Bug #15610

AppArmor breaks importing public OpenPGP keys from email attachments

Added by intrigeri 4 months ago. Updated 3 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 05/21/2018
Due date:
% Done: 100%
QA Check: Pass
Feature Branch: bugfix/15602-efail
Type of work: Code
Blueprint:
Starter:
Affected tool: Email Client

Description

Initially reported on #15395#note-24:

That's because we set a custom $TMPDIR in config/chroot_local-includes/usr/local/bin/thunderbird. I don't think the rationale behind this custom $TMPDIR holds: we don't deny Thunderbird access to /tmp.


Related issues

Related to Tails - Bug #15395: Enigmail & AppArmor: Cannot get key from keyserver after finding it Resolved 03/12/2018
Blocks Tails - Feature #15139: Core work 2018Q2: Foundations Team Resolved 01/01/2018

Associated revisions

Revision 80ca5660 (diff)
Added by intrigeri 3 months ago

Don't give Thunderbird its own TMPDIR anymore and drop the corresponding, incomplete AppArmor profile adjustments (refs: #15610)

The rationale provided for this customization (a1fd1f0f, #9558) does not
hold here: the AppArmor profile allows Thunderbird to access /tmp anyway.

Besides, the AppArmor profile tweaks we had in place to match this custom
TMPDIR were incomplete: for example, as reported on #15395#note-24
this broke importing public OpenPGP keys from email attachments.
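
An added example (not code from the Tails repository): a simplified model of AppArmor file-rule matching that checks whether every profile confining a process that inherits a wrapper-set TMPDIR grants read/write access under it. The profile names, paths and rules are constructed for illustration, and the matcher covers only `*`, `**`, `?` and `{a,b}` globs and ignores the `owner` condition.

```python
import re

# Simplified model of an AppArmor file rule: [deny] [owner] <path-glob> <perms>,
RULE = re.compile(r"^\s*(deny\s+)?(?:owner\s+)?(/\S*)\s+([a-zA-Z]+),\s*$")

def glob_to_regex(glob):
    """Translate the glob subset *, **, ? and {a,b} into an anchored regex."""
    out, i, depth = "", 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # ** crosses directory separators
            out, i = out + ".*", i + 1
        elif c == "*":                    # * stays within one path component
            out += "[^/]*"
        elif c == "?":
            out += "[^/]"
        elif c == "{":
            out, depth = out + "(?:", depth + 1
        elif c == "}" and depth:
            out, depth = out + ")", depth - 1
        elif c == "," and depth:
            out += "|"
        else:
            out += re.escape(c)
        i += 1
    return re.compile(out + r"\Z")

def granted(profile_text, path):
    """Permissions a profile grants on path; deny rules override allow rules."""
    allow, deny = set(), set()
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if m and glob_to_regex(m.group(2)).match(path):
            (deny if m.group(1) else allow).update(m.group(3))
    return allow - deny

def uncovered(profiles, tmpdir, need="rw"):
    """Names of profiles that do not grant `need` on a file under tmpdir."""
    probe = tmpdir.rstrip("/") + "/probe.asc"
    return sorted(n for n, text in profiles.items()
                  if not set(need) <= granted(text, probe))

# Constructed profiles (hypothetical names and paths, not the Tails policy):
# the main profile was adjusted for the custom TMPDIR, the helper was not.
PROFILES = {
    "mail-client": "owner /tmp/** rwk,\nowner /home/*/.mailclient/tmp/** rwk,",
    "mail-client//gpg": "owner /tmp/** rw,\nowner /home/*/.gnupg/** rwk,",
}

if __name__ == "__main__":
    print(uncovered(PROFILES, "/home/user/.mailclient/tmp"))
    print(uncovered(PROFILES, "/tmp"))
```

Running the same check against the shared `/tmp` path shows why dropping the custom TMPDIR removes the denial in this model: both constructed profiles already cover it.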

Revision 163cc213
Added by intrigeri 3 months ago

Merge branch 'bugfix/15602-efail' into stable (refs: #15602, fix-committed: #15610)

History

#1 Updated by intrigeri 4 months ago

#2 Updated by intrigeri 4 months ago

  • Related to Bug #15395: Enigmail & AppArmor: Cannot get key from keyserver after finding it added

#3 Updated by intrigeri 3 months ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/15602-efail

#4 Updated by intrigeri 3 months ago

  • % Done changed from 10 to 50

Fixed on the topic branch.

#5 Updated by intrigeri 3 months ago

  • Assignee changed from intrigeri to segfault
  • QA Check set to Ready for QA

Same as #15602.

#6 Updated by segfault 3 months ago

  • QA Check changed from Ready for QA to Info Needed

I'm not sure if removing this (incompletely implemented) feature is the best solution. Couldn't we fix this by adding an AppArmor rule which allows Thunderbird access to its private tmp directory? Or don't you think that the private tmp makes sense at all? I verified that, as indicated in the comment, decrypted and opened attachments are indeed saved in this tmp directory, and I think it makes sense to not put these in /tmp, which other apparmored applications have whitelisted, but in the private tmp, which other apparmored applications are not able to access.

#7 Updated by segfault 3 months ago

  • Assignee changed from segfault to intrigeri

#8 Updated by intrigeri 3 months ago

  • Assignee changed from intrigeri to segfault
  • QA Check changed from Info Needed to Ready for QA

> I'm not sure if removing this (incompletely implemented) feature is the best solution. Couldn't we fix this by adding an AppArmor rule which allows Thunderbird access to its private tmp directory? Or don't you think that the private tmp makes sense at all? I verified that, as indicated in the comment, decrypted and opened attachments are indeed saved in this tmp directory, and I think it makes sense to not put these in /tmp, which other apparmored applications have whitelisted, but in the private tmp, which other apparmored applications are not able to access.

I totally agree that would be best.

Now, some context:

  • At some point we had a sponsor deliverable about migrating to Thunderbird; when we realized the timeline of security updates in Debian conflicted with our release schedule, we decided that this deliverable required confining Thunderbird with AppArmor.
  • Therefore, Thunderbird was confined with AppArmor. It took ages because while those who were responsible for the sponsor deliverable did some preliminary work, it was never finished and I ended up spending countless hours polishing it to make it releasable.
  • That preliminary work included, for some reason, raising the bar higher than required initially, with this custom $TMPDIR thing. As we can see here, that part was never polished and now we realize that it breaks real use cases.
  • The AppArmor policy for Thunderbird is very relaxed currently; we've been discussing for a while if we wanted to make it stricter (and after years of discussion elsewhere, #11964 was created).

So now I'm focusing on making things work in the simplest possible way. Given the above history, I'm not comfortable with hardening improvements that add complexity via a bigger delta that in the end I have to maintain. Now, if someone takes responsibility for this area of Tails, decides they want to harden things further at the cost of some additional complexity and maintenance work: by all means, fine by me :) But that won't be on the Foundations Team's plate IMO.

All this being said: I very much appreciate your attention to detail here! :)

#9 Updated by intrigeri 3 months ago

#10 Updated by intrigeri 3 months ago

  • Status changed from In Progress to Fix committed
  • Assignee deleted (segfault)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

Merged into stable.

#11 Updated by intrigeri 3 months ago

  • Status changed from Fix committed to Resolved
