From a7d92e1d8b541bffc2e2ceda4a070bc7cb4267e5 Mon Sep 17 00:00:00 2001
From: glitsj16 <glitsj16@users.noreply.github.com>
Date: Mon, 31 Jul 2023 11:22:31 +0000
Subject: thunderbird: D-Bus hardening (#5913)

---
 etc/profile-m-z/thunderbird.profile | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'etc/profile-m-z')

diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index f2405a7d3..17e2f0856 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -8,9 +8,17 @@ include globals.local
 
 ignore include whitelist-runuser-common.inc
 
-# writable-run-user and dbus are needed by enigmail
+# TB stopped supporting enigmail in 2020 (v78) - let's harden D-Bus
+# https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
 ignore dbus-user none
-ignore dbus-system none
+dbus-user filter
+dbus-user.own org.mozilla.thunderbird.*
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
+# e2ee email needs writable-run-user
+# https://support.mozilla.org/en-US/kb/introduction-to-e2e-encryption
 writable-run-user
 
 # If you want to read local mail stored in /var/mail edit /etc/apparmor.d/firejail-default accordingly
-- 
cgit v1.2.3-70-g09d2