From the apparmor side we can only offer a workaround that can
temporarily block the log spam. The reason for this is that while the
denial is coming from apparmor, it's because the policy is denying the
access, i.e. a bug in policy, not the enforcement engine.

For various reasons snaps do not use regular apparmor policy; instead
snapd manages and generates the policy for snap applications. For a
change to be permanent it needs to be added to the snapd interfaces.

The workaround is that you can edit the profile generated by snapd, adding the
following rule.

deny dbus (receive) bus="system" path="/org/freedesktop/login1"
interface="org.freedesktop.DBus.Properties" member="PropertiesChanged",

This will only last until snapd regenerates and reloads the profile.
This is generally only when the snap is updated.

To do this, as root edit the file
/var/lib/snapd/apparmor/profiles/snap.thunderbird.thunderbird

After you are done editing it, you load the modified policy into the kernel
using
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.thunderbird.thunderbird


If you are unfamiliar with apparmor profiles, the following describes where to
insert the rule from above.


Within the file, find the start of the profile, which I have copied below
----------------------------------------------------------
profile "snap.thunderbird.thunderbird" flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/openssl>
  
  # While in later versions of the base abstraction, include this explicitly
--------------------------------------------------------

and insert the rule, like below
---------------------------------------------------------
profile "snap.thunderbird.thunderbird" flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/openssl>
  

  deny dbus (receive) bus="system" path="/org/freedesktop/login1"
       interface="org.freedesktop.DBus.Properties" member="PropertiesChanged",


  # While in later versions of the base abstraction, include this explicitly
---------------------------------------------------------

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2125656

Title:
  Apparmor Repeatedly blocking Thunderbird snap
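
The manual edit and reload described in the message, as an added shell example (not part of the original message and not snapd or AppArmor project code). The function names are hypothetical, and it assumes the abstraction includes directly follow the profile header as quoted above:

```shell
#!/bin/sh
# Added example: apply the workaround rule once, after the profile's
# abstraction includes. Function names are hypothetical.
PROFILE=/var/lib/snapd/apparmor/profiles/snap.thunderbird.thunderbird
RULE='  deny dbus (receive) bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged",'

# has_rule FILE: succeeds if the deny rule is already in the profile
# (it disappears again whenever snapd regenerates the profile).
has_rule() {
    grep -qF 'deny dbus (receive) bus="system" path="/org/freedesktop/login1"' "$1"
}

# insert_rule FILE: idempotent insert; fails and leaves FILE untouched if the
# expected header and includes are not found.
insert_rule() {
    profile=$1
    has_rule "$profile" && return 0
    tmp=$(mktemp) || return 1
    awk -v rule="$RULE" '
        /^profile "snap\.thunderbird\.thunderbird"/ { in_head = 1 }
        # First line after the run of abstraction includes: put the rule here.
        in_head && seen_inc && !done && !/^[ \t]*#include <abstractions\// {
            print ""; print rule; print ""; done = 1
        }
        in_head && /^[ \t]*#include <abstractions\// { seen_inc = 1 }
        { print }
        END { exit (done ? 0 : 1) }
    ' "$profile" > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat (not mv) keeps the original file owner and mode.
    cat "$tmp" > "$profile" && rm -f "$tmp"
}

# apply_workaround: run as root; reloads only after a successful edit.
apply_workaround() {
    insert_rule "$PROFILE" && apparmor_parser -r "$PROFILE"
}

# Constructed sample header for a dry run: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf '%s\n' 'profile "snap.thunderbird.thunderbird" flags=(attach_disconnected,mediate_deleted) {' \
        '  #include <abstractions/base>' '  #include <abstractions/openssl>' '' '  # ...' '}' > "$demo"
    insert_rule "$demo" && cat "$demo"
    rm -f "$demo"
fi
```

Because the function is idempotent, `apply_workaround` can be re-run after each snap refresh; `has_rule "$PROFILE"` tells you whether snapd has regenerated the profile since the last edit.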
