* Simon Deziel <si...@sdeziel.info>:

I did two tests. One with passwordeval using python, one with
passwordeval using secret-tool.

passwordeval python -c "import keyring; print keyring.get_password('smtp', 'kai.we...@glorybox.de')"
passwordeval secret-tool lookup service smtp username kai.we...@glorybox.de

Find attached the logfiles.


> Hi Kai,
> 
> On 2019-01-09 10:03 a.m., kai.we...@glorybox.de wrote:
> 
> > With the AppArmor profile shipped the 'passwordeval' option does not
> > work anymore. I tried using the permitted "gpg" or "secret-tool" but
> > this did not work.
> > 
> > msmtp uses popen(3) which in turn seems to exec /bin/dash which is not
> > permitted by AppArmor.
> > 
> > This renders the package currently unusable because I use the "pass"
> > password manager. This might render the package unusable for everyone
> > else using 'passwordeval' as well.
> 
> If you could put the profile in complain mode and collect the kernel
> messages it would be useful to figure out what rules are missing.
> 
> To do so:
> 
> 1) please edit the profile flags to include "complain" like this:
> 
>   /usr/bin/msmtp flags=(attach_disconnected,complain) {
> 
> 2) compile the new profile
> 
>  sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.msmtp
> 
> 3) do your test
> 
> 4) collect kernel logs
> 
> Providing only the apparmor messages would suffice (something like: grep
> apparmor /var/log/syslog).
> 
> Thanks,
> Simon

Kai
Jan  9 17:47:09 dummy kernel: [23484.742007] audit: type=1400 audit(1547052429.273:844): apparmor="DENIED" operation="exec" profile="/usr/bin/msmtp" name="/bin/dash" pid=3869 comm="msmtp" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jan  9 17:48:21 dummy kernel: [23557.249217] audit: type=1400 audit(1547052501.788:846): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/msmtp" pid=4561 comm="apparmor_parser"
Jan  9 17:48:27 dummy kernel: [23562.647401] audit: type=1400 audit(1547052507.184:847): apparmor="ALLOWED" operation="exec" profile="/usr/bin/msmtp" name="/bin/dash" pid=4635 comm="msmtp" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/msmtp//null-/bin/dash"
Jan  9 17:48:27 dummy kernel: [23562.647756] audit: type=1400 audit(1547052507.184:848): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/msmtp//null-/bin/dash" name="/tmp/#20452048" pid=4635 comm="sh" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Jan  9 17:48:27 dummy kernel: [23562.647793] audit: type=1400 audit(1547052507.184:849): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/msmtp//null-/bin/dash" name="/bin/dash" pid=4635 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan  9 17:48:27 dummy kernel: [23562.647842] audit: type=1400 audit(1547052507.184:850): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/msmtp//null-/bin/dash" name="/lib/x86_64-linux-gnu/ld-2.28.so" pid=4635 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan  9 17:48:27 dummy kernel: [23562.648041] audit: type=1400 audit(1547052507.184:851): apparmor="ALLOWED" operation="open" profile="/usr/bin/msmtp//null-/bin/dash" name="/etc/ld.so.cache" pid=4635 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan  9 17:48:27 dummy kernel: [23562.648087] audit: type=1400 audit(1547052507.184:852): apparmor="ALLOWED" operation="open" profile="/usr/bin/msmtp//null-/bin/dash" name="/lib/x86_64-linux-gnu/libc-2.28.so" pid=4635 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan  9 17:48:27 dummy kernel: [23562.648140] audit: type=1400 audit(1547052507.184:853): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/msmtp//null-/bin/dash" name="/lib/x86_64-linux-gnu/libc-2.28.so" pid=4635 comm="sh" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
Jan  9 17:48:27 dummy kernel: [23562.649312] audit: type=1400 audit(1547052507.188:854): apparmor="ALLOWED" operation="exec" profile="/usr/bin/msmtp//null-/bin/dash" name="/usr/bin/python2.7" pid=4636 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/msmtp//null-/bin/dash//null-/usr/bin/python2.7"
Jan  9 17:48:27 dummy kernel: [23562.649516] audit: type=1400 audit(1547052507.188:855): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/msmtp//null-/bin/dash//null-/usr/bin/python2.7" name="/tmp/#20452048" pid=4636 comm="python" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Jan  9 17:48:27 dummy kernel: [23562.649523] audit: type=1400 audit(1547052507.188:856): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/msmtp//null-/bin/dash//null-/usr/bin/python2.7" name="/usr/bin/python2.7" pid=4636 comm="python" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan  9 17:49:48 dummy kernel: [23644.263808] audit: type=1400 audit(1547052588.802:1564): apparmor="ALLOWED" operation="exec" profile="/usr/bin/msmtp" name="/bin/dash" pid=5468 comm="msmtp" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/msmtp//null-/bin/dash"
Jan  9 17:49:48 dummy kernel: [23644.264049] audit: type=1400 audit(1547052588.802:1565): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/msmtp//null-/bin/dash" name="/tmp/#20452047" pid=5468 comm="sh" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Jan  9 17:49:48 dummy kernel: [23644.264253] audit: type=1400 audit(1547052588.802:1566): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/msmtp//null-/bin/dash" name="/bin/dash" pid=5468 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan  9 17:49:48 dummy kernel: [23644.264289] audit: type=1400 audit(1547052588.802:1567): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/msmtp//null-/bin/dash" name="/lib/x86_64-linux-gnu/ld-2.28.so" pid=5468 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan  9 17:49:48 dummy kernel: [23644.264398] audit: type=1400 audit(1547052588.802:1568): apparmor="ALLOWED" operation="open" profile="/usr/bin/msmtp//null-/bin/dash" name="/etc/ld.so.cache" pid=5468 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan  9 17:49:48 dummy kernel: [23644.264434] audit: type=1400 audit(1547052588.802:1569): apparmor="ALLOWED" operation="open" profile="/usr/bin/msmtp//null-/bin/dash" name="/lib/x86_64-linux-gnu/libc-2.28.so" pid=5468 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan  9 17:49:48 dummy kernel: [23644.264468] audit: type=1400 audit(1547052588.802:1570): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/msmtp//null-/bin/dash" name="/lib/x86_64-linux-gnu/libc-2.28.so" pid=5468 comm="sh" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
Jan  9 17:49:48 dummy kernel: [23644.266779] audit: type=1400 audit(1547052588.806:1571): apparmor="ALLOWED" operation="exec" profile="/usr/bin/msmtp//null-/bin/dash" name="/usr/bin/secret-tool" pid=5469 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/msmtp//null-/bin/dash//null-/usr/bin/secret-tool"
Jan  9 17:49:48 dummy kernel: [23644.266872] audit: type=1400 audit(1547052588.806:1572): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/msmtp//null-/bin/dash//null-/usr/bin/secret-tool" name="/tmp/#20452047" pid=5469 comm="secret-tool" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Jan  9 17:49:48 dummy kernel: [23644.266896] audit: type=1400 audit(1547052588.806:1573): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/msmtp//null-/bin/dash//null-/usr/bin/secret-tool" name="/usr/bin/secret-tool" pid=5469 comm="secret-tool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
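
Added example, not part of the thread and not msmtp or AppArmor project code: a small Python parser for complain-mode audit records like the ones above. It rejoins records that the mail wrapped across lines, then lists the exec chain and the per-binary accesses the loaded profile did not cover. The function names are illustrative; the sample records are taken from the attached log.

```python
import re
from collections import defaultdict

# Sample input: five records taken from the log above, re-wrapped to two lines each.
SAMPLE = '''
Jan  9 17:47:09 dummy kernel: [23484.742007] audit: type=1400 audit(1547052429.273:844): apparmor="DENIED"
operation="exec" profile="/usr/bin/msmtp" name="/bin/dash" pid=3869 comm="msmtp" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jan  9 17:48:21 dummy kernel: [23557.249217] audit: type=1400 audit(1547052501.788:846): apparmor="STATUS"
operation="profile_replace" profile="unconfined" name="/usr/bin/msmtp" pid=4561 comm="apparmor_parser"
Jan  9 17:49:48 dummy kernel: [23644.263808] audit: type=1400 audit(1547052588.802:1564): apparmor="ALLOWED"
operation="exec" profile="/usr/bin/msmtp" name="/bin/dash" pid=5468 comm="msmtp" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/msmtp//null-/bin/dash"
Jan  9 17:49:48 dummy kernel: [23644.264468] audit: type=1400 audit(1547052588.802:1570): apparmor="ALLOWED"
operation="file_mmap" profile="/usr/bin/msmtp//null-/bin/dash" name="/lib/x86_64-linux-gnu/libc-2.28.so" pid=5468 comm="sh" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
Jan  9 17:49:48 dummy kernel: [23644.266779] audit: type=1400 audit(1547052588.806:1571): apparmor="ALLOWED"
operation="exec" profile="/usr/bin/msmtp//null-/bin/dash" name="/usr/bin/secret-tool" pid=5469 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/msmtp//null-/bin/dash//null-/usr/bin/secret-tool"
'''
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_records(text):
    """Rejoin wrapped records, then return path-based policy verdicts as dicts."""
    flat = " ".join(text.split())
    out = []
    for chunk in flat.split("audit: type=1400")[1:]:
        rec = {k: quoted or bare for k, quoted, bare in KV.findall(chunk)}
        if rec.get("apparmor") in ("DENIED", "ALLOWED") and "name" in rec:  # skips STATUS
            out.append(rec)
    return out

def binary_of(profile):
    """Complain mode names learning profiles parent//null-child; the last part is the binary."""
    return profile.split("//null-")[-1]

def exec_chain(records):
    """Ordered, de-duplicated (parent binary, executed binary, verdict) triples."""
    steps = [(binary_of(r["profile"]), r["name"], r["apparmor"])
             for r in records if r.get("operation") == "exec"]
    return list(dict.fromkeys(steps))

def needed_access(records):
    """binary -> path -> permission letters the loaded policy did not grant."""
    need = defaultdict(lambda: defaultdict(set))
    for r in records:
        need[binary_of(r["profile"])][r["name"]].update(r.get("denied_mask", ""))
    return need

if __name__ == "__main__":
    for parent, child, verdict in exec_chain(parse_records(SAMPLE)):
        print(f"{verdict:8} {parent} -> exec {child}")
```

In complain mode an `ALLOWED` record marks an access that enforce mode would have denied, so every line the script reports corresponds to a rule the profile lacks. `aa-logprof` from apparmor-utils performs this kind of analysis interactively against the live log.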
