[apparmor] Thunderbird profile - Links in GNOME

intrigeri intrigeri at debian.org
Sun Apr 2 08:28:14 UTC 2017


> Then I thought I need to try to make this work on a Debian/GNOME system
> too.


> Thunderbird seems to ask gnome-open for my preferred browser but
> it does not open links using gnome-open, instead it wants to open the
> browsers directly.

What I see here seems to confirm this behavior.

> But I keep running into this kind of problem when I tell Thunderbird to
> use Chromium:


> type=AVC msg=audit(1489921484.684:12657): apparmor="DENIED"
> operation="file_mmap" profile="icedove//sanitized_helper"
> name="/lib/x86_64-linux-gnu/libpthread-2.19.so" pid=32115
> comm="chrome-sandbox" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

Interesting. I see different behavior on sid (see below), so I assume
you're testing on Jessie; let's ignore this Jessie problem and focus
on current versions instead, OK?

> And when I tell it to use Firefox-ESR:

> type=AVC msg=audit(1489921598.610:12721): apparmor="DENIED"
> operation="exec" profile="icedove"
> name="/usr/lib/firefox-esr/firefox-esr" pid=32303 comm="icedove"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

On my sid system, I get asked which browser should be used.
The choices I have are:

1. "Firefox ESR" — if I choose this one, it just works, and I see that
   firefox-esr is "confined" with the thunderbird//sanitized_helper
   profile, thanks to abstractions/ubuntu-browsers. I think that what
   you see (on Jessie?) is due to that abstraction not having been
   updated in Jessie for firefox-esr. This may be worth a Jessie
   update of the apparmor package (that could be combined with a fix
   for CVE-2017-6507), if you want to take care of it (I'm not going
   to bother personally, because 1. the Stretch release is close; and
   2. icedove doesn't include any AppArmor profile on Jessie).

2. "Choose an Application"

   * If I choose /usr/bin/firefox, then it starts, and is "confined" in
     the same way as Firefox ESR. Good.

   * If I choose /usr/bin/chromium, then Chromium doesn't start: I see
     that exec'ing /usr/bin/chromium is denied by AppArmor. I think
     that abstractions/ubuntu-browsers should allow /usr/bin/chromium,
     just like it already allows /usr/bin/chromium-browser. But it
     might not be enough. Wanna investigate further on sid?

> I was wondering how to solve this.

See some potential leads above :)
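As an added illustration (this is not code from the thread, nor from the apparmor package or its aa-logprof tool), here is a small parser that takes AVC denial lines like the two quoted above and turns each one into a candidate rule, grouped by the profile (or child profile such as icedove//sanitized_helper) that actually produced the denial. It assumes that an exec denial for a browser should be granted with a `Cxr -> sanitized_helper` transition, the way the ubuntu-browsers abstraction is described as confining firefox-esr; that choice, and the third sample line standing in for the /usr/bin/chromium case on sid (the thread shows no log line for it), are assumptions made here.

```python
"""Turn AppArmor AVC denial lines into candidate profile rules, grouped by
the profile that produced the denial.

Added example for this thread, not code from the apparmor package.  The
rules it emits are a starting point to read, not text to paste into a
profile unreviewed.
"""
import re
from collections import defaultdict

# Sample input: the two denials quoted in the thread, plus a third line
# CONSTRUCTED here to stand in for the "/usr/bin/chromium exec is denied"
# case described for sid.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1489921484.684:12657): apparmor="DENIED" operation="file_mmap" profile="icedove//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.19.so" pid=32115 comm="chrome-sandbox" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
type=AVC msg=audit(1489921598.610:12721): apparmor="DENIED" operation="exec" profile="icedove" name="/usr/lib/firefox-esr/firefox-esr" pid=32303 comm="icedove" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1490000000.000:100): apparmor="DENIED" operation="exec" profile="thunderbird" name="/usr/bin/chromium" pid=4242 comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

# key="value" pairs as they appear in audit records
_KV = re.compile(r'(\w+)="([^"]*)"')

# Assumption: a browser exec'd from the mail client should land in the
# sanitized_helper child profile, as abstractions/ubuntu-browsers does for
# the browsers it knows.  Any other transition mode is a policy decision.
EXEC_RULE = "{name} Cxr -> sanitized_helper,"


def parse_avc(line):
    """Return the quoted fields of one AVC line as a dict, or None if the
    line is not an AppArmor audit record."""
    if "type=AVC" not in line or "apparmor=" not in line:
        return None
    return dict(_KV.findall(line))


def file_mask(denied_mask):
    """Normalise a denied_mask into a file-rule permission string.
    An 'm' (mmap executable) denial on a library is normally granted as
    'mr', since the loader also has to read the file."""
    perms = set(denied_mask)
    if "m" in perms:
        perms.add("r")
    # 'x' on its own is not a valid file permission; exec is handled apart
    return "".join(p for p in "mrwkl" if p in perms)


def suggest_rule(rec):
    """Candidate rule for one DENIED record, or None if nothing applies."""
    if rec.get("apparmor") != "DENIED" or not rec.get("name"):
        return None
    name = rec["name"]
    mask = rec.get("denied_mask", "")
    if rec.get("operation") == "exec" or "x" in mask:
        return EXEC_RULE.format(name=name)
    if mask:
        return f"{name} {file_mask(mask)},"
    return None


def rules_by_profile(text):
    """Map each profile name to the sorted, de-duplicated rules it lacks."""
    out = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        rule = suggest_rule(rec)
        if rule:
            out[rec["profile"]].add(rule)
    return {p: sorted(r) for p, r in sorted(out.items())}


def main():
    for profile, rules in rules_by_profile(SAMPLE_AUDIT).items():
        print(f"profile {profile} is missing:")
        for rule in rules:
            print("   ", rule)


if __name__ == "__main__":
    main()
```

The grouping is the useful part: the mmap denial belongs to the sanitized_helper child profile, while the two exec denials belong to the parent profile, which is exactly the split between "the abstraction lacks /usr/bin/chromium" and "the helper sub-profile lacks a library" that the thread is trying to tell apart.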



