[pkg-apparmor] Bug#949450: thunderbird: tb not usable with apparmor profile enabled.

Christian Boltz apparmor-debian at cboltz.de
Tue Feb 11 00:21:43 GMT 2020


Hello,

I'm not the maintainer of the thunderbird profile nor using Debian, but 
maybe I can give some helpful input nevertheless ;-)

(Updating the shipped profile has to be done by someone else.)

Am Freitag, 31. Januar 2020, 11:46:49 CET schrieb Dimitris:
> On 1/30/20 2:11 PM, Dimitris wrote:
...
> > [Thu Jan 30 2020] audit: type=1400 audit(1580374356.923:36):
> > apparmor="DENIED" operation="open"
> > profile="thunderbird//sanitized_helper"
> > name="/tmp/clearsigned.message.pycT1r" pid=23600 comm="apt-cache"
> > requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

That looks interesting[tm] - why would apt-cache want to access a 
tempfile that looks like (wild guess based on the filename) a signed 
message?

[...]
> > audit: type=1400 audit(1580377190.735:2836): apparmor="DENIED"
> > operation="file_inherit" profile="thunderbird//gpg"
> > name=2F6XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > XXXXXXXXXXXXD6C pid=13850 comm="gpg" requested_mask="a"
> > denied_mask="a" fsuid=1000 ouid=1000
> > 
> > (replaced chars in between with Xs, since i don't know what this
> > could be..?)

That's a hex-encoded filename - this encoding gets used in the log if a 
filename contains for example a space or special characters. 

You can decode it with
    aa-decode 2F6....D6C
(obviously use the original name, not the X'ed out one)

From the X'ed out name, I can say that it starts with, surprise, "/" 
(2F) and ends with "l" (6C).

> new messages emerging making tb/enigmail unusable :
> 
> audit: type=1400 audit(1580465922.867:14): apparmor="DENIED"
> operation="capable" profile="thunderbird" pid=11974 comm="thunderbird"
> capability=21 capname="sys_admin"

That's interesting[tm]. Wild guess: maybe thunderbird uses some 
sandboxing that needs this capability to initialize?

> audit: type=1400 audit(1580465924.499:15): apparmor="DENIED"
> operation="open" profile="thunderbird" name="/etc/mate/defaults.list"
> pid=11974 comm="thunderbird" requested_mask="r" denied_mask="r"
> fsuid=1000 ouid=0

That translates to   /etc/mate/defaults.list r,   for the thunderbird 
profile - or an abstraction. (We don't have a mate abstraction yet, 
maybe it's time to start one? ;-)

> audit: type=1400 audit(1580465929.463:16): apparmor="DENIED"
> operation="file_lock" profile="thunderbird"
> name="/home/user/.cache/thunderbird/profile.default/OfflineCache/index
> .sqlite" pid=11974 comm="thunderbird" requested_mask="k"
> denied_mask="k" fsuid=1000 ouid=1000

k is for "file lock". The strictest-possible rule would be
    /home/*/.cache/thunderbird/profile.default/OfflineCache/index k,

> audit: type=1400 audit(1580465955.367:18): apparmor="DENIED"
> operation="file_inherit" profile="thunderbird//gpg"
> name="/home/user/.icedove/profile.default/ImapMail/account1/INBOX.sbd/
> folder" pid=13491 comm="gpg" requested_mask="w" denied_mask="w"
> fsuid=1000 ouid=1000
> 
> audit: type=1400 audit(1580466665.275:19): apparmor="DENIED"
> operation="file_inherit" profile="thunderbird//gpg"
> name="/home/user/.icedove/profile.default/prefs-1.js" pid=20428
> comm="gpg" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000

These two look like a case of thunderbird not closing files when 
executing gpg. You can probably ignore or deny that.

> audit: type=1400 audit(1580466665.279:20): apparmor="DENIED"
> operation="exec" profile="thunderbird//gpg" name="/usr/bin/gpg-agent"
> pid=20430 comm="gpg" requested_mask="x" denied_mask="x" fsuid=1000
> ouid=0

Ah, gpg wants to execute gpg-agent. That makes sense.

The easiest solution would be to add
    /usr/bin/gpg-agent mrix,
to the gpg subprofile.

A more strict version would be
    /usr/bin/gpg-agent mrPx -> thunderbird//gpg-agent,
to the gpg subprofile, and then to create a child profile called 
gpg-agent:
    profile gpg-agent {
        # TODO
    }


As a sidenote - someone in the #apparmor IRC channel (on OFTC) spent 
some work on creating a profile for thunderbird a few weeks ago. 
Unfortunately the pastebin links have expired, but if you are 
interested, I can try to get it uploaded somewhere again.


BTW: While you work on the profile, you might want to put it into 
complain mode. Without knowing the exact profile filename:
    aa-complain /etc/apparmor.d/*thunderbird
This will allow everything (so Thunderbird will work) and log what would 
be denied. However, note that "allow everything" means that AppArmor 
won't prevent anything evil, so don't forget to switch the profile back 
to enforce mode (using aa-enforce instead of aa-complain) when you think 
it's complete.

If you prefer an interactive tool over reading the logfile, you can use 
aa-logprof   to update the profile.


Regards,

Christian Boltz
-- 
> > How about openSUSE Leap $(sha256sum $ISOIMAGEFILENAME) :-(
> Can I get a version with my name?? :D
Sure.  Just change your name to "openSUSE".  ;)
[>> Mathias Homann, > Karl Sinn and James Knott in opensuse-factory]
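The decoding and rule-translation steps described in the mail above, as an added example that is not part of the original message or of AppArmor's own tools: a small Python script that parses DENIED audit lines, decodes a bare hex name= value the way aa-decode does, generalizes /home/user/ to /home/*/, quotes paths containing spaces, and prints a candidate rule per event. The sample log lines and the hex-encoded path are constructed for the example; the exec mode "ix" is one choice, the mail also discusses "mrix" and the stricter "Px -> profile" transition.

```python
import re

# key=value pairs of an AppArmor audit line: the value is either double-quoted or a
# bare token. A bare name= token is the hex encoding AppArmor uses when the path
# holds a space or special character (this is what aa-decode undoes).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_audit_line(line):
    """Split one audit line into a dict; a bare hex name= value is decoded."""
    fields = {}
    for key, quoted, bare in _KV.findall(line):
        if key == "name" and bare and _HEX.fullmatch(bare):
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare if bare else quoted
    return fields

def suggest_rule(fields):
    """Turn one DENIED event into a candidate rule, prefixed with its profile."""
    if fields.get("apparmor") != "DENIED":
        return None
    profile = fields.get("profile", "?")
    if fields.get("operation") == "capable":  # review carefully: widens the sandbox
        return f"{profile}: capability {fields['capname']},"
    if "name" not in fields:
        return None
    # /home/user/... -> /home/*/... so the rule is not tied to one user name
    path = re.sub(r"^/home/[^/]+/", "/home/*/", fields["name"])
    if " " in path:
        path = f'"{path}"'  # paths with spaces must be quoted in a profile
    # denied_mask letters (r w a k ...) are the same letters a file rule uses; exec needs an exec mode
    mode = "ix" if fields.get("operation") == "exec" else fields["denied_mask"]
    return f"{profile}: {path} {mode},"

def suggest_rules(log_text):
    """Candidate rules for every DENIED line in a block of audit log text."""
    rules = []
    for line in log_text.splitlines():
        rule = suggest_rule(parse_audit_line(line))
        if rule:
            rules.append(rule)
    return rules

# Constructed sample log (not real captured output); the hex name decodes to "/tmp/signed mail".
SAMPLE_LOG = """\
audit: type=1400 audit(1.1:1): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name=2F746D702F7369676E6564206D61696C pid=1 comm="gpg" requested_mask="a" denied_mask="a" fsuid=1000 ouid=1000
audit: type=1400 audit(1.1:2): apparmor="DENIED" operation="file_lock" profile="thunderbird" name="/home/user/.cache/thunderbird/profile.default/OfflineCache/index.sqlite" pid=1 comm="thunderbird" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
audit: type=1400 audit(1.1:3): apparmor="DENIED" operation="exec" profile="thunderbird//gpg" name="/usr/bin/gpg-agent" pid=1 comm="gpg" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1.1:4): apparmor="DENIED" operation="capable" profile="thunderbird" pid=1 comm="thunderbird" capability=21 capname="sys_admin"
"""
```

Run `print("\n".join(suggest_rules(SAMPLE_LOG)))` to see the four candidate rules; the output is a starting point to review, not a profile to paste in unread.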