Bug#918035: thunderbird: README.apparmor and changelog state that apparmor is disabled, yet it is working

2019-01-02 Thread Andrea Borgia

On 02/01/19 17:10, Carsten Schoenert wrote:



> So if you are now encountering issues, that would mean that you have
> enabled the apparmor profile yourself after the version that is used in
> the postinst script, or you are doing an update from a version prior to
> this version. Stretch never had Thunderbird 1:52.5.0-1~deb9u1; the closest
> version smaller than that version was 1:52.4.0-1~deb9u1.


I'm positive I've never consciously enabled apparmor myself, though.
I keep logs of all manual changes, with links to documentation, and I 
have nothing on apparmor in general or thunderbird specifically.


The system is roughly a couple of years old: it went through the 
"weasel" rebranding and back, then was upgraded to testing at the 
beginning of november. My father's PC has a similar history and, 
unsurprisingly, apparmor for thunderbird is enabled also there.




> So you maybe need to rethink how AppArmor is intended to help you for
> preventing to some things wrong?


Had I enabled it, I would do so :)
Given that I have not, I'll just disable it and be on my way.


If you need more info on the package installation history on my system, 
I'd be glad to help. If you believe my case is a one-off, you may close 
the bug because I accept your explanation.



Regards,
Andrea.



Bug#918035: thunderbird: README.apparmor and changelog state that apparmor is disabled, yet it is working

2019-01-02 Thread Carsten Schoenert
Hello Andrea,

On 02.01.19 at 16:09, Andrea Borgia wrote:
> I could not attach a text file from /tmp and discovered that apparmor
> was preventing me from doing that:
> syslog:Jan  2 12:37:02 mononoke kernel: [65507.015542] audit: type=1400
> audit(1546429022.613:50): apparmor="DENIED" operation="open"
> profile="thunderbird" name="/tmp/hdparm.txt" pid=21962
> comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

that is the desired effect if apparmor is active for Thunderbird.

> However, both README.apparmor and the package changelog explicitly
> state that the thunderbird apparmor profile is disabled by default,
> yet /etc/apparmor.d/usr.bin.thunderbird is installed and active.
> aa-status  --pretty-json | jq .profiles.thunderbird ---> "enforce"
>
> Based on the number of similar apparmor bugs on thunderbird, I'd say
> my system is behaving as expected but the documentation is outdated.

The behavior how the AA profile is getting installed and deactivated on
first time installation hasn't changed for a bit more than a year now.

The package comes (still) with the following apparmor related files.

> $ dpkg -L thunderbird | grep apparmor
> /etc/apparmor.d
> /etc/apparmor.d/disable
> /etc/apparmor.d/usr.bin.thunderbird
> /usr/share/doc/thunderbird/README.apparmor

But there is also the postinst script, which is responsible for how the
package is installed or updated and handled.

> $ head -n80 /var/lib/dpkg/info/thunderbird.postinst | tail -n9
> # Disable apparmor on new installations and when we're upgrading from
> # a version that had it enabled by default
> if test -n "$2" && dpkg --compare-versions "$2" gt "1:52.5.0-1~"; then
>     :   # Leave the disable/ symlink at users choice if
>         # upgrading from a version that ships the symlink
> else
>     mkdir -p /etc/apparmor.d/disable
>     [ -f /etc/apparmor.d/disable/usr.bin.thunderbird ] || ln -s /etc/apparmor.d/usr.bin.thunderbird /etc/apparmor.d/disable/usr.bin.thunderbird
> fi

Note that $2 is the  and is only
available if another version of thunderbird was installed while the
postinst script is running. And this is also the case if you haven't
purged a package while removing from your system.

So if you are now encountering issues, that would mean that you have
enabled the apparmor profile yourself after the version that is used in
the postinst script, or you are doing an update from a version prior to
this version. Stretch never had Thunderbird 1:52.5.0-1~deb9u1; the closest
version smaller than that version was 1:52.4.0-1~deb9u1.

Denying the reading of any file from /tmp without specification is
correct. You can read every file, also in subfolders, from your home folder!

> owner @{HOME}/** r,

Some files and folders are excluded for valid reasons later also in the
AA profile.
So you maybe need to rethink how AppArmor is intended to help you for
preventing to some things wrong? Don't use /tmp for picking up files as
an attachment.

> In that case, could you please revise it?

Sorry, I see nothing that needs to be changed.

-- 
Regards
Carsten Schoenert
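
The two checks discussed in this thread, as an added example that is not part of the original messages or of the thunderbird package: one function pulls the profile, operation, path and mask out of an AppArmor `DENIED` audit record, the other reports whether the `disable/` entry that the postinst creates is present. The function names and the idea of passing the `apparmor.d` directory as a parameter are assumptions made for illustration; the sample record is the one quoted above.

```shell
#!/bin/sh
# Added example; aa_denials and profile_state are hypothetical helper names.

# Audit record as quoted in the bug report.
SAMPLE='Jan  2 12:37:02 mononoke kernel: [65507.015542] audit: type=1400 audit(1546429022.613:50): apparmor="DENIED" operation="open" profile="thunderbird" name="/tmp/hdparm.txt" pid=21962 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# Read syslog/audit lines on stdin and print one line per AppArmor denial:
#   <profile> <operation> <path> <denied_mask>
# Lines that are not DENIED records, or lack one of the fields, are skipped.
aa_denials() {
    grep 'apparmor="DENIED"' | sed -n \
        's/.*operation="\([^"]*\)".*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\2 \1 \3 \4/p'
}

# Report the on-disk state of a profile file inside an apparmor.d directory:
#   absent   - the profile file is not installed
#   disabled - disable/<file> exists (the entry the postinst creates)
#   enabled  - profile file installed and no disable/ entry
profile_state() {
    dir=$1
    file=$2
    if [ ! -e "$dir/$file" ]; then
        echo absent
    elif [ -e "$dir/disable/$file" ] || [ -L "$dir/disable/$file" ]; then
        # -L also catches a dangling symlink left in disable/
        echo disabled
    else
        echo enabled
    fi
}

# Demo: parse the quoted record, then inspect the local system (read-only).
printf '%s\n' "$SAMPLE" | aa_denials
profile_state /etc/apparmor.d usr.bin.thunderbird
```

`profile_state` looks only at the files on disk; `aa-status`, as used in the report, shows what the kernel currently has loaded.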



Bug#918035: thunderbird: README.apparmor and changelog state that apparmor is disabled, yet it is working

2019-01-02 Thread Andrea Borgia
Package: thunderbird
Version: 1:60.4.0-1~deb9u1
Severity: normal

Dear Maintainer,

I could not attach a text file from /tmp and discovered that apparmor was 
preventing me from doing that:
syslog:Jan  2 12:37:02 mononoke kernel: [65507.015542] audit: type=1400 
audit(1546429022.613:50): apparmor="DENIED" operation="open" 
profile="thunderbird" name="/tmp/hdparm.txt" pid=21962 comm="thunderbird" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

However, both README.apparmor and the package changelog explicitly state that 
the thunderbird apparmor profile is disabled by default, yet 
/etc/apparmor.d/usr.bin.thunderbird is installed and active.
aa-status  --pretty-json | jq .profiles.thunderbird ---> "enforce"

Based on the number of similar apparmor bugs on thunderbird, I'd say my system 
is behaving as expected but the documentation is outdated.
In that case, could you please revise it?

Thanks,
Andrea.

-- System Information:
Debian Release: buster/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.20.0-rc6-18.12.13.amdgpu (SMP w/4 CPU cores)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8), 
LANGUAGE=it_IT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages thunderbird depends on:
ii  debianutils               4.8.6
ii  fontconfig                2.13.1-2
ii  libatk1.0-0               2.30.0-2
ii  libc6                     2.28-2
ii  libcairo-gobject2         1.16.0-2
ii  libcairo2                 1.16.0-2
ii  libdbus-1-3               1.12.12-1
ii  libdbus-glib-1-2          0.110-3
ii  libevent-2.0-5            2.0.21-stable-3
ii  libffi6                   3.2.1-9
ii  libfontconfig1            2.13.1-2
ii  libfreetype6              2.9.1-3
ii  libgcc1                   1:8.2.0-13
ii  libgdk-pixbuf2.0-0        2.38.0+dfsg-7
ii  libglib2.0-0              2.58.1-2
ii  libgtk-3-0                3.24.2-3
ii  libgtk2.0-0               2.24.32-3
ii  libjsoncpp1               1.7.4-3
ii  libpango-1.0-0            1.42.4-6
ii  libpangocairo-1.0-0       1.42.4-6
ii  libpangoft2-1.0-0         1.42.4-6
ii  libstartup-notification0  0.12-6
ii  libstdc++6                8.2.0-13
ii  libvpx4                   1.6.1-3+deb9u1
ii  libx11-6                  2:1.6.7-1
ii  libx11-xcb1               2:1.6.7-1
ii  libxcb-shm0               1.13.1-2
ii  libxcb1                   1.13.1-2
ii  libxext6                  2:1.3.3-1+b2
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1
ii  psmisc                    23.2-1
ii  x11-utils                 7.7+4
ii  zlib1g                    1:1.2.11.dfsg-1

Versions of packages thunderbird recommends:
ii  hunspell-en-us [hunspell-dictionary]  1:2018.04.16-1
ii  hunspell-it [hunspell-dictionary] 1:6.1.3-1
ii  lightning 1:60.4.0-1~deb9u1

Versions of packages thunderbird suggests:
ii  apparmor  2.13.1-3+b1
ii  fonts-lyx 2.3.2-1
ii  libgssapi-krb5-2  1.16.1-1

-- no debconf information