Dear Maintainer,
I am suggesting fixing this issue by providing a @{thunderbird_user_dirs} variable that could be modified by the user to
add additional paths, such as `/home/me/Archives` or `/mnt/foo`. This kind of functionality is discussed on the AppArmor mailing
list [0].
I have tested with `/etc/apparmor.d/local/tunables/usr.bin.thunderbird` having
this content:
```
@{thunderbird_user_dirs} += /mnt/foo /home/vincas/Archive/
```
And it solves this issue, provided that the profile has the patch applied, of course.
_The question is_, will you agree to ship an empty file `/etc/apparmor.d/local/tunables/usr.bin.thunderbird`? We do not
have "#include_if_exists" or a similar mechanism in the AppArmor parser to avoid that yet.
Additionally, maybe Thunderbird's README could have useful information about
this customization point.
I have attached a WIP patch that I will propose as an AppArmor pull request myself,
but only if you agree with this plan.
[0] https://lists.ubuntu.com/archives/apparmor/2017-December/011350.html
diff --git a/ubuntu/18.04/usr.bin.thunderbird b/ubuntu/18.04/usr.bin.thunderbird
index b656108..4d1f3cc 100644
--- a/ubuntu/18.04/usr.bin.thunderbird
+++ b/ubuntu/18.04/usr.bin.thunderbird
@@ -8,6 +8,11 @@
#include <tunables/global>
+# Directories where .thunderbird directory might reside in
+@{thunderbird_user_dirs} = @{HOME}
+
+#include <local/tunables/usr.bin.thunderbird>
+
profile thunderbird /usr/lib/thunderbird/thunderbird {
#include <abstractions/audio>
#include <abstractions/aspell>
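Review bot: The comment added above `@{thunderbird_user_dirs} = @{HOME}` does not tell an administrator how the variable is meant to be extended, and the `#include <local/tunables/usr.bin.thunderbird>` that follows is unconditional, so the profile stops parsing if that local file is missing. I would expand the comment to `# Directories where the .thunderbird directory might reside. Extend with "@{thunderbird_user_dirs} += /some/dir" in local/tunables/usr.bin.thunderbird (that file must exist).` It is also worth stating that every rule using this variable is `owner`-qualified, so an appended directory only opens files owned by the user running Thunderbird; that keeps anyone from adding a shared mount expecting group-readable profiles to work.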
@@ -160,12 +165,12 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
/**/ r,
# per-user thunderbird configuration
- owner @{HOME}/.{icedove,thunderbird}/ rw,
- owner @{HOME}/.{icedove,thunderbird}/** rw,
- owner @{HOME}/.{icedove,thunderbird}/**/storage.sdb k,
- owner @{HOME}/.{icedove,thunderbird}/**/*.{db,parentlock,sqlite}* k,
- owner @{HOME}/.{icedove,thunderbird}/plugins/** rm,
- owner @{HOME}/.{icedove,thunderbird}/**/plugins/** rm,
+ owner @{thunderbird_user_dirs}/.{icedove,thunderbird}/ rw,
+ owner @{thunderbird_user_dirs}/.{icedove,thunderbird}/** rw,
+ owner @{thunderbird_user_dirs}/.{icedove,thunderbird}/**/storage.sdb k,
+ owner @{thunderbird_user_dirs}/.{icedove,thunderbird}/**/*.{db,parentlock,sqlite}* k,
+ owner @{thunderbird_user_dirs}/.{icedove,thunderbird}/plugins/** rm,
+ owner @{thunderbird_user_dirs}/.{icedove,thunderbird}/**/plugins/** rm,
owner @{HOME}/.cache/thunderbird/ rw,
owner @{HOME}/.cache/thunderbird/** rw,
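Review bot: The `# per-user thunderbird configuration` comment now heads a mix of relocatable and fixed paths: the six rewritten rules follow @{thunderbird_user_dirs}, while the two `.cache/thunderbird` rules beneath them appear to stay tied to @{HOME}. A short note would prevent an administrator from expecting the cache to move as well, e.g. `# per-user thunderbird configuration (profile dir may live in any @{thunderbird_user_dirs} entry; cache stays under @{HOME})`. Whether the cache was meant to stay fixed is not visible from the hunk, so the author should confirm before wording it as intent.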
@@ -176,7 +181,7 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
# Extensions
# /usr/share/.../extensions/... is already covered by '/usr/** r', above.
# Allow 'x' for downloaded extensions, but inherit policy for safety
- owner @{HOME}/.{icedove,thunderbird}/**/extensions/** mixrw,
+ owner @{thunderbird_user_dirs}/.{icedove,thunderbird}/**/extensions/** mixrw,
owner @{HOME}/.mozilla/extensions/** mixr,
/usr/share/xul-ext/**/*.sqlite rk,
/usr/lib/mozilla/plugins/*.so rm,
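Review bot: The justification for 'x' on the extensions rule now applies to every directory in @{thunderbird_user_dirs}, not only @{HOME}, so a path an administrator appends in the local tunable (for example a removable or shared mount) also becomes a location where downloaded extension code may execute under the inherited profile. The comment on the line above should reflect that widening, e.g. `# Allow 'x' for downloaded extensions in any @{thunderbird_user_dirs} entry, but inherit policy for safety`. The `owner` qualifier is retained, which keeps this limited to files owned by the running user.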
@@ -216,10 +221,10 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
/usr/share/xul-ext/enigmail/chrome/enigmail.jar r,
# silence noise from enigmail 1.9+
- deny owner @{HOME}/.{icedove,thunderbird}/*/.parentlock w,
- deny owner @{HOME}/.{icedove,thunderbird}/*/panacea.dat w,
- deny owner @{HOME}/.{icedove,thunderbird}/*/*.mab w,
- deny owner @{HOME}/.{icedove,thunderbird}/**/*.msf w,
+ deny owner @{thunderbird_user_dirs}/.{icedove,thunderbird}/*/.parentlock w,
+ deny owner @{thunderbird_user_dirs}/.{icedove,thunderbird}/*/panacea.dat w,
+ deny owner @{thunderbird_user_dirs}/.{icedove,thunderbird}/*/*.mab w,
+ deny owner @{thunderbird_user_dirs}/.{icedove,thunderbird}/**/*.msf w,
deny owner @{HOME}/.cache/thunderbird/**/_CACHE_* w,
# noise from inherited files