[apparmor] Thunderbird profile - Links in GNOME
intrigeri at debian.org
Sun Apr 2 08:28:14 UTC 2017
> Then I thought I need to try to make this work on a Debian/GNOME system
> Thunderbird seems to ask gnome-open for my preferred browser but
> it does not open links using gnome-open, instead it wants to open the
> browsers directly.
What I see here seems to confirm this behavior.
> But I keep running into this kind of problem when I tell Thunderbird to
> use Chromium:
> type=AVC msg=audit(1489921484.684:12657): apparmor="DENIED"
> operation="file_mmap" profile="icedove//sanitized_helper"
> name="/lib/x86_64-linux-gnu/libpthread-2.19.so" pid=32115
> comm="chrome-sandbox" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Interesting. I see different behavior on sid (see below), so I assume
you're testing on Jessie; let's ignore this Jessie problem and focus
on current versions instead, OK?
> And when I tell it to use Firefox-ESR:
> type=AVC msg=audit(1489921598.610:12721): apparmor="DENIED"
> operation="exec" profile="icedove"
> name="/usr/lib/firefox-esr/firefox-esr" pid=32303 comm="icedove"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
On my sid system, I get asked which browser should be used.
The choices I have are:
1. "Firefox ESR" — if I choose this one, it just works, and I see that
firefox-esr is "confined" with the thunderbird//sanitized_helper
profile, thanks to abstractions/ubuntu-browsers. I think that what
you see (on Jessie?) is due to that abstraction not having been
updated in Jessie for firefox-esr. This may be worth a Jessie
update of the apparmor package (that could be combined with a fix
for CVE-2017-6507), if you want to take care of it (I'm not going
to bother personally, because 1. the Stretch release is close; and
2. icedove doesn't include any AppArmor profile on Jessie).
2. "Choose an Application"
* If I choose /usr/bin/firefox, then it starts, and is "confined" in
the same way as Firefox ESR. Good.
* If I choose /usr/bin/chromium, then Chromium doesn't start: I see
that exec'ing /usr/bin/chromium is denied by AppArmor. I think
that abstractions/ubuntu-browsers should allow /usr/bin/chromium,
just like it already allows /usr/bin/chromium-browser. But it
might not be enough. Wanna investigate further on sid?
> I was wondering how to solve this.
See some potential leads above :)
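
An added example, not part of the original message: a short Python parser for AppArmor denial records like the two quoted above. It groups denied paths by profile, operation and mask, and splits `parent//child` profile names so it is clear which confinement layer produced each denial. The function names are illustrative, and the sample input is the two quoted records rejoined onto single lines.

```python
import re
from collections import defaultdict

# The two denial records quoted in the message, rejoined onto one line each
# (the audit log writes one record per line; the mail wrapped them).
SAMPLE_LOG = """\
type=AVC msg=audit(1489921484.684:12657): apparmor="DENIED" operation="file_mmap" profile="icedove//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.19.so" pid=32115 comm="chrome-sandbox" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
type=AVC msg=audit(1489921598.610:12721): apparmor="DENIED" operation="exec" profile="icedove" name="/usr/lib/firefox-esr/firefox-esr" pid=32303 comm="icedove" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

# key=value pairs, where the value is either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Parse one audit line; return a dict for AppArmor denials, else None."""
    fields = {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    # "parent//child" names a child profile (or hat) nested in the parent.
    parent, _, child = fields.get("profile", "").partition("//")
    fields["parent_profile"] = parent
    fields["child_profile"] = child or None
    return fields


def summarize(log_text):
    """Group denied paths by (profile, operation, denied_mask)."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        denial = parse_denial(line)
        if denial is None:
            continue
        key = (denial["profile"], denial.get("operation", "?"),
               denial.get("denied_mask", "?"))
        groups[key].add(denial.get("name", "?"))
    return {key: sorted(paths) for key, paths in groups.items()}


if __name__ == "__main__":
    for (profile, op, mask), paths in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{profile}: {op} denied (mask {mask})")
        for path in paths:
            print(f"    {path}")
```
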