On 11/06/2017 09:46 AM, Philipp Kern wrote:
> Package: thunderbird
> Version: 1:52.4.0-1
> X-Debbugs-Cc: intrig...@debian.org, si...@sdeziel.info
> 
> Whenever I start Thunderbird I get the following denial from AppArmor:
> 
> [  172.585316] audit: type=1400 audit(1509957761.626:72):
> apparmor="DENIED" operation="file_mmap"
> profile="thunderbird//lsb_release" name="/usr/bin/python3.6" pid=4268
> comm="lsb_release" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
> 
> According to the profile python3.[0-9] is allowed to be read, but not
> mapped, so it can't actually be executed.

This is actually a pretty deep rabbit hole. You need to add all of dpkg
and apt at this point, which would need an abstraction. I stopped after
adding these:

/usr/bin/python3.[0-9] mr,
/usr/bin/apt-cache ixr,
/etc/apt/apt.conf.d/* r, (in addition to /etc/apt/apt.conf.d/)
/etc/dpkg/origins/* r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
@{PROC}/@{pid}/fd/ r,
/etc/apt/sources.list r,
/etc/apt/sources.list.d r,
/var/cache/apt/*.bin r,
/usr/bin/dpkg ixr,
/var/lib/apt/lists/ r,

At which point I would have needed to still address these:

> [ 3750.599923] audit: type=1400 audit(1509961339.632:196): apparmor="DENIED" 
> operation="open" profile="thunderbird//lsb_release" 
> name="/etc/dpkg/dpkg.cfg.d/" pid=9898 comm="dpkg" requested_mask="r" 
> denied_mask="r" fsuid=1000 ouid=0
> [ 3750.600114] audit: type=1400 audit(1509961339.632:197): apparmor="DENIED" 
> operation="mknod" profile="thunderbird//lsb_release" 
> name="/tmp/fileutl.message.ehuXZN" pid=9897 comm="apt-cache" 
> requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
> [ 3750.600190] audit: type=1400 audit(1509961339.632:198): apparmor="DENIED" 
> operation="mknod" profile="thunderbird//lsb_release" 
> name="/tmp/fileutl.message.ZSPpZG" pid=9897 comm="apt-cache" 
> requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
> [ 3750.600245] audit: type=1400 audit(1509961339.632:199): apparmor="DENIED" 
> operation="mknod" profile="thunderbird//lsb_release" 
> name="/tmp/fileutl.message.s0YSYz" pid=9897 comm="apt-cache" 
> requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[...]

And potentially more. A lot of implementation details now leak somewhere
where they shouldn't leak to. (I suppose lsb_release would actually need
its own profile in this case?)

Kind regards and thanks
Philipp Kern
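
Added example, not part of the original message and not code from the AppArmor or Thunderbird projects: a small Python parser that re-joins audit records wrapped and ">"-quoted as in the mail above, then lists each denied path once per profile and triggering command. The function names are hypothetical; the sample input is three of the denials quoted above.

```python
import re
from collections import defaultdict

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
RECORD_START = re.compile(r"\[\s*\d+\.\d+\] audit:")

def records(text):
    """Re-join audit records that mail quoting and wrapping split across lines."""
    current = []
    for line in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", line).strip()   # drop "> " quote markers
        if RECORD_START.match(line) and current:
            yield " ".join(current)
            current = []
        if line:
            current.append(line)
    if current:
        yield " ".join(current)

def denials(text):
    """Return sorted (profile, comm, path, masks) tuples, one per denied path."""
    seen = defaultdict(set)
    for rec in records(text):
        f = {k: q or b for k, q, b in FIELD.findall(rec)}
        if f.get("apparmor") != "DENIED" or "name" not in f:
            continue
        key = (f.get("profile", "?"), f.get("comm", "?"), f["name"])
        seen[key].update(f.get("denied_mask", ""))
    return sorted((p, c, n, "".join(sorted(m))) for (p, c, n), m in seen.items())

# Sample input: three of the denials quoted in the message above, wrapped as mailed.
SAMPLE = """\
> [  172.585316] audit: type=1400 audit(1509957761.626:72):
> apparmor="DENIED" operation="file_mmap"
> profile="thunderbird//lsb_release" name="/usr/bin/python3.6" pid=4268
> comm="lsb_release" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
> [ 3750.599923] audit: type=1400 audit(1509961339.632:196): apparmor="DENIED"
> operation="open" profile="thunderbird//lsb_release"
> name="/etc/dpkg/dpkg.cfg.d/" pid=9898 comm="dpkg" requested_mask="r"
> denied_mask="r" fsuid=1000 ouid=0
> [ 3750.600114] audit: type=1400 audit(1509961339.632:197): apparmor="DENIED"
> operation="mknod" profile="thunderbird//lsb_release"
> name="/tmp/fileutl.message.ehuXZN" pid=9897 comm="apt-cache"
> requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

if __name__ == "__main__":
    for profile, comm, path, masks in denials(SAMPLE):
        print(f"{profile}  {comm:<12} {path} {masks}")
```

Grouping by comm shows which helper binary (dpkg, apt-cache) pulled each path into the thunderbird//lsb_release child profile; each tuple is a candidate rule to review by hand before it goes into a profile.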

