
Re: Let's enable AppArmor by default (why not?)



Hi,
On Tue, Oct 31, 2017 at 01:46:40PM +0100, Philipp Kern wrote:
> Hi Carsten,
> 
> thanks for your reply!
> 
> On 10/31/2017 07:54 AM, Carsten Schoenert wrote:
> > For Thunderbird intrigeri and myself came to the conclusion that
> > especially for the apparmor profile someone from the apparmor team
> > should be able to contribute changes to the profile directly to the git
> > tree. So intrigeri has become a member of the pkg-mozilla group to be
> > able to push changes by himself. I trust intrigeri enough that he will
> > do good contributions. For now it's the best we can do. This at all is
> > for sure improvable and we should talk about this on upcoming Debian
> > events or directly via email.
> 
> Okay, filed the bugs, let's see where they go. :) I was especially
> concerned about the browser part.
> 
> > ...
> >> [1] e.g.
> >> [ 3459.624852] audit: type=1400 audit(1509283082.571:59):
> >> apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg"
> >> name="/usr/share/thunderbird/omni.ja" pid=24720 comm="gpg2"
> >> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> 
> Filed as #880425[1].
> 
> >> [2] e.g.
> >> [ 3795.153239] audit: type=1400 audit(1509283418.100:64):
> >> apparmor="DENIED" operation="exec" profile="thunderbird"
> >> name="/opt/google/chrome-beta/google-chrome-beta" pid=31896
> >> comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> 
> Filed as #880424[0]. I think there is a deeper question here as to how
> to handle the browser abstraction for AppArmor in general.

There is /etc/apparmor.d/abstractions/ubuntu-browsers. The name isn't
very nice, but it's a start if we rename it to
/etc/apparmor.d/abstractions/browsers.

Cheers,
 -- Guido

> 
> > I suggest to open a bug report for each of such issues against
> > thunderbird with a description what was done and what was expected.
> 
> As above. :)
> 
> Kind regards and thanks
> Philipp Kern
> 
> [0] https://bugs.debian.org/880424
> [1] https://bugs.debian.org/880425
> 



