Package: thunderbird Version: 1:45.8.0-3 Followup-For: Bug #859179 Was this bug really fixed in 1:52.1.1-1?
The debian/changelog mentions:
* [5d5392b] apparmor/usr.bin.thunderbird: update for version 52
(cherry-picked from upstream)
(Closes: #859179)
However commit 5d5392b doesn't have anything to do with enigmail/gnupg
(although it does indeed update the apparmor profile).
The debian/apparmor/usr.bin.thunderbird file in the debian/sid (9ebc11d)
branch and debian/1%52.1.1-1 tag still have the old/broken gpg/gpg2
split.
FWIW today I upgraded a system from jessie to stretch, this system has
apparmor enabled, and I use the enigmail add-on. Enigmail is no longer
able to verify signatures, and apparmor denials are logged like:
audit: type=1400 audit(1497376491.671:74): apparmor="DENIED" operation="open"
profile="thunderbird//gpg" name="/tmp/data.sig" pid=18767 comm="gpg2"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
I fixed it by locally modifying /etc/apparmor.d/usr.bin.thunderbird, but
unlike Felix Geyer's suggestion of merging gpg/gpg2 sub-profiles, I
simply mapped /usr/bin/gpg to "gpg2" sub-profile, and mapped
/usr/bin/gpg1 to [renamed] "gpg1" sub-profile.
Then I discovered another denial about gpg2 trying to map
/usr/bin/gpgconf:
audit: type=1400 audit(1497389311.854:178): apparmor="DENIED"
operation="file_mmap" profile="thunderbird//gpg2" name="/usr/bin/gpgconf"
pid=3820 comm="gpgconf" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
So I added an additional "/usr/bin/gpgconf mr," rule to the "gpg2"
profile. I believe Felix's patch is missing this last piece.
After getting thunderbird/enigmail/gnupg to work locally, I gbp cloned
https://anonscm.debian.org/cgit/pkg-mozilla/icedove.git and prepared the
attached patch.
Luckily I found this existing bug while running reportbug :)
--
Gerald Turner <gtur...@unzane.com> Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
From 6f5f9f3bcf01e304092f07210e4ca437545de2aa Mon Sep 17 00:00:00 2001
From: Gerald Turner <gtur...@unzane.com>
Date: Tue, 13 Jun 2017 16:11:21 -0700
Subject: [PATCH] Modify thunderbird apparmor profile so that enigmail add-on
may work with gnupg since the transition to "modern" GnuPG (gnupg
2.1.11-7+exp1): /usr/bin/gpg is part of thunderbird's "gpg2" profile,
/usr/bin/gpg1 is part of [renamed] "gpg1" profile, and allow execution of
/usr/bin/gpgconf by "gpg2" profile;
---
debian/apparmor/usr.bin.thunderbird | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/debian/apparmor/usr.bin.thunderbird b/debian/apparmor/usr.bin.thunderbird
index 7cd064717b..272b54b8de 100644
--- a/debian/apparmor/usr.bin.thunderbird
+++ b/debian/apparmor/usr.bin.thunderbird
@@ -191,9 +191,9 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
/bin/uname Uxr,
/usr/bin/locale Uxr,
- /usr/bin/gpg Cx -> gpg,
+ /usr/bin/gpg1 Cx -> gpg1,
- profile gpg {
+ profile gpg1 {
#include <abstractions/base>
# Required to import keys from keyservers
@@ -210,7 +210,7 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
# LDAP key servers
/etc/ldap/ldap.conf r,
- /usr/bin/gpg mr,
+ /usr/bin/gpg1 mr,
/usr/lib/gnupg/gpgkeys_* ix,
owner @{HOME}/.gnupg r,
owner @{HOME}/.gnupg/gpg.conf r,
@@ -232,7 +232,7 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
/usr/share/sounds/** r,
}
- /usr/bin/gpg2 Cx -> gpg2,
+ /usr/bin/gpg Cx -> gpg2,
/usr/bin/gpgconf Cx -> gpg2,
/usr/bin/gpg-connect-agent Cx -> gpg2,
@@ -268,7 +268,7 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
owner @{HOME}/.gnupg/S.gpg-agent rw,
owner @{HOME}/.gnupg/S.dirmngr rw,
- /usr/bin/gpg2 mr,
+ /usr/bin/gpg mr,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/gpg.conf r,
owner @{HOME}/.gnupg/random_seed rwk,
@@ -283,6 +283,8 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
owner @{HOME}/** r,
owner @{PROC}/@{pids}/mountinfo r,
+ /usr/bin/gpgconf mr,
+
# for inline pgp
owner /tmp/encfile rw,
owner /tmp/encfile-[0-9]* rw,
--
2.11.0
signature.asc
Description: PGP signature
