
Bug#1005023: thunderbird subprocess (glxtest) dumps core on startup (with apparmor)


Bertram Felgenhauer

Feb 5, 2022, 11:10:03 AM2/5/22
Package: thunderbird
Version: 1:91.5.1-1+b2
Severity: normal

Dear Maintainer,

on startup, thunderbird generates a core dump when apparmor is enabled. Apart from that, the program works fine.


*** To reproduce:

> thunderbird
[GFX1-]: No GPUs detected via PCI
[GFX1-]: glxtest: process failed (received signal 11)
[...]

> file core
core: ELF 64-bit LSB core file, x86-64, version 1 (SYSV), SVR4-style, from '/usr/lib/thunderbird/thunderbird', real uid: 1000, effective uid: 1000, real gid: 1000, effective gid: 1000, execfn: '/usr/lib/thunderbird/thunderbird', platform: 'x86_64'

[Note: in most installations the core dumps will be managed by `systemd-coredump`, and probably need to be accessed with `coredumpctl`]


*** Local fix:

# echo '/sys/devices/pci[0-9]*/**/class r,' >> /etc/apparmor.d/local/usr.bin.thunderbird
# systemctl restart apparmor.service

This augments the existing rules for /sys/devices/pci in /etc/apparmor.d/usr.bin.thunderbird,

/sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,

to include the `class` file as well.


*** Supporting analysis:

I installed the -dbgsym packages for thunderbird and libpci to obtain a backtrace:

> gdb /usr/lib/thunderbird/thunderbird core
[...]
(gdb) bt
#0 UnexpectedExit() () at ./toolkit/xre/nsAppRunner.cpp:399
#1 0x00007fa0be447f67 in __run_exit_handlers (status=status@entry=1, listp=0x7fa0be5c5738 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
#2 0x00007fa0be44810a in __GI_exit (status=status@entry=1) at exit.c:139
#3 0x00007fa0b30998e1 in pci_generic_error (msg=0x7fa0b30a1415 "Cannot open %s: %s") at init.c:131
#4 0x00007fa0b309ece2 in sysfs_get_string (d=d@entry=0x7fa0be2d2120, object=object@entry=0x7fa0b30a1bd2 "class", buf=buf@entry=0x7ffccff099a0 "0x6fb5\n", mandatory=mandatory@entry=1) at sysfs.c:103
#5 0x00007fa0b309f508 in sysfs_get_value (mandatory=1, object=0x7fa0b30a1bd2 "class", d=0x7fa0be2d2120) at sysfs.c:145
#6 sysfs_fill_info (d=0x7fa0be2d2120, flags=33) at sysfs.c:311
#7 0x00007fa0b309a27f in pci_fill_info_v35 (d=d@entry=0x7fa0be2d2120, flags=flags@entry=33) at access.c:201
#8 0x00007fa0b7a477f6 in get_pci_status() () at ./toolkit/xre/glxtest.cpp:391
#9 childgltest() () at ./toolkit/xre/glxtest.cpp:1354
#10 0x00007fa0b7a48136 in fire_glxtest_process() () at ./toolkit/xre/glxtest.cpp:1403
#11 0x00007fa0b7a3d90b in XREMain::XRE_mainInit(bool*) (this=<optimized out>, this@entry=0x7ffccff0a920, aExitFlag=aExitFlag@entry=0x7ffccff0a8af) at ./toolkit/xre/nsAppRunner.cpp:3623
#12 0x00007fa0b7a44588 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) (this=this@entry=0x7ffccff0a920, argc=argc@entry=1, argv=argv@entry=0x7ffccff0bb98, aConfig=...) at ./toolkit/xre/nsAppRunner.cpp:5408
#13 0x00007fa0b7a44970 in XRE_main(int, char**, mozilla::BootstrapConfig const&) (argc=1, argv=0x7fa0b7a3e5c0 <UnexpectedExit()>, aConfig=...) at ./toolkit/xre/nsAppRunner.cpp:5493
#14 0x0000559272bf7198 in do_main(int, char**, char**) (argc=1, argv=0x7ffccff0bb98, envp=<optimized out>) at ./comm/mail/app/nsMailApp.cpp:229
#15 main(int, char**, char**) (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at ./comm/mail/app/nsMailApp.cpp:368
(gdb) frame 4
(gdb) print mandatory
$1 = 1
(gdb) print (char *)namebuf
$2 = 0x7ffccff09100 "/sys/bus/pci/devices/0000:ff:15.1/class"
(gdb) q

So we're hitting this code in libpci,

https://github.com/pciutils/pciutils/blob/v3.7.0/lib/sysfs.c#L103

and because `mandatory` is set this is treated as an error by libpci.

dmesg points to apparmor as the cause:

# dmesg
[...]
[21096.091105] audit: type=1400 audit(1644074114.165:64): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci0000:ff/0000:ff:15.1/class" pid=118142 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[21096.091119] thunderbird[118142]: segfault at 0 ip 00007fa0b7a3e5e7 sp 00007ffccff08fa0 error 6 in libxul.so[7fa0b47d5000+4e9b000]
[...]


-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-3-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages thunderbird depends on:
ii debianutils 5.7-0.1
ii fontconfig 2.13.1-4.4
ii libatk1.0-0 2.36.0-3
ii libbotan-2-19 2.19.1+dfsg-2
ii libbz2-1.0 1.0.8-5
ii libc6 2.33-5
ii libcairo-gobject2 1.16.0-5
ii libcairo2 1.16.0-5
ii libdbus-1-3 1.12.20-3
ii libdbus-glib-1-2 0.112-2
ii libevent-2.1-7 2.1.12-stable-1
ii libffi8 3.4.2-4
ii libfontconfig1 2.13.1-4.4
ii libfreetype6 2.11.1+dfsg-1
ii libgcc-s1 11.2.0-16
ii libgdk-pixbuf-2.0-0 2.42.6+dfsg-2
ii libglib2.0-0 2.70.3-1
ii libgtk-3-0 3.24.31-1
ii libjson-c5 0.15-2
ii libnspr4 2:4.32-3
ii libnss3 2:3.73.1-1
ii libpango-1.0-0 1.50.3+ds1-6
ii libstdc++6 11.2.0-16
ii libvpx7 1.11.0-2
ii libx11-6 2:1.7.2-2+b1
ii libx11-xcb1 2:1.7.2-2+b1
ii libxcb-shm0 1.14-3
ii libxcb1 1.14-3
ii libxext6 2:1.3.4-1
ii libxrender1 1:0.9.10-1
ii psmisc 23.4-2
ii x11-utils 7.7+5
ii zenity 3.41.0-2
ii zlib1g 1:1.2.11.dfsg-2

Versions of packages thunderbird recommends:
ii hunspell-en-us [hunspell-dictionary] 1:2020.12.07-2

Versions of packages thunderbird suggests:
ii apparmor 3.0.3-6
ii fonts-lyx 2.3.6-1
ii libgssapi-krb5-2 1.18.3-7

-- no debconf information

Fabien Orjollet

Jul 20, 2022, 7:00:04 AM7/20/22
Package: thunderbird
Version: 1:91.11.0-1~deb11u1
Followup-For: Bug #1005023

Hello,

I noticed the same segfault in /var/log/syslog:

kernel: [ 2425.452348] audit: type=1400 audit(1658307190.587:64): apparmor="DENIED" operation="capable" profile="thunderbird" pid=13086 comm="thunderbird" capability=21 capname="sys_admin"
kernel: [ 2425.470937] thunderbird[13097]: segfault at 0 ip 00007f9b094a5237 sp 00007ffd829aa710 error 6
kernel: [ 2425.470940] audit: type=1400 audit(1658307190.603:65): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci0000:00/0000:00:14.0/class" pid=13097 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [ 2425.470943] in libxul.so[7f9b0629e000+4f7e000]
kernel: [ 2425.470946] Code: 0f 1f 00 48 83 ec 08 80 3d e5 14 60 04 00 74 02 58 c3 c6 05 da 14 60 04 01 48 8d 05 39 01 15 03 48 8b 0d dc 01 56 04 48 89 01 <c7> 04 25 00 00 00 00 8f 01 00 00 e8 41 39 e0 fc 66 0f 1f 84 00 00
kernel: [ 2425.646619] audit: type=1400 audit(1658307190.779:66): apparmor="DENIED" operation="open" profile="thunderbird" name="/proc/13086/cgroup" pid=13086 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [ 2425.730813] audit: type=1400 audit(1658307190.863:67): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/user/.icons/default/index.theme" pid=13086 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [ 2425.730993] audit: type=1400 audit(1658307190.863:68): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/user/.icons/default/index.theme" pid=13086 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [ 2425.731120] audit: type=1400 audit(1658307190.863:69): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/user/.icons/default/index.theme" pid=13086 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [ 2425.731231] audit: type=1400 audit(1658307190.863:70): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/user/.icons/default/index.theme" pid=13086 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [ 2425.731380] audit: type=1400 audit(1658307190.863:71): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/user/.icons/default/index.theme" pid=13086 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [ 2425.731487] audit: type=1400 audit(1658307190.863:72): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/user/.icons/default/index.theme" pid=13086 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

This is on a system that has been installed with Stretch, then upgraded to Buster and then to Bullseye.

#> find /etc/ -name "usr.bin.thunderbird" -exec ls -l '{}' \;
-rw-r--r-- 1 root root 126 Aug 29 2017 /etc/apparmor.d/local/usr.bin.thunderbird
-rw-r--r-- 1 root root 14174 May 6 2020 /etc/apparmor.d/usr.bin.thunderbird

#> find /etc/ -name "usr.bin.thunderbird" -exec md5sum '{}' \;
99cde8fc85715eaf8d5343a7b66bf46f /etc/apparmor.d/local/usr.bin.thunderbird
9f666406d2637c3efd794bdbc67daa77 /etc/apparmor.d/usr.bin.thunderbird

#> cat /etc/apparmor.d/local/usr.bin.thunderbird
# Site-specific additions and overrides for usr.bin.thunderbird.
# For more details, please see /etc/apparmor.d/local/README.

#> cat /etc/apparmor.d/usr.bin.thunderbird
# vim:syntax=apparmor
# Author: Simon Deziel <simon.deziel at gmail_com>
# This apparmor profile is derived from firefox profile
# by Jamie Strandboge <ja...@canonical.com>

# Declare an apparmor variable to help with overrides
@{MOZ_LIBDIR}=/usr/lib/thunderbird

#include <tunables/global>

profile thunderbird /usr/lib/thunderbird/thunderbird{,-bin} {
#include <abstractions/audio>
#include <abstractions/aspell>
#include <abstractions/cups-client>
# TODO: finetune this for required accesses
#include <abstractions/dbus>
#include <abstractions/dbus-accessibility>
#include <abstractions/dbus-session>
#include <abstractions/dconf>
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/nameservice>
#include <abstractions/nvidia>
#include <abstractions/p11-kit>
#include <abstractions/private-files>
#include <abstractions/ssl_certs>
#include <abstractions/ubuntu-browsers>
#include <abstractions/ubuntu-browsers.d/java>
#include <abstractions/ubuntu-helpers>

# Backported from the mesa abstraction, available in AppArmor >2.13
# System files
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()

# User files
owner @{HOME}/.cache/ w, # if user clears all caches
owner @{HOME}/.cache/mesa_shader_cache/ w,
owner @{HOME}/.cache/mesa_shader_cache/index rw,
owner @{HOME}/.cache/mesa_shader_cache/??/ w,
owner @{HOME}/.cache/mesa_shader_cache/??/* rw,
# End of backported mesa abstraction

# Backported from the dri-enumerate abstraction, available in AppArmor 2.13
/sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,

# Allow opening attachments
# TODO: create and use abstractions for opening various file formats
/{usr/local/,usr/,}bin/* Cx -> sanitized_helper,
/usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,

# Allow opening links
# GDesktopAppInfo in GLib 2.64.x uses a very small shell script
# to launch .desktop files, instead of gio-launch-desktop
/{usr/,}bin/{dash,bash} ixr,
# With older GLib we might still be on the fallback code path
# (remove this after Debian 11 and Ubuntu 20.04)
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,

# For Xubuntu to launch the browser
/usr/bin/exo-open ixr,
/usr/lib/@{multiarch}/xfce4/exo-[1-9]/exo-helper-[1-9] ixr,
/etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
/etc/xdg/xfce4/helpers.rc r,
owner @{HOME}/.config/xfce4/helpers.rc r,

# for crash reports?
ptrace (read,trace) peer=@{profile_name},

/usr/lib/thunderbird/thunderbird{,-bin} ixr,

# Pulseaudio
/usr/bin/pulseaudio Pixr,

owner @{HOME}/.{cache,config}/dconf/user rw,
owner @{HOME}/.cache/thumbnails/** r,
owner /run/user/[0-9]*/dconf/user rw,
owner @{HOME}/.config/gtk-3.0/bookmarks r,
deny owner @{HOME}/.local/share/gvfs-metadata/* r,

# potentially extremely sensitive files
audit deny @{HOME}/.gnupg/** mrwkl,
audit deny @{HOME}/.ssh/** mrwkl,

# rw access to HOME is useful when sending/receiving attachments
owner @{HOME}/[^.]** rw,

# other commonly used locations
/{data,media,mnt,srv}/** r,
owner /{data,media,mnt,srv}/** rw,
owner @{HOME}/.signature* r,

# Required for LVM setups
/sys/devices/virtual/block/dm-[0-9]*/uevent r,

# Addons (too lax for thunderbird)
##include <abstractions/ubuntu-browsers.d/firefox>

# for networking
network inet stream,
network inet6 stream,
@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,
@{PROC}/[0-9]*/net/dev r,
@{PROC}/[0-9]*/net/wireless r,
@{PROC}/[0-9]*/net/arp r,

# should maybe be in abstractions
/etc/ r,
/etc/mime.types r,
/etc/mailcap r,
/etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
/etc/xfce4/defaults.list r,
/usr/share/xubuntu/applications/defaults.list r,
owner /dev/shm/org.chromium.* rw, # for Chromium IPC
owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw, # for Chromium IPC
owner @{HOME}/.cache/fontconfig/*.cache-* rwk,
owner @{HOME}/.local/share/applications/defaults.list r,
owner @{HOME}/.local/share/applications/mimeapps.list r,
owner @{HOME}/.local/share/applications/mimeinfo.cache r,
owner @{HOME}/.recently-used r,
/tmp/.X[0-9]*-lock r,
/etc/udev/udev.conf r,
# Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
# Possibly move to an abstraction if anything else needs it.
deny /run/udev/data/** r,

/etc/timezone r,
/etc/wildmidi/wildmidi.cfg r,

# thunderbird specific
/etc/thunderbird/ r,
/etc/thunderbird/** r,
/etc/xul-ext/** r,
/etc/xulrunner-2.0*/ r,
/etc/xulrunner-2.0*/** r,
/etc/gre.d/ r,
/etc/gre.d/* r,

# noisy
deny @{MOZ_LIBDIR}/** w,
deny /usr/lib/thunderbird-addons/** w,
deny /usr/lib/xulrunner-addons/** w,
deny /usr/lib/xulrunner-*/components/*.tmp w,
deny /.suspended r,
deny /boot/initrd.img* r,
deny /boot/vmlinuz* r,
deny /var/cache/fontconfig/ w,

# noisy file dialog:
#
# TODO: remove these rules when file dialogs becomes "trusted helpers" that can
# read anything, or ability to override `deny` rules is implemented [0].
#
# NOTE: modify `local/usr.bin.thunderbird` to add `deny` rules for cases not
# mentioned here when `DENIED` messages appear for dot files in kernel (or audit)
# logs. If that case is believed to be common enough, please report bug against
# package shipping this profile in order to extend this list.
#
# [0] https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/451422
deny @{HOME}/.KiCad r,
deny @{HOME}/.abbrev_defs r,
deny @{HOME}/.aspell.*.{prepl,pws} r,
deny @{HOME}/.bashrc r,
deny @{HOME}/.bash_logout r,
deny @{HOME}/.bbdb r,
deny @{HOME}/.caffrc r,
deny @{HOME}/.colordiffrc r,
deny @{HOME}/.cvpcb r,
deny @{HOME}/.cvspass r,
deny @{HOME}/.devscripts r,
deny @{HOME}/.directory r,
deny @{HOME}/.dpt.conf r,
deny @{HOME}/.dput.cf r,
deny @{HOME}/.dupload.conf r,
deny @{HOME}/.eeschema r,
deny @{HOME}/.emacs r,
deny @{HOME}/.emacs.bmk r,
deny @{HOME}/.emacs.desktop* r,
deny @{HOME}/.fehbg r,
deny @{HOME}/.forward r,
deny @{HOME}/.gbp.conf r,
deny @{HOME}/.gerbview r,
deny @{HOME}/.gitconfig r,
deny @{HOME}/.gitk r,
deny @{HOME}/.gtk-recordmydesktop r,
deny @{HOME}/.gtkrc-2.0 r,
deny @{HOME}/.i18n r,
deny @{HOME}/.ido.last r,
deny @{HOME}/.iftoprc r,
deny @{HOME}/.inputrc r,
deny @{HOME}/.jigdo-lite r,
deny @{HOME}/.kicad r,
deny @{HOME}/.kicad_common r,
deny @{HOME}/.lesshst r,
deny @{HOME}/.listadmin.ini r,
deny @{HOME}/.minicpanrc r,
deny @{HOME}/.mostrc r,
deny @{HOME}/.mrconfig r,
deny @{HOME}/.mrlog r,
deny @{HOME}/.mrtrust r,
deny @{HOME}/.my.cnf r,
deny @{HOME}/.newsrc-dribble r,
deny @{HOME}/.newsrc.eld r,
deny @{HOME}/.notmuch-config r,
deny @{HOME}/.offlineimaprc r,
deny @{HOME}/.pam_environment r,
deny @{HOME}/.pbuilderrc r,
deny @{HOME}/.pcbnew r,
deny @{HOME}/.perldb r,
deny @{HOME}/.perltidyrc r,
deny @{HOME}/.pgadmin3 r,
deny @{HOME}/.pgadmin_histoqueries r,
deny @{HOME}/.pgpass r,
deny @{HOME}/.python_history r,
deny @{HOME}/.pythonhist r,
deny @{HOME}/.quiltrc r,
deny @{HOME}/.reportbug-ng r,
deny @{HOME}/.reportbugrc r,
deny @{HOME}/.rnd r,
deny @{HOME}/.screenrc r,
deny @{HOME}/.selected_editor r,
deny @{HOME}/.steam/bin{32,64}/steam r, # through a symlink
deny @{HOME}/.steam/steam.pid r, # through a symlink
deny @{HOME}/.steam/ubuntu12_{32,64}/steam r, # through a symlink
deny @{HOME}/.sudo_as_admin_successful r,
deny @{HOME}/.swp r,
deny @{HOME}/.taskrc r,
deny @{HOME}/.tmux.conf r,
deny @{HOME}/.vboxclient-*.pid r,
deny @{HOME}/.vimrc r,
deny @{HOME}/.wget-hsts r,
deny @{HOME}/.xchm r,
deny @{HOME}/.xfce4-session.verbose-log* r,
deny @{HOME}/.xim.template r,
deny @{HOME}/.xinitrc.template r,
deny @{HOME}/.xinputrc r,
deny @{HOME}/.xscreensaver r,
deny @{HOME}/.xsession*errors* r,
deny @{HOME}/.xsessionrc r,
deny @{HOME}/.Xresources r,
deny @{HOME}/.Xsession r,
deny @{HOME}/.zcompdump r,
deny @{HOME}/.zlogout r,
deny @{HOME}/.zshrc r,

# TODO: investigate
deny /usr/bin/gconftool-2 x,

# Deny proprietary NVIDIA driver optimizations
# TODO: remove once it can be disabled via conditionals set up in nvidia abstraction
deny /tmp/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9] m,
deny /tmp/.gl?????? mrw,
deny @{HOME}/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9]{,[0-9]} m,
deny @{HOME}/.nv/.gl?????? mrw,

owner @{PROC}/[0-9]*/mountinfo r,
owner @{PROC}/[0-9]*/stat r,
owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
/sys/devices/pci[0-9]*/**/uevent r,
/sys/devices/pci*/**/config r,
/sys/devices/system/node/node[0-9]*/meminfo r,
/etc/mtab r,
/etc/fstab r,

# Needed for the crash reporter
owner @{PROC}/[0-9]*/environ r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/cmdline r,
/etc/lsb-release r,
/etc/ssl/openssl.cnf r,
/usr/lib/thunderbird/crashreporter ix,
/usr/bin/expr ix,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,

# about:memory
owner @{PROC}/[0-9]*/statm r,
owner @{PROC}/[0-9]*/smaps r,

# Needed for container to work in xul builds
/usr/lib/xulrunner-*/plugin-container ixr,

# allow access to documentation and other files the user may want to look
# at in /usr and /opt
/usr/ r,
/usr/** r,
/opt/ r,
/opt/** r,

# so browsing directories works
/ r,
/**/ r,

# per-user thunderbird configuration
owner @{HOME}/.{icedove,thunderbird}/ rw,
owner @{HOME}/.{icedove,thunderbird}/** rw,
owner @{HOME}/.{icedove,thunderbird}/**/storage.sdb k,
owner @{HOME}/.{icedove,thunderbird}/**/*.{db,parentlock,sqlite}* k,
owner @{HOME}/.{icedove,thunderbird}/plugins/** rm,
owner @{HOME}/.{icedove,thunderbird}/**/plugins/** rm,
owner @{HOME}/.cache/thunderbird/ rw,
owner @{HOME}/.cache/thunderbird/** rw,

# system emails
owner /var/mail/* rwlk,

#
# Extensions
# /usr/share/.../extensions/... is already covered by '/usr/** r', above.
# Allow 'x' for downloaded extensions, but inherit policy for safety
owner @{HOME}/.{icedove,thunderbird}/**/extensions/** mixrw,
owner @{HOME}/.mozilla/ rw,
owner @{HOME}/.mozilla/extensions/ rw,
owner @{HOME}/.mozilla/extensions/** mixr,
/usr/share/xul-ext/**/*.sqlite rk,
/usr/lib/mozilla/plugins/*.so rm,
/usr/lib/xul-ext/**/*.sqlite rk,
/usr/lib/thunderbird-addons/extensions/**/*.sqlite rk,

deny @{MOZ_LIBDIR}/update.test w,
deny /usr/lib/mozilla/extensions/**/ w,
deny /usr/lib/xulrunner-addons/extensions/**/ w,
deny /usr/share/mozilla/extensions/**/ w,
deny /usr/share/mozilla/ w,

/usr/bin/gpg Cx -> gpg,
/usr/bin/gpg2 Cx -> gpg,
/usr/bin/gpgconf Cx -> gpg,
/usr/bin/gpg-connect-agent Cx -> gpg,
/usr/lib/gnupg/gpg-wks-client ix,
/{,usr/}bin/ps ix,

# TB tries to create this file but has no business doing so
deny @{HOME}/.gnupg/gpg-agent.conf w,

profile gpg {
#include <abstractions/base>

# Required to import keys from keyservers
#include <abstractions/nameservice>
#include <abstractions/p11-kit>

/usr/share/xul-ext/enigmail/chrome/** r,

# silence noise from enigmail 1.9+
deny owner @{HOME}/.{icedove,thunderbird}/*/.parentlock w,
deny owner @{HOME}/.{icedove,thunderbird}/*/panacea.dat w,
deny owner @{HOME}/.{icedove,thunderbird}/*/*.mab w,
deny owner @{HOME}/.{icedove,thunderbird}/**/*.msf w,
deny owner @{HOME}/.cache/thunderbird/**/_CACHE_* w,

# noise from inherited files
deny @{HOME}/.{icedove,thunderbird}/*/ImapMail/*/INBOX w,
deny /usr/{lib,share}/thunderbird/omni.ja r,
deny /usr/share/thunderbird/extensions/** r,

# For smartcards?
/dev/bus/usb/ r,
/dev/bus/usb/[0-9]*/ r,
/dev/bus/usb/[0-9]*/[0-9]* r,

# LDAP key servers
/etc/ldap/ldap.conf r,

/usr/bin/gpg mr,
/usr/bin/gpg2 mr,
/usr/bin/gpgconf mr,
/usr/bin/gpg-connect-agent mr,
/usr/lib/gnupg/gpgkeys_* ix,
/usr/lib/gnupg2/gpg2keys_* ix,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/gpg.conf r,
owner @{HOME}/.gnupg/random_seed rwk,
owner @{HOME}/.gnupg/pubring.{gpg,kbx}{,~} rw,
owner @{HOME}/.gnupg/secring.gpg rw,
owner @{HOME}/.gnupg/trustdb.gpg rw,
owner @{HOME}/.gnupg/tofu.db{,-journal} rwk,
owner @{HOME}/.gnupg/S.gpg-agent rw,
owner @{HOME}/.gnupg/S.dirmngr rw,
owner @{HOME}/.gnupg/*.{gpg,kbx}.{lock,tmp} rwl,
owner @{HOME}/.gnupg/.gpg-*.lock rwl,
owner @{HOME}/.gnupg/gnupg_spawn_*.lock rwl,
owner @{HOME}/.gnupg/.#*[0-9] rw,
owner @{HOME}/.gnupg/.#*[0-9]x rwl,
owner @{HOME}/.gnupg/.#lk0x[0-9a-f]* rwl,
owner @{HOME}/.gnupg/.gpg-v[0-9]*-migrated rw,
owner @{HOME}/.gnupg/openpgp-revocs.d/{,[A-F0-9]*.rev} rw,
owner @{HOME}/** r,
owner @{PROC}/@{pids}/mountinfo r,

# For gpgconf
owner @{PROC}/@{pids}/fd/ r,

owner /run/user/[0-9]*/keyring-*/gpg rw,

# For encryption + signature
owner /tmp/gpgOutput.* rw,

# for inline pgp
owner /tmp/encfile rw,
owner /tmp/encfile-[0-9]* rw,

# for key import
owner /tmp/enigmail_import/.#lk0x[0-9a-f]* rw,
owner /tmp/enigmail_import/.#lk0x[0-9a-f]*x rwl,
owner /tmp/enigmail_import/{keyring,trustdb}.lock rwl,
owner /tmp/enigmail_import/{keyring,trustdb}{,~,.tmp} rw,
/usr/bin/dirmngr ix,
owner @{PROC}/@{pids}/task/@{tid}/comm rw,

# for revocation certificate generation in the Enigmail setup wizard
owner @{HOME}/.{icedove,thunderbird}/*/0x[A-F0-9]*_rev.asc rw,
# for revocation certificate generation in the Enigmail key manager
owner @{HOME}/*0x[A-F0-9]**.asc rw,

# for signature generation
owner /tmp/nsemail.eml w,
owner /tmp/nsemail-[0-9]*.eml w,

# for signature verifications
owner /tmp/data.sig r,
owner /tmp/data-[0-9]*.sig r,

owner /tmp/gpg-[a-zA-Z0-9]*/S.gpg-agent rw,

/usr/share/sounds/** r,
}

# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.thunderbird>
}

On another system directly installed with Bullseye, Thunderbird does not segfault. The difference seems to be that usr.bin.thunderbird is in /etc/apparmor.d/disable/

#> find /etc/ -name "usr.bin.thunderbird" -exec ls -l '{}' \;
lrwxrwxrwx 1 root root 35 Dec 26 2021 /etc/apparmor.d/disable/usr.bin.thunderbird -> /etc/apparmor.d/usr.bin.thunderbird
-rw-r--r-- 1 root root 14174 Sep 5 2021 /etc/apparmor.d/usr.bin.thunderbird
-rw-r--r-- 1 root root 0 Dec 26 2021 /etc/apparmor.d/local/usr.bin.thunderbird
#> find /etc/ -name "usr.bin.thunderbird" -exec md5sum '{}' \;
9f666406d2637c3efd794bdbc67daa77 /etc/apparmor.d/disable/usr.bin.thunderbird
9f666406d2637c3efd794bdbc67daa77 /etc/apparmor.d/usr.bin.thunderbird
d41d8cd98f00b204e9800998ecf8427e /etc/apparmor.d/local/usr.bin.thunderbird


Hope this can help,
Thanks

-- System Information:
Debian Release: 11.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-16-amd64 (SMP w/8 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages thunderbird depends on:
ii debianutils 4.11.2
ii fontconfig 2.13.1-4.2
ii libatk1.0-0 2.36.0-2
ii libbotan-2-17 2.17.3+dfsg-2
ii libbz2-1.0 1.0.8-4
ii libc6 2.31-13+deb11u3
ii libcairo-gobject2 1.16.0-5
ii libcairo2 1.16.0-5
ii libdbus-1-3 1.12.20-2
ii libdbus-glib-1-2 0.110-6
ii libevent-2.1-7 2.1.12-stable-1
ii libffi7 3.3-6
ii libfontconfig1 2.13.1-4.2
ii libfreetype6 2.10.4+dfsg-1+deb11u1
ii libgcc-s1 10.2.1-6
ii libgdk-pixbuf-2.0-0 2.42.2+dfsg-1
ii libglib2.0-0 2.66.8-1
ii libgtk-3-0 3.24.24-4+deb11u2
ii libjson-c5 0.15-2
ii libpango-1.0-0 1.46.2-3
ii libstdc++6 10.2.1-6
ii libvpx6 1.9.0-1
ii libx11-6 2:1.7.2-1
ii libx11-xcb1 2:1.7.2-1
ii libxcb-shm0 1.14-3
ii libxcb1 1.14-3
ii libxext6 2:1.3.3-1.1
ii libxrender1 1:0.9.10-1
ii psmisc 23.4-2
ii x11-utils 7.7+5
ii zenity 3.32.0-6
ii zlib1g 1:1.2.11.dfsg-2+deb11u1

Versions of packages thunderbird recommends:
ii hunspell-en-us [hunspell-dictionary] 1:2019.10.06-1
ii hunspell-fr-classical [hunspell-dictionary] 1:7.0-1

Versions of packages thunderbird suggests:
ii apparmor 2.13.6-10
ii fonts-lyx 2.3.6-1
ii libgssapi-krb5-2 1.18.3-6+deb11u1

-- no debconf information

Bertram Felgenhauer

Jan 27, 2023, 8:10:04 AM1/27/23
This appears to be fixed in thunderbird 1:102.6.0-1 which
includes the following in /etc/apparmor.d/usr.bin.thunderbird:

# Imported from the opencl abstraction, which we cannot include
# due to conflicting "x"
@{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r,

I have not checked which version first contained these lines.

I'm not closing this bug report yet because bullseye is still affected.
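The thread turns on one question: which of the profile's path rules match the sysfs file that the `DENIED` audit line names, and with what permission mask. The following script is an added example, written for this archive and not code from the bug report, the Debian package, or the AppArmor project. It parses the audit lines quoted in the first two posts, translates the profile's path globs (`*`, `**`, `?`, `[0-9]`, `{a,b}` alternation and `@{sys}` expansion) into regular expressions, and reports which rules would have allowed the access, so it shows why the original `{device,subsystem_device,...}` rule does not cover `class`, while the reporter's local override and the rule shipped in 1:102.6.0-1 both do. The glob translation is a simplified model of AppArmor's matcher that is sufficient for the rules quoted here; the variable table and the generalisation step in `suggest_rule` (which reproduces the reporter's `pci[0-9]*/**/<leaf>` pattern) are assumptions of this example.

```python
import re

# Profile variables from tunables/global that this example resolves.
# Assumption: only single-valued variables are supported (@{HOME} is multi-valued
# in the real tunables and is deliberately not handled here).
VARIABLES = {"sys": "/sys", "PROC": "/proc"}

# Rules quoted in the bug report: the profile's original sysfs PCI rules, the
# local override the reporter appended, and the rule shipped with 1:102.6.0-1.
PROFILE_RULES_BEFORE = [
    "/sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,",
    "/sys/devices/pci[0-9]*/**/uevent r,",
    "/sys/devices/pci*/**/config r,",
]
LOCAL_FIX = "/sys/devices/pci[0-9]*/**/class r,"
FIXED_RULE = "@{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r,"

# Audit lines quoted in the report (kernel timestamp prefix trimmed).
DENIAL_OPEN = ('audit: type=1400 audit(1644074114.165:64): apparmor="DENIED" operation="open" '
               'profile="thunderbird" name="/sys/devices/pci0000:ff/0000:ff:15.1/class" '
               'pid=118142 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')
DENIAL_CAPABLE = ('audit: type=1400 audit(1658307190.587:64): apparmor="DENIED" operation="capable" '
                  'profile="thunderbird" pid=13086 comm="thunderbird" capability=21 capname="sys_admin"')

AUDIT_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# path rule: [audit] [deny] [owner] <glob> <perms>,   (exec-transition rules with "->" are skipped)
RULE_RE = re.compile(r"^\s*(?:audit\s+)?(?P<deny>deny\s+)?(?:owner\s+)?(?P<path>\S+)\s+(?P<perms>[a-zA-Z]+),")
# sysfs PCI path: generalise to the reporter's pci[0-9]*/**/<leaf> shape
PCI_SYSFS_RE = re.compile(r"^/sys/devices/pci[0-9a-f:]+/.+/([^/]+)$")


def expand_variables(path_glob):
    """Replace @{name} with its value from VARIABLES; unknown names are an error."""
    def lookup(m):
        name = m.group(1)
        if name not in VARIABLES:
            raise ValueError(f"unsupported profile variable @{{{name}}}")
        return VARIABLES[name]
    return re.sub(r"@\{(\w+)\}", lookup, path_glob)


def apparmor_glob_to_regex(path_glob):
    """Translate an AppArmor path glob into a regex for re.fullmatch.
    '*' and '?' stay inside one path component, '**' crosses '/' boundaries,
    '[...]' is a character class, '{a,b}' is alternation (nesting allowed)."""
    path_glob = expand_variables(path_glob)
    out, i, depth = [], 0, 0
    while i < len(path_glob):
        c = path_glob[i]
        if c == "*":
            if path_glob.startswith("**", i):
                out.append(".*")          # simplified: '**' matches any chars incl. '/'
                i += 2
                continue
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = path_glob.index("]", i)   # ValueError on an unterminated class
            out.append(path_glob[i:j + 1])
            i = j
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}":
            depth -= 1
            out.append(")")
        elif c == "," and depth > 0:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def glob_matches(path_glob, path):
    return re.fullmatch(apparmor_glob_to_regex(path_glob), path) is not None


def parse_rule(rule):
    m = RULE_RE.match(rule)
    if not m:
        return None
    return {"deny": bool(m.group("deny")), "path": m.group("path"), "perms": m.group("perms")}


def rule_covers(rule, path, mask):
    """True if this allow rule matches the path and grants every letter of the mask."""
    parsed = parse_rule(rule)
    if parsed is None or parsed["deny"]:
        return False
    return glob_matches(parsed["path"], path) and set(mask) <= set(parsed["perms"])


def parse_audit_line(line):
    fields = {k: v.strip('"') for k, v in AUDIT_KV_RE.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def check_denial(audit_line, profile_rules):
    """For a DENIED open, return (path, requested mask, rules that would allow it)."""
    fields = parse_audit_line(audit_line)
    if fields is None or fields.get("operation") != "open":
        return None   # capability denials and non-DENIED lines carry no path
    path, mask = fields["name"], fields["requested_mask"]
    return path, mask, [r for r in profile_rules if rule_covers(r, path, mask)]


def suggest_rule(path, mask):
    """Generalise a denied sysfs PCI path the way the reporter's local fix does."""
    m = PCI_SYSFS_RE.match(path)
    return f"/sys/devices/pci[0-9]*/**/{m.group(1)} {mask}," if m else None


if __name__ == "__main__":
    path, mask, covering = check_denial(DENIAL_OPEN, PROFILE_RULES_BEFORE)
    print(f"{path} ({mask}) covered by original rules: {covering}")
    print("local fix covers it:", rule_covers(LOCAL_FIX, path, mask))
    print("102.6.0 rule covers it:", rule_covers(FIXED_RULE, path, mask))
    print("suggested override:", suggest_rule(path, mask))
```

Reading the result is the whole check: an empty list for the original rules plus a hit for `LOCAL_FIX` confirms the denial is a profile gap rather than a malformed rule, and `suggest_rule` yields exactly the line the reporter appended to `/etc/apparmor.d/local/usr.bin.thunderbird`. Running `aa-logprof` on the real system reaches the same conclusion; this script just makes the glob matching visible.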