Apparmor: cant open hyperlinks in Thunderbird

Questions about software.
User avatar
mil3s
Posts: 51
Joined: 13 Aug 2014 13:22

Apparmor: cant open hyperlinks in Thunderbird

Postby mil3s » 05 Apr 2018 17:58

Hello community,
we have in solydx firefox in /opt/firefox. This is not default like ubuntu and debian. So apparmor profiles will not proper work.

When I want to open a hyperlink in thunderbird, I cant open it in firefox. And additional I get a gpg error.

Here is the logfile:
Apr 5 19:37:17 ... apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/usr/share/thunderbird/extensions/langpack-de@thunderbird.mozilla.org.xpi" pid=3919 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 5 19:37:19 ... apparmor="DENIED" operation="file_mmap" profile="thunderbird//sanitized_helper" name="/opt/firefox/firefox" pid=3943 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
I tried some fixes, but I have less apparmor experiences.

I added in /etc/apparmor.d/abstractions/ubuntu-browsers

Code: Select all

/opt/firefox/firefox* Cx -> sanitized_helper,
and in /etc/apparmor.d/usr.bin.thunderbird

Code: Select all

/opt/firefox/firefox Cx -> sanitized_helper,
/opt/firefox/firefox m,
But that's not correct. How can I fix it proper? Thank you in advance.
Image
SolydX 10 64 - Debian Buster

kurotsugi
Posts: 2039
Joined: 09 Jan 2014 00:17

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby kurotsugi » 06 Apr 2018 08:05

AFAIK you need to register new profiles for firefox. edit the default profiles should works too

User avatar
mil3s
Posts: 51
Joined: 13 Aug 2014 13:22

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby mil3s » 06 Apr 2018 09:18

Has somebody a working profile for firefox and for thunderbird?

Maybe it would be fine for the solydxk repository like a solydxk-apparmor-profiles package?
This would be great for stable and the for community version.
Image
SolydX 10 64 - Debian Buster

kurotsugi
Posts: 2039
Joined: 09 Jan 2014 00:17

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby kurotsugi » 06 Apr 2018 15:19

Code: Select all

    /path/to/thunderbird*/thunderbird{,.sh,-bin} Cx -> sanitized_helper,
since the main program in this case is thunderbird, we might need to add this line to ubuntu-email abstraction too. since I'm not using thunderbird you'll need to replace to the correct path.

User avatar
mil3s
Posts: 51
Joined: 13 Aug 2014 13:22

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby mil3s » 06 Apr 2018 17:21

Code: Select all

# which thunderbird
/usr/bin/thunderbird
So I added to /etc/apparmor.d/abstractions/ubuntu-email:

Code: Select all

/usr/bin/thunderbird{,.sh,-bin} Cx -> sanitized_helper,
I still get :

Code: Select all

apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci0000:00/0000:00:0b.0/0000:05:00.0/vendor" pid=3598 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="DENIED" operation="file_mmap" profile="thunderbird//sanitized_helper" name="/opt/firefox/firefox" pid=3697 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
What can I do?
Image
SolydX 10 64 - Debian Buster

kurotsugi
Posts: 2039
Joined: 09 Jan 2014 00:17

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby kurotsugi » 07 Apr 2018 08:13

https://askubuntu.com/questions/916009/ ... f-apparmor

this link suggested that you need to add permission to each processes.

User avatar
mil3s
Posts: 51
Joined: 13 Aug 2014 13:22

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby mil3s » 09 Apr 2018 09:01

This:

Code: Select all

apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci0000:00/0000:00:0b.0/0000:05:00.0/vendor" pid=3598 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
should be solved by this?
/sys/devices/pci*/**/vendor r,
in /etc/apparmor.d/usr.bin.thunderbird
But it doesn't.

And I still cant open a hyperlink from thunderbird in firefox.
I still get this:

Code: Select all

apparmor="DENIED" operation="file_mmap" profile="thunderbird//sanitized_helper" name="/opt/firefox/firefox" pid=3673 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Is really nobody using apparmor in solydx?? Schoelje, ilu?
Image
SolydX 10 64 - Debian Buster

User avatar
ilu
Posts: 1907
Joined: 09 Oct 2013 12:45

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby ilu » 11 Apr 2018 21:32

No, I'm not - it's on my to-do list but that list is really long ....

User avatar
ilu
Posts: 1907
Joined: 09 Oct 2013 12:45

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby ilu » 15 Apr 2018 21:00

mil3s did you see this bug report https://bugs.debian.org/cgi-bin/bugrepo ... bug=882043 ?

User avatar
mil3s
Posts: 51
Joined: 13 Aug 2014 13:22

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby mil3s » 17 Apr 2018 10:28

Yes and I still get:
apparmor="DENIED" operation="file_mmap" profile="thunderbird//sanitized_helper" name="/opt/firefox/firefox" pid=5637 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
How can I fix this "m" error ?? I have an entry for m.

BTW I'm not allowed to use Linux without Apparmor in homeoffice, because of compliance guide.
Image
SolydX 10 64 - Debian Buster

User avatar
ilu
Posts: 1907
Joined: 09 Oct 2013 12:45

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby ilu » 17 Apr 2018 11:59

Ah you are on EE, so you've got the fixed version already.

Sorry I can't help you. Does everything else work as expected? Only thunderbird links? Maybe you need to ask in an apparmor forum if there is any ...

I know this is no solution but if your employer cares about security it has advantages not to be able to open links out of thunderbird. If you can't click on anything in an email you can't be phished easily. Copy/pasting the link takes just a second more and raises your awareness about where you are going. Don't hit me I'm just trying to see the positive side ...

User avatar
mil3s
Posts: 51
Joined: 13 Aug 2014 13:22

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby mil3s » 27 Apr 2018 17:36

Where can I ask, is not an ubuntu question or fedora question, which forum is the correct for a solydx apparmor problem?
I have the same problem with my solydx 32bit testing system.
Image
SolydX 10 64 - Debian Buster

User avatar
ilu
Posts: 1907
Joined: 09 Oct 2013 12:45

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby ilu » 27 Apr 2018 18:05

I'm fairly sure that this is not a Solydxk specific problem. Searching for apparmor+thunderbird+profile+problem returns a lot of hits which sound similar to your problem. It's a either a debian problem or a general apparmor problem or a mozilla problem. When you ask in another forum you can safely say you are using debian stable. But you should mention that firefox is installed under /opt.

Maybe try something else first: You could backup your firefox profile data and deinstall firefox by installing firefox-esr. Now you have a standard debian system. Adapt the apparmor profile to firefox-esr and try again. Let's see whether firefox installed under /opt has anything to do with it.

And please better check that you have apparmor version 2.12-1 minimum. All lower versions are buggy.

User avatar
mil3s
Posts: 51
Joined: 13 Aug 2014 13:22

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby mil3s » 30 Apr 2018 08:23

It is Apparmor version 2.12-4 installed.

Firefox-ESR is working well out of the box without any changes. Solydxk Firefox in /opt is not working.
I dont want an ESR, how can I use Debian's Firefox instead of Solydx?

So I would say the problem is issued by the solydx Firefox version.
Solydxk needs a apparmor adjustment profile?
Image
SolydX 10 64 - Debian Buster

User avatar
ilu
Posts: 1907
Joined: 09 Oct 2013 12:45

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby ilu » 30 Apr 2018 13:51

No, the problem is not with the firefox version but with software installed under /opt. Software not being delivered from the main repo (which is debian in our case and which has firefox ESR) is usually installed under /opt.

The thunderbird profile doesn't accept linking to a program under /opt. Or maybe the main settings of apparmor forbid that. You'll need to dig deep and understand what does what in the apparmor settings. I have no idea.

You are not alone with your problem, read this: https://bugs.debian.org/cgi-bin/bugrepo ... bug=882672

The only way I know is a way around the problem, but no solution: use firefox esr for the links and install another browser for usual browsing, f.e. waterfox. Having different browsers (or browser profiles) for different tasks is in fact a good idea security-wise.

User avatar
mil3s
Posts: 51
Joined: 13 Aug 2014 13:22

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby mil3s » 30 Apr 2018 14:05

Ok, I understand. I'm quite new in apparmor, could a solydxk developer take a look on it?

In fact there is a adjustment needed. Would not be "solydx-system-adjustments-10" the correct place for it?
Image
SolydX 10 64 - Debian Buster

User avatar
ilu
Posts: 1907
Joined: 09 Oct 2013 12:45

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby ilu » 30 Apr 2018 14:12

No. Apparmor is not installed by default on solydxk and it would need its own adjustment package. It is not a solydxk problem anyway. As you can see from the bug report I quoted (I edited my post, pls read again) not even the debian people manage to get the thundbird apparmor profile right, so they disabled it in the latest version.

You can try to figure it out. Report back and I'll try to help as good as I can. If this results in a solution it might end in an adjustment package.

Or you'll have to work around the problem, as I said: use esr for the links and another firefox-based browser like Palemoon or Waterfox. You need another browser because firefox itself doesn't allow 2 independent installations on the same system - edit: That's not true, I have both firefoxes ... how did I do that? I think I took firefox from the mozilla website and installed it manually. I need to update manually though and use different profiles, without profile management firefox will use the same profile and that won't work. But I'm using Waterfox for some time now and can recommend it. I don't know about Waterfox or Palemoon apparmor profiles though ... but they will sit in /opt like firefox does and you got firefox working, didn't you?

User avatar
mil3s
Posts: 51
Joined: 13 Aug 2014 13:22

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby mil3s » 30 Apr 2018 14:44

No, I will not install another browser.
My quick and dirty workaround is, to move /opt/firefox -> /usr/lib/firefox and create a symlink from /usr/lib/firefox to /opt/firefox.

And I had to add:

Code: Select all

 /sys/devices/pci*/**/device r,
to "/etc/apparmor.d/usr.bin.thunderbird"

So I can work and update. Maybe the bug will be fixed someday. Or I will have time to figure it out next time.
Image
SolydX 10 64 - Debian Buster

User avatar
ilu
Posts: 1907
Joined: 09 Oct 2013 12:45

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby ilu » 30 Apr 2018 21:28

Does opening the links from thinderbird in firefox work with this fix?

If it does maybe we could figure out a way how firefox could be installed to usr/lib/ per default to avoid the problem with /opt.

User avatar
mil3s
Posts: 51
Joined: 13 Aug 2014 13:22

Re: Apparmor: cant open hyperlinks in Thunderbird

Postby mil3s » 01 May 2018 06:39

Hi Ilu,
yes all is working like expected. Links are working too. Update today to 59.0.3 was successful.
Image
SolydX 10 64 - Debian Buster


Return to “Software”

Who is online

Users browsing this forum: No registered users and 3 guests