Re: Let's enable AppArmor by default (why not?)
On Tue, Oct 31, 2017 at 01:46:40PM +0100, Philipp Kern wrote:
> Hi Carsten,
> thanks for your reply!
> On 10/31/2017 07:54 AM, Carsten Schoenert wrote:
> > For Thunderbird intrigeri and myself came to the conclusion that
> > especially for the apparmor profile someone from the apparmor team
> > should be able to contribute changes to the profile directly to the git
> > tree. So intrigeri has become a member of the pkg-mozilla group to be
> > able to push changes by himself. I trust intrigeri enough that he will
> > do good contributions. For now it's the best we can do. This at all is
> > for sure improvable and we should talk about this on upcoming Debian
> > events or directly via email.
> Okay, filed the bugs, lets see where they go. :) I was especially
> concerned about the browser part.
> > ...
> >>  e.g.
> >> [ 3459.624852] audit: type=1400 audit(1509283082.571:59):
> >> apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg"
> >> name="/usr/share/thunderbird/omni.ja" pid=24720 comm="gpg2"
> >> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> Filed as #880425.
> >>  e.g.
> >> [ 3795.153239] audit: type=1400 audit(1509283418.100:64):
> >> apparmor="DENIED" operation="exec" profile="thunderbird"
> >> name="/opt/google/chrome-beta/google-chrome-beta" pid=31896
> >> comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> Filed as #880424. I think there is a deeper question here as to how
> to handle the browser abstraction for AppArmor in general.
There is /etc/apparmor.d/abstractions/ubuntu-browsers. The name isn't
very nice it's a start if we rename it to
> > I suggest to open a bug report for each of such issues against
> > thunderbird with a description what was done and what was expected.
> As above. :)
> Kind regards and thanks
> Philipp Kern
>  https://bugs.debian.org/880424
>  https://bugs.debian.org/880425