lib/xul-ext/**/*.sqlite rk, /usr/lib/thunderbird-addons/extensions/**/*.sqlite rk, deny @{MOZ_LIBDIR}/update.test w, deny /usr/lib/mozilla/extensions/**/ w, deny /usr/lib/xulrunner-addons/extensions/**/ w, deny /usr/share/mozilla/extensions/**/ w, deny /usr/share/mozilla/ w, /usr/bin/gpg Cx -> gpg, /usr/bin/gpg2 Cx -> gpg, /usr/bin/gpgconf Cx -> gpg, /usr/bin/gpg-connect-agent Cx -> gpg, # TB tries to create this file but has no business doing so deny @{HOME}/.gnupg/gpg-agent.conf w, profile gpg { #include # Required to import keys from keyservers #include #include /usr/share/xul-ext/enigmail/chrome/** r, # silence noise from enigmail 1.9+ deny owner @{HOME}/.{icedove,thunderbird}/*/.parentlock w, deny owner @{HOME}/.{icedove,thunderbird}/*/panacea.dat w, deny owner @{HOME}/.{icedove,thunderbird}/*/*.mab w, deny owner @{HOME}/.{icedove,thunderbird}/**/*.msf w, deny owner @{HOME}/.cache/thunderbird/**/_CACHE_* w, # noise from inherited files deny @{HOME}/.{icedove,thunderbird}/*/ImapMail/*/INBOX w, deny /usr/{lib,share}/thunderbird/omni.ja r, deny /usr/share/thunderbird/extensions/** r, # For smartcards? /dev/bus/usb/ r, /dev/bus/usb/[0-9]*/ r, /dev/bus/usb/[0-9]*/[0-9]* r, # LDAP key servers /etc/ldap/ldap.conf r, /usr/bin/gpg mr, /usr/bin/gpg2 mr, /usr/bin/gpgconf mr, /usr/bin/gpg-connect-agent mr, /usr/lib/gnupg/gpgkeys_* ix, /usr/lib/gnupg2/gpg2keys_* ix, /usr/share/gnupg2/*.pem r, owner @{HOME}/.gnupg/ rw, owner @{HOME}/.gnupg/gpg.conf r, owner @{HOME}/.gnupg/random_seed rwk, owner @{HOME}/.gnupg/pubring.{gpg,kbx}{,~} rw, owner @{HOME}/.gnupg/secring.gpg rw, owner @{HOME}/.gnupg/trustdb.gpg rw, owner @{HOME}/.gnupg/tofu.db{,-journal} rwk, owner @{HOME}/.gnupg/S.gpg-agent rw, owner @{HOME}/.gnupg/S.dirmngr rw, owner @{HOME}/.gnupg/*.{gpg,kbx}.{lock,tmp} rwl, owner @{HOME}/.gnupg/.gpg-*.lock rwl, owner @{HOME}/.gnupg/gnupg_spawn_*.lock rwl, owner @{HOME}/.gnupg/.#*[0-9] rw, owner @{HOME}/.gnupg/.#*[0-9]x rwl, owner @{HOME}/.gnupg/.#lk0x[0-9a-f]* rwl, owner @{HOME}/.gnupg/.gpg-v[0-9]*-migrated rw, owner @{HOME}/.gnupg/openpgp-revocs.d/{,[A-F0-9]*.rev} rw, owner @{HOME}/** r, owner @{PROC}/@{pids}/mountinfo r, # For gpgconf owner @{PROC}/@{pids}/fd/ r, owner /run/user/[0-9]*/keyring-*/gpg rw, # For encryption + signature /tmp/gpgOutput.* rw, # for inline pgp owner /tmp/encfile rw, owner /tmp/encfile-[0-9]* rw, # for key import owner /tmp/enigmail_import/.#lk0x[0-9a-f]* rw, owner /tmp/enigmail_import/.#lk0x[0-9a-f]*x rwl, owner /tmp/enigmail_import/{keyring,trustdb}.lock rwl, owner /tmp/enigmail_import/{keyring,trustdb}{,~,.tmp} rw, /usr/bin/dirmngr ix, owner @{PROC}/@{pids}/task/@{tid}/comm rw, # for revocation certificate generation in the Enigmail setup wizard owner @{HOME}/.{icedove,thunderbird}/*/0x[A-F0-9]*_rev.asc rw, # for revocation certificate generation in the Enigmail key manager owner @{HOME}/*0x[A-F0-9]**.asc rw, # for signature generation owner /tmp/nsemail.eml w, owner /tmp/nsemail-[0-9]*.eml w, # for signature verifications owner /tmp/data.sig r, owner /tmp/data-[0-9]*.sig r, owner /tmp/gpg-[a-zA-Z0-9]*/S.gpg-agent rw, /usr/share/sounds/** r, } # Site-specific additions and overrides. See local/README for details. #include }