Bug#900210: thunderbird: Thunderbird AppArmor config disables ability to send entirely

[Stephen Dowdy]

Package: thunderbird
Version: 1:52.8.0-1~deb9u1
Severity: important


Attempting to send e-mail results in a popup:

    [ Send Message Error ]
    Sending of the message failed.


    # aa-status --enabled  && echo "AppArmor Enabled"
    AppArmor Enabled

    # aa-status | egrep '(profiles|thunderbird)'
    54 profiles are loaded.
    21 profiles are in enforce mode.
       thunderbird
       thunderbird//browser_java
       thunderbird//browser_openjdk
       thunderbird//gpg
       thunderbird//sanitized_helper
    33 profiles are in complain mode.
    6 processes have profiles defined.
       thunderbird (32689) 


dmesg shows the following apparmor DENIED messages:

    [62711.954571] audit: type=1400 audit(1527437094.186:58): apparmor="DENIED" 
operation="open" profile="thunderbird" name="/run/user/1000/xauth-1000-_0" 
pid=32700 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=1000
    [62711.960341] audit: type=1400 audit(1527437094.194:59): apparmor="DENIED" 
operation="open" profile="thunderbird" name="/run/user/1000/xauth-1000-_0" 
pid=32689 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=1000
    [62711.971343] audit: type=1400 audit(1527437094.202:60): apparmor="DENIED" 
operation="mkdir" profile="thunderbird" 
name="/run/user/1000/thunderbird_sdowdy/" pid=32689 comm="thunderbird" 
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
    [62711.971925] audit: type=1400 audit(1527437094.206:61): apparmor="DENIED" 
operation="open" profile="thunderbird" name="/run/user/1000/xauth-1000-_0" 
pid=32689 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=1000
    [62712.747197] audit: type=1400 audit(1527437094.978:62): apparmor="DENIED" 
operation="open" profile="thunderbird" name="/run/user/1000/xauth-1000-_0" 
pid=32689 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=1000
    [62712.895221] audit: type=1400 audit(1527437095.126:63): apparmor="DENIED" 
operation="open" profile="thunderbird" name="/etc/xdg/mimeapps.list" pid=32689 
comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    [63310.628483] audit: type=1400 audit(1527437692.863:64): apparmor="DENIED" 
operation="mknod" profile="thunderbird" name="/run/user/1000/nsemail.eml" 
pid=32689 comm="thunderbird" requested_mask="c" denied_mask="c" fsuid=1000 
ouid=1000
    [63310.671468] audit: type=1400 audit(1527437692.907:65): apparmor="DENIED" 
operation="open" profile="thunderbird" name="/run/user/1000/xauth-1000-_0" 
pid=32689 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=1000

    $ env | grep /run/user
    TMPDIR=/run/user/1000/
    GPG_AGENT_INFO=/run/user/1000/gnupg/S.gpg-agent:0:1
    DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
    XDG_RUNTIME_DIR=/run/user/1000
    XAUTHORITY=/run/user/1000/xauth-1000-_0

I suspect because i explicitly set TMPDIR to XDG_RUNTIME_DIR (something that 
should be pretty normal, even better than using /tmp, IMHO), that AppArmor 
should allow for this.
(i'm not entirely sure that's the issue, but it seems likely)


Also, for general purposes...
I did choose to allow/use maintainer's version of AppArmor configuration in the 
recent update, however, i think you should respect the existing 
enforce/complain/disable state of the user's system, as i'd previously done:

    aa-complain /etc/apparmor.d/usr.bin.thunderbird 
    (which i am back to now in order to keep working)


thanks,
--stephen


-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.16.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages thunderbird depends on:
ii  debianutils               4.8.1.1
ii  fontconfig                2.11.0-6.7+b1
ii  libatk1.0-0               2.22.0-1
ii  libc6                     2.24-11+deb9u3
ii  libcairo-gobject2         1.14.8-1
ii  libcairo2                 1.14.8-1
ii  libdbus-1-3               1.10.26-0+deb9u1
ii  libdbus-glib-1-2          0.108-2
ii  libevent-2.0-5            2.0.21-stable-3
ii  libffi6                   3.2.1-6
ii  libfontconfig1            2.11.0-6.7+b1
ii  libfreetype6              2.6.3-3.2
ii  libgcc1                   1:6.3.0-18+deb9u1
ii  libgdk-pixbuf2.0-0        2.36.5-2+deb9u2
ii  libglib2.0-0              2.50.3-2
ii  libgtk-3-0                3.22.11-1
ii  libhunspell-1.4-0         1.4.1-2+b2
ii  libpango-1.0-0            1.40.5-1
ii  libpangocairo-1.0-0       1.40.5-1
ii  libpangoft2-1.0-0         1.40.5-1
ii  libpixman-1-0             0.34.0-1
ii  libstartup-notification0  0.12-4+b2
ii  libstdc++6                6.3.0-18+deb9u1
ii  libvpx4                   1.6.1-3+deb9u1
ii  libx11-6                  2:1.6.4-3
ii  libx11-xcb1               2:1.6.4-3
ii  libxcb-shm0               1.12-1
ii  libxcb1                   1.12-1
ii  libxcomposite1            1:0.4.4-2
ii  libxdamage1               1:1.1.4-2+b3
ii  libxext6                  2:1.3.3-1+b2
ii  libxfixes3                1:5.0.3-1
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1
ii  psmisc                    22.21-2.1+b2
ii  x11-utils                 7.7+3+b1
ii  zlib1g                    1:1.2.8.dfsg-5

Versions of packages thunderbird recommends:
ii  hunspell-en-us [hunspell-dictionary]  20070829-7
ii  lightning                             1:52.8.0-1~deb9u1

Versions of packages thunderbird suggests:
ii  apparmor          2.11.0-3+deb9u2
pn  fonts-lyx         <none>
ii  libgssapi-krb5-2  1.15-1+deb9u1

-- debconf-show failed