Bug#880424: thunderbird: apparmor should allow the execution of the configured browser

2017-12-06 Thread nyheter
I have the same problem with opening links in Vivaldi (1.13.1008.34 
(Stable channel) (64-bit)) via Thunderbird (52.4.0 (64-bit)).


$uname -a
Linux sun 4.13.0-1-amd64 #1 SMP Debian 4.13.13-1 (2017-11-16) x86_64 
GNU/Linux.


Vivaldi is set systemwide as my preferred browser. Thunderbird has it as 
the preferred action to open http/https links with my standard browser. 
I've also tried with the path to the browser (/opt/vivaldi/vivaldi) in 
the config of Thunderbird, but it didn't work.


I've checked with

$tail -f /var/log/messages:
Dec 6 09:19:09 sun kernel: [17764.341411] audit: type=1400 
audit(1512548349.389:549): apparmor="DENIED" operation="exec" 
profile="thunderbird" name="/opt/vivaldi/vivaldi" pid=10791 
comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0


This comes up when I click on links in Thunderbird to open them with Vivaldi.

When I change my standard browser i.e. to Chrome or Firefox, it works. 
It is possible to open links in mails with my standard browser. When I 
go back to Vivaldi as my standard browser the apparmor message comes up 
and it is not possible to open links in mails.



When I boot my system with Kernel 4.12 it works normally

$uname -a
Linux sun 4.12.0-2-amd64 #1 SMP Debian 4.12.13-1 (2017-09-19) x86_64 
GNU/Linux


regards
Michael


Bug#880424: thunderbird: apparmor should allow the execution of the configured browser

2017-11-25 Thread intrigeri
Control: severity -1 minor

Once the AppArmor profile for Thunderbird is disabled by default
(#882672), this bug will only affect users who opt-in.



Bug#880424: thunderbird: apparmor should allow the execution of the configured browser

2017-11-05 Thread intrigeri
Control: forwarded -1 https://bugs.launchpad.net/apparmor/+bug/1730220
Control: clone -1 -2
Control: retitle -2 thunderbird: apparmor should allow the execution of 
google-chrome-beta

Hi Philipp,

first of all, thanks for your report; I particularly appreciate that
you've put quite some thought into the problem and its various
potential long-term solutions :)

Philipp Kern:
> I turned on AppArmor and Thunderbird stopped opening links for me. dmesg
> has the following denial message:

>  [ 3795.153239] audit: type=1400 audit(1509283418.100:64):
>  apparmor="DENIED" operation="exec" profile="thunderbird"
>  name="/opt/google/chrome-beta/google-chrome-beta" pid=31896
>  comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

I'm cloning a dedicated bug for this specific problem: it can
trivially be fixed without blocking on a solution to the general one.

> I think there needs to be some kind of defined way for browsers to be
> allowed to be executed.

I agree, see below.

> Literally the only browser Thunderbird should be able to execute is the
> one configured as the default, not some set of ancient and potentially
> exploitable other browsers (like some compiled against old webkit
> versions), looking at the current list in the abstraction.

I agree this would be ideal but:

 - While dynamic generation of ad-hoc strict AppArmor profiles is
   doable for services that run as root (e.g. that's what libvirt
   does), I'm not aware of any existing solution for non-root apps,
   and it looks like it would require lots of work, so let's not count
   on it.

 - I think this is better solved by a broker design i.e. the sandboxed
   app asks some privileged helper, outside the sandbox, to open
   a URL. This is certainly doable with AppArmor (iirc Ubuntu Phone
   and snaps have something like this) but I doubt it'll be nicely
   integrated soon and it requires the app to cooperate so that's not
   something we'll get in Thunderbird on the short term (see Simon's
   post on debian-devel@ about how it can be done for modern GTK/Glib
   apps).

 - Arguably it's the distro's responsibility to avoid shipping/leaving
   exploitable browsers around on users' systems.

> I suppose one way would be to always launch some kind of
> sensible-browser binary and let that call out to the default browser
> only.

Indeed, if Thunderbird was using xdg-open, sensible-browsers and
similar it would be much easier to come up with an AppArmor policy
that's better both in terms of security and UX. When working on this
1-2 years ago Ulrike noticed this isn't the case. I haven't checked
recently though. If we can't find a simpler solution I'm open to
checking with Mozilla why they do it their way.

> Another way would be to let browser packages ship a file that allows
> their execution and then the installed ones are automatically available
> to Thunderbird (or another browser-spawning program). In this case
> Chrome would need to start shipping such a file.

I think we can totally do this: the #include directive can take
a directory (e.g. something.d) as an argument so for example
abstractions/ubuntu-browsers could include a .d directory where each
browser (e.g. google-chrome-beta) could drop its snippet.

Given the above, this is likely the only solution that would be
flexible enough for your needs, while being doable on the short term
without major changes.

I've started a discussion about this upstream:
https://bugs.launchpad.net/apparmor/+bug/1730220

Cheers,
-- 
intrigeri
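
An added example, not part of any message in this thread: a sketch of how the exec denials quoted here could be turned into candidate lines for a drop-in snippet of the kind discussed above. The rule form is copied from the abstraction line quoted in the original report and assumes the profile includes the abstraction that defines `sanitized_helper`; the function names and the fourth log record are constructed for illustration.

```python
import re

# Constructed sample: the three denials quoted in this thread, re-joined onto
# single lines, plus one invented record for a user-owned binary (ouid=1000).
_REC = ('audit: type=1400 audit(0.0:1): apparmor="DENIED" operation="exec" '
        'profile="thunderbird" name="{}" pid=1 comm="thunderbird" '
        'requested_mask="x" denied_mask="x" fsuid=1000 ouid={}')
SAMPLE_LOG = "\n".join([
    _REC.format("/opt/vivaldi/vivaldi", 0),
    _REC.format("/opt/google/chrome-beta/google-chrome-beta", 0),
    _REC.format("/usr/bin/gobby-0.5", 0),
    _REC.format("/home/user/bin/browser", 1000),   # constructed, not from the thread
])

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PLAIN_PATH = re.compile(r"/[\w./+-]+")  # no spaces or glob characters

def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw in KV.findall(line):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif key in ("name", "profile", "comm"):
            # Unquoted string fields are hex-encoded by the audit layer.
            try:
                fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
            except ValueError:
                fields[key] = raw
        else:
            fields[key] = raw
    return fields

def suggest_rules(log_text, profile="thunderbird"):
    """Split exec denials for `profile` into candidate rules and paths to review."""
    rules, review = [], []
    for line in log_text.splitlines():
        d = parse_denial(line)
        if not d or d.get("operation") != "exec" or d.get("profile") != profile:
            continue
        path = d.get("name", "")
        # ouid is the owner of the denied file: only root-owned, plainly named
        # executables get a rule; anything else is left for a human to look at.
        if d.get("ouid") == "0" and PLAIN_PATH.fullmatch(path):
            rule = f"{path} Cx -> sanitized_helper,"
            if rule not in rules:
                rules.append(rule)
        elif path not in review:
            review.append(path)
    return rules, review
```

The candidate lines are meant to be read and pruned before they go into a snippet; a path under a user-writable directory ends up in the review list rather than in the rules.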



Bug#880424: thunderbird: apparmor should allow the execution of the configured browser

2017-11-01 Thread intrigeri
Hi,

Philipp Kern:
> Note that this extends to generic URL handlers as well:

> [95946.493507] audit: type=1400 audit(1509454207.986:185):
> apparmor="DENIED" operation="exec" profile="thunderbird"
> name="/usr/bin/gobby-0.5" pid=6205 comm="thunderbird" requested_mask="x"
> denied_mask="x" fsuid=1000 ouid=0

> (From an infinote:// URL in an email.)

I think this is (technically, not in terms of UX) closer to #855346
which is fixed in the Vcs-Git already:
https://anonscm.debian.org/cgit/pkg-mozilla/thunderbird.git/tree/debian/apparmor/usr.bin.thunderbird

Cheers,
-- 
intrigeri



Bug#880424: thunderbird: apparmor should allow the execution of the configured browser

2017-10-31 Thread Philipp Kern
On 10/31/2017 01:30 PM, Philipp Kern wrote:
> I turned on AppArmor and Thunderbird stopped opening links for me. dmesg
> has the following denial message:
> 
>  [ 3795.153239] audit: type=1400 audit(1509283418.100:64):
>  apparmor="DENIED" operation="exec" profile="thunderbird"
>  name="/opt/google/chrome-beta/google-chrome-beta" pid=31896
>  comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> 
> I think there needs to be some kind of defined way for browsers to be
> allowed to be executed. I understand that I use a browser that is not in
> the distribution, which makes this even more important. In this case the
> browser is literally set as the xdg default:
[...]

Note that this extends to generic URL handlers as well:

[95946.493507] audit: type=1400 audit(1509454207.986:185):
apparmor="DENIED" operation="exec" profile="thunderbird"
name="/usr/bin/gobby-0.5" pid=6205 comm="thunderbird" requested_mask="x"
denied_mask="x" fsuid=1000 ouid=0

(From an infinote:// URL in an email.)

And I'd be surprised if Thunderbird were the only application with this
problem.

Kind regards
Philipp Kern





Bug#880424: thunderbird: apparmor should allow the execution of the configured browser

2017-10-31 Thread Philipp Kern
Package: thunderbird
Version: 1:52.4.0-1

I turned on AppArmor and Thunderbird stopped opening links for me. dmesg
has the following denial message:

 [ 3795.153239] audit: type=1400 audit(1509283418.100:64):
 apparmor="DENIED" operation="exec" profile="thunderbird"
 name="/opt/google/chrome-beta/google-chrome-beta" pid=31896
 comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

I think there needs to be some kind of defined way for browsers to be
allowed to be executed. I understand that I use a browser that is not in
the distribution, which makes this even more important. In this case the
browser is literally set as the xdg default:

 $ xdg-settings get default-web-browser
 google-chrome-beta.desktop

/etc/apparmor.d/abstractions/ubuntu-browsers includes the regular
google-chrome:

  /opt/google/chrome/google-chrome Cx -> sanitized_helper,

Literally the only browser Thunderbird should be able to execute is the
one configured as the default, not some set of ancient and potentially
exploitable other browsers (like some compiled against old webkit
versions), looking at the current list in the abstraction.

I suppose one way would be to always launch some kind of
sensible-browser binary and let that call out to the default browser
only. Which might be what sanitized_helper is already trying to
accomplish. Except that the abstraction leaks into the... abstraction. :)

Another way would be to let browser packages ship a file that allows
their execution and then the installed ones are automatically available
to Thunderbird (or another browser-spawning program). In this case
Chrome would need to start shipping such a file.

Kind regards and thanks
Philipp Kern


