[pkg-apparmor] Bug#1051503: AppArmor blocks Evolution launch

dp217 dp217 at proton.me
Sun Sep 10 16:14:18 BST 2023 

Hello,

> comm="bwrap" looks like a hint towards bubblewrap, therefore my guess
> is that we are looking at a flatpak-packaged evolution here. But that's
> just a guess, so I'll wait for the feedback from the reporter.

Evolution is not a flatpak version, it is the default version installed with the OS (Debian 12)

> As far as I know we don't confine Evolution with AppArmor in Debian,
> so I suppose you've installed or enabled a profile yourself, and then
> I would encourage you to report this problem to the authors of
> said profile.
> If my assumptions are incorrect, please help me understand :)

Yes, the Profile is not part of Debian 12, I tried to install the profile from the https://packages.debian.org/bookworm/apparmor-profiles package, but it didn't work at all. So I am trying to create my own profile, mostly using aa-logprof.

> For the records. aa-logprof doesn't support mount rules yet (besides
> keeping/not breaking existing rules) which is why it doesn't ask
> anything for the DENIED event quoted above.

Thanks for the info, I hadn't thought of that, so I'll try to resolve unsupported records manually. (It might be a good idea to mention this somewhere, perhaps for other users, if not directly when generating via aa-logprof, at least in its manual)

> That said:
> The profile will need a mount rule added, probably
> mount options=(rw, silent, rslave) -> /,
> (I know allowing evolution or bwrap to mount / looks strange, even if
> it's inside a sandbox. But I'm afraid that's what the sandbox needs.)

Thanks for the syntax.
So probably even the default version (non flatpak version) tries to create a sandbox to run Evolution?
Without a deeper knowledge of the operating system and especially the application, it's not that easy to make rules as mentioned on the internet.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-apparmor-team/attachments/20230910/7d4037a3/attachment.htm>

More information about the pkg-apparmor-team mailing list