Bug#880425: thunderbird: logs spurious apparmor denial messages
Hi,

Carsten Schoenert:
> On 05.11.2017 at 10:45, intrigeri wrote:
> meeh, go ahead.
> Looks fine from the technical side. As long as you put in tagging and
> closing information so gbp can pick up the bug number later for
> preparing changelog I'm more than happy. As I see actions on the BTS
> nevertheless I will ask back in case I have further questions.

:)

> I'm really happy you take some responsibility on the apparmor profile, I
> will mostly not have the time to also look at those bug reports while
> keep up the packaging up to the current needing.

No problem.

> We still need to think about some automatic testing of Thunderbird
> packages together with some extensions. Otherwise we will always hit
> some issues while bringing new ESR versions into the security-update
> like happened with 52.0 and the enigmail extension. But this is another thing.

Indeed.

It was fine to ship the profile in enforce mode as long as it was only
affecting users who had voluntarily enabled AppArmor, but I suspect this
won't work with a broader userbase: Thunderbird is simply too popular for
us to be allowed to break it. And given how wide open the profile has to
be in order to work with a broad userbase (e.g. since we need to run
basically arbitrary apps to open attachments), it doesn't provide that
much security anyway. Frankly, it's the kind of apps for which Flatpak +
Portals would be much better suited than AppArmor. So if we see too many
issues and maintenance churn, let's disable the profile by default.

Cheers,
-- 
intrigeri
Bug#880425: thunderbird: logs spurious apparmor denial messages
Hello intrigeri,

On 05.11.2017 at 10:45, intrigeri wrote:
> Control: tag -1 + pending
>
> intrigeri:
>> Carsten, the updated profile lives there since upstream has moved
>> from bzr@Launchpad to Git@GitLab:
>> https://gitlab.com/apparmor/apparmor-profiles/blob/master/ubuntu/18.04/usr.bin.thunderbird
>
> Actually I now have write access to Vcs-Git so I've updated it myself:
> https://anonscm.debian.org/cgit/pkg-mozilla/thunderbird.git/commit/?id=d7febc8d0244c35f0e06c2132e68e1e8db6a549f
>
> :)
>
> Carsten, please let me know if I did something wrong, happy to adjust
> my workflow to suit yours better.

meeh, go ahead.
Looks fine from the technical side. As long as you put in tagging and
closing information so gbp can pick up the bug number later for
preparing changelog I'm more than happy. As I see actions on the BTS
nevertheless I will ask back in case I have further questions.

I'm really happy you take some responsibility on the apparmor profile, I
will mostly not have the time to also look at those bug reports while
keep up the packaging up to the current needing. Fighting with upstream
changes, preparing the packaging for three releases and timing some other
interests all with that together is sometimes not easy.

We still need to think about some automatic testing of Thunderbird
packages together with some extensions. Otherwise we will always hit
some issues while bringing new ESR versions into the security-update
like happened with 52.0 and the enigmail extension. But this is another thing.

-- 
Regards
Carsten Schoenert
Bug#880425: thunderbird: logs spurious apparmor denial messages
Control: tag -1 + pending

intrigeri:
> Carsten, the updated profile lives there since upstream has moved
> from bzr@Launchpad to Git@GitLab:
> https://gitlab.com/apparmor/apparmor-profiles/blob/master/ubuntu/18.04/usr.bin.thunderbird

Actually I now have write access to Vcs-Git so I've updated it myself:
https://anonscm.debian.org/cgit/pkg-mozilla/thunderbird.git/commit/?id=d7febc8d0244c35f0e06c2132e68e1e8db6a549f

:)

Carsten, please let me know if I did something wrong, happy to adjust
my workflow to suit yours better.

Cheers,
-- 
intrigeri
Bug#880425: thunderbird: logs spurious apparmor denial messages
Control: forwarded -1 https://code.launchpad.net/~sdeziel/apparmor-profiles/+git/apparmor-profiles/+merge/333081
Control: tag -1 + fixed-upstream

Simon Deziel:
> https://code.launchpad.net/~sdeziel/apparmor-profiles/+git/apparmor-profiles/+merge/333081

Thanks! This was reviewed and merged upstream.

Carsten, the updated profile lives there since upstream has moved
from bzr@Launchpad to Git@GitLab:
https://gitlab.com/apparmor/apparmor-profiles/blob/master/ubuntu/18.04/usr.bin.thunderbird

Cheers,
-- 
intrigeri
Bug#880425: thunderbird: logs spurious apparmor denial messages
On 2017-11-01 03:52 AM, intrigeri wrote:
> Hi,
>
> Simon Deziel:
>> On 2017-10-31 08:32 AM, Philipp Kern wrote:
>>> When I use Thunderbird I see a lot of these in the kernel log (probably
>>> whenever I look at a signed and/or encrypted email):
>>>
>>> [94784.485686] audit: type=1400 audit(1509453045.981:153):
>>> apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg"
>>> name="/usr/share/thunderbird/omni.ja" pid=4440 comm="gpg2"
>>> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>
> This means that Thunderbird has run gpg2 that inherited an open file
> descriptor to omni.ja (AppArmor now mediates such inherited file
> descriptors). But it does not imply that gpg2 has tried to access
> omni.ja whatsoever.
>
>>> I don't see an obvious degradation of the client. Even gpg-encrypted
>>> mails get handled correctly by Enigmail. But I suppose some kind of rule
>>> is missing to make the log lines go away?
>
> Indeed.
>
>> I'd be tempted to add a deny rule to silence it. Opinions?
>
> Yes, please :)

https://code.launchpad.net/~sdeziel/apparmor-profiles/+git/apparmor-profiles/+merge/333081

> You might need to add more than just the omni.ja rule, like I had to
> do for torbrowser-launcher:
> https://github.com/intrigeri/torbrowser-launcher/commit/d043788f590e8ff2da585e3512a0e596e7460ff8

There was already some overlap with other deny rules so I think we are
good for now at least.

Thanks

Regards,
Simon
Bug#880425: thunderbird: logs spurious apparmor denial messages
Hi,

Simon Deziel:
> On 2017-10-31 08:32 AM, Philipp Kern wrote:
>> When I use Thunderbird I see a lot of these in the kernel log (probably
>> whenever I look at a signed and/or encrypted email):
>>
>> [94784.485686] audit: type=1400 audit(1509453045.981:153):
>> apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg"
>> name="/usr/share/thunderbird/omni.ja" pid=4440 comm="gpg2"
>> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

This means that Thunderbird has run gpg2 that inherited an open file
descriptor to omni.ja (AppArmor now mediates such inherited file
descriptors). But it does not imply that gpg2 has tried to access
omni.ja whatsoever.

>> I don't see an obvious degradation of the client. Even gpg-encrypted
>> mails get handled correctly by Enigmail. But I suppose some kind of rule
>> is missing to make the log lines go away?

Indeed.

> I'd be tempted to add a deny rule to silence it. Opinions?

Yes, please :)

You might need to add more than just the omni.ja rule, like I had to
do for torbrowser-launcher:
https://github.com/intrigeri/torbrowser-launcher/commit/d043788f590e8ff2da585e3512a0e596e7460ff8

Cheers!
Bug#880425: thunderbird: logs spurious apparmor denial messages
On 2017-10-31 08:32 AM, Philipp Kern wrote:
> When I use Thunderbird I see a lot of these in the kernel log (probably
> whenever I look at a signed and/or encrypted email):
>
> [94784.485686] audit: type=1400 audit(1509453045.981:153):
> apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg"
> name="/usr/share/thunderbird/omni.ja" pid=4440 comm="gpg2"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>
> I don't see an obvious degradation of the client. Even gpg-encrypted
> mails get handled correctly by Enigmail. But I suppose some kind of rule
> is missing to make the log lines go away?

On Ubuntu, omni.ja is in /usr/lib/thunderbird and there is no symlink to
/usr/share/thunderbird. This is probably not relevant here though.

That said, I never encountered this denial myself. I don't see why gpg
would need to access this zip file inherited by the parent, so I'd be
tempted to add a deny rule to silence it. Opinions?

Regards,
Simon
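As an added illustration of the two points made in this thread (intrigeri's explanation that a `file_inherit` denial only records a descriptor inherited from the parent, not an access attempt by the child, and Simon's proposal to silence it with a `deny` rule), the following Python script is not code from the bug thread or from the thunderbird package. It parses kernel audit lines of the form reported above, separates inherited-descriptor denials from denials of direct access by the confined child, and renders the silent `deny` rule that would quiet each inherited-descriptor line. The first sample line is the one from the report; the other two are constructed to exercise the remaining branches.

```python
import re
from collections import Counter

# Constructed sample log: line 1 is the denial reported in this bug; lines 2 and 3
# are constructed to show a direct-access denial and a non-denial (complain-mode) entry.
SAMPLE_LOG = """\
[94784.485686] audit: type=1400 audit(1509453045.981:153): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/usr/share/thunderbird/omni.ja" pid=4440 comm="gpg2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[94790.100000] audit: type=1400 audit(1509453051.000:154): apparmor="DENIED" operation="open" profile="thunderbird//gpg" name="/home/user/Documents/notes.txt" pid=4441 comm="gpg2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[94791.000000] audit: type=1400 audit(1509453052.000:155): apparmor="ALLOWED" operation="open" profile="thunderbird" name="/etc/hosts" pid=4440 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict, or None for other lines."""
    if 'apparmor=' not in line:
        return None
    return {key: raw.strip('"') for key, raw in FIELD_RE.findall(line)}


def classify(fields):
    """Distinguish what a denial actually tells you.

    'inherited-fd': the child received an already-open descriptor from its parent;
                    AppArmor mediates the inheritance, but this is not evidence the
                    child ever read from it (intrigeri's point in this thread).
    'direct-access': the confined process itself asked for the file; worth investigating
                     before adding any rule.
    'not-a-denial': ALLOWED/AUDIT entries, e.g. from a profile in complain mode.
    """
    if fields.get('apparmor') != 'DENIED':
        return 'not-a-denial'
    if fields.get('operation') == 'file_inherit':
        return 'inherited-fd'
    return 'direct-access'


def suggest_deny_rule(fields):
    """Render the AppArmor profile rule that silences an inherited-fd denial.

    'deny' rules are not logged, which is why adding one makes the spurious
    line disappear without granting the child any new access.
    """
    return '  deny {} {},'.format(fields['name'], fields['denied_mask'])


def summarize(log_text):
    """Count entries per (profile, classification) and collect deny rules for inherited fds."""
    counts = Counter()
    rules = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if not fields:
            continue
        kind = classify(fields)
        counts[(fields.get('profile'), kind)] += 1
        if kind == 'inherited-fd':
            rule = suggest_deny_rule(fields)
            if rule not in rules:
                rules.append(rule)
    return counts, rules


if __name__ == '__main__':
    counts, rules = summarize(SAMPLE_LOG)
    for (profile, kind), n in sorted(counts.items()):
        print('{:<20} {:<15} {}'.format(profile, kind, n))
    print('\nRules to silence inherited-fd denials (profile fragment):')
    print('\n'.join(rules))
```

Run against `dmesg` or `journalctl -k` output, the script reports how many denials per profile are merely inherited descriptors versus real access requests, so the silent `deny` rule is only proposed for the former; direct-access denials are listed but deliberately get no rule, since those need a human decision.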
Bug#880425: thunderbird: logs spurious apparmor denial messages
Package: thunderbird
Version: 1:52.4.0-1

When I use Thunderbird I see a lot of these in the kernel log (probably
whenever I look at a signed and/or encrypted email):

[94784.485686] audit: type=1400 audit(1509453045.981:153):
apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg"
name="/usr/share/thunderbird/omni.ja" pid=4440 comm="gpg2"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I don't see an obvious degradation of the client. Even gpg-encrypted
mails get handled correctly by Enigmail. But I suppose some kind of rule
is missing to make the log lines go away?

Kind regards and thanks
Philipp Kern