Bug#985080: Akonadi server crashes because of Apparmor rules

[bs.net]

Hi hefee,

I think I found the cause for the Apparmor messages and the crash.

The package plasma-workspace needs the virtual package default-dbus-session-
bus or dbus-session-bus.
This dependency is fulfilled by the package dbus-user-session as well as by 
dbus-x11.
On my system the package dbus-x11 was installed, which apparently triggers the 
messages or the rules of akonadi-server are aligned to dbus-user-session.
I therefore installed the package dbus-user-session and then deleted dbus-x11. 
After that all messages except one and the akonadi server crashes do not occur 
anymore. 

The only message I continue to receive is:
Mär 14 22:49:00 mcp kernel: audit: type=1400 audit(1615758540.971:29): 
apparmor="DENIED" operation="open" profile="/usr/bin/akonadiserver" name="/usr/
local/share/mime/mime.cache" pid=2305 comm=5468726561642028706F6F6C656429 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Maybe it should be pointed out that the Akonadi server can not be used with 
dbus-11.

Many kind regards
Sascha

Bug#985080: Akonadi server crashes because of Apparmor rules

[bs.net]

Hi hefee,

thank you very much for the quick feedback.

I do not use anything unusual. Primarily POP3 accounts (external providers)
and a local mailbox. I also use an embedded MariaDB as backend and X11
(without Wayland). The file system is Btrfs and the user directory is
encrypted.

The setup exists since 2003 and has survived all upgrades.

I hope that a permanent solution can be found.

Thank you very much and best regards
Sascha

Bug#985080: Akonadi server crashes because of Apparmor rules

[Sandro Knauß]

Hi,

> the Akonadi server permanently crashes on login after upgrading to Bullseye.

I cannot reproduce this on my setup an using Akonadi server the whole time. So 
I'm interested, why this happens for you and not for me.

What resources are you using? I use only a private IMAP server with MariaDB as 
Akonadi backend and using X11 (not Wayland).

> It would be good if the Apparmor rules of the Akonadi server were
> functional. In the current state, the Akonadi server is unfortunately not
> usable without user adjustments.

This is not true for me and also other distros use these Apparmor rules and 
are happy ( at least I did not got any negative feedback/patches for around 6 
months). So it seems like you triggered a test case other did not catch, so it 
would be helpful if you describe your setup, to get this patch upstream.

regards,

hefee

signature.asc
Description: This is a digitally signed message part.

Bug#985080: Akonadi server crashes because of Apparmor rules

[bs.net]

Package: akonadi-server
Version: 4:20.08.3-1

Hi,

the Akonadi server permanently crashes on login after upgrading to Bullseye.

There are several Apparmor messages in the log:

Mär 12 18:01:27 mcp kernel: audit: type=1400 audit(1615568487.152:30): 
apparmor="DENIED" operation="open" profile="/usr/bin/akonadiserver" name="/
proc/2411/fd/" pid=2411 comm="QDBusConnection" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
Mär 12 18:01:27 mcp kernel: audit: type=1400 audit(1615568487.152:31): 
apparmor="DENIED" operation="exec" profile="/usr/bin/akonadiserver" name="/usr/
bin/dbus-launch" pid=2411 comm="QDBusConnection" requested_mask="x" 
denied_mask="x" fsuid=1000 ouid=0
Mär 12 18:01:27 mcp kernel: audit: type=1400 audit(1615568487.152:32): 
apparmor="DENIED" operation="exec" profile="/usr/bin/akonadiserver" name="/usr/
bin/dbus-launch" pid=2411 comm="QDBusConnection" requested_mask="x" 
denied_mask="x" fsuid=1000 ouid=0
Mär 12 18:01:27 mcp kernel: audit: type=1400 audit(1615568487.152:33): 
apparmor="DENIED" operation="exec" profile="/usr/bin/akonadiserver" name="/usr/
bin/dbus-launch" pid=2411 comm="QDBusConnection" requested_mask="x" 
denied_mask="x" fsuid=1000 ouid=0
Mär 12 17:21:29 mcp kernel: audit: type=1400 audit(1615566089.522:31): 
apparmor="DENIED" operation="signal" profile="/usr/bin/akonadiserver" pid=2292 
comm="akonadiserver" requested_mask="send" denied_mask="send" signal=term 
peer="unconfined"
Mär 12 17:21:32 mcp kernel: audit: type=1400 audit(1615566092.526:32): 
apparmor="DENIED" operation="signal" profile="/usr/bin/akonadiserver" pid=2292 
comm="akonadiserver" requested_mask="send" denied_mask="send" signal=kill 
peer="unconfined"
Mär 12 17:37:16 mcp kernel: audit: type=1400 audit(1615567036.308:30): 
apparmor="DENIED" operation="open" profile="/usr/bin/akonadiserver" name="/usr/
local/share/mime/mime.cache" pid=3791 comm=5468726561642028706F6F6C656429 
requested_mask="r" denied_mask="r"  fsuid=100

So that I can write e-mails again, I first added the missing include for user 
additions in the /etc/apparmor.d/usr.bin.akonadiserver file:

  # Site-specific additions and overrides. See local/README for details.
  #include 

Subsequently, I have fixed the above messages with the following additions in /
etc/apparmor.d/local/usr.bin.akonadiserver, so that the Akonadi server is now 
running again:

/usr/bin/dbus-launch ix,
/usr/local/share/mime/mime.cache r,
@{PROC}/@{pid}/fd/ r,
@{HOME}/.Xauthority r,
signal send set=term peer=unconfined,
signal send set=kill peer=unconfined,

It would be good if the Apparmor rules of the Akonadi server were functional. 
In the current state, the Akonadi server is unfortunately not usable without 
user adjustments.

Please fix the apparmor rules. Thanks a lot.

With kind regards