Your message dated Sun, 24 Feb 2019 18:49:43 +0000
with message-id <[email protected]>
and subject line Bug#920833: fixed in apparmor 2.13.2-8
has caused the Debian Bug report #920833,
regarding apparmor: AppArmor denies access to mime-specific files for various 
GUI applications
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
920833: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920833
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apparmor
Version: 2.13.2-6
Severity: minor
Tags: upstream

Dear Maintainer,

After recent updates on Sid, multiple GUI applications (like
Thunderbird, Firefox, qTox) on KDE are hit by these kinds of denials:

```
type=AVC msg=audit(1548784946.545:1896): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/mime.cache" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1548784946.545:1897): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/globs2" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1548784946.545:1898): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/magic" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1548784946.545:1899): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/aliases" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1548784946.545:1900): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/subclasses" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1548784946.545:1901): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/icons" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1548784946.545:1902): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/generic-icons" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
```

GDB backtraces:

```
Thread 1 "thunderbird-bin" hit Catchpoint 1 (returned from syscall openat), 0x00007fe8629a4509 in __libc_open64 (file=0x7fe82ce5fe80 "/usr/local/share/mime/generic-icons", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:48
48      in ../sysdeps/unix/sysv/linux/open64.c
#0  0x00007fe8629a4509 in __libc_open64 (file=0x7fe82ce5fe80 "/usr/local/share/mime/generic-icons", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:48
#1  0x00007fe8629360b2 in __GI__IO_file_open (fp=fp@entry=0x7fe82c94a800, filename=<optimized out>, posix_mode=<optimized out>, prot=prot@entry=438, read_write=8, is32not64=is32not64@entry=1) at fileops.c:189
#2  0x00007fe86293625d in _IO_new_file_fopen (fp=fp@entry=0x7fe82c94a800, filename=filename@entry=0x7fe82ce5fe80 "/usr/local/share/mime/generic-icons", mode=<optimized out>, mode@entry=0x7fe860ff9b6f "r", is32not64=is32not64@entry=1) at fileops.c:281
#3  0x00007fe86292a359 in __fopen_internal (filename=0x7fe82ce5fe80 "/usr/local/share/mime/generic-icons", mode=0x7fe860ff9b6f "r", is32=1) at iofopen.c:75
#4  0x00007fe860fd1156 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#5  0x00007fe860fce1d8 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#6  0x00007fe860fce38f in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#7  0x00007fe860fce8ae in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#8  0x00007fe860fcea19 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#9  0x00007fe860f604dd in g_content_type_from_mime_type () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#10 0x00007fe85d253ac5 in  () at /usr/lib/thunderbird/libxul.so
#11 0x00007fe85af0e772 in  () at /usr/lib/thunderbird/libxul.so
#12 0x00007fe85af02a3a in  () at /usr/lib/thunderbird/libxul.so
...
```

For the Qt application, it seems to be a KDE styles/iconloader issue?

```
Thread 1 "qtox" hit Catchpoint 1 (returned from syscall openat), 0x00007f190adf4c4e in __libc_open64 (file=file@entry=0x56267c90d588 "/usr/share/mime/generic-icons", oflag=oflag@entry=524288) at ../sysdeps/unix/sysv/linux/open64.c:48
48      in ../sysdeps/unix/sysv/linux/open64.c
#0  0x00007f190adf4c4e in __libc_open64 (file=file@entry=0x56267c90d588 "/usr/share/mime/generic-icons", oflag=oflag@entry=524288) at ../sysdeps/unix/sysv/linux/open64.c:48
#1  0x00007f190b31b96c in open64 (__oflag=<optimized out>, __path=0x56267c90d588 "/usr/share/mime/generic-icons") at /usr/include/x86_64-linux-gnu/bits/fcntl2.h:91
#2  0x00007f190b31b96c in qt_safe_open (mode=438, flags=<optimized out>, pathname=0x56267c90d588 "/usr/share/mime/generic-icons") at ../../include/QtCore/5.11.3/QtCore/private/../../../../../src/corelib/kernel/qcore_unix_p.h:195
#3  0x00007f190b31b96c in QFSFileEnginePrivate::nativeOpen(QFlags<QIODevice::OpenModeFlag>) (this=0x56267c7b9c60, openMode=...) at io/qfsfileengine_unix.cpp:122
#4  0x00007f190b2fa894 in QFSFileEngine::open(QFlags<QIODevice::OpenModeFlag>) (this=0x56267c82e680, openMode=...) at io/qfsfileengine.cpp:246
#5  0x00007f190b2b8156 in QFile::open(QFlags<QIODevice::OpenModeFlag>) (this=0x7ffcba56a8e0, mode=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:140
#6  0x00007f18f91700fb in  () at /lib/x86_64-linux-gnu/libKF5IconThemes.so.5
#7  0x00007f18f91726b3 in KIconLoader::KIconLoader(QString const&, QStringList const&, QObject*) () at /lib/x86_64-linux-gnu/libKF5IconThemes.so.5
#8  0x00007f18f91728e3 in KIconLoader::global() () at /lib/x86_64-linux-gnu/libKF5IconThemes.so.5
#9  0x00007f18f36eae95 in KStyle::pixelMetric(QStyle::PixelMetric, QStyleOption const*, QWidget const*) const () at /lib/x86_64-linux-gnu/libKF5Style.so.5
#10 0x00007f18f378850b in  () at /usr/lib/x86_64-linux-gnu/qt5/plugins/styles/breeze.so
#11 0x00007f190e8df75b in  () at /lib/x86_64-linux-gnu/libQt5Widgets.so.5
#12 0x000056267a96c4bf in Widget::Widget(QWidget*) ()
#13 0x000056267a96c699 in Widget::getInstance() ()
#14 0x000056267a9327db in Nexus::showMainGUI() ()
#15 0x000056267a93468c in Nexus::start() ()
#16 0x000056267a926703 in main ()
[Switching to Thread 0x7f18f2ee2700 (LWP 10429)]
```

For Firefox, it's deep in GTK:

```
Thread 1 "firefox" hit Catchpoint 1 (call to syscall openat), 0x00007f74ed013509 in __libc_open64 (file=0x7f74d783b4f0 "/home/vincas/.local/share//mime/generic-icons", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:48
48      in ../sysdeps/unix/sysv/linux/open64.c
#0  0x00007f74ed013509 in __libc_open64 (file=0x7f74d783b4f0 "/home/vincas/.local/share//mime/generic-icons", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:48
#1  0x00007f74ecfa50b2 in __GI__IO_file_open (fp=fp@entry=0x7f74d7ab4000, filename=<optimized out>, posix_mode=<optimized out>, prot=prot@entry=438, read_write=8, is32not64=is32not64@entry=1) at fileops.c:189
#2  0x00007f74ecfa525d in _IO_new_file_fopen (fp=fp@entry=0x7f74d7ab4000, filename=filename@entry=0x7f74d783b4f0 "/home/vincas/.local/share//mime/generic-icons", mode=<optimized out>, mode@entry=0x7f74eb5aab6f "r", is32not64=is32not64@entry=1) at fileops.c:281
#3  0x00007f74ecf99359 in __fopen_internal (filename=0x7f74d783b4f0 "/home/vincas/.local/share//mime/generic-icons", mode=0x7f74eb5aab6f "r", is32=1) at iofopen.c:75
#4  0x00007f74eb582156 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#5  0x00007f74eb57f1d8 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#6  0x00007f74eb57f441 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#7  0x00007f74eb57f8ae in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#8  0x00007f74eb57f90a in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#9  0x00007f74eb5116f9 in g_content_type_guess () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#10 0x00007f74eb7f2713 in  () at /lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0
#11 0x00007f74eb7f5109 in  () at /lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0
#12 0x00007f74eb7f5bd8 in gdk_pixbuf_loader_write () at /lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0
#13 0x00007f74eb7f22bb in  () at /lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0
#14 0x00007f74eb7f329c in gdk_pixbuf_new_from_stream () at /lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0
#15 0x00007f74ec58b03f in  () at /lib/x86_64-linux-gnu/libgtk-3.so.0
#16 0x00007f74ec58e268 in gtk_icon_info_load_icon () at /lib/x86_64-linux-gnu/libgtk-3.so.0
#17 0x00007f74ec58e4c4 in gtk_icon_theme_load_icon_for_scale () at /lib/x86_64-linux-gnu/libgtk-3.so.0
#18 0x00007f74ec7145b3 in  () at /lib/x86_64-linux-gnu/libgtk-3.so.0
#19 0x00007f74ec715a91 in  () at /lib/x86_64-linux-gnu/libgtk-3.so.0
#20 0x00007f74ec71d06f in  () at /lib/x86_64-linux-gnu/libgtk-3.so.0
#21 0x00007f74eb2abc7d in g_closure_invoke () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#22 0x00007f74eb2bf4d6 in  () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#23 0x00007f74eb2c82c2 in g_signal_emit_valist () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#24 0x00007f74eb2c890f in g_signal_emit () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#25 0x00007f74ec70da86 in gtk_widget_realize () at /lib/x86_64-linux-gnu/libgtk-3.so.0
...
```

I'll try to fix this issue.

First, I will try reproducing on GNOME. Not sure if it's KDE-related, or
whether we need a new abstraction, to update an existing one, or to leave
these rules for the per-application profiles themselves...


-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=lt_LT.UTF-8, LC_CTYPE=lt_LT.UTF-8 (charmap=UTF-8), LANGUAGE=lt 
(charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.70
ii  libc6                  2.28-5
ii  lsb-base               10.2018112800
ii  python3                3.7.2-1

apparmor recommends no packages.

Versions of packages apparmor suggests:
ii  apparmor-profiles-extra  1.25
ii  apparmor-utils           2.13.2-6

-- Configuration Files:
/etc/apparmor.d/abstractions/audio changed [not included]
/etc/apparmor.d/abstractions/kde changed [not included]
/etc/apparmor.d/abstractions/mesa changed [not included]
/etc/apparmor.d/abstractions/ubuntu-email changed [not included]
/etc/apparmor.d/tunables/kernelvars changed [not included]
/etc/apparmor.d/tunables/securityfs changed [not included]
/etc/apparmor.d/tunables/sys changed [not included]

-- debconf information excluded

--- End Message ---
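
One way to triage denials like those quoted in the report, as an added example (not part of the original messages or of AppArmor's own tooling): it parses the audit records and groups them into candidate profile rules per profile and directory. The last two sample records are constructed, the function names are hypothetical, and the emitted rules are candidates for review, not the change shipped in 2.13.2-8.

```python
import posixpath
import re
from collections import defaultdict

# Sample audit records. The first two are from the report (re-joined onto one
# line each); the last two are constructed for this example.
SAMPLE = """\
type=AVC msg=audit(1548784946.545:1896): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/mime.cache" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1548784946.545:1897): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/globs2" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1548785000.100:1950): apparmor="DENIED" operation="open" profile="firefox" name="/home/vincas/.local/share/mime/generic-icons" pid=3001 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1548785000.100:1951): apparmor="DENIED" operation="open" profile="firefox" name="/usr/local/share/mime/generic-icons" pid=3001 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log-only mask letters (create, delete) fall under "w" in profile syntax.
LOG_TO_RULE = {"c": "w", "d": "w"}


def parse_denials(text):
    """Yield a dict of fields for each AppArmor DENIED file record."""
    for line in text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            yield fields


def candidate_rules(text, home_re=r"^/home/[^/]+/"):
    """Return {profile: [rule, ...]}, one glob rule per denied directory."""
    grouped = defaultdict(lambda: {"perms": set(), "owner": True})
    for rec in parse_denials(text):
        entry = grouped[(rec["profile"], posixpath.dirname(rec["name"]))]
        entry["perms"].update(LOG_TO_RULE.get(c, c) for c in rec["denied_mask"])
        # Keep the "owner" qualifier only if every hit was on the caller's own file.
        entry["owner"] &= rec.get("fsuid") == rec.get("ouid")
    rules = defaultdict(list)
    for (profile, directory), entry in sorted(grouped.items()):
        # @{HOME} is the tunable profiles use in place of a literal home path.
        glob = re.sub(home_re, "@{HOME}/", directory + "/") + "*"
        qualifier = "owner " if entry["owner"] else ""
        rules[profile].append(f"{qualifier}{glob} {''.join(sorted(entry['perms']))},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE).items():
        print(f"# {profile}\n  " + "\n  ".join(lines))
```

Each emitted rule covers every file in that directory, so compare it against the abstractions the profile already includes before adding it.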
--- Begin Message ---
Source: apparmor
Source-Version: 2.13.2-8

We believe that the bug you reported is fixed in the latest version of
apparmor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
intrigeri <[email protected]> (supplier of updated apparmor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sun, 24 Feb 2019 17:00:23 +0000
Source: apparmor
Architecture: source
Version: 2.13.2-8
Distribution: unstable
Urgency: medium
Maintainer: Debian AppArmor Team <[email protected]>
Changed-By: intrigeri <[email protected]>
Closes: 920833 921866 921875 921888
Changes:
 apparmor (2.13.2-8) unstable; urgency=medium
 .
   * Cherry-pick 5 more commits from upstream apparmor-2.13 branch
     (Closes: #921866).
   * Cherry-pick upstream MR!344 (Closes: #920833, #921888).
   * Install the nvidia_modprobe named profile (Closes: #921875)
     and add it to the list of profiles whose syntax is checked
     via autopkgtests.
   * Patch usr.sbin.smdb to include snippet generated at runtime
     (part of the fix for #896080).
   * New autopkgtest: ensure apparmor.service starts on
     package installation.
   * Update salsa CI pipeline.

--- End Message ---
