Bug#941290: Unable to launch web browser from e-mail link in Thunderbird on Xfce 4.14 (using exo-helper-2) due to Apparmor
Hi,
Vincas Dargis:
> Interesting, on Sid with XFCE 4.14, Thunderbird uses `gio-launch-desktop` for
> some reason:
> ```
> [pid 5664] execve("/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop",
> ["/usr/lib/x86_64-linux-gnu/glib-2"..., "/usr/lib/firefox-esr/firefox-esr",
> "https://bugs.debian.org/882048;], 0x7f87f7e3a300 /* 56 vars */) = 0
> ```
> Any ideas how to make it use exo-helper?
AFAICT, Thunderbird itself has no knowledge of gio-launch-desktop,
exo-helper-N, etc. I believe that like most GTK programs, it delegates
such operations to GIO (quite possibly via GLib). So to answer this
question, I suspect you'll need to read the GIO/GLib documentation
(and possibly source code).
Cheers,
--
intrigeri
Bug#941290: Unable to launch web browser from e-mail link in Thunderbird on Xfce 4.14 (using exo-helper-2) due to Apparmor
Control: tag -1 + upstream Control: tag -1 + fixed-upstream Control: tag -1 + pending Hi, Carsten Schoenert: > I'm happy to add this patch, but this should also go upstream I guess. I've merged Vincas' upstream MR and updated the profile on the debian/experimental branch in Thunderbird's Vcs-Git. Thank you all! Cheers, -- intrigeri
Bug#941290: Unable to launch web browser from e-mail link in Thunderbird on Xfce 4.14 (using exo-helper-2) due to Apparmor
Interesting, on Sid with XFCE 4.14, Thunderbird uses `gio-launch-desktop` for
some reason:
```
[pid 5664] execve("/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop",
["/usr/lib/x86_64-linux-gnu/glib-2"..., "/usr/lib/firefox-esr/firefox-esr",
"https://bugs.debian.org/882048;], 0x7f87f7e3a300 /* 56 vars */) = 0
```
Any ideas how to make it use exo-helper?
Bug#941290: Unable to launch web browser from e-mail link in Thunderbird on Xfce 4.14 (using exo-helper-2) due to Apparmor
Sure, I'll reproduce this on my XFCE VM and work on upstreaming. On 2019-09-29 10:13, Carsten Schoenert wrote: Hello Vincas, I'm happy to add this patch, but this should also go upstream I guess. The modification could alo get merged into the existing line for exo-helper-1. Could you please have a look. Thanks.
Bug#941290: Unable to launch web browser from e-mail link in Thunderbird on Xfce 4.14 (using exo-helper-2) due to Apparmor
Hello Vincas,
I'm happy to add this patch, but this should also go upstream I guess.
The modification could alo get merged into the existing line for
exo-helper-1.
Could you please have a look. Thanks.
Regards
Carsten
Am 28.09.19 um 01:31 schrieb Ryan Armstrong:
> Package: thunderbird
> Version: 1:60.9.0-1
> Severity: normal
> Tags: newcomer patch
>
> Dear Maintainer,
>
> Upon switching to Debian testing (and thus Xfce 4.14), I noticed that
> web links would no longer open in Firefox. I traced the issue to the
> apparmor rule not allowing access for exo-helper-2 used by Xfce 4.14.
>
> Sep 27 16:44:30 alpha audit[3491]: AVC apparmor="DENIED"
> operation="exec" profile="thunderbird"
> name="/usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2" pid=3491
> comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
> Sep 27 16:44:30 alpha kernel: audit: type=1400 audit(1569617070.839:47):
> apparmor="DENIED" operation="exec" profile="thunderbird"
> name="/usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2" pid=3491
> comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
>
> When adding the following line to usr.bin.thunderbird, the problem is
> resolved:
>
> /usr/lib/@{multiarch}/xfce4/exo-2/exo-helper-2 ixr,
>
>
> Here is the change in patch form:
>
> Index:
> thunderbird_1%3a60.9.0-1~deb10u1_amd64/etc/apparmor.d/usr.bin.thunderbird
> ===
> ---
> thunderbird_1%3a60.9.0-1~deb10u1_amd64.orig/etc/apparmor.d/usr.bin.thunderbird
> +++
> thunderbird_1%3a60.9.0-1~deb10u1_amd64/etc/apparmor.d/usr.bin.thunderbird
> @@ -54,6 +54,7 @@ profile thunderbird /usr/lib/thunderbird
> # For Xubuntu to launch the browser
> /usr/bin/exo-open ixr,
> /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
> + /usr/lib/@{multiarch}/xfce4/exo-2/exo-helper-2 ixr,
> /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
> /etc/xdg/xfce4/helpers.rc r,
>
>
> Thanks,
> Ryan
>
>
> -- System Information:
> Debian Release: bullseye/sid
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386, arm64, armhf
>
> Kernel: Linux 5.2.0-2-amd64 (SMP w/4 CPU cores)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
> TAINT_UNSIGNED_MODULE
> Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_CA:en (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages thunderbird depends on:
> ii debianutils 4.9
> ii fontconfig 2.13.1-2+b1
> ii libatk1.0-0 2.34.0-1
> ii libc6 2.29-1
> ii libcairo-gobject2 1.16.0-4
> ii libcairo2 1.16.0-4
> ii libdbus-1-3 1.12.16-1
> ii libdbus-glib-1-2 0.110-4
> ii libevent-2.1-6 2.1.8-stable-4
> ii libffi6 3.2.1-9
> ii libfontconfig1 2.13.1-2+b1
> ii libfreetype6 2.9.1-4
> ii libgcc1 1:9.2.1-8
> ii libgdk-pixbuf2.0-0 2.38.1+dfsg-1
> ii libglib2.0-0 2.60.6-2
> ii libgtk-3-0 3.24.11-1
> ii libgtk2.0-0 2.24.32-4
> ii libhunspell-1.7-0 1.7.0-2+b1
> ii libicu63 63.2-2
> ii libjsoncpp1 1.7.4-3+b1
> ii libnspr4 2:4.21-2
> ii libnss3 2:3.45-1
> ii libpango-1.0-0 1.42.4-7
> ii libsqlite3-0 3.29.0-2
> ii libstartup-notification0 0.12-6
> ii libstdc++6 9.2.1-8
> ii libvpx6 1.8.1-2
> ii libx11-6 2:1.6.8-1
> ii libx11-xcb1 2:1.6.8-1
> ii libxcb-shm0 1.13.1-2
> ii libxcb1 1.13.1-2
> ii libxext6 2:1.3.3-1+b2
> ii libxrender1 1:0.9.10-1
> ii libxt6 1:1.1.5-1+b3
> ii psmisc 23.2-1+b1
> ii x11-utils 7.7+4
> ii zlib1g 1:1.2.11.dfsg-1+b1
>
> Versions of packages thunderbird recommends:
> ii hunspell-en-us [hunspell-dictionary] 1:2018.04.16-1
> ii lightning 1:60.9.0-1
>
> Versions of packages thunderbird suggests:
> ii apparmor 2.13.3-5
> ii fonts-lyx 2.3.3-2
> ii libgssapi-krb5-2 1.17-6
>
> -- Configuration Files:
> /etc/apparmor.d/usr.bin.thunderbird changed:
> @{MOZ_LIBDIR}=/usr/lib/thunderbird
> profile thunderbird /usr/lib/thunderbird/thunderbird{,-bin} {
> #include
> #include
> #include
> # TODO: finetune this for required accesses
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> # Backported from the mesa abstraction, available in AppArmor >2.13
> # System
Bug#941290: Unable to launch web browser from e-mail link in Thunderbird on Xfce 4.14 (using exo-helper-2) due to Apparmor
Package: thunderbird
Version: 1:60.9.0-1
Severity: normal
Tags: newcomer patch
Dear Maintainer,
Upon switching to Debian testing (and thus Xfce 4.14), I noticed that
web links would no longer open in Firefox. I traced the issue to the
apparmor rule not allowing access for exo-helper-2 used by Xfce 4.14.
Sep 27 16:44:30 alpha audit[3491]: AVC apparmor="DENIED"
operation="exec" profile="thunderbird"
name="/usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2" pid=3491
comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
Sep 27 16:44:30 alpha kernel: audit: type=1400 audit(1569617070.839:47):
apparmor="DENIED" operation="exec" profile="thunderbird"
name="/usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2" pid=3491
comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
When adding the following line to usr.bin.thunderbird, the problem is
resolved:
/usr/lib/@{multiarch}/xfce4/exo-2/exo-helper-2 ixr,
Here is the change in patch form:
Index:
thunderbird_1%3a60.9.0-1~deb10u1_amd64/etc/apparmor.d/usr.bin.thunderbird
===
---
thunderbird_1%3a60.9.0-1~deb10u1_amd64.orig/etc/apparmor.d/usr.bin.thunderbird
+++
thunderbird_1%3a60.9.0-1~deb10u1_amd64/etc/apparmor.d/usr.bin.thunderbird
@@ -54,6 +54,7 @@ profile thunderbird /usr/lib/thunderbird
# For Xubuntu to launch the browser
/usr/bin/exo-open ixr,
/usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
+ /usr/lib/@{multiarch}/xfce4/exo-2/exo-helper-2 ixr,
/etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
/etc/xdg/xfce4/helpers.rc r,
Thanks,
Ryan
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64, armhf
Kernel: Linux 5.2.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8),
LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages thunderbird depends on:
ii debianutils 4.9
ii fontconfig 2.13.1-2+b1
ii libatk1.0-0 2.34.0-1
ii libc6 2.29-1
ii libcairo-gobject2 1.16.0-4
ii libcairo2 1.16.0-4
ii libdbus-1-3 1.12.16-1
ii libdbus-glib-1-2 0.110-4
ii libevent-2.1-6 2.1.8-stable-4
ii libffi6 3.2.1-9
ii libfontconfig1 2.13.1-2+b1
ii libfreetype6 2.9.1-4
ii libgcc1 1:9.2.1-8
ii libgdk-pixbuf2.0-0 2.38.1+dfsg-1
ii libglib2.0-0 2.60.6-2
ii libgtk-3-0 3.24.11-1
ii libgtk2.0-0 2.24.32-4
ii libhunspell-1.7-0 1.7.0-2+b1
ii libicu63 63.2-2
ii libjsoncpp1 1.7.4-3+b1
ii libnspr4 2:4.21-2
ii libnss3 2:3.45-1
ii libpango-1.0-0 1.42.4-7
ii libsqlite3-0 3.29.0-2
ii libstartup-notification0 0.12-6
ii libstdc++6 9.2.1-8
ii libvpx6 1.8.1-2
ii libx11-6 2:1.6.8-1
ii libx11-xcb1 2:1.6.8-1
ii libxcb-shm0 1.13.1-2
ii libxcb1 1.13.1-2
ii libxext6 2:1.3.3-1+b2
ii libxrender1 1:0.9.10-1
ii libxt6 1:1.1.5-1+b3
ii psmisc 23.2-1+b1
ii x11-utils 7.7+4
ii zlib1g 1:1.2.11.dfsg-1+b1
Versions of packages thunderbird recommends:
ii hunspell-en-us [hunspell-dictionary] 1:2018.04.16-1
ii lightning 1:60.9.0-1
Versions of packages thunderbird suggests:
ii apparmor 2.13.3-5
ii fonts-lyx 2.3.3-2
ii libgssapi-krb5-2 1.17-6
-- Configuration Files:
/etc/apparmor.d/usr.bin.thunderbird changed:
@{MOZ_LIBDIR}=/usr/lib/thunderbird
profile thunderbird /usr/lib/thunderbird/thunderbird{,-bin} {
#include
#include
#include
# TODO: finetune this for required accesses
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
# Backported from the mesa abstraction, available in AppArmor >2.13
# System files
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
# User files
owner @{HOME}/.cache/ w, # if user clears all caches
owner @{HOME}/.cache/mesa_shader_cache/ w,
owner @{HOME}/.cache/mesa_shader_cache/index rw,
owner @{HOME}/.cache/mesa_shader_cache/??/ w,
owner @{HOME}/.cache/mesa_shader_cache/??/* rw,
# End of backported mesa abstraction
# Backported from the dri-enumerate abstraction, available in
AppArmor 2.13
/sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor}
r,
# Allow opening attachments
