[pkg-apparmor] Bug#882048: Re: Bug#882048: apparmor should let thunderbird use signatures from files

Vincas Dargis vindrg at gmail.com
Sat Nov 25 15:23:16 UTC 2017


On 2017.11.23 21:14, intrigeri wrote:
>> 4. Opening a File dialog to select a file to be attached produces a bunch of DENIED
>> messages in the log when the user browses their $HOME, which contains dot-files and
>> directories. I have experienced this myself, as for some reason the file select dialog
>> tries to read the files being displayed (probably for create/modify dates?). To avoid
>> these noisy DENIED messages, someone has put a `deny @{HOME}/.* r,` rule in to silence
>> it. This is my speculation.
> 
> I can't reproduce this after commenting out the "deny @{HOME}/.* r" rule.

I got this mayhem on the KDE desktop when opening the "Save As" dialog to save a message, or with the signature "Choose file" dialog:

```
type=AVC msg=audit(1511621266.915:756): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.vboxclient-clipboard.pid" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:757): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.selected_editor" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:758): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.gitconfig" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:759): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.xsession-errors" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:760): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.vboxclient-display.pid" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:761): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.vboxclient-seamless.pid" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:762): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.recently-used" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:763): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.vboxclient-draganddrop.pid" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:764): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.lesshst" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:765): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.wget-hsts" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:766): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.vboxclient-clipboard.pid" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:767): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.selected_editor" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:768): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.gitconfig" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:769): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.xsession-errors" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:770): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.vboxclient-display.pid" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:771): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.vboxclient-seamless.pid" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:772): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.recently-used" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:773): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.vboxclient-draganddrop.pid" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:774): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.lesshst" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:775): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.wget-hsts" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.947:776): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.gitconfig" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.951:777): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.lesshst" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
```

I tried to break on the open() syscall to catch which library tries to open these files in the open file dialog, like this:

```
gdb /usr/lib/thunderbird/thunderbird
```

Within gdb:

```
set height 0
set logging on
break open
commands
print((char*)$rdi)
bt
c
end
r
```

This will break on the `open()` syscall, print the file path argument of `open()`, produce a backtrace and continue. As a result I get output like this (from the default gdb.txt log file in the working directory):

```
Thread 41 "pool" hit Breakpoint 1, 0x00007f3f08c919d0 in open64 () from /lib/x86_64-linux-gnu/libpthread.so.0
$554 = 0x7f3ecb320800 "/home/vincas/.vimrc"
#0  0x00007f3f08c919d0 in open64 () from /lib/x86_64-linux-gnu/libpthread.so.0
#1  0x00007f3f01c42526 in ?? () from /lib/x86_64-linux-gnu/libgio-2.0.so.0
#2  0x00007f3f01c43fe9 in ?? () from /lib/x86_64-linux-gnu/libgio-2.0.so.0
#3  0x00007f3f01c4142b in ?? () from /lib/x86_64-linux-gnu/libgio-2.0.so.0
#4  0x00007f3f01bb3930 in ?? () from /lib/x86_64-linux-gnu/libgio-2.0.so.0
#5  0x00007f3f01bebcf6 in ?? () from /lib/x86_64-linux-gnu/libgio-2.0.so.0
#6  0x00007f3f0166b000 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#7  0x00007f3f0166a635 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#8  0x00007f3f08c87517 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#9  0x00007f3f07f1c82f in clone () from /lib/x86_64-linux-gnu/libc.so.6
```

Then I tried it the other way around. I disabled the `usr.bin.thunderbird` profile so Thunderbird can do whatever it needs, and monitored it using sysdig (a cool tool that does its work from kernel space, unlike strace, which meddles with the process environment; no need to "attach"):

```
$ sudo sysdig "proc.name=thunderbird and fd.name=/home/vincas/.vimrc"
257671 17:14:42.523705164 7 thunderbird (8712) < open fd=69(<f>/home/vincas/.vimrc) name=/home/vincas/.vimrc flags=1(O_RDONLY) mode=0
257672 17:14:42.523705558 7 thunderbird (8712) > read fd=69(<f>/home/vincas/.vimrc) size=4096
257675 17:14:42.523706624 7 thunderbird (8712) < read res=51 data=set bg=dark.set tabstop=4.set expandtab.syntax on..
257676 17:14:42.523706974 7 thunderbird (8712) > close fd=69(<f>/home/vincas/.vimrc)
257677 17:14:42.523707278 7 thunderbird (8712) < close res=0
259891 17:14:42.526054294 2 thunderbird (8715) < open fd=69(<f>/home/vincas/.vimrc) name=/home/vincas/.vimrc flags=1(O_RDONLY) mode=0
259893 17:14:42.526055044 2 thunderbird (8715) > read fd=69(<f>/home/vincas/.vimrc) size=4096
259895 17:14:42.526056857 2 thunderbird (8715) < read res=51 data=set bg=dark.set tabstop=4.set expandtab.syntax on..
259897 17:14:42.526057576 2 thunderbird (8715) > close fd=69(<f>/home/vincas/.vimrc)
259900 17:14:42.526058142 2 thunderbird (8715) < close res=0
```

So the glib/gio libraries not only open, but actually read the files visible in the file dialog. Twice!

I guess we need some bug reports?
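As an added example (not part of this message or of the Debian profile), a small triage script that parses AVC lines like the ones above and checks which of them the `deny @{HOME}/.* r,` rule would actually silence. The sample lines are constructed from the report, plus two constructed cases the rule does not cover: a file under `.config/` (AppArmor's `*` never crosses `/`) and a write denial (a `deny ... r` rule only swallows read denials).

```python
import re
from collections import Counter

# Constructed sample: four lines taken from the report (re-joined onto single
# lines) and two extra constructed cases that the deny rule would not cover.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1511621266.915:756): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.vboxclient-clipboard.pid" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:757): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.selected_editor" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:758): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.gitconfig" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:766): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.vboxclient-clipboard.pid" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:900): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.config/secret.txt" pid=6607 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511621266.919:901): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.recently-used" pid=6607 comm="pool" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
"""

# @{HOME}/.* : a dot-entry directly under a home directory; AppArmor's `*`
# matches any characters except '/', so nothing inside a dot-directory matches.
HOME_DOTFILE_RE = re.compile(r"^(?:/home/[^/]+|/root)/\.[^/]+$")


def parse_avc(text):
    """Turn each AppArmor DENIED audit line into a dict of its key=value fields."""
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
        events.append({k: v.strip('"') for k, v in pairs})
    return events


def silenced_by_home_dotfile_deny(ev):
    """True if `deny @{HOME}/.* r,` would swallow this event: path matches the
    glob and only read access was denied (a deny on `r` says nothing about `w`)."""
    return bool(HOME_DOTFILE_RE.match(ev["name"])) and set(ev["denied_mask"]) <= {"r"}


def summarize(text):
    """Count denials per path and report which would survive the deny rule."""
    events = parse_avc(text)
    remaining = sorted({ev["name"] for ev in events if not silenced_by_home_dotfile_deny(ev)})
    return {
        "total": len(events),
        "per_path": Counter(ev["name"] for ev in events),
        "silenced": sum(1 for ev in events if silenced_by_home_dotfile_deny(ev)),
        "remaining": remaining,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_AUDIT))
```

Feed it `journalctl -k` or `/var/log/audit/audit.log` output to see which dot-file denials the rule hides and which still need a real profile decision.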
