Bug#900840: thunderbird: does not start with apparmor errors and breaks X session
On 6/10/18 1:41 PM, intrigeri wrote: Control: found -1 1:60.0~b2-11:60.0~b6-1 Control: merge 895563 -1 Vincas Dargis: The problem is, that I should have reported this bug much earlier Actually you did notice and report this bug earlier (#895563) but for some reason, once the fix was applied upstreamed, it was not brought to src:thunderbird. Cheers, Looks like I totally forgot that. :(
Bug#900840: thunderbird: does not start with apparmor errors and breaks X session
Control: found -1 1:60.0~b2-11:60.0~b6-1 Control: merge 895563 -1 Vincas Dargis: > The problem is, that I should have reported this bug much earlier Actually you did notice and report this bug earlier (#895563) but for some reason, once the fix was applied upstreamed, it was not brought to src:thunderbird. Cheers, -- intrigeri
Bug#900840: thunderbird: does not start with apparmor errors and breaks X session
On 6/6/18 6:05 PM, Vincas Dargis wrote: Hannes Hörl: could you edit your /etc/apparmor.d/local/usr.bin.thunderbird to add this line as workaround for time being (please remove email wrapping): /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, With the above config it seems to work now. Just for the record, those are the kernel command line settings regarding apparmor I currently boot my kernel with: > apparmor=1 security=apparmor Thanks for the quick help!
Bug#900840: thunderbird: does not start with apparmor errors and breaks X session
Vincas Dargis: > intrigeri: what do we do in this case, I guess we just copy-paste > dri-enumarate into > some sort of "# backported from dri-enumarete" block? yes.
Bug#900840: thunderbird: does not start with apparmor errors and breaks X session
On Tue, 05 Jun 2018 20:11:49 +0100 =?utf-8?q?Hannes_H=C3=B6rl?= wrote: Jun 5 19:04:27 pfah kernel: [22972.942931] audit: type=1400 audit(1528221867.305:54): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 5 19:04:27 pfah kernel: [22972.943282] audit: type=1400 audit(1528221867.305:55): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 5 19:04:27 pfah kernel: [22972.943288] audit: type=1400 audit(1528221867.305:56): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 5 19:04:27 pfah kernel: [22972.943292] audit: type=1400 audit(1528221867.305:57): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 5 19:04:27 pfah kernel: [22972.947864] audit: type=1400 audit(1528221867.309:58): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 5 19:04:27 pfah kernel: [22972.948154] audit: type=1400 audit(1528221867.309:59): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 OK so I've reproduced that, and looks like Thunderbird profile now *needs* to have brand new to be included (earlier it kinda "complained", but still worked). The problem is, that I should have reported this bug much earlier, but the fact that I've myself added that include locally for testing it, kinda made Thunderbird to Work On My Machine™ after latest beta update, while it broke for everyone else. intrigeri: what do we do in this case, I guess we just copy-paste dri-enumarate into some sort of "# backported from dri-enumarete" block? Worst part is that even Sid does not have that abstraction. Hannes Hörl: could you edit your /etc/apparmor.d/local/usr.bin.thunderbird to add this line as workaround for time being (please remove email wrapping): /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
Bug#900840: thunderbird: does not start with apparmor errors and breaks X session
Hello Hannes, decreased severity as AppAprmor is not enabled by default so bug reports like your's can't be a RC bug. On Tue, Jun 05, 2018 at 08:11:49PM +0100, Hannes Hörl wrote: > thunderbird cannot be started anymore and breaks X. X does not update > the screen anymore, the cursor can still be moved and shows on the > screen while nothing can be clicked on or interacted with. Application > which e.g. play sound seem to still continue running, but cannot be > controlled fia the GUI anymore. The X-server needs to be completely > restarted to fix the issue. We will probably find a lot more of such issues which are need a mor granulary tuned AppArmor profile. @Vincas This is once more a thing which I'd like to adress to you with the a kindly request to have a look at. Thanks. Regards Carsten > With the last tested version (1:60.0~b6-1 from experimentsl) I see the > following in the syslog: > > Jun 5 19:02:19 pfah kernel: [22845.000634] audit: type=1400 > audit(1528221739.361:49): apparmor="STATUS" operation="profile_replace" > profile="unconfined" name="thunderbird" pid=2979 comm="apparmor_parser" > Jun 5 19:02:19 pfah kernel: [22845.015315] audit: type=1400 > audit(1528221739.377:50): apparmor="STATUS" operation="profile_replace" > profile="unconfined" name="thunderbird//browser_java" pid=2979 > comm="apparmor_parser" > Jun 5 19:02:19 pfah kernel: [22845.016056] audit: type=1400 > audit(1528221739.377:51): apparmor="STATUS" operation="profile_replace" > profile="unconfined" name="thunderbird//browser_openjdk" pid=2979 > comm="apparmor_parser" > Jun 5 19:02:19 pfah kernel: [22845.016668] audit: type=1400 > audit(1528221739.377:52): apparmor="STATUS" operation="profile_replace" > profile="unconfined" name="thunderbird//gpg" pid=2979 comm="apparmor_parser" > Jun 5 19:02:19 pfah kernel: [22845.016920] audit: type=1400 > audit(1528221739.377:53): apparmor="STATUS" operation="profile_replace" > profile="unconfined" name="thunderbird//sanitized_helper" pid=2979 > comm="apparmor_parser" > Jun 5 19:04:27 pfah kernel: [22972.942931] audit: type=1400 > audit(1528221867.305:54): apparmor="DENIED" operation="open" > profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" > pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 > ouid=0 > Jun 5 19:04:27 pfah kernel: [22972.943282] audit: type=1400 > audit(1528221867.305:55): apparmor="DENIED" operation="open" > profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" > pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 > ouid=0 > Jun 5 19:04:27 pfah kernel: [22972.943288] audit: type=1400 > audit(1528221867.305:56): apparmor="DENIED" operation="open" > profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" > pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 > ouid=0 > Jun 5 19:04:27 pfah kernel: [22972.943292] audit: type=1400 > audit(1528221867.305:57): apparmor="DENIED" operation="open" > profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" > pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 > ouid=0 > Jun 5 19:04:27 pfah kernel: [22972.947864] audit: type=1400 > audit(1528221867.309:58): apparmor="DENIED" operation="open" > profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" > pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 > ouid=0 > Jun 5 19:04:27 pfah kernel: [22972.948154] audit: type=1400 > audit(1528221867.309:59): apparmor="DENIED" operation="open" > profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" > pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 > ouid=0 > > > With the forner version I had (1:52.8.0-1 from sid) I see this in the > syslog: > > Jun 5 18:33:38 pfah kernel: [21124.071163] audit: type=1400 > audit(1528220018.432:43): apparmor="DENIED" operation="open" > profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" > pid=12543 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 > ouid=0 > Jun 5 18:33:38 pfah kernel: [21124.071195] audit: type=1400 > audit(1528220018.432:44): apparmor="DENIED" operation="open" > profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" > pid=12543 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 > ouid=0 > Jun 5 18:33:38 pfah kernel: [21124.071268] audit: type=1400 > audit(1528220018.432:45): apparmor="DENIED" operation="open" > profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" > pid=12543 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 > ouid=0 > Jun 5 18:33:38 pfah kernel: [21124.071312] audit: type=1400 > audit(1528220018.432:46): apparmor="DENIED" operation="open" > profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" > pid=12543 comm="thunderbird"
Bug#900840: thunderbird: does not start with apparmor errors and breaks X session
Package: thunderbird Version: 1:60.0~b6-1 Severity: grave Justification: renders package unusable Dear Maintainer, thunderbird cannot be started anymore and breaks X. X does not update the screen anymore, the cursor can still be moved and shows on the screen while nothing can be clicked on or interacted with. Application which e.g. play sound seem to still continue running, but cannot be controlled fia the GUI anymore. The X-server needs to be completely restarted to fix the issue. With the last tested version (1:60.0~b6-1 from experimentsl) I see the following in the syslog: Jun 5 19:02:19 pfah kernel: [22845.000634] audit: type=1400 audit(1528221739.361:49): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="thunderbird" pid=2979 comm="apparmor_parser" Jun 5 19:02:19 pfah kernel: [22845.015315] audit: type=1400 audit(1528221739.377:50): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="thunderbird//browser_java" pid=2979 comm="apparmor_parser" Jun 5 19:02:19 pfah kernel: [22845.016056] audit: type=1400 audit(1528221739.377:51): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="thunderbird//browser_openjdk" pid=2979 comm="apparmor_parser" Jun 5 19:02:19 pfah kernel: [22845.016668] audit: type=1400 audit(1528221739.377:52): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="thunderbird//gpg" pid=2979 comm="apparmor_parser" Jun 5 19:02:19 pfah kernel: [22845.016920] audit: type=1400 audit(1528221739.377:53): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="thunderbird//sanitized_helper" pid=2979 comm="apparmor_parser" Jun 5 19:04:27 pfah kernel: [22972.942931] audit: type=1400 audit(1528221867.305:54): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 5 19:04:27 pfah kernel: [22972.943282] audit: type=1400 audit(1528221867.305:55): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 5 19:04:27 pfah kernel: [22972.943288] audit: type=1400 audit(1528221867.305:56): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 5 19:04:27 pfah kernel: [22972.943292] audit: type=1400 audit(1528221867.305:57): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 5 19:04:27 pfah kernel: [22972.947864] audit: type=1400 audit(1528221867.309:58): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 5 19:04:27 pfah kernel: [22972.948154] audit: type=1400 audit(1528221867.309:59): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=13506 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 With the forner version I had (1:52.8.0-1 from sid) I see this in the syslog: Jun 5 18:33:38 pfah kernel: [21124.071163] audit: type=1400 audit(1528220018.432:43): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=12543 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 5 18:33:38 pfah kernel: [21124.071195] audit: type=1400 audit(1528220018.432:44): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=12543 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 5 18:33:38 pfah kernel: [21124.071268] audit: type=1400 audit(1528220018.432:45): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=12543 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 5 18:33:38 pfah kernel: [21124.071312] audit: type=1400 audit(1528220018.432:46): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=12543 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 5 18:33:38 pfah kernel: [21124.073642] audit: type=1400 audit(1528220018.432:47): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=12543 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 5 18:33:38 pfah kernel: [21124.073676] audit: type=1400 audit(1528220018.432:48): apparmor="DENIED" operation="open"