I wanted to let you folks know this.
amnesia@amnesia:~$ cat /etc/apparmor.d/local/usr.bin.thunderbird
Shows nothing
The Thunderbird AppArmor profile via cat
/etc/apparmor.d/usr.bin.thunderbird shows that it does not block reading
the files under `/sys/class/net` and `/sys/devices/virtual/dmi/id/`.
The presence of /**/ r, (plus the surrounding broad / r, and /usr/** r,
lines) is the concrete part of the profile that “grants read access to
essentially the whole filesystem”, making the MAC‑address files under
`/sys/class/net` and the DMI files under `/sys/devices/virtual/dmi/id/`
reachable by Thunderbird, correct?
I don't see a later deny in the profile that overrides it to essentially
block read access to these two paths?
Why does Tor Browser aa profile block access but not Thunderbird? Why
shouldn't the profile be any different for Thunderbird in this regard?
On 9/2/25 15:16, Topi Toosi via Tails-dev wrote:
>
>
> David A. Wheeler:
>>
>> I'm not a member of the Tails release group. However, this doesn't
>> seem to be specific to Thunderbird or Tails. This is, in some sense,
>> the inevitable result of being a distribution, that is, packaging
>> software developed by many others who have their own schedule.
>
> The problem is specific to Thunderbird in that the security updates for
> it are typically released by Mozilla on the same day as the updates for
> Firefox.
>
> As Tails releases follow the Firefox update cycle, but Thunderbird is
> not updated at the same time, Thunderbird is almost always one release
> behind. I.e. there is no time when there are no publicly known
> vulnerabilities in the Tails version of Thunderbird.
>
>
>> If it *is* vulnerable to expected use (e.g., merely receiving &
>> reading an email would cause a takeover), I'd hope that the Tails team
>> would do an emergency release.
>
> To my knowledge Tails has never had an emergency release related to
> Thunderbird. Even when there have been vulnerabilities in Thunderbird
> which would have compromised the anonymity of the users.
>
>
>> I can imagine them doing some other things to compensate:
>> * making it easier to update from Debian directly
>> * working with Debian to compile with more hardening flags, to make it
>> harder to attack
>> * sandboxing Thunderbird
>
> Agreed. I would hope that actions such as these would be taken and
> documented somewhere.
>
>
>
> Cheers,
>
> Topi
--
Blessings,
- James M.
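
Added example (not part of the original message and not Tails or AppArmor project code): a simplified Python model of AppArmor file-rule matching, run over the three rules quoted in the message and over a hypothetical profile containing a deny rule. It assumes only the `*`, `**` and `?` globs, ignores variables, includes and symlink resolution, and models nothing else in the real Thunderbird profile; the profile texts and function names are constructed for illustration.

```python
import re

def glob_to_regex(glob):
    """Simplified AppArmor glob: '*' stays inside one path component, '**' crosses '/'."""
    out, i = [], 0
    while i < len(glob):
        stars = 2 if glob.startswith("**", i) else 1 if glob[i] == "*" else 0
        if stars:
            end = i + stars
            # A glob that forms a whole path component must match at least one character.
            whole = i > 0 and glob[i - 1] == "/" and (end == len(glob) or glob[end] == "/")
            if stars == 2:
                out.append("[^/].*" if whole else ".*")
            else:
                out.append("[^/]+" if whole else "[^/]*")
            i = end
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out) + r"\Z")

RULE = re.compile(r"^\s*(?P<deny>deny\s+)?(?P<path>/\S*)\s+(?P<perms>[a-zA-Z]+),")

def parse_rules(text):
    """Return (is_deny, path_regex, perms) for each plain file rule in the text."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0])
        if m:
            rules.append((bool(m["deny"]), glob_to_regex(m["path"]), m["perms"]))
    return rules

def can_read(rules, path):
    """Read is permitted if some allow rule with 'r' matches and no deny rule does.
    Directories are written with a trailing '/', as AppArmor rules write them."""
    allowed = False
    for is_deny, rx, perms in rules:
        if "r" in perms and rx.match(path):
            if is_deny:
                return False      # a matching deny always wins over allow rules
            allowed = True
    return allowed

# Constructed input 1: only the three rules quoted in the message.
QUOTED = parse_rules("/ r,\n/**/ r,\n/usr/** r,\n")
# Constructed input 2: hypothetical profile with a broad file allow plus a deny.
HYPOTHETICAL = parse_rules("/** r,\ndeny /sys/devices/virtual/dmi/id/** r,\n")
```

In this model a rule ending in `/` matches directory paths only, so whether a given file is readable depends on the other allow rules in the full profile, which have to be checked the same way.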