[pkg-apparmor] Bug#920833: apparmor: AppArmor denies access to mime-specific files for various GUI applications

Vincas Dargis vindrg at gmail.com
Tue Jan 29 18:58:50 GMT 2019


Package: apparmor
Version: 2.13.2-6
Severity: minor
Tags: upstream

Dear Maintainer,

After recent updates on Sid, multiple GUI applications (like
Thunderbird, Firefox, qTox) on KDE are hit by these kinds of denials:

```
type=AVC msg=audit(1548784946.545:1896): apparmor="DENIED"
operation="open" profile="thunderbird"
name="/home/vincas/.local/share/mime/mime.cache" pid=2866
comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000

type=AVC msg=audit(1548784946.545:1897): apparmor="DENIED"
operation="open" profile="thunderbird"
name="/home/vincas/.local/share/mime/globs2" pid=2866 comm="thunderbird"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1548784946.545:1898): apparmor="DENIED"
operation="open" profile="thunderbird"
name="/home/vincas/.local/share/mime/magic" pid=2866 comm="thunderbird"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1548784946.545:1899): apparmor="DENIED"
operation="open" profile="thunderbird"
name="/home/vincas/.local/share/mime/aliases" pid=2866
comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000

type=AVC msg=audit(1548784946.545:1900): apparmor="DENIED"
operation="open" profile="thunderbird"
name="/home/vincas/.local/share/mime/subclasses" pid=2866
comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000

type=AVC msg=audit(1548784946.545:1901): apparmor="DENIED"
operation="open" profile="thunderbird"
name="/home/vincas/.local/share/mime/icons" pid=2866 comm="thunderbird"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1548784946.545:1902): apparmor="DENIED"
operation="open" profile="thunderbird"
name="/home/vincas/.local/share/mime/generic-icons" pid=2866
comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000
```

GDB backtraces:

```
Thread 1 "thunderbird-bin" hit Catchpoint 1 (returned from syscall openat), 0x00007fe8629a4509 in __libc_open64 (file=0x7fe82ce5fe80 "/usr/local/share/mime/generic-icons", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:48
48      in ../sysdeps/unix/sysv/linux/open64.c
#0  0x00007fe8629a4509 in __libc_open64 (file=0x7fe82ce5fe80 "/usr/local/share/mime/generic-icons", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:48
#1  0x00007fe8629360b2 in __GI__IO_file_open (fp=fp@entry=0x7fe82c94a800, filename=<optimized out>, posix_mode=<optimized out>, prot=prot@entry=438, read_write=8, is32not64=is32not64@entry=1) at fileops.c:189
#2  0x00007fe86293625d in _IO_new_file_fopen (fp=fp@entry=0x7fe82c94a800, filename=filename@entry=0x7fe82ce5fe80 "/usr/local/share/mime/generic-icons", mode=<optimized out>, mode@entry=0x7fe860ff9b6f "r", is32not64=is32not64@entry=1) at fileops.c:281
#3  0x00007fe86292a359 in __fopen_internal (filename=0x7fe82ce5fe80 "/usr/local/share/mime/generic-icons", mode=0x7fe860ff9b6f "r", is32=1) at iofopen.c:75
#4  0x00007fe860fd1156 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#5  0x00007fe860fce1d8 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#6  0x00007fe860fce38f in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#7  0x00007fe860fce8ae in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#8  0x00007fe860fcea19 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#9  0x00007fe860f604dd in g_content_type_from_mime_type () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#10 0x00007fe85d253ac5 in  () at /usr/lib/thunderbird/libxul.so
#11 0x00007fe85af0e772 in  () at /usr/lib/thunderbird/libxul.so
#12 0x00007fe85af02a3a in  () at /usr/lib/thunderbird/libxul.so
...
```

For the Qt application, it seems to be a KDE styles/iconloader issue?

```
Thread 1 "qtox" hit Catchpoint 1 (returned from syscall openat), 0x00007f190adf4c4e in __libc_open64 (file=file@entry=0x56267c90d588 "/usr/share/mime/generic-icons", oflag=oflag@entry=524288) at ../sysdeps/unix/sysv/linux/open64.c:48
48      in ../sysdeps/unix/sysv/linux/open64.c
#0  0x00007f190adf4c4e in __libc_open64 (file=file@entry=0x56267c90d588 "/usr/share/mime/generic-icons", oflag=oflag@entry=524288) at ../sysdeps/unix/sysv/linux/open64.c:48
#1  0x00007f190b31b96c in open64 (__oflag=<optimized out>, __path=0x56267c90d588 "/usr/share/mime/generic-icons") at /usr/include/x86_64-linux-gnu/bits/fcntl2.h:91
#2  0x00007f190b31b96c in qt_safe_open (mode=438, flags=<optimized out>, pathname=0x56267c90d588 "/usr/share/mime/generic-icons") at ../../include/QtCore/5.11.3/QtCore/private/../../../../../src/corelib/kernel/qcore_unix_p.h:195
#3  0x00007f190b31b96c in QFSFileEnginePrivate::nativeOpen(QFlags<QIODevice::OpenModeFlag>) (this=0x56267c7b9c60, openMode=...) at io/qfsfileengine_unix.cpp:122
#4  0x00007f190b2fa894 in QFSFileEngine::open(QFlags<QIODevice::OpenModeFlag>) (this=0x56267c82e680, openMode=...) at io/qfsfileengine.cpp:246
#5  0x00007f190b2b8156 in QFile::open(QFlags<QIODevice::OpenModeFlag>) (this=0x7ffcba56a8e0, mode=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:140
#6  0x00007f18f91700fb in  () at /lib/x86_64-linux-gnu/libKF5IconThemes.so.5
#7  0x00007f18f91726b3 in KIconLoader::KIconLoader(QString const&, QStringList const&, QObject*) () at /lib/x86_64-linux-gnu/libKF5IconThemes.so.5
#8  0x00007f18f91728e3 in KIconLoader::global() () at /lib/x86_64-linux-gnu/libKF5IconThemes.so.5
#9  0x00007f18f36eae95 in KStyle::pixelMetric(QStyle::PixelMetric, QStyleOption const*, QWidget const*) const () at /lib/x86_64-linux-gnu/libKF5Style.so.5
#10 0x00007f18f378850b in  () at /usr/lib/x86_64-linux-gnu/qt5/plugins/styles/breeze.so
#11 0x00007f190e8df75b in  () at /lib/x86_64-linux-gnu/libQt5Widgets.so.5
#12 0x000056267a96c4bf in Widget::Widget(QWidget*) ()
#13 0x000056267a96c699 in Widget::getInstance() ()
#14 0x000056267a9327db in Nexus::showMainGUI() ()
#15 0x000056267a93468c in Nexus::start() ()
#16 0x000056267a926703 in main ()
[Switching to Thread 0x7f18f2ee2700 (LWP 10429)]
```

For firefox, it's deep in GTK:

```
Thread 1 "firefox" hit Catchpoint 1 (call to syscall openat), 0x00007f74ed013509 in __libc_open64 (file=0x7f74d783b4f0 "/home/vincas/.local/share//mime/generic-icons", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:48
48      in ../sysdeps/unix/sysv/linux/open64.c
#0  0x00007f74ed013509 in __libc_open64 (file=0x7f74d783b4f0 "/home/vincas/.local/share//mime/generic-icons", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:48
#1  0x00007f74ecfa50b2 in __GI__IO_file_open (fp=fp@entry=0x7f74d7ab4000, filename=<optimized out>, posix_mode=<optimized out>, prot=prot@entry=438, read_write=8, is32not64=is32not64@entry=1) at fileops.c:189
#2  0x00007f74ecfa525d in _IO_new_file_fopen (fp=fp@entry=0x7f74d7ab4000, filename=filename@entry=0x7f74d783b4f0 "/home/vincas/.local/share//mime/generic-icons", mode=<optimized out>, mode@entry=0x7f74eb5aab6f "r", is32not64=is32not64@entry=1) at fileops.c:281
#3  0x00007f74ecf99359 in __fopen_internal (filename=0x7f74d783b4f0 "/home/vincas/.local/share//mime/generic-icons", mode=0x7f74eb5aab6f "r", is32=1) at iofopen.c:75
#4  0x00007f74eb582156 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#5  0x00007f74eb57f1d8 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#6  0x00007f74eb57f441 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#7  0x00007f74eb57f8ae in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#8  0x00007f74eb57f90a in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#9  0x00007f74eb5116f9 in g_content_type_guess () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#10 0x00007f74eb7f2713 in  () at /lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0
#11 0x00007f74eb7f5109 in  () at /lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0
#12 0x00007f74eb7f5bd8 in gdk_pixbuf_loader_write () at /lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0
#13 0x00007f74eb7f22bb in  () at /lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0
#14 0x00007f74eb7f329c in gdk_pixbuf_new_from_stream () at /lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0
#15 0x00007f74ec58b03f in  () at /lib/x86_64-linux-gnu/libgtk-3.so.0
#16 0x00007f74ec58e268 in gtk_icon_info_load_icon () at /lib/x86_64-linux-gnu/libgtk-3.so.0
#17 0x00007f74ec58e4c4 in gtk_icon_theme_load_icon_for_scale () at /lib/x86_64-linux-gnu/libgtk-3.so.0
#18 0x00007f74ec7145b3 in  () at /lib/x86_64-linux-gnu/libgtk-3.so.0
#19 0x00007f74ec715a91 in  () at /lib/x86_64-linux-gnu/libgtk-3.so.0
#20 0x00007f74ec71d06f in  () at /lib/x86_64-linux-gnu/libgtk-3.so.0
#21 0x00007f74eb2abc7d in g_closure_invoke () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#22 0x00007f74eb2bf4d6 in  () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#23 0x00007f74eb2c82c2 in g_signal_emit_valist () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#24 0x00007f74eb2c890f in g_signal_emit () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#25 0x00007f74ec70da86 in gtk_widget_realize () at /lib/x86_64-linux-gnu/libgtk-3.so.0
...
```

I'll try to fix this issue.

First, I will try reproducing on GNOME. Not sure if it's KDE-related, or
whether we need a new abstraction, to update an existing one, or to leave
these rules to the per-application profiles themselves...


-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=lt_LT.UTF-8, LC_CTYPE=lt_LT.UTF-8 (charmap=UTF-8), LANGUAGE=lt (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.70
ii  libc6                  2.28-5
ii  lsb-base               10.2018112800
ii  python3                3.7.2-1

apparmor recommends no packages.

Versions of packages apparmor suggests:
ii  apparmor-profiles-extra  1.25
ii  apparmor-utils           2.13.2-6

-- Configuration Files:
/etc/apparmor.d/abstractions/audio changed [not included]
/etc/apparmor.d/abstractions/kde changed [not included]
/etc/apparmor.d/abstractions/mesa changed [not included]
/etc/apparmor.d/abstractions/ubuntu-email changed [not included]
/etc/apparmor.d/tunables/kernelvars changed [not included]
/etc/apparmor.d/tunables/securityfs changed [not included]
/etc/apparmor.d/tunables/sys changed [not included]

-- debconf information excluded
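As an added example, not part of this bug report or of the apparmor package: a small Python script that turns AppArmor DENIED audit lines like the ones above into candidate profile rules, collapsing the user's home directory into @{HOME}, covering the whole share/mime tree with `**`, and adding `owner` where the denied file belongs to the accessing user. The sample lines are constructed from the report's denials (the qtox and firefox events are hypothetical, shaped after the backtraces), and the share/mime/** generalisation and the owner heuristic are assumptions of this example, not aa-logprof's logic.

```python
import re
from collections import defaultdict

# Constructed sample input: two denials from the report plus hypothetical qtox and
# firefox events shaped like the backtraces above (one audit event per line).
SAMPLE_LOG = "\n".join([
    'type=AVC msg=audit(1548784946.545:1896): apparmor="DENIED" operation="open" profile="thunderbird" '
    'name="/home/vincas/.local/share/mime/mime.cache" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'type=AVC msg=audit(1548784946.545:1897): apparmor="DENIED" operation="open" profile="thunderbird" '
    'name="/home/vincas/.local/share/mime/globs2" pid=2866 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'type=AVC msg=audit(1548784946.545:1903): apparmor="DENIED" operation="open" profile="qtox" '
    'name="/usr/share/mime/generic-icons" pid=3001 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1548784946.545:1904): apparmor="DENIED" operation="open" profile="firefox" '
    'name="/home/vincas/.local/share//mime/generic-icons" pid=3002 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
])

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AppArmor DENIED audit line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def generalise_path(name):
    """Map a denied path to a rule path (assumed heuristic, not aa-logprof's logic)."""
    path = re.sub(r"/+", "/", name)                  # "share//mime" -> "share/mime"
    path = re.sub(r"^/home/[^/]+", "@{HOME}", path)  # per-user directory -> tunable
    idx = path.find("/share/mime/")
    if idx != -1:                                    # one MIME database: cover the tree
        return path[:idx] + "/share/mime/**"
    return path


def derive_rules(log_text):
    """Group open denials by profile; return sorted, de-duplicated candidate rules."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_avc(line)
        if not ev or ev.get("operation") != "open":
            continue
        path = generalise_path(ev["name"])
        # 'owner' limits the rule to files owned by the confined process's fsuid.
        owner = path.startswith("@{HOME}") and ev.get("fsuid") == ev.get("ouid")
        rules[ev["profile"]].add(f"{'owner ' if owner else ''}{path} {ev['denied_mask']},")
    return {profile: sorted(r) for profile, r in rules.items()}
```

`derive_rules(SAMPLE_LOG)` yields `owner @{HOME}/.local/share/mime/** r,` for thunderbird and firefox and `/usr/share/mime/** r,` for qtox; the `**` glob is broader than the individual files that were denied, so check the candidate against the profile before adding it.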