Bug#920833: apparmor: AppArmor denies access to mime-specific files for various GUI applications
Changing this rule [0]:

```
@{user_share_dirs} = @{HOME}/.local/{,share/@{flatpak_exports_root}}/share
```

into these two:

```
@{user_share_dirs} = @{HOME}/.local/share
@{user_share_dirs} += @{HOME}/.local/share/@{flatpak_exports_root}/share
```

makes the logs happy again. Not sure if the flatpak stuff is OK though.

[0] https://gitlab.com/apparmor/apparmor/blob/f2c0a1132707256aa3370e6f051965fdef80d7eb/profiles/apparmor.d/tunables/share#L15
Bug#920833: apparmor: AppArmor denies access to mime-specific files for various GUI applications
Something strange is going on. Check this output:

```
$ /usr/sbin/apparmor_parser -Q -p /etc/apparmor.d/usr.bin.thunderbird | fgrep user_share
@{user_share_dirs} = @{HOME}/.local/{,share/@{flatpak_exports_root}}/share
owner @{user_share_dirs}/applications/{**,} r,
owner @{user_share_dirs}/icons/{**,}r,
{**,} r,
owner @{user_share_dirs}/applications/{**,} r,
owner @{user_share_dirs}/icons/{**,}r,
owner @{user_share_dirs}/mime/{**,} r,
owner @{user_share_dirs}/applications/{**,} r,
owner @{user_share_dirs}/icons/{**,}r,
owner @{user_share_dirs}/mime/{**,} r,
owner @{user_share_dirs}/applications/{**,} r,
owner @{user_share_dirs}/icons/{**,}r,
owner @{user_share_dirs}/mime/{**,} r,
owner @{user_share_dirs}/applications/{**,} r,
owner @{user_share_dirs}/icons/{**,}r,
owner @{user_share_dirs}/mime/{**,} r,
```

So Thunderbird should have access to the mime stuff in home via the (indirectly) included `abstractions/freedesktop.org`. Could it be that something is wrong with the `@{user_share_dirs} = @{HOME}/.local/{,share/@{flatpak_exports_root}}/share` rule?
Bug#920833: [pkg-apparmor] Bug#920833: apparmor: AppArmor denies access to mime-specific files for various GUI applications
Someone has reproduced the same issue with Thunderbird: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921888#10
Bug#920833: [pkg-apparmor] Bug#920833: apparmor: AppArmor denies access to mime-specific files for various GUI applications
On 2019-01-31 11:24, intrigeri wrote:

> I can't reproduce this.

I can't reproduce this on my Sid Gnome/KDE VMs either :/

> I see that you have modified a few tunables files locally. I wonder if
> this affects how @{user_share_dirs} is used. Can you please retry with a
> pristine config?

I've cleaned up my AppArmor installation, still the same.
Bug#920833: [pkg-apparmor] Bug#920833: apparmor: AppArmor denies access to mime-specific files for various GUI applications
Control: tag -1 + moreinfo

> After recent updates on Sid, multiple GUI applications (like
> Thunderbird, Firefox, qTox) on KDE are hit by these kinds of denials:
> ```
> type=AVC msg=audit(1548784946.545:1896): apparmor="DENIED"
> operation="open" profile="thunderbird"
> name="/home/vincas/.local/share/mime/mime.cache" pid=2866
> comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=1000

I can't reproduce this.

I see that you have modified a few tunables files locally. I wonder if this affects how @{user_share_dirs} is used. Can you please retry with a pristine config?
Bug#920833: apparmor: AppArmor denies access to mime-specific files for various GUI applications
Package: apparmor
Version: 2.13.2-6
Severity: minor
Tags: upstream

Dear Maintainer,

After recent updates on Sid, multiple GUI applications (like Thunderbird, Firefox, qTox) on KDE are hit by these kinds of denials:

```
type=AVC msg=audit(1548784946.545:1896): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/mime.cache" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1548784946.545:1897): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/globs2" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1548784946.545:1898): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/magic" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1548784946.545:1899): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/aliases" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1548784946.545:1900): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/subclasses" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1548784946.545:1901): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/icons" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1548784946.545:1902): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/generic-icons" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
```

GDB backtraces:

```
Thread 1 "thunderbird-bin" hit Catchpoint 1 (returned from syscall openat), 0x7fe8629a4509 in __libc_open64 (file=0x7fe82ce5fe80 "/usr/local/share/mime/generic-icons", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:48
48	in ../sysdeps/unix/sysv/linux/open64.c
#0  0x7fe8629a4509 in __libc_open64 (file=0x7fe82ce5fe80 "/usr/local/share/mime/generic-icons", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:48
#1  0x7fe8629360b2 in __GI__IO_file_open (fp=fp@entry=0x7fe82c94a800, filename=, posix_mode=, prot=prot@entry=438, read_write=8, is32not64=is32not64@entry=1) at fileops.c:189
#2  0x7fe86293625d in _IO_new_file_fopen (fp=fp@entry=0x7fe82c94a800, filename=filename@entry=0x7fe82ce5fe80 "/usr/local/share/mime/generic-icons", mode=, mode@entry=0x7fe860ff9b6f "r", is32not64=is32not64@entry=1) at fileops.c:281
#3  0x7fe86292a359 in __fopen_internal (filename=0x7fe82ce5fe80 "/usr/local/share/mime/generic-icons", mode=0x7fe860ff9b6f "r", is32=1) at iofopen.c:75
#4  0x7fe860fd1156 in () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#5  0x7fe860fce1d8 in () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#6  0x7fe860fce38f in () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#7  0x7fe860fce8ae in () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#8  0x7fe860fcea19 in () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#9  0x7fe860f604dd in g_content_type_from_mime_type () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#10 0x7fe85d253ac5 in () at /usr/lib/thunderbird/libxul.so
#11 0x7fe85af0e772 in () at /usr/lib/thunderbird/libxul.so
#12 0x7fe85af02a3a in () at /usr/lib/thunderbird/libxul.so
...
```

For Qt applications, it seems to be a KDE styles/iconloader issue?

```
Thread 1 "qtox" hit Catchpoint 1 (returned from syscall openat), 0x7f190adf4c4e in __libc_open64 (file=file@entry=0x56267c90d588 "/usr/share/mime/generic-icons", oflag=oflag@entry=524288) at ../sysdeps/unix/sysv/linux/open64.c:48
48	in ../sysdeps/unix/sysv/linux/open64.c
#0  0x7f190adf4c4e in __libc_open64 (file=file@entry=0x56267c90d588 "/usr/share/mime/generic-icons", oflag=oflag@entry=524288) at ../sysdeps/unix/sysv/linux/open64.c:48
#1  0x7f190b31b96c in open64 (__oflag=, __path=0x56267c90d588 "/usr/share/mime/generic-icons") at /usr/include/x86_64-linux-gnu/bits/fcntl2.h:91
#2  0x7f190b31b96c in qt_safe_open (mode=438, flags=, pathname=0x56267c90d588 "/usr/share/mime/generic-icons") at ../../include/QtCore/5.11.3/QtCore/private/../../../../../src/corelib/kernel/qcore_unix_p.h:195
#3  0x7f190b31b96c in QFSFileEnginePrivate::nativeOpen(QFlags) (this=0x56267c7b9c60, openMode=...) at io/qfsfileengine_unix.cpp:122
#4  0x7f190b2fa894 in QFSFileEngine::open(QFlags) (this=0x56267c82e680, openMode=...) at io/qfsfileengine.cpp:246
#5  0x7f190b2b8156 in QFile::open(QFlags) (this=0x7ffcba56a8e0, mode=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:140
#6  0x7f18f91700fb in () at /lib/x86_64-linux-gnu/libKF5IconThemes.so.5
#7  0x7f18f91726b3 in KIconLoader::KIconLoader(QString const&, QStringList const&, QObject*) () at
```
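To make the difference between the two spellings of `@{user_share_dirs}` discussed in this thread concrete, here is an added Python example (not code from the bug report, from Debian or from the AppArmor project) that expands an AppArmor path rule the way a profile reader does by hand: substitute the `@{...}` tunables, expand `{a,b}` alternation, then test the denied paths from the AVC lines against the resulting globs. The values it assumes for `@{HOME}` (`/home/*`) and `@{flatpak_exports_root}` (`flatpak/exports`) are this example's own assumptions, and so is its literal treatment of the `//` that the empty alternative in `{,share/...}` produces; whether `apparmor_parser` collapses a doubled slash is not settled anywhere in this thread. The MIME rule path is the one the `apparmor_parser -p` output quoted above shows, and the two AVC lines are copied from the report.

```python
import re

# Constructed tunables in the two spellings discussed in the thread. The values of
# @{HOME} and @{flatpak_exports_root} are assumptions for this demo, not from the page.
TUNABLES_ORIGINAL = """\
@{HOME} = /home/*
@{flatpak_exports_root} = flatpak/exports
@{user_share_dirs} = @{HOME}/.local/{,share/@{flatpak_exports_root}}/share
"""
TUNABLES_PROPOSED = """\
@{HOME} = /home/*
@{flatpak_exports_root} = flatpak/exports
@{user_share_dirs} = @{HOME}/.local/share
@{user_share_dirs} += @{HOME}/.local/share/@{flatpak_exports_root}/share
"""
# Path part of the MIME rule as shown by `apparmor_parser -p` in the thread.
MIME_RULE_PATH = "@{user_share_dirs}/mime/{**,}"
# Two AVC lines copied from the bug report, used here as sample audit-log input.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1548784946.545:1896): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/mime.cache" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1548784946.545:1897): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/globs2" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""


def parse_tunables(text):
    """Parse `@{name} = v ...` and `@{name} += v ...` lines into {name: [values]}."""
    vars_ = {}
    for line in text.splitlines():
        m = re.match(r"\s*@\{(\w+)\}\s*(\+?=)\s*(.*)$", line)
        if not m:
            continue  # blank or comment line
        name, op, rhs = m.groups()
        if op == "=":
            vars_[name] = []  # plain assignment replaces the set
        vars_.setdefault(name, []).extend(rhs.split())  # += appends to it
    return vars_


def expand_variables(pattern, vars_):
    """Substitute @{name} references; a multi-valued variable fans out into several patterns."""
    m = re.search(r"@\{(\w+)\}", pattern)
    if not m:
        return [pattern]
    out = []
    for value in vars_[m.group(1)]:
        out += expand_variables(pattern[:m.start()] + value + pattern[m.end():], vars_)
    return out


def expand_alternation(pattern):
    """Expand AppArmor {a,b,...} groups (nesting allowed) into brace-free globs."""
    start = pattern.find("{")
    if start < 0:
        return [pattern]
    depth, parts, buf = 0, [], ""
    for i in range(start, len(pattern)):
        c = pattern[i]
        depth += (c == "{") - (c == "}")
        if depth == 0:  # closing brace of this group: fan out and recurse on the rest
            parts.append(buf)
            prefix, suffix = pattern[:start], pattern[i + 1:]
            return [e for p in parts for e in expand_alternation(prefix + p + suffix)]
        if c == "," and depth == 1:  # top-level separator inside the group
            parts.append(buf)
            buf = ""
        elif i > start:  # everything but the opening brace itself
            buf += c
    raise ValueError(f"unbalanced braces in {pattern!r}")


def expand_rule_path(rule_path, vars_):
    """Variables first, then alternation: every literal glob the rule stands for, in order."""
    seen = []
    for with_vars in expand_variables(rule_path, vars_):
        for literal in expand_alternation(with_vars):
            if literal not in seen:
                seen.append(literal)
    return seen


def glob_to_regex(literal):
    """Brace-free AppArmor glob to regex: `**` may cross '/', `*` may not. '//' stays literal."""
    parts = re.split(r"(\*\*|\*)", literal)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


def parse_avc(text):
    """Pull profile, denied path and requested mask out of AppArmor AVC audit lines."""
    rx = re.compile(r'apparmor="DENIED".*?profile="([^"]+)".*?name="([^"]+)".*?requested_mask="([^"]+)"')
    return [dict(zip(("profile", "name", "mask"), m.groups()))
            for m in map(rx.search, text.splitlines()) if m]


def covering_glob(rule_path, vars_, path):
    """The first expanded glob that matches `path`, or None if the rule never covers it."""
    for literal in expand_rule_path(rule_path, vars_):
        if glob_to_regex(literal).match(path):
            return literal
    return None


def check_denials(tunables_text, audit_text, rule_path=MIME_RULE_PATH):
    """Map each denied path to the glob that would cover it under the given tunables."""
    vars_ = parse_tunables(tunables_text)
    return {d["name"]: covering_glob(rule_path, vars_, d["name"]) for d in parse_avc(audit_text)}


if __name__ == "__main__":
    for label, tunables in (("original", TUNABLES_ORIGINAL), ("proposed", TUNABLES_PROPOSED)):
        print(label, expand_rule_path(MIME_RULE_PATH, parse_tunables(tunables)))
        print(label, check_denials(tunables, SAMPLE_AUDIT_LOG))
```

Running it prints the expanded globs for both spellings and, for each denied path, the glob that covers it. With the original spelling the first expansion is `/home/*/.local//share/mime/**`, which under literal matching covers neither denied path; with the proposed two-line spelling the first expansion is `/home/*/.local/share/mime/**`, which covers both. The script is a reading aid for the tunable, not a replacement for checking the loaded policy with `apparmor_parser` as done in the thread.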