Bug#941290: Unable to launch web browser from e-mail link in Thunderbird on Xfce 4.14 (using exo-helper-2) due to Apparmor
Hi, Vincas Dargis: > Interesting, on Sid with XFCE 4.14, Thunderbird uses `gio-launch-desktop` for > some reason: > ``` > [pid 5664] execve("/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop", > ["/usr/lib/x86_64-linux-gnu/glib-2"..., "/usr/lib/firefox-esr/firefox-esr", > "https://bugs.debian.org/882048;], 0x7f87f7e3a300 /* 56 vars */) = 0 > ``` > Any ideas how to make it use exo-helper? AFAICT, Thunderbird itself has no knowledge of gio-launch-desktop, exo-helper-N, etc. I believe that like most GTK programs, it delegates such operations to GIO (quite possibly via GLib). So to answer this question, I suspect you'll need to read the GIO/GLib documentation (and possibly source code). Cheers, -- intrigeri
Bug#941290: Unable to launch web browser from e-mail link in Thunderbird on Xfce 4.14 (using exo-helper-2) due to Apparmor
Control: tag -1 + upstream Control: tag -1 + fixed-upstream Control: tag -1 + pending Hi, Carsten Schoenert: > I'm happy to add this patch, but this should also go upstream I guess. I've merged Vincas' upstream MR and updated the profile on the debian/experimental branch in Thunderbird's Vcs-Git. Thank you all! Cheers, -- intrigeri
Bug#941290: Unable to launch web browser from e-mail link in Thunderbird on Xfce 4.14 (using exo-helper-2) due to Apparmor
Interesting, on Sid with XFCE 4.14, Thunderbird uses `gio-launch-desktop` for some reason: ``` [pid 5664] execve("/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop", ["/usr/lib/x86_64-linux-gnu/glib-2"..., "/usr/lib/firefox-esr/firefox-esr", "https://bugs.debian.org/882048;], 0x7f87f7e3a300 /* 56 vars */) = 0 ``` Any ideas how to make it use exo-helper?
Bug#941290: Unable to launch web browser from e-mail link in Thunderbird on Xfce 4.14 (using exo-helper-2) due to Apparmor
Sure, I'll reproduce this on my XFCE VM and work on upstreaming. On 2019-09-29 10:13, Carsten Schoenert wrote: Hello Vincas, I'm happy to add this patch, but this should also go upstream I guess. The modification could alo get merged into the existing line for exo-helper-1. Could you please have a look. Thanks.
Bug#941290: Unable to launch web browser from e-mail link in Thunderbird on Xfce 4.14 (using exo-helper-2) due to Apparmor
Hello Vincas, I'm happy to add this patch, but this should also go upstream I guess. The modification could alo get merged into the existing line for exo-helper-1. Could you please have a look. Thanks. Regards Carsten Am 28.09.19 um 01:31 schrieb Ryan Armstrong: > Package: thunderbird > Version: 1:60.9.0-1 > Severity: normal > Tags: newcomer patch > > Dear Maintainer, > > Upon switching to Debian testing (and thus Xfce 4.14), I noticed that > web links would no longer open in Firefox. I traced the issue to the > apparmor rule not allowing access for exo-helper-2 used by Xfce 4.14. > > Sep 27 16:44:30 alpha audit[3491]: AVC apparmor="DENIED" > operation="exec" profile="thunderbird" > name="/usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2" pid=3491 > comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0 > Sep 27 16:44:30 alpha kernel: audit: type=1400 audit(1569617070.839:47): > apparmor="DENIED" operation="exec" profile="thunderbird" > name="/usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2" pid=3491 > comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0 > > When adding the following line to usr.bin.thunderbird, the problem is > resolved: > > /usr/lib/@{multiarch}/xfce4/exo-2/exo-helper-2 ixr, > > > Here is the change in patch form: > > Index: > thunderbird_1%3a60.9.0-1~deb10u1_amd64/etc/apparmor.d/usr.bin.thunderbird > === > --- > thunderbird_1%3a60.9.0-1~deb10u1_amd64.orig/etc/apparmor.d/usr.bin.thunderbird > +++ > thunderbird_1%3a60.9.0-1~deb10u1_amd64/etc/apparmor.d/usr.bin.thunderbird > @@ -54,6 +54,7 @@ profile thunderbird /usr/lib/thunderbird > # For Xubuntu to launch the browser > /usr/bin/exo-open ixr, > /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr, > + /usr/lib/@{multiarch}/xfce4/exo-2/exo-helper-2 ixr, > /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r, > /etc/xdg/xfce4/helpers.rc r, > > > Thanks, > Ryan > > > -- System Information: > Debian Release: bullseye/sid > APT prefers testing > APT policy: (500, 'testing') > Architecture: amd64 (x86_64) > Foreign Architectures: i386, arm64, armhf > > Kernel: Linux 5.2.0-2-amd64 (SMP w/4 CPU cores) > Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, > TAINT_UNSIGNED_MODULE > Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), > LANGUAGE=en_CA:en (charmap=UTF-8) > Shell: /bin/sh linked to /bin/dash > Init: systemd (via /run/systemd/system) > LSM: AppArmor: enabled > > Versions of packages thunderbird depends on: > ii debianutils 4.9 > ii fontconfig 2.13.1-2+b1 > ii libatk1.0-0 2.34.0-1 > ii libc6 2.29-1 > ii libcairo-gobject2 1.16.0-4 > ii libcairo2 1.16.0-4 > ii libdbus-1-3 1.12.16-1 > ii libdbus-glib-1-2 0.110-4 > ii libevent-2.1-6 2.1.8-stable-4 > ii libffi6 3.2.1-9 > ii libfontconfig1 2.13.1-2+b1 > ii libfreetype6 2.9.1-4 > ii libgcc1 1:9.2.1-8 > ii libgdk-pixbuf2.0-0 2.38.1+dfsg-1 > ii libglib2.0-0 2.60.6-2 > ii libgtk-3-0 3.24.11-1 > ii libgtk2.0-0 2.24.32-4 > ii libhunspell-1.7-0 1.7.0-2+b1 > ii libicu63 63.2-2 > ii libjsoncpp1 1.7.4-3+b1 > ii libnspr4 2:4.21-2 > ii libnss3 2:3.45-1 > ii libpango-1.0-0 1.42.4-7 > ii libsqlite3-0 3.29.0-2 > ii libstartup-notification0 0.12-6 > ii libstdc++6 9.2.1-8 > ii libvpx6 1.8.1-2 > ii libx11-6 2:1.6.8-1 > ii libx11-xcb1 2:1.6.8-1 > ii libxcb-shm0 1.13.1-2 > ii libxcb1 1.13.1-2 > ii libxext6 2:1.3.3-1+b2 > ii libxrender1 1:0.9.10-1 > ii libxt6 1:1.1.5-1+b3 > ii psmisc 23.2-1+b1 > ii x11-utils 7.7+4 > ii zlib1g 1:1.2.11.dfsg-1+b1 > > Versions of packages thunderbird recommends: > ii hunspell-en-us [hunspell-dictionary] 1:2018.04.16-1 > ii lightning 1:60.9.0-1 > > Versions of packages thunderbird suggests: > ii apparmor 2.13.3-5 > ii fonts-lyx 2.3.3-2 > ii libgssapi-krb5-2 1.17-6 > > -- Configuration Files: > /etc/apparmor.d/usr.bin.thunderbird changed: > @{MOZ_LIBDIR}=/usr/lib/thunderbird > profile thunderbird /usr/lib/thunderbird/thunderbird{,-bin} { > #include > #include > #include > # TODO: finetune this for required accesses > #include > #include > #include > #include > #include > #include > #include > #include > #include > #include > #include > #include > #include > #include > # Backported from the mesa abstraction, available in AppArmor >2.13 > # System
Bug#941290: Unable to launch web browser from e-mail link in Thunderbird on Xfce 4.14 (using exo-helper-2) due to Apparmor
Package: thunderbird Version: 1:60.9.0-1 Severity: normal Tags: newcomer patch Dear Maintainer, Upon switching to Debian testing (and thus Xfce 4.14), I noticed that web links would no longer open in Firefox. I traced the issue to the apparmor rule not allowing access for exo-helper-2 used by Xfce 4.14. Sep 27 16:44:30 alpha audit[3491]: AVC apparmor="DENIED" operation="exec" profile="thunderbird" name="/usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2" pid=3491 comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0 Sep 27 16:44:30 alpha kernel: audit: type=1400 audit(1569617070.839:47): apparmor="DENIED" operation="exec" profile="thunderbird" name="/usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2" pid=3491 comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0 When adding the following line to usr.bin.thunderbird, the problem is resolved: /usr/lib/@{multiarch}/xfce4/exo-2/exo-helper-2 ixr, Here is the change in patch form: Index: thunderbird_1%3a60.9.0-1~deb10u1_amd64/etc/apparmor.d/usr.bin.thunderbird === --- thunderbird_1%3a60.9.0-1~deb10u1_amd64.orig/etc/apparmor.d/usr.bin.thunderbird +++ thunderbird_1%3a60.9.0-1~deb10u1_amd64/etc/apparmor.d/usr.bin.thunderbird @@ -54,6 +54,7 @@ profile thunderbird /usr/lib/thunderbird # For Xubuntu to launch the browser /usr/bin/exo-open ixr, /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr, + /usr/lib/@{multiarch}/xfce4/exo-2/exo-helper-2 ixr, /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r, /etc/xdg/xfce4/helpers.rc r, Thanks, Ryan -- System Information: Debian Release: bullseye/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386, arm64, armhf Kernel: Linux 5.2.0-2-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages thunderbird depends on: ii debianutils 4.9 ii fontconfig 2.13.1-2+b1 ii libatk1.0-0 2.34.0-1 ii libc6 2.29-1 ii libcairo-gobject2 1.16.0-4 ii libcairo2 1.16.0-4 ii libdbus-1-3 1.12.16-1 ii libdbus-glib-1-2 0.110-4 ii libevent-2.1-6 2.1.8-stable-4 ii libffi6 3.2.1-9 ii libfontconfig1 2.13.1-2+b1 ii libfreetype6 2.9.1-4 ii libgcc1 1:9.2.1-8 ii libgdk-pixbuf2.0-0 2.38.1+dfsg-1 ii libglib2.0-0 2.60.6-2 ii libgtk-3-0 3.24.11-1 ii libgtk2.0-0 2.24.32-4 ii libhunspell-1.7-0 1.7.0-2+b1 ii libicu63 63.2-2 ii libjsoncpp1 1.7.4-3+b1 ii libnspr4 2:4.21-2 ii libnss3 2:3.45-1 ii libpango-1.0-0 1.42.4-7 ii libsqlite3-0 3.29.0-2 ii libstartup-notification0 0.12-6 ii libstdc++6 9.2.1-8 ii libvpx6 1.8.1-2 ii libx11-6 2:1.6.8-1 ii libx11-xcb1 2:1.6.8-1 ii libxcb-shm0 1.13.1-2 ii libxcb1 1.13.1-2 ii libxext6 2:1.3.3-1+b2 ii libxrender1 1:0.9.10-1 ii libxt6 1:1.1.5-1+b3 ii psmisc 23.2-1+b1 ii x11-utils 7.7+4 ii zlib1g 1:1.2.11.dfsg-1+b1 Versions of packages thunderbird recommends: ii hunspell-en-us [hunspell-dictionary] 1:2018.04.16-1 ii lightning 1:60.9.0-1 Versions of packages thunderbird suggests: ii apparmor 2.13.3-5 ii fonts-lyx 2.3.3-2 ii libgssapi-krb5-2 1.17-6 -- Configuration Files: /etc/apparmor.d/usr.bin.thunderbird changed: @{MOZ_LIBDIR}=/usr/lib/thunderbird profile thunderbird /usr/lib/thunderbird/thunderbird{,-bin} { #include #include #include # TODO: finetune this for required accesses #include #include #include #include #include #include #include #include #include #include #include #include #include #include # Backported from the mesa abstraction, available in AppArmor >2.13 # System files /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2() # User files owner @{HOME}/.cache/ w, # if user clears all caches owner @{HOME}/.cache/mesa_shader_cache/ w, owner @{HOME}/.cache/mesa_shader_cache/index rw, owner @{HOME}/.cache/mesa_shader_cache/??/ w, owner @{HOME}/.cache/mesa_shader_cache/??/* rw, # End of backported mesa abstraction # Backported from the dri-enumerate abstraction, available in AppArmor 2.13 /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, # Allow opening attachments