* Simon Deziel <si...@sdeziel.info>:

I did two tests. One with passwordeval using python, one with
passwordeval using secret-tool.

passwordeval python -c "import keyring; print keyring.get_password('smtp', 'kai.we...@glorybox.de')"
passwordeval secret-tool lookup service smtp username kai.we...@glorybox.de

Find attached the logfiles.

> Hi Kai,
>
> On 2019-01-09 10:03 a.m., kai.we...@glorybox.de wrote:
>
> > With the AppArmor profile shipped the 'passwordeval' option does not
> > work anymore. I tried using the permitted "gpg" or "secret-tool" but
> > this did not work.
> >
> > msmtp uses popen(3) which in turn seems to exec /bin/dash which is not
> > permitted by AppArmor.
> >
> > This renders the package currently unusable because I use the "pass"
> > password manager. This might render the package unusable for everyone
> > else using 'passwordeval' as well.
>
> If you could put the profile in complain mode and collect the kernel
> messages it would be useful to figure out what rules are missing.
>
> To do so:
>
> 1) please edit the profile flags to include "complain" like this:
>
> /usr/bin/msmtp flags=(attach_disconnected,complain) {
>
> 2) compile the new profile
>
> sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.msmtp
>
> 3) do your test
>
> 4) collect kernel logs
>
> Providing only the apparmor messages would suffice (something like: grep
> apparmor /var/log/syslog).
>
> Thanks,
> Simon

Kai

Jan 9 17:47:09 dummy kernel: [23484.742007] audit: type=1400 audit(1547052429.273:844): apparmor="DENIED" operation="exec" profile="/usr/bin/msmtp" name="/bin/dash" pid=3869 comm="msmtp" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jan 9 17:48:21 dummy kernel: [23557.249217] audit: type=1400 audit(1547052501.788:846): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/msmtp" pid=4561 comm="apparmor_parser"
Jan 9 17:48:27 dummy kernel: [23562.647401] audit: type=1400 audit(1547052507.184:847): apparmor="ALLOWED" operation="exec" profile="/usr/bin/msmtp" name="/bin/dash" pid=4635 comm="msmtp" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/msmtp//null-/bin/dash"
Jan 9 17:48:27 dummy kernel: [23562.647756] audit: type=1400 audit(1547052507.184:848): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/msmtp//null-/bin/dash" name="/tmp/#20452048" pid=4635 comm="sh" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Jan 9 17:48:27 dummy kernel: [23562.647793] audit: type=1400 audit(1547052507.184:849): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/msmtp//null-/bin/dash" name="/bin/dash" pid=4635 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 9 17:48:27 dummy kernel: [23562.647842] audit: type=1400 audit(1547052507.184:850): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/msmtp//null-/bin/dash" name="/lib/x86_64-linux-gnu/ld-2.28.so" pid=4635 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 9 17:48:27 dummy kernel: [23562.648041] audit: type=1400 audit(1547052507.184:851): apparmor="ALLOWED" operation="open" profile="/usr/bin/msmtp//null-/bin/dash" name="/etc/ld.so.cache" pid=4635 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 9 17:48:27 dummy kernel: [23562.648087] audit: type=1400 audit(1547052507.184:852): apparmor="ALLOWED" operation="open" profile="/usr/bin/msmtp//null-/bin/dash" name="/lib/x86_64-linux-gnu/libc-2.28.so" pid=4635 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 9 17:48:27 dummy kernel: [23562.648140] audit: type=1400 audit(1547052507.184:853): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/msmtp//null-/bin/dash" name="/lib/x86_64-linux-gnu/libc-2.28.so" pid=4635 comm="sh" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
Jan 9 17:48:27 dummy kernel: [23562.649312] audit: type=1400 audit(1547052507.188:854): apparmor="ALLOWED" operation="exec" profile="/usr/bin/msmtp//null-/bin/dash" name="/usr/bin/python2.7" pid=4636 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/msmtp//null-/bin/dash//null-/usr/bin/python2.7"
Jan 9 17:48:27 dummy kernel: [23562.649516] audit: type=1400 audit(1547052507.188:855): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/msmtp//null-/bin/dash//null-/usr/bin/python2.7" name="/tmp/#20452048" pid=4636 comm="python" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Jan 9 17:48:27 dummy kernel: [23562.649523] audit: type=1400 audit(1547052507.188:856): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/msmtp//null-/bin/dash//null-/usr/bin/python2.7" name="/usr/bin/python2.7" pid=4636 comm="python" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Jan 9 17:49:48 dummy kernel: [23644.263808] audit: type=1400 audit(1547052588.802:1564): apparmor="ALLOWED" operation="exec" profile="/usr/bin/msmtp" name="/bin/dash" pid=5468 comm="msmtp" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/msmtp//null-/bin/dash"
Jan 9 17:49:48 dummy kernel: [23644.264049] audit: type=1400 audit(1547052588.802:1565): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/msmtp//null-/bin/dash" name="/tmp/#20452047" pid=5468 comm="sh" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Jan 9 17:49:48 dummy kernel: [23644.264253] audit: type=1400 audit(1547052588.802:1566): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/msmtp//null-/bin/dash" name="/bin/dash" pid=5468 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 9 17:49:48 dummy kernel: [23644.264289] audit: type=1400 audit(1547052588.802:1567): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/msmtp//null-/bin/dash" name="/lib/x86_64-linux-gnu/ld-2.28.so" pid=5468 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 9 17:49:48 dummy kernel: [23644.264398] audit: type=1400 audit(1547052588.802:1568): apparmor="ALLOWED" operation="open" profile="/usr/bin/msmtp//null-/bin/dash" name="/etc/ld.so.cache" pid=5468 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 9 17:49:48 dummy kernel: [23644.264434] audit: type=1400 audit(1547052588.802:1569): apparmor="ALLOWED" operation="open" profile="/usr/bin/msmtp//null-/bin/dash" name="/lib/x86_64-linux-gnu/libc-2.28.so" pid=5468 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 9 17:49:48 dummy kernel: [23644.264468] audit: type=1400 audit(1547052588.802:1570): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/msmtp//null-/bin/dash" name="/lib/x86_64-linux-gnu/libc-2.28.so" pid=5468 comm="sh" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
Jan 9 17:49:48 dummy kernel: [23644.266779] audit: type=1400 audit(1547052588.806:1571): apparmor="ALLOWED" operation="exec" profile="/usr/bin/msmtp//null-/bin/dash" name="/usr/bin/secret-tool" pid=5469 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/msmtp//null-/bin/dash//null-/usr/bin/secret-tool"
Jan 9 17:49:48 dummy kernel: [23644.266872] audit: type=1400 audit(1547052588.806:1572): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/msmtp//null-/bin/dash//null-/usr/bin/secret-tool" name="/tmp/#20452047" pid=5469 comm="secret-tool" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Jan 9 17:49:48 dummy kernel: [23644.266896] audit: type=1400 audit(1547052588.806:1573): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/msmtp//null-/bin/dash//null-/usr/bin/secret-tool" name="/usr/bin/secret-tool" pid=5469 comm="secret-tool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
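
Added example, not part of the original message or of the msmtp packaging: a small Python parser that turns complain-mode records like the ones above into a per-profile list of requested accesses and the exec chain behind them. The function names (parse, exec_chain, summarize) are hypothetical; SAMPLE is an excerpt of the first log with the syslog prefix trimmed.

```python
import re
from collections import defaultdict

# Excerpt of the audit records in the message above (syslog prefix trimmed).
SAMPLE = """\
audit(1547052429.273:844): apparmor="DENIED" operation="exec" profile="/usr/bin/msmtp" name="/bin/dash" pid=3869 comm="msmtp" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit(1547052501.788:846): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/msmtp" pid=4561 comm="apparmor_parser"
audit(1547052507.184:847): apparmor="ALLOWED" operation="exec" profile="/usr/bin/msmtp" name="/bin/dash" pid=4635 comm="msmtp" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/msmtp//null-/bin/dash"
audit(1547052507.184:851): apparmor="ALLOWED" operation="open" profile="/usr/bin/msmtp//null-/bin/dash" name="/etc/ld.so.cache" pid=4635 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit(1547052507.188:854): apparmor="ALLOWED" operation="exec" profile="/usr/bin/msmtp//null-/bin/dash" name="/usr/bin/python2.7" pid=4636 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/msmtp//null-/bin/dash//null-/usr/bin/python2.7"
""".splitlines()

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    start = line.find('apparmor=')
    if start < 0:
        return None
    return {k: quoted or bare for k, quoted, bare in FIELD.findall(line[start:])}

def exec_chain(profile):
    """Split a complain-mode learning profile name into its exec chain."""
    return profile.split('//null-')

def summarize(lines):
    """Return ({profile: {(path, mask)}}, [(profile, executed path, verdict)])."""
    needed, execs = defaultdict(set), []
    for fields in filter(None, map(parse, lines)):
        verdict = fields['apparmor']
        if verdict not in ('DENIED', 'ALLOWED'):
            continue  # STATUS records (profile reloads) carry no access request
        # In complain mode "ALLOWED" marks an access that enforce mode would deny.
        needed[fields['profile']].add((fields['name'], fields['denied_mask']))
        if fields['operation'] == 'exec':
            execs.append((fields['profile'], fields['name'], verdict))
    return needed, execs

if __name__ == '__main__':
    needed, execs = summarize(SAMPLE)
    for profile, path, verdict in execs:
        print(f"{verdict:7} exec {path}  from {' -> '.join(exec_chain(profile))}")
    for profile, accesses in sorted(needed.items()):
        for path, mask in sorted(accesses):
            print(f"{profile}: {path} {mask}")
```

Accesses listed under a "//null-" profile belong to the helper that msmtp spawned, so they show what a child profile or exec transition rule for that helper would have to cover rather than what msmtp itself reads.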