Bug#886915: thunderbird: Thunderbird blocked by AppArmor without intervention

2018-06-08 Thread Magnus Danielson
Dear Maintainer and Mihail,


On Tue, 29 May 2018 11:39:07 +0200 Mihail Dakov wrote:
> Package: thunderbird
> Version: 1:52.8.0-1
> Followup-For: Bug #886915
> 
> Dear Maintainer,
> 
> Today starting thunderbird my DE froze and I could only move the mouse.
> alt+ctrl+f1 combination worked and I could only recover from the
> situation by restarting lightdm.service. I run daily upgrades
> with occasionally holding packages with bugs which prevents the package
> from being used.

This matches very well my experience. After upgrading both 4.15 and 4.16
kernels have the same issue, while 4.12 works nicely.

> Inspecting the journal logs I observed the following DENIED messages
> 
> May 29 11:13:59 host audit[13611]: AVC apparmor="DENIED" operation="open"
> profile="thunderbird"
> name="/sys/devices/pci:00/:00:02.0/subsystem_vendor" pid=13611
> comm="thunderbird" requested_mask="r"
> May 29 09:51:18 host kernel: audit: type=1400 audit(1527580278.534:97):
> apparmor="DENIED" operation="open" profile="thunderbird"
> name="/sys/devices/pci:00/:00:02.0/device" pid=8791
> comm="thunderbird"
> May 29 09:03:47 host kernel: audit: type=1400
> audit(1527577427.044:61): apparmor="DENIED" operation="open"
> profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor"
> pid=6377 comm="thunderbird"
> May 29 11:15:58 host kernel: audit: type=1400
> audit(1527585358.980:115): apparmor="DENIED" operation="open"
> profile="thunderbird"
> name="/sys/devices/pci:00/:00:02.0/subsystem_device" pid=14434
> comm="thunderbird"

I also found these lines in my log.

> hence adding the next lines 
> 
> /sys/devices/pci*/**/subsystem_vendor r,
> /sys/devices/pci*/**/vendor r,
> /sys/devices/pci*/**/device r,
> /sys/devices/pci*/**/subsystem_device r,
> 
> after
> 
> /sys/devices/pci*/**/config r,
> 
> in /etc/apparmor.d/usr.bin.thunderbird profile solves the issue.

I did exactly this and it completely resolved my issue.

Thank you Mihail for reporting this progress. I went from completely
freezing desktop to just plain working.

> Maybe it makes sense to add them to the profile as well.

I think it is very reasonable to do that. The earlier the better, so
fewer people suffer from this.

Cheers,
Magnus
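
An added example, not part of the thread or of the Debian package: a Python check that a set of proposed profile rules covers the denials seen in the journal before the profile is reloaded. The sample log is constructed (modelled on the thread's wrapped lines, with made-up sysfs paths), the glob translation covers only `*`, `**`, `?` and `{a,b}`, and all function names are this example's own.

```python
import re

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
TOKEN_RE = re.compile(r"\*\*|[*?{},]|[^*?{},]+")
GLOB = {"**": ".*", "*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")", ",": "|"}
LOG_TO_RULE = {"c": "w", "d": "w"}  # create/delete in logs are granted by "w"

def parse_denials(log_text):
    """Return one field dict per apparmor="DENIED" record; wrapped lines are fine."""
    flat = " ".join(log_text.split())  # undo the mail client's line wrapping
    records = []
    for chunk in flat.split('apparmor="DENIED"')[1:]:
        fields = {}
        for key, raw, quoted in FIELD_RE.findall(chunk):
            # First occurrence wins: a chunk's tail is the next record's prefix.
            fields.setdefault(key, quoted if raw.startswith('"') else raw)
        records.append(fields)
    return records

def aa_glob_to_regex(glob):
    """Handle *, **, ? and {a,b}; no [] classes or @{VAR}; commas only inside {}."""
    parts = (GLOB.get(tok) or re.escape(tok) for tok in TOKEN_RE.findall(glob))
    return re.compile("".join(parts) + r"\Z")

def parse_rule(line):
    """Split a plain 'path perms,' allow rule; a '-> target' suffix is dropped."""
    path, perms = line.strip().rstrip(",").split("->")[0].split()
    return aa_glob_to_regex(path), perms

def uncovered(denials, rule_lines):
    """Return (operation, name, mask) for each denial no listed rule would allow."""
    rules = [parse_rule(line) for line in rule_lines]
    missing = []
    for d in denials:
        mask = d.get("denied_mask") or d.get("requested_mask", "")
        need = {LOG_TO_RULE.get(m, m) for m in mask}
        hits = [perms for regex, perms in rules if regex.match(d["name"])]
        # A record whose mask was cut off still needs at least one matching rule.
        if not hits or not need <= set("".join(hits)):
            missing.append((d["operation"], d["name"], mask))
    return missing

# Constructed sample modelled on the log lines in the thread (sysfs paths made up).
SAMPLE_LOG = """
May 29 11:13:59 host audit[13611]: AVC apparmor="DENIED" operation="open"
profile="thunderbird" name="/sys/devices/pci0000:00/0000:00:02.0/vendor"
pid=13611 comm="thunderbird" requested_mask="r"
May 29 11:15:58 host kernel: audit: type=1400 audit(1527585358.980:115):
apparmor="DENIED" operation="open" profile="thunderbird"
name="/sys/devices/pci0000:00/0000:00:02.0/subsystem_device" pid=14434
Jan 11 10:47:46 host kernel: audit: type=1400 audit(1515664066.510:296):
apparmor="DENIED" operation="exec" profile="thunderbird"
name="/usr/bin/acroread" pid=12815 requested_mask="x" denied_mask="x"
Jan 11 09:06:18 host kernel: audit: type=1400 audit(1515657978.983:140):
apparmor="DENIED" operation="mkdir" profile="thunderbird"
name="/home/nab.nv/" pid=534 requested_mask="c" denied_mask="c"
"""

# The rules proposed in the thread, plus the acroread rule in its PUxr form.
RULES = [
    "/sys/devices/pci*/**/config r,", "/sys/devices/pci*/**/subsystem_vendor r,",
    "/sys/devices/pci*/**/vendor r,", "/sys/devices/pci*/**/device r,",
    "/sys/devices/pci*/**/subsystem_device r,", "/usr/bin/acroread PUxr,",
]
```

Calling `uncovered(parse_denials(SAMPLE_LOG), RULES)` leaves only the `mkdir` denial, which none of the rules proposed in the thread address.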



Bug#886915: thunderbird: Thunderbird blocked by AppArmor without intervention

2018-05-29 Thread Mihail Dakov
Package: thunderbird
Version: 1:52.8.0-1
Followup-For: Bug #886915

Dear Maintainer,

Today starting thunderbird my DE froze and I could only move the mouse.
alt+ctrl+f1 combination worked and I could only recover from the
situation by restarting lightdm.service. I run daily upgrades
with occasionally holding packages with bugs which prevents the package
from being used.

Inspecting the journal logs I observed the following DENIED messages

May 29 11:13:59 host audit[13611]: AVC apparmor="DENIED" operation="open"
profile="thunderbird"
name="/sys/devices/pci:00/:00:02.0/subsystem_vendor" pid=13611
comm="thunderbird" requested_mask="r"
May 29 09:51:18 host kernel: audit: type=1400 audit(1527580278.534:97):
apparmor="DENIED" operation="open" profile="thunderbird"
name="/sys/devices/pci:00/:00:02.0/device" pid=8791
comm="thunderbird"
May 29 09:03:47 host kernel: audit: type=1400
audit(1527577427.044:61): apparmor="DENIED" operation="open"
profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor"
pid=6377 comm="thunderbird"
May 29 11:15:58 host kernel: audit: type=1400
audit(1527585358.980:115): apparmor="DENIED" operation="open"
profile="thunderbird"
name="/sys/devices/pci:00/:00:02.0/subsystem_device" pid=14434
comm="thunderbird"

hence adding the next lines 

/sys/devices/pci*/**/subsystem_vendor r,
/sys/devices/pci*/**/vendor r,
/sys/devices/pci*/**/device r,
/sys/devices/pci*/**/subsystem_device r,

after

/sys/devices/pci*/**/config r,

in /etc/apparmor.d/usr.bin.thunderbird profile solves the issue.

Maybe it makes sense to add them to the profile as well.

lspci -v -s ":00:02.0"
00:02.0 VGA compatible controller: Intel Corporation HD Graphics 5500 (rev 09) 
(prog-if 00 [VGA controller])
Subsystem: HD Graphics 5500
Flags: bus master, fast devsel, latency 0, IRQ 51
Memory at f600 (64-bit, non-prefetchable) [size=16M]
Memory at e000 (64-bit, prefetchable) [size=256M]
I/O ports at f000 [size=64]
[virtual] Expansion ROM at 000c [disabled] [size=128K]
Capabilities: [90] MSI: Enable+ Count=1/1 Maskable- 64bit-
Capabilities: [d0] Power Management version 2
Capabilities: [a4] PCI Advanced Features
Kernel driver in use: i915
Kernel modules: i915

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (999, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:en 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages thunderbird depends on:
ii  debianutils               4.8.6
ii  fontconfig                2.13.0-5
ii  libatk1.0-0               2.28.1-1
ii  libc6                     2.27-3
ii  libcairo-gobject2         1.15.10-3
ii  libcairo2                 1.15.10-3
ii  libdbus-1-3               1.12.8-2
ii  libdbus-glib-1-2          0.110-2
ii  libevent-2.1-6            2.1.8-stable-4
ii  libffi6                   3.2.1-8
ii  libfontconfig1            2.13.0-5
ii  libfreetype6              2.8.1-2
ii  libfribidi0               0.19.7-2
ii  libgcc1                   1:8.1.0-3
ii  libgdk-pixbuf2.0-0        2.36.11-2
ii  libglib2.0-0              2.56.1-2
ii  libgtk-3-0                3.22.30-1
ii  libhunspell-1.6-0         1.6.2-1+b1
ii  libpango-1.0-0            1.42.1-1
ii  libpangocairo-1.0-0       1.42.1-1
ii  libpangoft2-1.0-0         1.42.1-1
ii  libpixman-1-0             0.34.0-2
ii  libstartup-notification0  0.12-5
ii  libstdc++6                8.1.0-3
ii  libvpx5                   1.7.0-3
ii  libx11-6                  2:1.6.5-1
ii  libx11-xcb1               2:1.6.5-1
ii  libxcb-shm0               1.13-1
ii  libxcb1                   1.13-1
ii  libxcomposite1            1:0.4.4-2
ii  libxdamage1               1:1.1.4-3
ii  libxext6                  2:1.3.3-1+b2
ii  libxfixes3                1:5.0.3-1
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1
ii  psmisc                    23.1-1+b1
ii  x11-utils                 7.7+4
ii  zlib1g                    1:1.2.11.dfsg-1

Versions of packages thunderbird recommends:
ii  hunspell-en-us [hunspell-dictionary]  1:2018.04.16-1
ii  lightning 1:52.8.0-1

Versions of packages thunderbird suggests:
ii  apparmor  2.12-4
pn  fonts-lyx 
ii  libgssapi-krb5-2  1.15.2-2

-- Configuration Files:
/etc/apparmor.d/usr.bin.thunderbird changed:
@{MOZ_LIBDIR}=/usr/lib/thunderbird
@{thunderbird_executable} = /usr/lib/thunderbird/thunderbird{,-bin}
profile thunderbird @{thunderbird_executable} {
  #include 
  #include 
  #include 
  # TODO: finetune this for required accesses
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  

Bug#886915: thunderbird: Thunderbird blocked by AppArmor without intervention.

2018-01-11 Thread Simon Deziel
On 2018-01-11 03:19 PM, Carsten Schoenert wrote:
> You can try to add a line for the Acrobat Reader into the profile. But
> this is a blind shot from me, acroread will probably request further
> files.

I think you shot the target ;)

> diff --git a/debian/apparmor/usr.bin.thunderbird 
> b/debian/apparmor/usr.bin.thunderbird
> index d1f4098c75..6744f4e058 100644
> --- a/debian/apparmor/usr.bin.thunderbird
> +++ b/debian/apparmor/usr.bin.thunderbird
> @@ -198,6 +198,8 @@ profile thunderbird @{thunderbird_executable} {
>/{usr/,}bin/ps Uxr,
>/{usr/,}bin/uname Uxr,
>/usr/bin/locale Uxr,
> +  # may work for Adobe Acrobat
> +  /usr/bin/acroread Uxr,
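
Review bot: the comment on the added line, `# may work for Adobe Acrobat`, does not say which denial the rule answers. Naming the `operation="exec"` denial for `/usr/bin/acroread` from the report, or the bug number, would let a later maintainer judge whether the rule is still needed.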

Generally, it is better to use "PUxr" instead of "Uxr". The former will
allow a transition to acroread's dedicated profile if it exists or run
uncontained otherwise.

Regards,
Simon





Bug#886915: thunderbird: Thunderbird blocked by AppArmor without intervention.

2018-01-11 Thread Carsten Schoenert
control: clone -1
control: retitle -1 AppArmor: profile doesn't allow to access Acrobat Reader
control: tags -1 user thunderb...@packages.debian.org
control: usertags -1 tb-apparmor

Hello Francois

On Thu, Jan 11, 2018 at 08:29:50PM +0100, Francois Mescam wrote:
...
> > > In the log when I try to open a pdf I have this message :
> > > 
> > > Jan 11 10:47:46 eiffel6 kernel: [40296.963168] audit: type=1400
> > > audit(1515664066.510:296): apparmor="DENIED" operation="exec"
> > > profile="thunderbird" name="/usr/bin/acroread" pid=12815 
> > > comm="thunderbird"
> > > requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> > > 
> > > After I do
> > > 
> > > aa-disable /etc/apparmor.d/usr.bin.thunderbird
> > > 
> > > acroread is launched correctly.
> > > 
> > > I observe this problem on a laptop running debian testing up to date.
> > you don't have written which version you use, testing has 52.4.0-1
> > unstable is on 52.5.2-2 and especially the apparmor stuff has changed
> > significantly between both versions.
> I use version 52.4.0-1

then your added information isn't really relevant for the reported
issue as the profile currently seems to not allow the usage of
/usr/bin/acroread. I cloned the report into a new issue to track this
separately.
You can try to add a line for the Acrobat Reader into the profile. But
this is a blind shot from me, acroread will probably request further
files.

diff --git a/debian/apparmor/usr.bin.thunderbird 
b/debian/apparmor/usr.bin.thunderbird
index d1f4098c75..6744f4e058 100644
--- a/debian/apparmor/usr.bin.thunderbird
+++ b/debian/apparmor/usr.bin.thunderbird
@@ -198,6 +198,8 @@ profile thunderbird @{thunderbird_executable} {
   /{usr/,}bin/ps Uxr,
   /{usr/,}bin/uname Uxr,
   /usr/bin/locale Uxr,
+  # may work for Adobe Acrobat
+  /usr/bin/acroread Uxr,

   /usr/bin/gpg   Cx -> gpg,
   /usr/bin/gpg2  Cx -> gpg,
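
Review bot: the new `/usr/bin/acroread Uxr,` rule starts the PDF viewer with no confinement at all, while the `gpg` rules two lines further down use `Cx -> gpg` to keep the helper inside a child profile. Since acroread is launched on mail attachments, consider `PUxr` so that an installed acroread profile is applied, or a child profile in the style of the gpg one.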

Regards
Carsten



Bug#886915: thunderbird: Thunderbird blocked by AppArmor without intervention.

2018-01-11 Thread Francois Mescam

On 11/01/2018 13:10, Carsten Schoenert wrote:
> Hello Francois,
>
> On Thu, Jan 11, 2018 at 10:59:15AM +0100, Francois Mescam wrote:
> > Dear Maintainer,
> >
> > Some complementary information about this bug.
> >
> > Since some month opening attached file in thunderbird does not work anymore.
> >
> > In the log when I try to open a pdf I have this message :
> >
> > Jan 11 10:47:46 eiffel6 kernel: [40296.963168] audit: type=1400
> > audit(1515664066.510:296): apparmor="DENIED" operation="exec"
> > profile="thunderbird" name="/usr/bin/acroread" pid=12815 comm="thunderbird"
> > requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> >
> > After I do
> >
> > aa-disable /etc/apparmor.d/usr.bin.thunderbird
> >
> > acroread is launched correctly.
> >
> > I observe this problem on a laptop running debian testing up to date.
>
> you don't have written which version you use, testing has 52.4.0-1
> unstable is on 52.5.2-2 and especially the apparmor stuff has changed
> significantly between both versions.

I use version 52.4.0-1

> Regards
> Carsten



--
 Francois Mescam



Bug#886915: thunderbird: Thunderbird blocked by AppArmor without intervention.

2018-01-11 Thread Carsten Schoenert
Hello Francois,

On Thu, Jan 11, 2018 at 10:59:15AM +0100, Francois Mescam wrote:
> Dear Maintainer,
> 
> Some complementary information about this bug.
> 
> Since some month opening attached file in thunderbird does not work anymore.
> 
> In the log when I try to open a pdf I have this message :
> 
> Jan 11 10:47:46 eiffel6 kernel: [40296.963168] audit: type=1400
> audit(1515664066.510:296): apparmor="DENIED" operation="exec"
> profile="thunderbird" name="/usr/bin/acroread" pid=12815 comm="thunderbird"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> 
> After I do
> 
> aa-disable /etc/apparmor.d/usr.bin.thunderbird
> 
> acroread is launched correctly.
> 
> I observe this problem on a laptop running debian testing up to date.

you don't have written which version you use, testing has 52.4.0-1
unstable is on 52.5.2-2 and especially the apparmor stuff has changed
significantly between both versions.

Regards
Carsten



Bug#886915: thunderbird: Thunderbird blocked by AppArmor without intervention.

2018-01-11 Thread Carsten Schoenert
Hello Urs,

On Thu, Jan 11, 2018 at 10:11:07AM +0100, Urs Schroffenegger wrote:
... 
> Took me a while to figure out what was going on. I found some people
> mentioning Apparmor while searching the web and in /var/log/syslog, I found
> that:
> 
> 
> Jan 11 09:06:18 flare kernel: [60207.044643] audit: type=1400
> audit(1515657978.983:138): apparmor="DENIED" operation="file_mmap"
> profile="thunderbird" name="/tmp/.glXWcTtR" pid=534 comm="thunderbird"
> requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
> Jan 11 09:06:18 flare kernel: [60207.044646] audit: type=1400
> audit(1515657978.983:139): apparmor="DENIED" operation="file_mmap"
> profile="thunderbird" name="/tmp/.glXWcTtR" pid=534 comm="thunderbird"
> requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
> Jan 11 09:06:18 flare kernel: [60207.044657] audit: type=1400
> audit(1515657978.983:140): apparmor="DENIED" operation="mkdir"
> profile="thunderbird" name="/home/nab.nv/" pid=534 comm="thunderbird"
> requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

with version 1:52.5.0-1 the AppArmor profile was disabled as default.
The upload of 1:52.5.2-2 has fixed an issue where users which had
re-enabled the AppArmor profile didn't get this disabled on an update
again. So the update to 1:52.5.2-2 didn't disable your active
profile I guess.

Why you have an active profile before the update I don't know.

> Disabling the AppArmor profile for thunderbird fixed the bug:
> 
> $ sudo aa-disable /etc/apparmor.d/usr.bin.thunderbird

No, not really, it's a needed workaround for now to prevent unneeded
user regressions.

> I don't really know about apparmor and didn't change any of its
> configurations, I think it came with recommendation.
> 
> Looking at various bugs, it seems like the profile shouldn't be active.
> 
> I don't have the /etc/apparmor.d/disable/usr.bin.thunderbird mentioned in
> README.apparmor.

As written, I don't know why you don't get the symlink there. You would
need to go through the various entries in the logfiles for apt/dpkg to
maybe something more and useful.

> I update regularly (couple of times a week), but don't restart too often, I
> usually put the machine to sleep. And don't restart thunderbird often either,
> in that case. So I don't know exactly when the change that provoked this
> appeared. But I think I did restart since the last thunderbird updates (26
> dec). And restarted yesterday, and the issue appeared.

It's not only Thunderbird itself here, there is the kernel involved and
also apparmor too. And I've seen various constellations and effects
which I personally can't readjust.

> So it looks there is an issue with the apparmor profile and with the way the
> disabling and enabling of it happens. I have a fairly big .thunderbird (about
> 8GB), maybe that also started it. Mentioning this because it seems to try to
> mmap something.

Well, without tracing down which component (apparmor, apparmor
triggering like enable/disable/reload) it's impossible to fix something.
So for me this report isn't very useful. There are some other reports as
well which showing some specific problems which happen while apparmor is
running and that are needed to be solved.
The real solution isn't the disabling of the apparmor profile. As far as I
see your log from above your issue is #882487.

https://wiki.debian.org/Thunderbird#AppArmor_profile
https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=tb-apparmor;users=thunderb...@packages.debian.org

Regards
Carsten



Bug#886915: thunderbird: Thunderbird blocked by AppArmor without intervention.

2018-01-11 Thread Francois Mescam

Dear Maintainer,

Some complementary information about this bug.

Since some month opening attached file in thunderbird does not work anymore.

In the log when I try to open a pdf I have this message :

Jan 11 10:47:46 eiffel6 kernel: [40296.963168] audit: type=1400 
audit(1515664066.510:296): apparmor="DENIED" operation="exec" 
profile="thunderbird" name="/usr/bin/acroread" pid=12815 
comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0


After I do

aa-disable /etc/apparmor.d/usr.bin.thunderbird

acroread is launched correctly.

I observe this problem on a laptop running debian testing up to date.


With my best regards

--
 Francois Mescam



Bug#886915: thunderbird: Thunderbird blocked by AppArmor without intervention.

2018-01-11 Thread Urs Schroffenegger
Package: thunderbird
Version: 1:52.5.2-2
Severity: important

Dear Maintainer,

Trying to start thunderbird fails silently. Starting from the console shows
this:

ExceptionHandler::GenerateDump cloned child 1829
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
ExceptionHandler::WaitForContinueSignal waiting for continue signal...

Took me a while to figure out what was going on. I found some people
mentioning Apparmor while searching the web and in /var/log/syslog, I found
that:


Jan 11 09:06:18 flare kernel: [60207.044643] audit: type=1400
audit(1515657978.983:138): apparmor="DENIED" operation="file_mmap"
profile="thunderbird" name="/tmp/.glXWcTtR" pid=534 comm="thunderbird"
requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jan 11 09:06:18 flare kernel: [60207.044646] audit: type=1400
audit(1515657978.983:139): apparmor="DENIED" operation="file_mmap"
profile="thunderbird" name="/tmp/.glXWcTtR" pid=534 comm="thunderbird"
requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jan 11 09:06:18 flare kernel: [60207.044657] audit: type=1400
audit(1515657978.983:140): apparmor="DENIED" operation="mkdir"
profile="thunderbird" name="/home/nab.nv/" pid=534 comm="thunderbird"
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Disabling the AppArmor profile for thunderbird fixed the bug:

$ sudo aa-disable /etc/apparmor.d/usr.bin.thunderbird

I don't really know about apparmor and didn't change any of its
configurations, I think it came with recommendation.

Looking at various bugs, it seems like the profile shouldn't be active.

I don't have the /etc/apparmor.d/disable/usr.bin.thunderbird mentioned in
README.apparmor.

I update regularly (couple of times a week), but don't restart too often, I
usually put the machine to sleep. And don't restart thunderbird often either,
in that case. So I don't know exactly when the change that provoked this
appeared. But I think I did restart since the last thunderbird updates (26
dec). And restarted yesterday, and the issue appeared.

So it looks there is an issue with the apparmor profile and with the way the
disabling and enabling of it happens. I have a fairly big .thunderbird (about
8GB), maybe that also started it. Mentioning this because it seems to try to
mmap something.

Tell me if you need additional information or if there is something I should
try.

Urs



-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages thunderbird depends on:
ii  debianutils               4.8.4
ii  fontconfig                2.12.6-0.1
ii  libatk1.0-0               2.26.1-2
ii  libc6                     2.26-2
ii  libcairo-gobject2         1.15.8-3
ii  libcairo2                 1.15.8-3
ii  libdbus-1-3               1.12.2-1
ii  libdbus-glib-1-2          0.108-3
ii  libevent-2.1-6            2.1.8-stable-4
ii  libffi6                   3.2.1-8
ii  libfontconfig1            2.12.6-0.1
ii  libfreetype6              2.8.1-1
ii  libgcc1                   1:7.2.0-19
ii  libgdk-pixbuf2.0-0        2.36.11-1
ii  libglib2.0-0              2.54.3-1
ii  libgtk-3-0                3.22.26-2
ii  libhunspell-1.6-0         1.6.2-1
ii  libpango-1.0-0            1.40.14-1
ii  libpangocairo-1.0-0       1.40.14-1
ii  libpangoft2-1.0-0         1.40.14-1
ii  libpixman-1-0             0.34.0-2
ii  libstartup-notification0  0.12-5
ii  libstdc++6                7.2.0-19
ii  libvpx4                   1.6.1-3
ii  libx11-6                  2:1.6.4-3
ii  libx11-xcb1               2:1.6.4-3
ii  libxcb-shm0               1.12-1
ii  libxcb1                   1.12-1
ii  libxcomposite1            1:0.4.4-2
ii  libxdamage1               1:1.1.4-3
ii  libxext6                  2:1.3.3-1+b2
ii  libxfixes3                1:5.0.3-1
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1
ii  psmisc                    23.1-1
ii  x11-utils                 7.7+3+b1
ii  zlib1g                    1:1.2.8.dfsg-5

Versions of packages thunderbird recommends:
ii  hunspell-de-de [hunspell-dictionary]  20161207-3
ii  hunspell-en-gb [hunspell-dictionary]  1:6.0.0~rc1-1
ii  hunspell-en-us [hunspell-dictionary]  1:2017.08.24
ii  lightning 1:52.5.2-2
ii  myspell-fr [myspell-dictionary]   1.4-27

Versions of packages thunderbird suggests:
ii  apparmor  2.11.1-4
ii  fonts-lyx 2.2.3-2
ii  libgssapi-krb5-2  1.15.2-2

-- no debconf information