Bug#900210: thunderbird: Thunderbird AppArmor config disables ability to send entirely

2018-07-24 Thread intrigeri
Control: retitle -1 Thunderbird AppArmor config breaks stuff with custom $TMPDIR
Control: severity -1 minor

(Retitling to clarify which condition is needed to trigger the bug,
downgrading severity as this AppArmor profile is disabled by default.)



Bug#900210: thunderbird: Thunderbird AppArmor config disables ability to send entirely

2018-05-31 Thread Vincas Dargis

I've reproduced it.

This is yet another sign of how we need to use more variables in AppArmor, and 
it needs to be fixed not only for Thunderbird, as a $TMPDIR change will 
affect other confined applications too.


I'll continue the discussion on the AppArmor mailing list to see how to approach 
it better.


P.S. Also, waiting for AppArmor 2.13 in Debian ;)



Bug#900210: thunderbird: Thunderbird AppArmor config disables ability to send entirely

2018-05-29 Thread Vincas Dargis

On 5/28/18 11:01 PM, Carsten Schoenert wrote:

> Hello intri, hello Vincas,
> 
> this looks like something you guys should have a look at please. Thanks!


I'll take a look into this.



Bug#900210: thunderbird: Thunderbird AppArmor config disables ability to send entirely

2018-05-28 Thread Carsten Schoenert
Hello intri, hello Vincas,

this looks like something you guys should have a look at please. Thanks!

@intrigeri
The uploads of TB 52.8.0 to stretch- and jessie-security did have
cherry-picked your reverted commit c33dba2f from unstable so the issue
of the user is not related to this modification I guess.

On 27.05.2018 at 18:54, Stephen Dowdy wrote:
> Package: thunderbird
> Version: 1:52.8.0-1~deb9u1
> Severity: important
> 
> 
> Attempting to send e-mail results in a popup:
> 
> [ Send Message Error ]
> Sending of the message failed.
> 
> 
> # aa-status --enabled  && echo "AppArmor Enabled"
> AppArmor Enabled
> 
> # aa-status | egrep '(profiles|thunderbird)'
> 54 profiles are loaded.
> 21 profiles are in enforce mode.
>    thunderbird
>    thunderbird//browser_java
>    thunderbird//browser_openjdk
>    thunderbird//gpg
>    thunderbird//sanitized_helper
> 33 profiles are in complain mode.
> 6 processes have profiles defined.
>    thunderbird (32689) 
> 
> 
> dmesg shows the following apparmor DENIED messages:
> 
> [62711.954571] audit: type=1400 audit(1527437094.186:58): 
> apparmor="DENIED" operation="open" profile="thunderbird" 
> name="/run/user/1000/xauth-1000-_0" pid=32700 comm="thunderbird" 
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> [62711.960341] audit: type=1400 audit(1527437094.194:59): 
> apparmor="DENIED" operation="open" profile="thunderbird" 
> name="/run/user/1000/xauth-1000-_0" pid=32689 comm="thunderbird" 
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> [62711.971343] audit: type=1400 audit(1527437094.202:60): 
> apparmor="DENIED" operation="mkdir" profile="thunderbird" 
> name="/run/user/1000/thunderbird_sdowdy/" pid=32689 comm="thunderbird" 
> requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
> [62711.971925] audit: type=1400 audit(1527437094.206:61): 
> apparmor="DENIED" operation="open" profile="thunderbird" 
> name="/run/user/1000/xauth-1000-_0" pid=32689 comm="thunderbird" 
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> [62712.747197] audit: type=1400 audit(1527437094.978:62): 
> apparmor="DENIED" operation="open" profile="thunderbird" 
> name="/run/user/1000/xauth-1000-_0" pid=32689 comm="thunderbird" 
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> [62712.895221] audit: type=1400 audit(1527437095.126:63): 
> apparmor="DENIED" operation="open" profile="thunderbird" 
> name="/etc/xdg/mimeapps.list" pid=32689 comm="thunderbird" requested_mask="r" 
> denied_mask="r" fsuid=1000 ouid=0
> [63310.628483] audit: type=1400 audit(1527437692.863:64): 
> apparmor="DENIED" operation="mknod" profile="thunderbird" 
> name="/run/user/1000/nsemail.eml" pid=32689 comm="thunderbird" 
> requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
> [63310.671468] audit: type=1400 audit(1527437692.907:65): 
> apparmor="DENIED" operation="open" profile="thunderbird" 
> name="/run/user/1000/xauth-1000-_0" pid=32689 comm="thunderbird" 
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> 
> $ env | grep /run/user
> TMPDIR=/run/user/1000/
> GPG_AGENT_INFO=/run/user/1000/gnupg/S.gpg-agent:0:1
> DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
> XDG_RUNTIME_DIR=/run/user/1000
> XAUTHORITY=/run/user/1000/xauth-1000-_0
> 
> I suspect because i explicitly set TMPDIR to XDG_RUNTIME_DIR (something that 
> should be pretty normal, even better than using /tmp, IMHO), that AppArmor 
> should allow for this.
> (i'm not entirely sure that's the issue, but it seems likely)
> 
> 
> Also, for general purposes...
> I did choose to allow/use maintainer's version of AppArmor configuration in 
> the recent update, however, i think you should respect the existing 
> enforce/complain/disable state of the user's system, as i'd previously done:
> 
> aa-complain /etc/apparmor.d/usr.bin.thunderbird 
> (which i am back to now in order to keep working)
> 
> 
> thanks,
> --stephen
> 
> 
> -- System Information:
> Debian Release: 9.4
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.16.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= 
> (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages thunderbird depends on:
> ii  debianutils               4.8.1.1
> ii  fontconfig                2.11.0-6.7+b1
> ii  libatk1.0-0               2.22.0-1
> ii  libc6                     2.24-11+deb9u3
> ii  libcairo-gobject2         1.14.8-1
> ii  libcairo2                 1.14.8-1
> ii  libdbus-1-3               1.10.26-0+deb9u1
> ii  libdbus-glib-1-2          0.108-2
> ii  libevent-2.0-5            2.0.21-stable-3
> ii  libffi6                   3.2.1-6
> ii  libfontconfig1            2.11.0-6.7+b1
> ii  libfreetype6              2.6.3-3.2
> i

Bug#900210: thunderbird: Thunderbird AppArmor config disables ability to send entirely

2018-05-27 Thread Stephen Dowdy
Package: thunderbird
Version: 1:52.8.0-1~deb9u1
Severity: important


Attempting to send e-mail results in a popup:

[ Send Message Error ]
Sending of the message failed.


# aa-status --enabled  && echo "AppArmor Enabled"
AppArmor Enabled

# aa-status | egrep '(profiles|thunderbird)'
54 profiles are loaded.
21 profiles are in enforce mode.
   thunderbird
   thunderbird//browser_java
   thunderbird//browser_openjdk
   thunderbird//gpg
   thunderbird//sanitized_helper
33 profiles are in complain mode.
6 processes have profiles defined.
   thunderbird (32689) 


dmesg shows the following apparmor DENIED messages:

[62711.954571] audit: type=1400 audit(1527437094.186:58): apparmor="DENIED" 
operation="open" profile="thunderbird" name="/run/user/1000/xauth-1000-_0" 
pid=32700 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=1000
[62711.960341] audit: type=1400 audit(1527437094.194:59): apparmor="DENIED" 
operation="open" profile="thunderbird" name="/run/user/1000/xauth-1000-_0" 
pid=32689 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=1000
[62711.971343] audit: type=1400 audit(1527437094.202:60): apparmor="DENIED" 
operation="mkdir" profile="thunderbird" 
name="/run/user/1000/thunderbird_sdowdy/" pid=32689 comm="thunderbird" 
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[62711.971925] audit: type=1400 audit(1527437094.206:61): apparmor="DENIED" 
operation="open" profile="thunderbird" name="/run/user/1000/xauth-1000-_0" 
pid=32689 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=1000
[62712.747197] audit: type=1400 audit(1527437094.978:62): apparmor="DENIED" 
operation="open" profile="thunderbird" name="/run/user/1000/xauth-1000-_0" 
pid=32689 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=1000
[62712.895221] audit: type=1400 audit(1527437095.126:63): apparmor="DENIED" 
operation="open" profile="thunderbird" name="/etc/xdg/mimeapps.list" pid=32689 
comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[63310.628483] audit: type=1400 audit(1527437692.863:64): apparmor="DENIED" 
operation="mknod" profile="thunderbird" name="/run/user/1000/nsemail.eml" 
pid=32689 comm="thunderbird" requested_mask="c" denied_mask="c" fsuid=1000 
ouid=1000
[63310.671468] audit: type=1400 audit(1527437692.907:65): apparmor="DENIED" 
operation="open" profile="thunderbird" name="/run/user/1000/xauth-1000-_0" 
pid=32689 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=1000

$ env | grep /run/user
TMPDIR=/run/user/1000/
GPG_AGENT_INFO=/run/user/1000/gnupg/S.gpg-agent:0:1
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
XDG_RUNTIME_DIR=/run/user/1000
XAUTHORITY=/run/user/1000/xauth-1000-_0

I suspect because i explicitly set TMPDIR to XDG_RUNTIME_DIR (something that 
should be pretty normal, even better than using /tmp, IMHO), that AppArmor 
should allow for this.
(i'm not entirely sure that's the issue, but it seems likely)


Also, for general purposes...
I did choose to allow/use maintainer's version of AppArmor configuration in the 
recent update, however, i think you should respect the existing 
enforce/complain/disable state of the user's system, as i'd previously done:

aa-complain /etc/apparmor.d/usr.bin.thunderbird 
(which i am back to now in order to keep working)


thanks,
--stephen


-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.16.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages thunderbird depends on:
ii  debianutils               4.8.1.1
ii  fontconfig                2.11.0-6.7+b1
ii  libatk1.0-0               2.22.0-1
ii  libc6                     2.24-11+deb9u3
ii  libcairo-gobject2         1.14.8-1
ii  libcairo2                 1.14.8-1
ii  libdbus-1-3               1.10.26-0+deb9u1
ii  libdbus-glib-1-2          0.108-2
ii  libevent-2.0-5            2.0.21-stable-3
ii  libffi6                   3.2.1-6
ii  libfontconfig1            2.11.0-6.7+b1
ii  libfreetype6              2.6.3-3.2
ii  libgcc1                   1:6.3.0-18+deb9u1
ii  libgdk-pixbuf2.0-0        2.36.5-2+deb9u2
ii  libglib2.0-0              2.50.3-2
ii  libgtk-3-0                3.22.11-1
ii  libhunspell-1.4-0         1.4.1-2+b2
ii  libpango-1.0-0            1.40.5-1
ii  libpangocairo-1.0-0       1.40.5-1
ii  libpangoft2-1.0-0         1.40.5-1
ii  libpixman-1-0             0.34.0-1
ii  libstartup-notification0  0.12-4+b2
ii  libstdc++6                6.3.0-18+deb9u1
ii  libvpx4                   1.6.1-3+deb9u1
ii  libx11-6                  2:1.6.4-3
ii  libx11-xcb1               2:1.6.4-3
ii
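
Added example (not part of the thread and not code from the Debian package): a small Python triage helper that rejoins the mail-wrapped dmesg records quoted in the report and lists the denied create/write operations below $TMPDIR, the condition the bug was retitled for. The function names are hypothetical, and treating a denied_mask of c or w below $TMPDIR as temp-file use is a heuristic assumption.

```python
import re

# Sample input: four denials from the report, line-wrapped as in the mail.
SAMPLE = """\
[62711.971343] audit: type=1400 audit(1527437094.202:60): apparmor="DENIED"
operation="mkdir" profile="thunderbird"
name="/run/user/1000/thunderbird_sdowdy/" pid=32689 comm="thunderbird"
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[62711.971925] audit: type=1400 audit(1527437094.206:61): apparmor="DENIED"
operation="open" profile="thunderbird" name="/run/user/1000/xauth-1000-_0"
pid=32689 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[62712.895221] audit: type=1400 audit(1527437095.126:63): apparmor="DENIED"
operation="open" profile="thunderbird" name="/etc/xdg/mimeapps.list" pid=32689
comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[63310.628483] audit: type=1400 audit(1527437692.863:64): apparmor="DENIED"
operation="mknod" profile="thunderbird" name="/run/user/1000/nsemail.eml"
pid=32689 comm="thunderbird" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

RECORD_START = re.compile(r"^\[\s*\d+\.\d+\]")      # dmesg timestamp opens a record
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')     # key="value" or key=value

def records(text):
    """Rejoin wrapped (and optionally '>'-quoted) dmesg output, one string per record."""
    out = []
    for line in (l.lstrip("> ").strip() for l in text.splitlines()):
        if line and (RECORD_START.match(line) or not out):
            out.append(line)
        elif line:
            out[-1] += " " + line
    return out

def denials(text):
    """Field dicts for every apparmor="DENIED" record."""
    parsed = ({k: q or u for k, q, u in FIELD.findall(r)} for r in records(text))
    return [f for f in parsed if f.get("apparmor") == "DENIED"]

def tmpdir_write_denials(text, tmpdir):
    """Denied create/write attempts below tmpdir, deduplicated and sorted."""
    base = tmpdir.rstrip("/") + "/"
    return sorted({(f.get("operation", "?"), f["name"]) for f in denials(text)
                   if f.get("name", "").startswith(base)
                   and set(f.get("denied_mask", "")) & set("cw")})

if __name__ == "__main__":
    for op, name in tmpdir_write_denials(SAMPLE, "/run/user/1000/"):
        print(f"{op:6} {name}")
```

The read denials on the xauth file and /etc/xdg/mimeapps.list are left out on purpose: they sit in or outside the same directory for other reasons (XAUTHORITY, XDG config) and are not temp-file creation.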