Bug #11964

The Thunderbird AppArmor profile should prevent users from opening attachments

Added by u about 1 year ago. Updated 2 months ago.

Status:
In Progress
Priority:
Elevated
Assignee:
Category:
-
Target version:
Start date:
11/19/2016
Due date:
% Done:

30%

QA Check:
Dev Needed
Feature Branch:
icedove:tails/stretch
Type of work:
Code
Blueprint:
Starter:
Affected tool:
Email Client

Description

We need to document this or fix it in Debian.

First step: research what's in the log and if it can be fixed.
Second step: Document it or upstream the fix to Debian.

Related issues

Related to Tails - Bug #10750: Ship an AppArmor profile for Icedove in Tails Resolved 02/05/2016
Blocked by Tails - Bug #11712: Have Icedove built from Stretch with our patchset applied in Tails 3.0 Resolved 08/24/2016
Blocks Tails - Bug #11973: Confine Thunderbird with AppArmor In Progress 11/20/2016
Blocks Tails - Feature #13245: Core work 2018Q1: Foundations Team Confirmed 06/29/2017

Associated revisions

Revision e0b8ef9f (diff)
Added by anonym 7 months ago

Enable the feature-11712-thunderbird APT overlay.

This will install thunderbird 1:45.8.0-3+tails2 built for amd64 on
Debian Stretch. Naturally it is a first step for the Icedove →
Thunderbird migration as well. And this package contains an AppArmor
profile (unlike the Debian Jessie package).

Refs: #12242
Will-fix: #11712, #11973

These packages also have the patch from the following upstream ticket
applied:

https://bugzilla.mozilla.org/show_bug.cgi?id=1281959

We enable browser.download.forbid_open_with so the "Open with..."
option is hidden in the attachment download dialog, since
Thunderbird's AppArmor profile does not allow starting applications in
Tails.

Refs: #11964

Revision 4f98782b (diff)
Added by anonym 7 months ago

Thunderbird: hide the "Open with..." option in the download dialog.

I.e. the dialog opened when double-clicking an attachment. "Open
with..." will not work since Thunderbird's AppArmor confinement
disallows starting applications.

Refs: #11964

Revision 5d848fb9 (diff)
Added by anonym 7 months ago

Revert "Thunderbird: hide the "Open with..." option in the download dialog."

This reverts commit 4f98782bb9c1adf937fb98e1bc12affaff4e9b5a.

We have postponed #11964 until after 3.0~rc1, and we want the rest of
the feature/11712-thunderbird branch merged for that.

Refs: #11964

Revision cc3b16ea (diff)
Added by intrigeri 7 months ago

Disable the Thunderbird AppArmor profile (refs: #11712, #12242, #11973, #11964).

The corresponding documentation is missing and I haven't seen this coordinated
with our tech writers:

I'd rather not break parts of the UX without a clear plan to explain
it to our users.

History

#1 Updated by intrigeri about 1 year ago

  • Related to Bug #10750: Ship an AppArmor profile for Icedove in Tails added

#2 Updated by intrigeri about 1 year ago

I guess that's strongly related to the UX work that we've done when we confined Tor Browser.

#3 Updated by u 11 months ago

  • Blocks Bug #11973: Confine Thunderbird with AppArmor added

#4 Updated by intrigeri 9 months ago

  • Target version set to Tails_3.0

I believe this will be a behavior change in Tails 3.0, that will include the AppArmor profile => setting Target version accordingly so it's on our radar.

#5 Updated by intrigeri 9 months ago

  • Blocks deleted (Bug #11973: Confine Thunderbird with AppArmor)

#6 Updated by intrigeri 9 months ago

  • Related to Bug #11973: Confine Thunderbird with AppArmor added

#7 Updated by u 9 months ago

  • Priority changed from Low to Elevated

#8 Updated by u 9 months ago

I've seen that Carsten has marked this as fixed here https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855346 but I need to investigate how it was fixed exactly.

#9 Updated by u 9 months ago

After some research and testing, this is not fixed in Debian.

The idea would be to make the Debian profile more permissive and allow launching eog, file-roller, libre-office, evince, gedit.

But in Tails, we will ideally want Icedove not to display the possibility of opening attachments directly. It should rather use the same fix as Tor Browser (upstreamed in FF50), using

// Given our AppArmor sandboxing, Tor Browser will not be allowed to
// open external applications, so let's not offer the option to the user,
// and instead only propose them to save downloaded files.
pref("browser.download.forbid_open_with", true);

found in: /etc/tor-browser/profile/preferences/0000tails.js

https://bugzilla.mozilla.org/show_bug.cgi?id=1281959

#10 Updated by u 9 months ago

I've proposed a more permissive file Upstream: https://code.launchpad.net/~u-d/apparmor-profiles/+git/apparmor-profiles/+merge/320276

This concerns only the Debian side of things. In Tails, we will want to remove this part of the profile.

Next steps: work on integrating the patch for Tails' Icedove.

#11 Updated by u 9 months ago

  • Assignee changed from u to anonym
  • QA Check set to Ready for QA
  • Feature Branch set to icedove:tails/jessie

u wrote:

After some research and testing, this is not fixed in Debian.

The idea would be to make the Debian profile more permissive and allow launching eog, file-roller, libre-office, evince, gedit.

But in Tails, we will ideally want Icedove not to display the possibility of opening attachments directly. It should rather use the same fix as Tor Browser (upstreamed in FF50), using
[...]

https://bugzilla.mozilla.org/show_bug.cgi?id=1281959

I'll continue to take care of the Debian side of things.

Meanwhile, I'd like anonym to review and test my modifications in the tails/jessie branch.

#12 Updated by intrigeri 8 months ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

Note that this new restriction may require some new documentation => please coordinate this with sajolida before merging :)

#13 Updated by intrigeri 8 months ago

  • Related to deleted (Bug #11973: Confine Thunderbird with AppArmor)

#14 Updated by intrigeri 8 months ago

  • Blocks Bug #11712: Have Icedove built from Stretch with our patchset applied in Tails 3.0 added

#15 Updated by intrigeri 8 months ago

  • Target version changed from Tails_3.0 to Tails_3.0~rc1

#16 Updated by anonym 7 months ago

  • Type of work changed from Research to Code

u wrote:

Meanwhile, I'd like anonym to review and test my modifications in the tails/jessie branch.

Where did you get the patch you imported? I'm wondering, cause it contains two syntax errors! From your commit 7e3ba02 that imports the patch:

+-    if (shouldntRememberChoice && !this.openWithDefaultOK()) {
++    if (shouldntRememberChoice && !this.openWithDefaultOK()) ||
++        Services.prefs.getBoolPref("browser.download.forbid_open_with")) {)

As you can see, the patched file will contain one syntax error because there is an opening parenthesis missing (so the || becomes dangling) which seems to have been misplaced to the opening of the conditional's body (where it is unmatched) causing yet another syntax error. It should be:

+-    if (shouldntRememberChoice && !this.openWithDefaultOK()) {
++    if ((shouldntRememberChoice && !this.openWithDefaultOK()) ||
++        Services.prefs.getBoolPref("browser.download.forbid_open_with")) {

and that was indeed how my original patch looked when I submitted to the Tor Browser devs (that they got upstreamed into Firefox). Neither the patch on the Mozilla tracker, nor the one in Tor Browser has this syntax error. Interesting! :)

Anyway, I've fixed it in the tails/stretch branch that I'm currently working on. I'll build new packages and test this soon.

#17 Updated by anonym 7 months ago

  • % Done changed from 10 to 30
  • QA Check changed from Ready for QA to Dev Needed
  • Feature Branch changed from icedove:tails/jessie to icedove:tails/stretch tails:feature/11712-thunderbird

My fix worked. However, if I right-click on an attached .txt, select "Open", then it opens in Gedit; in other words, we are still missing the AppArmor profile overrides. I casually tried adding these to /etc/apparmor.d/local/usr.bin.thunderbird:

  audit deny /usr/bin/exo-open xr,
  audit deny /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 xr,
  audit deny /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
  audit deny /etc/xdg/xfce4/helpers.rc r,

but it did seemingly nothing. I'll look into it with intrigeri, I suppose, unless you, u, see this and fix it ASAP (please push to the Tails feature branch in that case).
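A static check of the situation described in this comment (a launcher path is denied while other execute rules in the profile still allow a text editor to start), written as an added example that is not code from Tails or Debian; the profile text is constructed, and the function names are mine.

```python
import re

# Constructed sample in the style of a Debian AppArmor profile; it is NOT the
# real /etc/apparmor.d/usr.bin.thunderbird. The exo-open / exo-helper-1 paths
# come from the comment above; gedit stands in for the editor that still opened
# .txt attachments.
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/lib/thunderbird/thunderbird {
  #include <abstractions/base>
  /usr/bin/gedit Cxr -> sanitized_helper,
  /usr/bin/exo-open Cxr -> sanitized_helper,
  /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 Cxr -> sanitized_helper,
  /etc/xdg/xfce4/helpers.rc r,
  owner @{HOME}/.thunderbird/** rwk,
  audit deny /usr/bin/exo-open xr,
  #include <local/usr.bin.thunderbird>
}
"""

# One file rule: [audit] [deny] [owner] <path> <perms> [-> target],
RULE_RE = re.compile(
    r"^\s*(?:audit\s+)?(?P<deny>deny\s+)?(?:owner\s+)?"
    r"(?P<path>\S+)\s+(?P<perms>[A-Za-z]+)(?:\s*->\s*\S+)?\s*,\s*$")


def parse_file_rules(profile_text):
    """Return (is_deny, path, perms) for every file rule in the profile text."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((bool(m.group("deny")), m.group("path"), m.group("perms")))
    return rules


def exec_paths(profile_text):
    """Paths the confined process may execute, and paths explicitly denied.

    Any x mode (ix, px, Px, cx, Cx, ux, Ux) grants execution. AppArmor gives
    deny rules precedence over allow rules, so a path that is both allowed and
    denied is dropped from the allowed set. Paths are compared literally (no
    glob or @{variable} expansion), which is enough for a first review.
    """
    rules = parse_file_rules(profile_text)
    allowed = {p for deny, p, perms in rules if not deny and "x" in perms.lower()}
    denied = {p for deny, p, perms in rules if deny and "x" in perms.lower()}
    return sorted(allowed - denied), sorted(denied)


def includes_local_override(profile_text, name="usr.bin.thunderbird"):
    """True if rules put in /etc/apparmor.d/local/<name> are consulted at all."""
    pattern = r"^\s*#?include\s+<local/%s>" % re.escape(name)
    return re.search(pattern, profile_text, re.MULTILINE) is not None
```

Rules added under /etc/apparmor.d/local/ have no effect unless the main profile includes that file, and they only take effect after the profile is reloaded with `apparmor_parser -r /etc/apparmor.d/usr.bin.thunderbird`.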

#18 Updated by intrigeri 7 months ago

Before I review'n'merge this, I'd like to see a summary of what the intent is, i.e. what operations will be accepted/denied (and when denied, what's the user story you have in mind). Thanks in advance!

#19 Updated by intrigeri 7 months ago

  • Subject changed from Icedove's AppArmor profile prevents users from opening attachments to Icedove's AppArmor profile should prevent users from opening attachments

Retitling to express what we're trying to achieve here.

#20 Updated by intrigeri 7 months ago

  • Blocks deleted (Bug #11712: Have Icedove built from Stretch with our patchset applied in Tails 3.0)

#21 Updated by intrigeri 7 months ago

  • Blocked by Bug #11712: Have Icedove built from Stretch with our patchset applied in Tails 3.0 added

#22 Updated by intrigeri 7 months ago

  • Target version changed from Tails_3.0~rc1 to Tails_3.0

It seems that the AppArmor changes needed to prevent users from opening attachments have not been done anywhere yet. Correct? So let's postpone to 3.0. This doesn't block #11712 AFAICT (we can very well first ship a permissive profile, and later harden it).

#23 Updated by anonym 7 months ago

  • Feature Branch changed from icedove:tails/stretch tails:feature/11712-thunderbird to icedove:tails/stretch

I've reverted the only commit relevant to this ticket in tails:feature/11712-thunderbird. So 5d848fb956b4628ee79006a2a994d212b69fca48 should be reverted to enable this again.

#24 Updated by intrigeri 7 months ago

  • Related to Bug #11973: Confine Thunderbird with AppArmor added

#25 Updated by intrigeri 7 months ago

intrigeri wrote:

It seems that the AppArmor changes needed to prevent users from opening attachments have not been done anywhere yet.

I was wrong, sorry! As documented on #11973#note-24 the AppArmor profile included in Stretch already prevents attachments from being opened on Tails/Stretch. Assuming this is what we wanted (and IIRC it was), next steps are:

  • revert 5d848fb956b4628ee79006a2a994d212b69fca48 to hide the "Open with..." option in the dialog that opens when one double-clicks an attachment
  • have the end-user doc explain why we think this behaviour is preferable, and how one is supposed to open their attachments, as requested earlier (#11964#note-12)

I'll let you folks pick a suitable target version: I'd be fine with merging this in 3.0 if our doc writers are fine with it and a mergeable branch (including doc!) is ready by the end of May: this means it won't see much testing (except if we do a 3.0~rc2, not clear yet) and it will leave very little time for translators to do their job, but well... I really would like us to do a step forward on this topic, both to protect our users from some attacks, and to make us developers happy to have delivered something :)

#26 Updated by intrigeri 7 months ago

  • Related to deleted (Bug #11973: Confine Thunderbird with AppArmor)

#27 Updated by intrigeri 7 months ago

  • Blocks Bug #11973: Confine Thunderbird with AppArmor added

#28 Updated by anonym 7 months ago

intrigeri wrote:

intrigeri wrote:

It seems that the AppArmor changes needed to prevent users from opening attachments have not been done anywhere yet.

I was wrong, sorry! As documented on #11973#note-24 the AppArmor profile included in Stretch already prevents attachments from being opened on Tails/Stretch.

... except for files that will open in Gedit (e.g. .txt files). See #11973#note-27 for details.

#29 Updated by intrigeri 7 months ago

  • Subject changed from Icedove's AppArmor profile should prevent users from opening attachments to The Thunderbird AppArmor profile should prevent users from opening attachments

#30 Updated by anonym 6 months ago

  • Target version changed from Tails_3.0 to Tails_3.2

Since this change doesn't only depend on me, and I doubt I'll be able to coordinate with everyone else to get this done before 3.0, I'll postpone this to the next major release.

#31 Updated by intrigeri 6 months ago

#32 Updated by intrigeri 3 months ago

  • Target version changed from Tails_3.2 to Tails_3.5

(As per #11973#note-42.)

#33 Updated by intrigeri 2 months ago

#34 Updated by intrigeri 2 months ago

#35 Updated by intrigeri 2 months ago

  • Target version changed from Tails_3.5 to Tails_3.6

(3.4 will be a bugfix release)
