Apparmor: cant open hyperlinks in Thunderbird

mil3s
Posts: 45
Joined: 13 Aug 2014 13:22

Apparmor: cant open hyperlinks in Thunderbird

Postby mil3s » 05 Apr 2018 17:58

Hello community,
In SolydX, Firefox is installed in /opt/firefox. This is not the default location as in Ubuntu and Debian, so the AppArmor profiles will not work properly.

When I want to open a hyperlink in Thunderbird, I can't open it in Firefox. Additionally, I get a gpg error.

Here is the logfile:

Apr 5 19:37:17 ... apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/usr/share/thunderbird/extensions/langpack-de@thunderbird.mozilla.org.xpi" pid=3919 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 5 19:37:19 ... apparmor="DENIED" operation="file_mmap" profile="thunderbird//sanitized_helper" name="/opt/firefox/firefox" pid=3943 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000

I tried some fixes, but I have little AppArmor experience.

I added this to /etc/apparmor.d/abstractions/ubuntu-browsers:

Code: Select all

/opt/firefox/firefox* Cx -> sanitized_helper,
and in /etc/apparmor.d/usr.bin.thunderbird

Code: Select all

/opt/firefox/firefox Cx -> sanitized_helper,
/opt/firefox/firefox m,
But that's not correct. How can I fix it properly? Thank you in advance.
SolydX 10 64 - Debian Buster

kurotsugi
Posts: 2034
Joined: 09 Jan 2014 00:17

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby kurotsugi » 06 Apr 2018 08:05

AFAIK you need to register new profiles for Firefox. Editing the default profiles should work too.

mil3s
Posts: 45
Joined: 13 Aug 2014 13:22

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby mil3s » 06 Apr 2018 09:18

Does somebody have a working profile for Firefox and for Thunderbird?

Maybe it would be fine for the solydxk repository, like a solydxk-apparmor-profiles package?
This would be great for the stable and for the community version.
SolydX 10 64 - Debian Buster

kurotsugi
Posts: 2034
Joined: 09 Jan 2014 00:17

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby kurotsugi » 06 Apr 2018 15:19

Code: Select all

    /path/to/thunderbird*/thunderbird{,.sh,-bin} Cx -> sanitized_helper,
Since the main program in this case is Thunderbird, we might need to add this line to the ubuntu-email abstraction too. Since I'm not using Thunderbird, you'll need to replace it with the correct path.

mil3s
Posts: 45
Joined: 13 Aug 2014 13:22

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby mil3s » 06 Apr 2018 17:21

Code: Select all

# which thunderbird
/usr/bin/thunderbird
So I added to /etc/apparmor.d/abstractions/ubuntu-email:

Code: Select all

/usr/bin/thunderbird{,.sh,-bin} Cx -> sanitized_helper,
I still get:

Code: Select all

apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci0000:00/0000:00:0b.0/0000:05:00.0/vendor" pid=3598 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="DENIED" operation="file_mmap" profile="thunderbird//sanitized_helper" name="/opt/firefox/firefox" pid=3697 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
What can I do?
SolydX 10 64 - Debian Buster

kurotsugi
Posts: 2034
Joined: 09 Jan 2014 00:17

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby kurotsugi » 07 Apr 2018 08:13

https://askubuntu.com/questions/916009/ ... f-apparmor

This link suggested that you need to add permission to each process.

mil3s
Posts: 45
Joined: 13 Aug 2014 13:22

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby mil3s » 09 Apr 2018 09:01

This:

Code: Select all

apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci0000:00/0000:00:0b.0/0000:05:00.0/vendor" pid=3598 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
should be solved by this?
/sys/devices/pci*/**/vendor r,
in /etc/apparmor.d/usr.bin.thunderbird
But it doesn't.

And I still can't open a hyperlink from Thunderbird in Firefox.
I still get this:

Code: Select all

apparmor="DENIED" operation="file_mmap" profile="thunderbird//sanitized_helper" name="/opt/firefox/firefox" pid=3673 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Is really nobody using apparmor in solydx?? Schoelje, ilu?
SolydX 10 64 - Debian Buster

ilu
Posts: 1877
Joined: 09 Oct 2013 12:45

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby ilu » 11 Apr 2018 21:32

No, I'm not - it's on my to-do list but that list is really long ....

ilu
Posts: 1877
Joined: 09 Oct 2013 12:45

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby ilu » 15 Apr 2018 21:00

mil3s did you see this bug report https://bugs.debian.org/cgi-bin/bugrepo ... bug=882043 ?

mil3s
Posts: 45
Joined: 13 Aug 2014 13:22

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby mil3s » 17 Apr 2018 10:28

Yes and I still get:
apparmor="DENIED" operation="file_mmap" profile="thunderbird//sanitized_helper" name="/opt/firefox/firefox" pid=5637 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
How can I fix this "m" error ?? I have an entry for m.

BTW I'm not allowed to use Linux without Apparmor in homeoffice, because of compliance guide.
SolydX 10 64 - Debian Buster
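
Added example (not part of any post in this thread): a small Python parser for the denial lines quoted above. The `profile=` field names the profile that was enforcing when the access was denied, and a label of the form `parent//child` is a child profile with its own rule set, so the script groups denied paths and masks by that label. The emitted lines are candidate rules to review, not a tested fix; the sample log is copied from the posts with the timestamp prefix omitted, and all function names are made up for this example.

```python
import re
from collections import defaultdict

# Denial lines copied from the thread (timestamp/host prefix omitted).
SAMPLE_LOG = '''\
apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/usr/share/thunderbird/extensions/langpack-de@thunderbird.mozilla.org.xpi" pid=3919 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci0000:00/0000:00:0b.0/0000:05:00.0/vendor" pid=3598 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="file_mmap" profile="thunderbird//sanitized_helper" name="/opt/firefox/firefox" pid=3697 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
'''

# Matches key="quoted value" or key=bare_value.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key/value fields of one AppArmor DENIED line, else None."""
    fields = {k: (q if q else u) for k, q, u in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def split_profile(label):
    """'parent//child' -> ('parent', 'child'); 'parent' -> ('parent', None)."""
    parent, sep, child = label.partition("//")
    return parent, (child if sep else None)

def missing_rules(log_text):
    """Map profile label -> {path: merged denied mask} over all denials."""
    needed = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d and "name" in d:
            needed[d["profile"]][d["name"]].update(d.get("denied_mask", ""))
    return {p: {n: "".join(sorted(m)) for n, m in paths.items()}
            for p, paths in needed.items()}

def report(log_text):
    """One candidate rule per line, prefixed with the profile it belongs in."""
    out = []
    for label, paths in sorted(missing_rules(log_text).items()):
        parent, child = split_profile(label)
        where = (f"child profile '{child}' of '{parent}'" if child
                 else f"profile '{parent}'")
        for path, mask in sorted(paths.items()):
            out.append(f"{where}: {path} {mask},")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

For the `file_mmap` line, the report places `/opt/firefox/firefox m,` under the child profile `sanitized_helper`, not under the `thunderbird` profile body.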

ilu
Posts: 1877
Joined: 09 Oct 2013 12:45

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby ilu » 17 Apr 2018 11:59

Ah you are on EE, so you've got the fixed version already.

Sorry I can't help you. Does everything else work as expected? Only thunderbird links? Maybe you need to ask in an apparmor forum if there is any ...

I know this is no solution but if your employer cares about security it has advantages not to be able to open links out of thunderbird. If you can't click on anything in an email you can't be phished easily. Copy/pasting the link takes just a second more and raises your awareness about where you are going. Don't hit me I'm just trying to see the positive side ...

