apparmor-adjust-thunderbird-profile.diff 2.74 KB
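--- a/etc/apparmor.d/usr.bin.thunderbird	2020-06-12 13:56:44.453139641 +0200
+++ b/etc/apparmor.d/usr.bin.thunderbird	2020-06-12 14:01:43.694759478 +0200
@@ -15,7 +15,6 @@
   # TODO: finetune this for required accesses
   #include <abstractions/dbus>
   #include <abstractions/dbus-accessibility>
-  #include <abstractions/dbus-session>
   #include <abstractions/dconf>
   #include <abstractions/gnome>
   #include <abstractions/ibus>
@@ -24,7 +23,6 @@
   #include <abstractions/p11-kit>
   #include <abstractions/private-files>
   #include <abstractions/ssl_certs>
-  #include <abstractions/ubuntu-browsers>
   #include <abstractions/ubuntu-browsers.d/java>
   #include <abstractions/ubuntu-helpers>
 
@@ -45,32 +43,21 @@
 
   # Allow opening attachments
   # TODO: create and use abstractions for opening various file formats
-  /{usr/local/,usr/,}bin/* Cx -> sanitized_helper,
+  /{usr/,}bin/{[^gp],g[^p],gp[^g],p[^s]}* Cx -> sanitized_helper,
+  /usr/local/bin/{[^t],t[^o],to[^r],tor[^-],tor-[^b],tor-b[^r],tor-br[^o],tor-bro[^w],tor-brow[^s],tor-brows[^e],tor-browse[^r]}* Cx -> sanitized_helper,
+  /usr/local/bin/tor-browser Uxmr,
   /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,
 
   # Allow opening links
-  # GDesktopAppInfo in GLib 2.64.x uses a very small shell script
-  # to launch .desktop files, instead of gio-launch-desktop
-  /{usr/,}bin/{dash,bash} ixr,
   # With older GLib we might still be on the fallback code path
   # (remove this after Debian 11 and Ubuntu 20.04)
   /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
 
-  # For Xubuntu to launch the browser
-  /usr/bin/exo-open ixr,
-  /usr/lib/@{multiarch}/xfce4/exo-[1-9]/exo-helper-[1-9] ixr,
-  /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
-  /etc/xdg/xfce4/helpers.rc r,
-  owner @{HOME}/.config/xfce4/helpers.rc r,
-
   # for crash reports?
   ptrace (read,trace) peer=@{profile_name},
 
   /usr/lib/thunderbird/thunderbird{,-bin} ixr,
 
-  # Pulseaudio
-  /usr/bin/pulseaudio Pixr,
-
   owner @{HOME}/.{cache,config}/dconf/user rw,
   owner @{HOME}/.cache/thumbnails/** r,
   owner /run/user/[0-9]*/dconf/user rw,
@@ -146,6 +133,10 @@
   deny /boot/vmlinuz* r,
   deny /var/cache/fontconfig/ w,
 
+  # needed for GNOME Shell's on-screen keyboard
+  # Tails-specific: needed only because we disable the dbus-session abstraction
+  /etc/machine-id r,
+
   # noisy file dialog:
   #
   # TODO: remove these rules when file dialogs becomes "trusted helpers" that can
@@ -270,7 +261,6 @@
   /etc/lsb-release r,
   /etc/ssl/openssl.cnf r,
   /usr/lib/thunderbird/crashreporter ix,
-  /usr/bin/expr ix,
   /sys/devices/system/cpu/ r,
   /sys/devices/system/cpu/** r,
 
@@ -430,4 +420,3 @@
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.bin.thunderbird>
 }
-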
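Review bot: In the `@@ -45,32 +43,21 @@` hunk, the added rule `/usr/local/bin/tor-browser Uxmr,` lets the confined mail client start that program with no AppArmor profile at all, and nothing in the hunk says why an unconfined transition is needed rather than `Px` or `Cx`. `Ux` scrubs only the environment, so whatever Thunderbird passes on the command line is handled outside confinement; if the target is a wrapper script, `m` is probably unnecessary and the rule could be narrowed to `/usr/local/bin/tor-browser Ux,` (or `Px`, should a profile for the wrapper exist, which is not visible here). The two negated brace globs above it are also hard to audit: they appear to carve `gpg*`, `ps*` and `tor-browser*` out of the `sanitized_helper` transition, and a comment such as `# Tails-specific: keep gpg*, ps* and tor-browser* out of sanitized_helper; tor-browser gets its own rule below` would make that intent checkable. The exclusion is by prefix, so every other binary whose name starts with `gpg` or `ps` also loses the helper transition, which is worth confirming as intended.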