On 11/06/2017 09:46 AM, Philipp Kern wrote:
> Package: thunderbird
> Version: 1:52.4.0-1
> X-Debbugs-Cc: intrig...@debian.org, si...@sdeziel.info
>
> Whenever I start Thunderbird I get the following denial from AppArmor:
>
> [ 172.585316] audit: type=1400 audit(1509957761.626:72):
> apparmor="DENIED" operation="file_mmap"
> profile="thunderbird//lsb_release" name="/usr/bin/python3.6" pid=4268
> comm="lsb_release" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
>
> According to the profile python3.[0-9] is allowed to be read, but not
> mapped, so it can't actually be executed.

This is actually a pretty deep rabbit hole. You need to add all of dpkg
and apt at this point, which would need an abstraction. I stopped after
adding these:

  /usr/bin/python3.[0-9] mr,
  /usr/bin/apt-cache ixr,
  /etc/apt/apt.conf.d/* r, (in addition to /etc/apt/apt.conf.d/)
  /etc/dpkg/origins/* r,
  /usr/share/dpkg/cputable r,
  /usr/share/dpkg/tupletable r,
  @{PROC}/@{pid}/fd/ r,
  /etc/apt/sources.list r,
  /etc/apt/sourecs.list.d r,
  /var/cache/apt/*.bin r,
  /usr/bin/dpkg ixr,
  /var/lib/apt/lists/ r,

At which point I would have needed to still address these:

> [ 3750.599923] audit: type=1400 audit(1509961339.632:196): apparmor="DENIED"
> operation="open" profile="thunderbird//lsb_release"
> name="/etc/dpkg/dpkg.cfg.d/" pid=9898 comm="dpkg" requested_mask="r"
> denied_mask="r" fsuid=1000 ouid=0
> [ 3750.600114] audit: type=1400 audit(1509961339.632:197): apparmor="DENIED"
> operation="mknod" profile="thunderbird//lsb_release"
> name="/tmp/fileutl.message.ehuXZN" pid=9897 comm="apt-cache"
> requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
> [ 3750.600190] audit: type=1400 audit(1509961339.632:198): apparmor="DENIED"
> operation="mknod" profile="thunderbird//lsb_release"
> name="/tmp/fileutl.message.ZSPpZG" pid=9897 comm="apt-cache"
> requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
> [ 3750.600245] audit: type=1400 audit(1509961339.632:199): apparmor="DENIED"
> operation="mknod" profile="thunderbird//lsb_release"
> name="/tmp/fileutl.message.s0YSYz" pid=9897 comm="apt-cache"
> requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[...]

And potentially more. A lot of implementation details now leak somewhere
where they shouldn't leak to. (I suppose lsb_release would actually need
its own profile in this case?)

Kind regards and thanks
Philipp Kern
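As an added illustration (not part of the original message and not code from the Thunderbird profile or the AppArmor tools): a small Python script that parses denial records like the ones quoted above and groups them per profile into candidate rule lines for review. Assumptions: one record per line, a six-character random tail under /tmp is collapsed to `??????`, log masks `c` and `d` are rendered as `w`, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: four of the denials quoted in the message above,
# re-joined onto one line per record as dmesg prints them.
SAMPLE = """\
[ 172.585316] audit: type=1400 audit(1509957761.626:72): apparmor="DENIED" operation="file_mmap" profile="thunderbird//lsb_release" name="/usr/bin/python3.6" pid=4268 comm="lsb_release" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
[ 3750.599923] audit: type=1400 audit(1509961339.632:196): apparmor="DENIED" operation="open" profile="thunderbird//lsb_release" name="/etc/dpkg/dpkg.cfg.d/" pid=9898 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 3750.600114] audit: type=1400 audit(1509961339.632:197): apparmor="DENIED" operation="mknod" profile="thunderbird//lsb_release" name="/tmp/fileutl.message.ehuXZN" pid=9897 comm="apt-cache" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[ 3750.600190] audit: type=1400 audit(1509961339.632:198): apparmor="DENIED" operation="mknod" profile="thunderbird//lsb_release" name="/tmp/fileutl.message.ZSPpZG" pid=9897 comm="apt-cache" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Assumption: a six-character alphanumeric tail under /tmp is a mkstemp()-style suffix.
TMP_RANDOM = re.compile(r'^(/tmp/.*\.)[A-Za-z0-9]{6}$')
# Log masks "c" (create) and "d" (delete) are covered by "w" in profile rules.
LOG_TO_RULE = {"c": "w", "d": "w"}

def parse_denials(text):
    """Return one {key: value} dict per apparmor="DENIED" record."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' in line:
            records.append({k: q if raw.startswith('"') else raw
                            for k, raw, q in FIELD.findall(line)})
    return records

def summarize(records):
    """Group file denials as {profile: {path pattern: set of rule permissions}}."""
    out = defaultdict(lambda: defaultdict(set))
    for r in records:
        if "name" not in r or "denied_mask" not in r:
            continue  # not a file denial (e.g. a capability record)
        path = TMP_RANDOM.sub(r"\1??????", r["name"])
        perms = {LOG_TO_RULE.get(m, m) for m in r["denied_mask"]}
        out[r.get("profile", "unknown")][path] |= perms
    return out

def candidate_rules(summary):
    """Render the summary as rule lines for human review, sorted by path."""
    return {profile: [f"{path} {''.join(sorted(perms))}," for path, perms in sorted(paths.items())]
            for profile, paths in summary.items()}

if __name__ == "__main__":
    for profile, rules in candidate_rules(summarize(parse_denials(SAMPLE))).items():
        print(f"# profile {profile}")
        print("\n".join("  " + rule for rule in rules))
```

The output is a triage list only: each line still needs a decision on whether the child profile should be granted that access at all.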