
Bug#949450: thunderbird: apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/dev/shm/org.chromium.*"


Dmitry Smirnov, Jan 20, 2020, 7:00:03 PM

Package: thunderbird
Version: 1:68.4.1-1~deb10u1
Severity: minor

While Thunderbird is being used, kernel repeatedly logs the following:

```
audit: type=1400 audit(1579563490.921:660): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/dev/shm/org.chromium.9d3eJz" pid=23349 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
```

Please advise.

--
Best wishes,
Dmitry Smirnov

---

Belief is the death of intelligence.
-- Robert Anton Wilson
signature.asc

dimi...@stinpriza.org, Jan 27, 2020, 6:40:03 AM

Package: thunderbird
Version: 1:68.4.2-1
Followup-For: Bug #949450

Hey,

I think the severity should be raised to important or even grave.
Thunderbird/Enigmail is unusable with the default AppArmor profile enabled. This
particular message is one of many; they make encrypt/decrypt/signing completely
unusable. I tried to add exceptions to AppArmor, but new DENIED messages arise, and
not just for thunderbird/gpg,
e.g. /OfflineCache/index.sqlite DENIED, filterlog.html DENIED.

At the moment I've disabled the AppArmor profile and got back to a usable TB/Enigmail. I
could send more details/messages if needed, or a new bug report(?).

thanks,
d.



-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.14-gnu (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages thunderbird depends on:
ii debianutils 4.9.1
ii fontconfig 2.13.1-2+b1
ii libatk1.0-0 2.34.1-1
ii libc6 2.29-9
ii libcairo-gobject2 1.16.0-4
ii libcairo2 1.16.0-4
ii libdbus-1-3 1.12.16-2
ii libdbus-glib-1-2 0.110-5
ii libevent-2.1-7 2.1.11-stable-1
ii libffi7 3.3-3
ii libfontconfig1 2.13.1-2+b1
ii libfreetype6 2.10.1-2
ii libgcc1 1:9.2.1-25
ii libgdk-pixbuf2.0-0 2.40.0+dfsg-2
ii libglib2.0-0 2.62.4-1+b1
ii libgtk-3-0 3.24.13-1
ii libgtk2.0-0 2.24.32-4
ii libicu63 63.2-2
ii libjsoncpp1 1.7.4-3.1
ii libnspr4 2:4.24-1
ii libnss3 2:3.49.1-1
ii libpango-1.0-0 1.42.4-8
ii libsqlite3-0 3.31.0+really3.30.1+fossil191229-1
ii libstartup-notification0 0.12-6
ii libstdc++6 9.2.1-25
ii libvpx6 1.8.2-1
ii libx11-6 2:1.6.8-1
ii libx11-xcb1 2:1.6.8-1
ii libxcb-shm0 1.13.1-3
ii libxcb1 1.13.1-3
ii libxext6 2:1.3.3-1+b2
ii libxrender1 1:0.9.10-1
ii libxt6 1:1.1.5-1+b3
ii psmisc 23.3-1
ii x11-utils 7.7+4
ii zlib1g 1:1.2.11.dfsg-1+b1

Versions of packages thunderbird recommends:
ii hunspell-el [hunspell-dictionary] 1:6.4.0~rc2-1
ii hunspell-en-us [hunspell-dictionary] 1:2018.04.16-1
pn lightning <none>

Versions of packages thunderbird suggests:
ii apparmor 2.13.3-7
pn fonts-lyx <none>
ii libgssapi-krb5-2 1.17-6

-- Configuration Files:
/etc/apparmor.d/usr.bin.thunderbird changed [not included]

-- no debconf information

Christian Boltz, Feb 10, 2020, 7:40:03 PM

Hello,

I'm not the maintainer of the thunderbird profile nor using Debian, but
maybe I can give some helpful input nevertheless ;-)

(Updating the shipped profile has to be done by someone else.)

On Friday, 31 January 2020, 11:46:49 CET, Dimitris wrote:
> On 1/30/20 2:11 PM, Dimitris wrote:
...
> > [Thu Jan 30 2020] audit: type=1400 audit(1580374356.923:36):
> > apparmor="DENIED" operation="open"
> > profile="thunderbird//sanitized_helper"
> > name="/tmp/clearsigned.message.pycT1r" pid=23600 comm="apt-cache"
> > requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

That looks interesting[tm] - why would apt-cache want to access a
tempfile that looks like (wild guess based on the filename) a signed
message?

[...]
> > audit: type=1400 audit(1580377190.735:2836): apparmor="DENIED"
> > operation="file_inherit" profile="thunderbird//gpg"
> > name=2F6XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > XXXXXXXXXXXXD6C pid=13850 comm="gpg" requested_mask="a"
> > denied_mask="a" fsuid=1000 ouid=1000
> >
> > (replaced chars in between with Xs, since i don't know what this
> > could be..?)

That's a hex-encoded filename - this encoding gets used in the log if a
filename contains for example a space or special characters.

You can decode it with
aa-decode 2F6....D6C
(obviously use the original name, not the X'ed out one)

From the X'ed out name, I can say that it starts with, surprise, "/"
(2F) and ends with "l" (6C)

> new messages emerging making tb/enigmail unusable :
>
> audit: type=1400 audit(1580465922.867:14): apparmor="DENIED"
> operation="capable" profile="thunderbird" pid=11974 comm="thunderbird"
> capability=21 capname="sys_admin"

That's interesting[tm]. Wild guess: maybe thunderbird uses some
sandboxing that needs this capability to initialize?

> audit: type=1400 audit(1580465924.499:15): apparmor="DENIED"
> operation="open" profile="thunderbird" name="/etc/mate/defaults.list"
> pid=11974 comm="thunderbird" requested_mask="r" denied_mask="r"
> fsuid=1000 ouid=0

That translates to /etc/mate/defaults.list r, for the thunderbird
profile - or an abstraction. (We don't have a mate abstraction yet,
maybe it's time to start one? ;-)

> audit: type=1400 audit(1580465929.463:16): apparmor="DENIED"
> operation="file_lock" profile="thunderbird"
> name="/home/user/.cache/thunderbird/profile.default/OfflineCache/index
> .sqlite" pid=11974 comm="thunderbird" requested_mask="k"
> denied_mask="k" fsuid=1000 ouid=1000

k is for "file lock". The strictest-possible rule would be
/home/*/.cache/thunderbird/profile.default/OfflineCache/index k,

> audit: type=1400 audit(1580465955.367:18): apparmor="DENIED"
> operation="file_inherit" profile="thunderbird//gpg"
> name="/home/user/.icedove/profile.default/ImapMail/account1/INBOX.sbd/
> folder" pid=13491 comm="gpg" requested_mask="w" denied_mask="w"
> fsuid=1000 ouid=1000
>
> audit: type=1400 audit(1580466665.275:19): apparmor="DENIED"
> operation="file_inherit" profile="thunderbird//gpg"
> name="/home/user/.icedove/profile.default/prefs-1.js" pid=20428
> comm="gpg" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000

These two look like a case of thunderbird not closing files when
executing gpg. You can probably ignore or deny that.

> audit: type=1400 audit(1580466665.279:20): apparmor="DENIED"
> operation="exec" profile="thunderbird//gpg" name="/usr/bin/gpg-agent"
> pid=20430 comm="gpg" requested_mask="x" denied_mask="x" fsuid=1000
> ouid=0

Ah, gpg wants to execute gpg-agent. That makes sense.

The easiest solution would be to add
/usr/bin/gpg-agent mrix,
to the gpg subprofile.

A more strict version would be
/usr/bin/gpg-agent mrPx -> thunderbird//gpg-agent,
to the gpg subprofile, and then to create a child profile called
gpg-agent:
profile gpg-agent {
# TODO
}


As a sidenote - someone in the #apparmor IRC channel (on OFTC) spent
some work on creating a profile for thunderbird a few weeks ago.
Unfortunately the pastebin links have expired, but if you are
interested, I can try to get it uploaded somewhere again.


BTW: While you work on the profile, you might want to put it into
complain mode. Without knowing the exact profile filename:
aa-complain /etc/apparmor.d/*thunderbird
This will allow everything (so Thunderbird will work) and log what would
be denied. However, note that "allow everything" means that AppArmor
won't prevent anything evil, so don't forget to switch the profile back
to enforce mode (using aa-enforce instead of aa-complain) when you think
it's complete.

If you prefer an interactive tool over reading the logfile, you can use
aa-logprof to update the profile.


Regards,

Christian Boltz
--
> > How about openSUSE Leap $(sha256sum $ISOIMAGEFILENAME) :-(
> Can I get a version with my name?? :D
Sure. Just change your name to "openSUSE". ;)
[>> Mathias Homann, > Karl Sinn and James Knott in opensuse-factory]
signature.asc
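The workflow Christian describes above (decode hex-encoded names as aa-decode does, read the operation and denied_mask, and turn each denial into the narrowest rule for the right profile or subprofile) can be automated when the log has hundreds of entries. The script below is an added example written for this page; it is not part of the bug report, of apparmor-utils or of the Debian profile. It parses AppArmor DENIED audit lines, decodes unquoted hex-encoded names, and groups a candidate rule per profile. The sample log is constructed to match the shapes of the lines quoted in this thread (the hex-encoded path is an invented one, since the original was X'ed out); the `@{HOME}` substitution, the choice of `mrix` for exec denials and the "deny for file_inherit" heuristic (following Christian's "ignore or deny" remark) are this example's own choices, not something the thread prescribes, so review every suggested rule before adding it.

```python
"""Parse AppArmor DENIED audit lines, decode hex-encoded names and
suggest the narrowest candidate rule for each event, grouped by profile.
Added example for this page; not from the bug report or apparmor-utils."""
import re
from collections import defaultdict

# key=value pairs; audit values are either double-quoted or bare tokens
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# /home/<user>/ -> @{HOME}/ (the variable from tunables/home)
_HOME = re.compile(r"^/home/[^/]+/")


def decode_hex_name(token):
    """audit hex-encodes a name that contains a space or special character
    and logs it unquoted; this mirrors what aa-decode does."""
    if len(token) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", token):
        return bytes.fromhex(token).decode("utf-8", errors="replace")
    return token


def parse_event(line):
    """Return the key=value fields of one AppArmor DENIED line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    ev = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        if key == "name" and quoted is None:
            ev["name"] = decode_hex_name(bare)
        else:
            ev[key] = quoted if quoted is not None else bare
    return ev


def generalize(path):
    """Replace the literal home directory and quote paths with spaces."""
    path = _HOME.sub("@{HOME}/", path)
    return f'"{path}"' if " " in path else path


def suggest_rule(ev):
    """Heuristic mapping from one denial to a candidate profile rule."""
    op = ev.get("operation")
    if op == "capable":
        return f"capability {ev['capname']},"
    if "name" not in ev:
        return f"# unhandled operation {op}"
    path = generalize(ev["name"])
    mask = ev.get("denied_mask", "")
    if op == "file_inherit":
        # A helper inherited a descriptor the parent did not close before
        # exec; it does not need it, so deny quietly instead of granting.
        return f"deny {path} {mask},"
    if "x" in mask:
        # Exec: run the helper under the current profile (ix). Use Px and
        # a child profile instead if it should be confined separately.
        return f"{path} mrix,"
    return f"{path} {mask},"


def rules_by_profile(log_text):
    """Map each profile to the sorted set of candidate rules it needs."""
    out = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev:
            out[ev["profile"]].add(suggest_rule(ev))
    return {profile: sorted(rules) for profile, rules in out.items()}


# Constructed sample log modelled on the lines quoted in this thread.
# The hex-encoded path is invented (the original was X'ed out).
_ENCODED = "/home/user/.icedove/profile.default/Mail/Local Folders/signed.eml".encode().hex().upper()
SAMPLE_LOG = f"""\
audit: type=1400 audit(1579563490.921:660): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/dev/shm/org.chromium.9d3eJz" pid=23349 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
audit: type=1400 audit(1580377190.735:2836): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name={_ENCODED} pid=13850 comm="gpg" requested_mask="a" denied_mask="a" fsuid=1000 ouid=1000
audit: type=1400 audit(1580465922.867:14): apparmor="DENIED" operation="capable" profile="thunderbird" pid=11974 comm="thunderbird" capability=21 capname="sys_admin"
audit: type=1400 audit(1580465929.463:16): apparmor="DENIED" operation="file_lock" profile="thunderbird" name="/home/user/.cache/thunderbird/profile.default/OfflineCache/index.sqlite" pid=11974 comm="thunderbird" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
audit: type=1400 audit(1580466665.279:20): apparmor="DENIED" operation="exec" profile="thunderbird//gpg" name="/usr/bin/gpg-agent" pid=20430 comm="gpg" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in rules:
            print("  " + rule)
```

Feed it `journalctl -k` or `/var/log/audit/audit.log` output instead of SAMPLE_LOG for a real run. The output is a starting point for aa-logprof style editing, not a finished profile: a `capability sys_admin,` suggestion in particular deserves the scrutiny Christian gives it above rather than a blind copy into the profile, and the `mrix` for gpg-agent is the "easiest solution"; the stricter `mrPx -> thunderbird//gpg-agent` form needs the child profile written by hand.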

Calhun Delph, Aug 18, 2020, 9:10:03 AM

Thomas Guyot-Sionnest, Nov 23, 2021, 10:30:03 AM

Hi,

Is this bug still valid? I'm getting the same errors since I upgraded to
Debian Bullseye, however Thunderbird seems to be in enforce mode by
default and so some things are just not working anymore.

Trying to open links leads to:

```
Nov 23 09:57:43 debian thunderbird.desktop[392093]: [392095:392095:1123/095743.933650:FATAL:double_fork_and_exec.cc(131)] execv /opt/google/chrome/chrome_crashpad_handler: Permission denied (13)
Nov 23 09:57:43 debian kernel: audit: type=1400 audit(1637679463.930:453): apparmor="DENIED" operation="exec" profile="thunderbird//sanitized_helper" name="/opt/google/chrome/chrome_crashpad_handler" pid=392095 comm="chrome" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
```

I also get similar GPG errors (I can send the exact lines if needed),
though I haven't even tried using GPG yet.

I don't recall ever changing apparmor config... I did run a
"dpkg-reconfigure apparmor" and it only asked about additional homedir
locations - which I have - but that didn't help anyway.

Regards,

--
Thomas

Thomas Guyot-Sionnest, Nov 24, 2021, 1:20:04 AM

FYI this is the fix for chrome (attached patch), but maybe I should
report it as a separate bug as it covers more than TB...

I haven't looked at the gpg issue and apparmor configuration but it may
too be best fixed at a global level... Unless we only want to allow
specific applications to run gpg?

The fix is inspired by https://askubuntu.com/q/1357638/628778

--
Thomas
ubuntu-helpers.patch