Bug#960465: thunderbird: Xfce "preferred browser" setting ignored when AppArmor profile is enabled

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Bug#960465: thunderbird: Xfce "preferred browser" setting ignored when AppArmor profile is enabled

Daniel Gnoutcheff-2
Package: thunderbird
Version: 1:68.8.0-1~deb10u1
Severity: minor

When running Thunderbird under Xfce with
/etc/apparmor.d/usr.bin.thunderbird enabled, Thunderbird always opens
URLs with sensible-browser, even if that is not the "preferred browser"
selected in Xfce's "Preferred Applications" settings panel
(exo-preferred-applications).  After `aa-disable /usr/bin/thunderbird`,
Thunderbird henceforth opens URLs in the right browser.

I suspect this is because the AppArmor profile prohibits exo-open (when
spawned by Thunderbird) from reading ~/.config/xfce4/helpers.rc, which
apparently is where Xfce keeps the user's application selections.  When
apparmor is enabled, opening a URL gives me this on Thunderbird's
stderr:

> (exo-helper-1:2307): libxfce4util-CRITICAL **: 17:43:07.428: Failed to parse file /home/gnoutchd/.config/xfce4/helpers.rc, ignoring.

And I get this in the journal:

> May 12 17:43:07 tbirdtest audit[2307]: AVC apparmor="DENIED" operation="open" profile="thunderbird" name="/home/gnoutchd/.config/xfce4/helpers.rc" pid=2307 comm="exo-helper-1" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> May 12 17:43:07 tbirdtest kernel: audit: type=1400 audit(1589319787.417:43): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/gnoutchd/.config/xfce4/helpers.rc" pid=2307 comm="exo-helper-1" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000


-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8),
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages thunderbird depends on:
ii  debianutils               4.8.6.1
ii  fontconfig                2.13.1-2
ii  libatk1.0-0               2.30.0-2
ii  libc6                     2.28-10
ii  libcairo-gobject2         1.16.0-4
ii  libcairo2                 1.16.0-4
ii  libdbus-1-3               1.12.16-1
ii  libdbus-glib-1-2          0.110-4
ii  libevent-2.1-6            2.1.8-stable-4
ii  libffi6                   3.2.1-9
ii  libfontconfig1            2.13.1-2
ii  libfreetype6              2.9.1-3+deb10u1
ii  libgcc1                   1:8.3.0-6
ii  libgdk-pixbuf2.0-0        2.38.1+dfsg-1
ii  libglib2.0-0              2.58.3-2+deb10u2
ii  libgtk-3-0                3.24.5-1
ii  libgtk2.0-0               2.24.32-3
ii  libjsoncpp1               1.7.4-3
ii  libpango-1.0-0            1.42.4-8~deb10u1
ii  libstartup-notification0  0.12-6
ii  libstdc++6                8.3.0-6
ii  libvpx5                   1.7.0-3+deb10u1
ii  libx11-6                  2:1.6.7-1
ii  libx11-xcb1               2:1.6.7-1
ii  libxcb-shm0               1.13.1-2
ii  libxcb1                   1.13.1-2
ii  libxext6                  2:1.3.3-1+b2
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1+b3
ii  psmisc                    23.2-1
ii  x11-utils                 7.7+4
ii  zlib1g                    1:1.2.11.dfsg-1

Versions of packages thunderbird recommends:
ii  hunspell-en-us [hunspell-dictionary]  1:2018.04.16-1
pn  lightning                             <none>

Versions of packages thunderbird suggests:
ii  apparmor          2.13.2-10
ii  fonts-lyx         2.3.2-1
ii  libgssapi-krb5-2  1.17-3

-- no debconf information


signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#960465: thunderbird: Xfce "preferred browser" setting ignored when AppArmor profile is enabled

Carsten Schoenert
Hello Vincas,

seems there is some more AppArmor related stuff to fix for Thunderbird
under Xfce. Could you please have a look?

Am 12.05.20 um 23:58 schrieb Daniel Gnoutcheff:

> Package: thunderbird
> Version: 1:68.8.0-1~deb10u1
> Severity: minor
>
> When running Thunderbird under Xfce with
> /etc/apparmor.d/usr.bin.thunderbird enabled, Thunderbird always opens
> URLs with sensible-browser, even if that is not the "preferred browser"
> selected in Xfce's "Preferred Applications" settings panel
> (exo-preferred-applications).  After `aa-disable /usr/bin/thunderbird`,
> Thunderbird henceforth opens URLs in the right browser.
>
> I suspect this is because the AppArmor profile prohibits exo-open (when
> spawned by Thunderbird) from reading ~/.config/xfce4/helpers.rc, which
> apparently is where Xfce keeps the user's application selections.  When
> apparmor is enabled, opening a URL gives me this on Thunderbird's
> stderr:
>
>> (exo-helper-1:2307): libxfce4util-CRITICAL **: 17:43:07.428: Failed to parse file /home/gnoutchd/.config/xfce4/helpers.rc, ignoring.
>
> And I get this in the journal:
>
>> May 12 17:43:07 tbirdtest audit[2307]: AVC apparmor="DENIED" operation="open" profile="thunderbird" name="/home/gnoutchd/.config/xfce4/helpers.rc" pid=2307 comm="exo-helper-1" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
>> May 12 17:43:07 tbirdtest kernel: audit: type=1400 audit(1589319787.417:43): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/gnoutchd/.config/xfce4/helpers.rc" pid=2307 comm="exo-helper-1" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
>
>
> -- System Information:
> Debian Release: 10.4
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.19.0-9-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8),
> LANGUAGE=en_US.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages thunderbird depends on:
> ii  debianutils               4.8.6.1
> ii  fontconfig                2.13.1-2
> ii  libatk1.0-0               2.30.0-2
> ii  libc6                     2.28-10
> ii  libcairo-gobject2         1.16.0-4
> ii  libcairo2                 1.16.0-4
> ii  libdbus-1-3               1.12.16-1
> ii  libdbus-glib-1-2          0.110-4
> ii  libevent-2.1-6            2.1.8-stable-4
> ii  libffi6                   3.2.1-9
> ii  libfontconfig1            2.13.1-2
> ii  libfreetype6              2.9.1-3+deb10u1
> ii  libgcc1                   1:8.3.0-6
> ii  libgdk-pixbuf2.0-0        2.38.1+dfsg-1
> ii  libglib2.0-0              2.58.3-2+deb10u2
> ii  libgtk-3-0                3.24.5-1
> ii  libgtk2.0-0               2.24.32-3
> ii  libjsoncpp1               1.7.4-3
> ii  libpango-1.0-0            1.42.4-8~deb10u1
> ii  libstartup-notification0  0.12-6
> ii  libstdc++6                8.3.0-6
> ii  libvpx5                   1.7.0-3+deb10u1
> ii  libx11-6                  2:1.6.7-1
> ii  libx11-xcb1               2:1.6.7-1
> ii  libxcb-shm0               1.13.1-2
> ii  libxcb1                   1.13.1-2
> ii  libxext6                  2:1.3.3-1+b2
> ii  libxrender1               1:0.9.10-1
> ii  libxt6                    1:1.1.5-1+b3
> ii  psmisc                    23.2-1
> ii  x11-utils                 7.7+4
> ii  zlib1g                    1:1.2.11.dfsg-1
>
> Versions of packages thunderbird recommends:
> ii  hunspell-en-us [hunspell-dictionary]  1:2018.04.16-1
> pn  lightning                             <none>
>
> Versions of packages thunderbird suggests:
> ii  apparmor          2.13.2-10
> ii  fonts-lyx         2.3.2-1
> ii  libgssapi-krb5-2  1.17-3
>
> -- no debconf information
>

--
Regards
Carsten Schoenert

Reply | Threaded
Open this post in threaded view
|

Bug#960465: thunderbird: Xfce "preferred browser" setting ignored when AppArmor profile is enabled

Vincas Dargis
Control: user -1 [hidden email]
Control: usertag -1 modify-profile

Yes.

I've reproduced this on Debian 10 XFCE VM, and fix is just adding a single line:

```
owner @{HOME}/.config/xfce4/helpers.rc r,
```

I'll prepare upstream MR to update AA profile.

2020-05-15 09:35, Carsten Schoenert rašė:
> Hello Vincas,
>
> seems there is some more AppArmor related stuff to fix for Thunderbird
> under Xfce. Could you please have a look?