[apparmor] Thunderbird profile - Links in GNOME

John Johansen john.johansen at canonical.com
Sun Apr 2 09:16:32 UTC 2017

On 04/02/2017 01:28 AM, intrigeri wrote:
> Hi,
> u:
>> Then I thought I need to try to make this work on a Debian/GNOME system
>> too.
> Great!
>> Thunderbird seems to ask gnome-open for my preferred browser but
>> it does not open links using gnome-open, instead it wants to open the
>> browsers directly.
> What I see here seems to confirm this behavior.
>> But I keep running into this kind of problem when I tell Thunderbird to
>> use Chromium:
> [...]
>> type=AVC msg=audit(1489921484.684:12657): apparmor="DENIED"
>> operation="file_mmap" profile="icedove//sanitized_helper"
>> name="/lib/x86_64-linux-gnu/libpthread-2.19.so" pid=32115
>> comm="chrome-sandbox" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
> Interesting. I see different behavior on sid (see below), so I assume
> you're testing on Jessie; let's ignore this Jessie problem and focus
> on current versions instead, OK?
>> And when I tell it to use Firefox-ESR:
>> type=AVC msg=audit(1489921598.610:12721): apparmor="DENIED"
>> operation="exec" profile="icedove"
>> name="/usr/lib/firefox-esr/firefox-esr" pid=32303 comm="icedove"
>> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> On my sid system, I get asked which browser should be used.
> The choices I have are:
> 1. "Firefox ESR" — if I choose this one, it just works, and I see that
>    firefox-esr is "confined" with the thunderbird//sanitized_helper
>    profile, thanks to abstractions/ubuntu-browsers. I think that what
>    you see (on Jessie?) is due to that abstraction not having been
>    updated in Jessie for firefox-esr. This may be worth a Jessie
>    update of the apparmor package (that could be combined with a fix
>    for CVE-2017-6507), if you want to take care of it (I'm not going
>    to bother personally, because 1. the Stretch release is close; and
>    2. icedove doesn't include any AppArmor profile on Jessie).
> 2. "Choose an Application"
>    * If I choose /usr/bin/firefox, the it starts, and is "confined" in
>      the same way as Firefox ESR. Good.
>    * If I choose /usr/bin/chromium, then Chromium doesn't start: I see
>      that exec'ing /usr/bin/chromium is denied by AppArmor. I think
>      that abstractions/ubuntu-browsers should allow /usr/bin/chromium,
>      just like it already allows /usr/bin/chromium-browser. But it
>      might not be enough. Wanna investigate further on sid?
chrome/chromium have some nasty behavior around their sandbox code that
will result in them failing start without an updated profile. Depending
on the rules in the profile the failure may not even be immediately obvious
as being related to apparmor.

It also makes the apparmor profile not very useful until we can add
proper support for some of the namespace stuff it is doing. That being
said I can provide a base profile that functions, though it will likely
need to be adapted to debian.

>> I was wondering how to solve this.
> See some potential leads above :)
> Now, 
> Cheers!

More information about the AppArmor mailing list