Thunderbird email Apparmor profiles

Discussion in 'all things UNIX' started by wat0114, Dec 2, 2019.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    These were originally posted in the Apparmor & Firefox thread, but that would appear OT.

    Code:
    # Last Modified: Sat Nov 30 10:55:06 2019
    #include <tunables/global>
    
    /usr/lib/thunderbird {
      #include <abstractions/base>
    
    }
    Code:
    # Last Modified: Sun Dec  1 08:39:41 2019
    #include <tunables/global>
    
    /usr/lib/thunderbird/thunderbird-bin {
      #include <abstractions/base>
      #include <abstractions/gnome>
      #include <abstractions/lightdm>
      #include <abstractions/totem>
    
      /home/*/Documents/*.profile r,
      /proc/*/net/arp r,
      /proc/*/net/route r,
      /proc/cpuinfo r,
      /proc/filesystems r,
      owner "/home/*/.thunderbird/Crash Reports/InstallTime*" r,
      owner "/home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Contacts Folder.msf" rw,
      owner "/home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Deleted Items.sbd/*.msf" rw,
      owner "/home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Deleted Messages.msf" rw,
      owner "/home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/INBOX.sbd/emails with attachments" r,
      owner "/home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/INBOX.sbd/emails with attachments.msf" rw,
      owner "/home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Junk E-mail.msf" rw,
      owner "/home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Junk E-mail1.msf" rw,
      owner "/home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Sent Items.msf" rw,
      owner "/home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Sent Messages.msf" rw,
      owner "/home/*/.thunderbird/zi96dvqd.default/Mail/Local Folders/Unsent Messages.msf" rw,
      owner /home/*/.ICEauthority r,
      owner /home/*/.Xauthority r,
      owner /home/*/.bash_history r,
      owner /home/*/.bash_logout r,
      owner /home/*/.bashrc r,
      owner /home/*/.cache/fontconfig/*.cache-* r,
      owner /home/*/.cache/mesa_shader_cache/index rw,
      owner /home/*/.cache/thunderbird/zi96dvqd.default/.startup-incomplete w,
      owner /home/*/.cache/thunderbird/zi96dvqd.default/cache2/doomed/ rw,
      owner /home/*/.cache/thunderbird/zi96dvqd.default/cache2/doomed/?????* r,
      owner /home/*/.cache/thunderbird/zi96dvqd.default/cache2/doomed/?????* w,
      owner /home/*/.cache/thunderbird/zi96dvqd.default/cache2/entries/??????????* rw,
      owner /home/*/.cache/thunderbird/zi96dvqd.default/cache2/trash????*/ rw,
      owner /home/*/.cache/thunderbird/zi96dvqd.default/cache2/trash????*/??????* w,
      owner /home/*/.cache/thunderbird/zi96dvqd.default/startupCache/startupCache.* r,
      owner /home/*/.cache/thunderbird/zi96dvqd.default/startupCache/startupCache.* w,
      owner /home/*/.config/*.dirs r,
      owner /home/*/.config/*.list r,
      owner /home/*/.config/dconf/user r,
      owner /home/*/.config/gtk-3.0/*.css r,
      owner /home/*/.config/gtk-3.0/bookmarks r,
      owner /home/*/.dmrc r,
      owner /home/*/.fonts/.uuid r,
      owner /home/*/.local/share/applications/*.list r,
      owner /home/*/.local/share/gvfs-metadata/*.log r,
      owner /home/*/.local/share/gvfs-metadata/home r,
      owner /home/*/.local/share/recently-used.xbel rw,
      owner /home/*/.local/share/recently-used.xbel.* rw,
      owner /home/*/.profile r,
      owner /home/*/.thunderbird/*.ini r,
      owner /home/*/.thunderbird/zi96dvqd.default/*.dat rw,
      owner /home/*/.thunderbird/zi96dvqd.default/*.ini r,
      owner /home/*/.thunderbird/zi96dvqd.default/*.json rw,
      owner /home/*/.thunderbird/zi96dvqd.default/*.json.mozlz4 r,
      owner /home/*/.thunderbird/zi96dvqd.default/*.json.tmp rw,
      owner /home/*/.thunderbird/zi96dvqd.default/*.txt rw,
      owner /home/*/.thunderbird/zi96dvqd.default/*.xml r,
      owner /home/*/.thunderbird/zi96dvqd.default/.parentlock wk,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/*.dat r,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/*.msf rw,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Archive.msf rw,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/INBOX rw,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/INBOX.msf rw,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Sent-1 rw,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Sent-1.msf rw,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/SentMail.msf rw,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Trash rw,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Trash.msf rw,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/sent-mail.msf rw,
      owner /home/*/.thunderbird/zi96dvqd.default/abook.mab rw,
      owner /home/*/.thunderbird/zi96dvqd.default/addonStartup.json.* r,
      owner /home/*/.thunderbird/zi96dvqd.default/blist.sqlite rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/cert9.db rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/cert9.db-journal rw,
      owner /home/*/.thunderbird/zi96dvqd.default/content-prefs.sqlite rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/cookies.sqlite rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/cookies.sqlite-* rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/cookies.sqlite-wal rw,
      owner /home/*/.thunderbird/zi96dvqd.default/crashes/store.json.mozlz4 rw,
      owner /home/*/.thunderbird/zi96dvqd.default/crashes/store.json.mozlz4.tmp rw,
      owner /home/*/.thunderbird/zi96dvqd.default/datareporting/*.json rw,
      owner /home/*/.thunderbird/zi96dvqd.default/datareporting/aborted-session-ping w,
      owner /home/*/.thunderbird/zi96dvqd.default/datareporting/aborted-session-ping.tmp rw,
      owner /home/*/.thunderbird/zi96dvqd.default/datareporting/session-state.json.tmp rw,
      owner /home/*/.thunderbird/zi96dvqd.default/favicons.sqlite rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/favicons.sqlite-shm rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/favicons.sqlite-wal rw,
      owner /home/*/.thunderbird/zi96dvqd.default/global-messages-db.sqlite rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/global-messages-db.sqlite-journal rw,
      owner /home/*/.thunderbird/zi96dvqd.default/history.mab rw,
      owner /home/*/.thunderbird/zi96dvqd.default/key4.db rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/lock w,
      owner /home/*/.thunderbird/zi96dvqd.default/permissions.sqlite rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/places.sqlite rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/places.sqlite-shm rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/places.sqlite-wal rw,
      owner /home/*/.thunderbird/zi96dvqd.default/prefs-*.js rw,
      owner /home/*/.thunderbird/zi96dvqd.default/prefs.js rw,
      owner /home/*/.thunderbird/zi96dvqd.default/sessionCheckpoints.json rw,
      owner /home/*/.thunderbird/zi96dvqd.default/webappsstore.sqlite rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/webappsstore.sqlite-shm rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/webappsstore.sqlite-wal rw,
      owner /home/*/.thunderbird/zi96dvqd.default/xulstore.json rw,
      owner /home/*/.xscreensaver r,
      owner /home/*/.xsession-errors r,
      owner /home/*/Documents/*.jpg w,
      owner /home/*/Documents/*.json.tmp r,
      owner /home/*/Documents/opt.firefox.firefox-bin r,
      owner /home/*/Documents/opt.google.chrome.chrome r,
      owner /home/*/Documents/usr.local.bin.firefox r,
      owner /home/*/Documents/usr.sbin.NetworkManager r,
      owner /proc/*/maps r,
      owner /proc/*/mountinfo r,
      owner /proc/*/stat r,
      owner /proc/*/task/*/stat r,
    
    }
    
    Code:
    # Last Modified: Sat Nov 30 11:25:14 2019
    #include <tunables/global>
    
    /usr/bin/thunderbird {
      #include <abstractions/base>
      #include <abstractions/bash>
      #include <abstractions/consoles>
      #include <abstractions/lightdm>
      #include <abstractions/totem>
    
      /home/*/Documents/*.profile r,
      /proc/*/net/arp r,
      /proc/*/net/route r,
      /proc/cpuinfo r,
      /proc/filesystems r,
      /usr/lib/thunderbird/thunderbird-bin Px,
      owner "/home/*/.thunderbird/Crash Reports/InstallTime*" r,
      owner "/home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Contacts Folder.msf" rw,
      owner "/home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Deleted Items.sbd/*.msf" rw,
      owner "/home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Deleted Messages.msf" rw,
      owner "/home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/INBOX.sbd/emails with attachments.msf" rw,
      owner "/home/*/.thunderbird/zi96dvqd.default/Mail/Local Folders/Unsent Messages.msf" rw,
      owner /home/*/.ICEauthority r,
      owner /home/*/.Xauthority r,
      owner /home/*/.bash_history r,
      owner /home/*/.bash_logout r,
      owner /home/*/.bashrc r,
      owner /home/*/.cache/fontconfig/*.cache-* r,
      owner /home/*/.cache/thunderbird/zi96dvqd.default/**.8.little r,
      owner /home/*/.cache/thunderbird/zi96dvqd.default/.startup-incomplete w,
      owner /home/*/.cache/thunderbird/zi96dvqd.default/cache2/entries/????????* rw,
      owner /home/*/.config/*.dirs r,
      owner /home/*/.config/*.list r,
      owner /home/*/.config/dconf/user r,
      owner /home/*/.config/gtk-3.0/*.css r,
      owner /home/*/.config/gtk-3.0/bookmarks r,
      owner /home/*/.dmrc r,
      owner /home/*/.fonts/.uuid r,
      owner /home/*/.local/share/applications/*.list r,
      owner /home/*/.local/share/gvfs-metadata/*.log r,
      owner /home/*/.local/share/gvfs-metadata/home r,
      owner /home/*/.local/share/recently-used.xbel rw,
      owner /home/*/.local/share/recently-used.xbel.* rw,
      owner /home/*/.profile r,
      owner /home/*/.thunderbird/*.ini r,
      owner /home/*/.thunderbird/zi96dvqd.default/*.dat rw,
      owner /home/*/.thunderbird/zi96dvqd.default/*.ini r,
      owner /home/*/.thunderbird/zi96dvqd.default/*.json rw,
      owner /home/*/.thunderbird/zi96dvqd.default/*.json.lz4 r,
      owner /home/*/.thunderbird/zi96dvqd.default/*.json.mozlz4 r,
      owner /home/*/.thunderbird/zi96dvqd.default/*.json.tmp rw,
      owner /home/*/.thunderbird/zi96dvqd.default/*.txt rw,
      owner /home/*/.thunderbird/zi96dvqd.default/*.xml r,
      owner /home/*/.thunderbird/zi96dvqd.default/.parentlock wk,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/*.dat r,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/*.msf rw,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Archive.msf rw,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/INBOX rw,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/INBOX.msf rw,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/INBOX.sbd/emails* r,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Sent-1 rw,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/SentMail.msf rw,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/Trash rw,
      owner /home/*/.thunderbird/zi96dvqd.default/ImapMail/imap.telus.net/sent-mail.msf rw,
      owner /home/*/.thunderbird/zi96dvqd.default/abook.mab rw,
      owner /home/*/.thunderbird/zi96dvqd.default/blist.sqlite rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/cert9.db rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/cert9.db-journal rw,
      owner /home/*/.thunderbird/zi96dvqd.default/content-prefs.sqlite rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/cookies.sqlite rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/cookies.sqlite-shm rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/cookies.sqlite-wal rw,
      owner /home/*/.thunderbird/zi96dvqd.default/crashes/*.json.mozlz4 rw,
      owner /home/*/.thunderbird/zi96dvqd.default/crashes/*.json.mozlz4.tmp rw,
      owner /home/*/.thunderbird/zi96dvqd.default/datareporting/*.json rw,
      owner /home/*/.thunderbird/zi96dvqd.default/datareporting/*.json.tmp rw,
      owner /home/*/.thunderbird/zi96dvqd.default/datareporting/aborted-session-ping w,
      owner /home/*/.thunderbird/zi96dvqd.default/datareporting/aborted-session-ping.tmp rw,
      owner /home/*/.thunderbird/zi96dvqd.default/favicons.sqlite rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/favicons.sqlite-shm rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/favicons.sqlite-wal rw,
      owner /home/*/.thunderbird/zi96dvqd.default/global-messages-db.sqlite rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/global-messages-db.sqlite-journal rw,
      owner /home/*/.thunderbird/zi96dvqd.default/history.mab rw,
      owner /home/*/.thunderbird/zi96dvqd.default/key4.db rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/lock w,
      owner /home/*/.thunderbird/zi96dvqd.default/permissions.sqlite rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/places.sqlite rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/places.sqlite-shm rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/places.sqlite-wal rw,
      owner /home/*/.thunderbird/zi96dvqd.default/prefs-1.js rw,
      owner /home/*/.thunderbird/zi96dvqd.default/prefs.js rw,
      owner /home/*/.thunderbird/zi96dvqd.default/sessionCheckpoints.json rw,
      owner /home/*/.thunderbird/zi96dvqd.default/sessionCheckpoints.json.tmp rw,
      owner /home/*/.thunderbird/zi96dvqd.default/webappsstore.sqlite rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/webappsstore.sqlite-shm rwk,
      owner /home/*/.thunderbird/zi96dvqd.default/webappsstore.sqlite-wal rw,
      owner /home/*/.thunderbird/zi96dvqd.default/xulstore.json rw,
      owner /home/*/.xscreensaver r,
      owner /home/*/.xsession-errors r,
      owner /home/*/Documents/*.jpg w,
      owner /home/*/Documents/*.json.tmp r,
      owner /home/*/Documents/opt.* r,
      owner /home/*/Documents/usr.* r,
      owner /proc/*/maps r,
      owner /proc/*/mountinfo r,
      owner /proc/*/stat r,
      owner /proc/*/task/*/stat r,
    
    }
    Significant modifying of the profile so links could be launched directly in Firefox worked, but ended up irrevocably breaking Firefox's bookmarks, so I've decided to simply copy links and paste them into the browser's address field. Maybe it is meant to be, as directly launching email links can cause malicious consequences.
     
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Opening links in Firefox works for me by adding the rule
    Code:
    /usr/lib/firefox/firefox Px,
    but only if seccomp is disabled in the Firejail profile for Thunderbird. (Similarly I also added Px rules for libreoffice.) I'm still trying to get around this problem.
     
  3. wat0114

    I tried the similar rule:
    Code:
    /opt/firefox/firefox Px,
    but no luck. I'm not even using Firejail for Thunderbird or Firefox now that they're both under Apparmor. I'll just copy/paste links to Firefox for the few times I may need to do so. Thanks!
     
  4. summerheat

    Which action is defined in the Thunderbird settings for opening http and https file types?

    EDIT: Perhaps your problem is also related to your having 2 profiles for Firefox: /opt/firefox/firefox and /opt/firefox/firefox-bin. I have only one profile.
     
    Last edited: Dec 8, 2019
  5. wat0114

    Hey it works now! All I had to do was put the rule: /opt/firefox/firefox Px, into the profile: usr.lib.thunderbird.thunderbird-bin. The links launch in apparmored Firefox :) Thanks!
     
    Last edited: Dec 8, 2019
  6. summerheat

    Great that it works now for you!

    Regarding abstractions: We agree that one should not use too many of them and inspect them before adding them. For example, <abstractions/ubuntu-browsers.d/user-files> allows read and write access to all files in $HOME - ouch! But there are some abstractions which are useful, IMO. One example is private-files which contains deny rules and protects sensitive files/folders (private-files-strict should be used for office suites, pdf readers, image viewers etc.). One might argue that an application has no access to those files/folders anyhow without corresponding rules. However, if one (unintentionally) allows an application to read/write all files in $HOME it's good to know that this stuff is protected - a second line of defense, so to speak.

    Btw. (not related but still very useful), in the LibreOffice profile from somewhere on the AppArmor gitlab sites I found this interesting approach:
    Code:
    #Defines all common supported file formats
    #Some obscure ones were excluded (mostly input)
    
    #Generic
    @{libreoffice_ext} = [tT][xX][tT]  #.txt
    @{libreoffice_ext} += {,f,F}[oO][dDtT][tTsSpPbBgGfF]  #All the open document format
    @{libreoffice_ext} += [xX][mMsS][lL]  #.xml and xsl
    @{libreoffice_ext} += [pP][dD][fF]  #.pdf
    @{libreoffice_ext} += [uU][oO][fFtTsSpP]  #Unified office format
    @{libreoffice_ext} += {,x,X}[hH][tT][mM]{,l,L}  #(x)htm(l)
    
    #Images
    @{libreoffice_ext} += [jJ][pP][gG]
    @{libreoffice_ext} += [jJ][pP][eE][gG]
    @{libreoffice_ext} += [pP][nN][gG]
    @{libreoffice_ext} += [sS][vV][gG]
    @{libreoffice_ext} += [sS][vV][gG][zZ]
    @{libreoffice_ext} += [tT][iI][fF]
    @{libreoffice_ext} += [tT][iI][fF][fF]
    
    #Writer
    @{libreoffice_ext} += [dD][oO][cCtT]{,x,X}
    @{libreoffice_ext} += [rR][tT][fF]
    
    #Calc
    @{libreoffice_ext} += [xX][lL][sSwWtT]{,x,X}
    @{libreoffice_ext} += [dD][iIbB][fF]  #.dif dbf
    @{libreoffice_ext} += [cCtT][sS][vV]  #.tsv .csv
    @{libreoffice_ext} += [sS][lL][kK]
    
    #Impress/Draw
    @{libreoffice_ext} += [pP][pP][tTsS]{,x,X}
    @{libreoffice_ext} += [pP][oO][tT]{,m,M}
    @{libreoffice_ext} += [sS][wW][fF]  #Flash
    @{libreoffice_ext} += [pP][sS][dD]  #Photoshop
    
    #Math
    @{libreoffice_ext} += [mM][mM][lL]
    
    @{libo_user_dirs} = @{HOME} /mnt /media
    combined with this rule:
    Code:
    owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk, #Open files rw with the right exts
    I think that's a neat trick to make a profile more easily readable and editable. Needless to say, this is a very useful approach in profiles for pdf readers, image viewers, audio and video players and the like as well.

    I had mentioned earlier that I hadn't used AppArmor for some years. Detecting such stuff is a good learning effect.:thumb:
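To check what a rule like `owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk,` actually reaches before loading it, here is a small AppArmor-style glob matcher (an added example, not code from the post or from the AppArmor project). It expands `@{var}` definitions, brace alternations and character classes into a regex and reports which permissions a path receives, so you can confirm that a document under $HOME matches while `~/.ssh/id_rsa` does not, and contrast that with the broad `@{HOME}/**` style of rule the post warns about. Assumptions: `@{HOME}` is simplified to `/home/*`, the extension list is a shortened, constructed fragment, and `owner` and deny rules are not modelled.

```python
import re

# Constructed fragment of the variable-based LibreOffice rules quoted in the post
# (the real profile on the AppArmor GitLab defines many more extensions).
LIBO_RULES = """
@{libreoffice_ext} = [tT][xX][tT]
@{libreoffice_ext} += {,f,F}[oO][dDtT][tTsSpPbBgGfF]
@{libreoffice_ext} += [pP][dD][fF]
@{libreoffice_ext} += [dD][oO][cCtT]{,x,X}
@{libo_user_dirs} = @{HOME} /mnt /media
owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk,
"""
# The broad kind of rule the post warns about: read/write to everything in $HOME.
BROAD_RULES = "owner @{HOME}/** rw,\n"

def parse_profile(text):
    """Split a fragment into @{var} definitions and file rules.
    @{HOME} is preset as a simplified stand-in for tunables/home (assumption)."""
    variables, rules = {"HOME": ["/home/*"]}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        m = re.match(r"@\{(\w+)\}\s*(\+?=)\s*(.*)$", line)
        if m:
            name, op, values = m.groups()
            if op == "=":
                variables[name] = []
            variables.setdefault(name, []).extend(values.split())
        elif line:
            rules.append(line)
    return variables, rules

def glob_to_regex(pat, variables):
    """Translate AppArmor globbing (**, *, ?, [..], {a,b}, @{var}) to a regex."""
    out, i = [], 0
    while i < len(pat):
        if pat.startswith("@{", i) or pat[i] == "{":
            # @{var} becomes an alternation of its values; {a,,b} is a brace
            # alternation whose branches may be empty, as in {,x,X}.
            j = pat.index("}", i)
            alts = variables[pat[i + 2:j]] if pat[i] == "@" else pat[i + 1:j].split(",")
            out.append("(?:" + "|".join(glob_to_regex(a, variables) for a in alts) + ")")
            i = j + 1
        elif pat[i] == "[":                            # character class, regex syntax
            j = pat.index("]", i)
            out.append(pat[i:j + 1])
            i = j + 1
        elif pat.startswith("**", i):                  # any characters, including '/'
            out.append(".*")
            i += 2
        else:                                          # '*' and '?' stop at '/'
            out.append({"*": "[^/]*", "?": "[^/]"}.get(pat[i], re.escape(pat[i])))
            i += 1
    return "".join(out)

def permissions(profile_text, path):
    """Union of the permissions the fragment's file rules grant to `path`."""
    variables, rules = parse_profile(profile_text)
    granted = set()
    for rule in rules:
        parts = rule.rstrip(",").split()
        if parts[0] == "owner":                         # ownership is not modelled here
            parts = parts[1:]
        if re.fullmatch(glob_to_regex(parts[0], variables), path):
            granted.update(parts[1])
    return "".join(sorted(granted))
```

Note that a double extension such as `Report.docx.exe` gets nothing from the extension-anchored rule, because `**.@{libreoffice_ext}` must match through to the end of the path.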
     
  7. wat0114

    Indeed, though the one that's hard to do without is lightdm for Firefox. It's very powerful in terms of all the numerous directories and files it has rules for, but when I tried to do without it or even modified it to eliminate some of the directories, the subsequent profiling created all kinds of cumbersome rules, and I still was not able to launch Firefox, so I re-enabled it as is. Besides, it looks as though the directories it references have write protection from users, so that's good.
     
  8. summerheat

    Sorry, my remark was not meant to criticize you but was unclear phrasing. As a matter of fact you're using only a few abstractions, which is good!
     
  9. wat0114

    Haha, no worries, I understood. I had really wanted to either ditch lightdm or at least whittle it down some, but doing so created too many problems.
     