Thunderbird and apparmor

Post by ilu » 22 Oct 2019 23:09

We've already linked the inability to open links from thunderbird to apparmor. Now I have the problem that on one system thunderbird can't send attachments and on another one thunderbird doesn't even start. The error messages were not very helpful: "Thunderbird profile missing or inaccessible", "Thunderbird cannot use the profile because it is in use", "Access was denied while trying to open files in your profile directory". After unsuccessfully debugging I'm now looking at /etc/apparmor.d/usr.bin.thunderbird. I'd hate to disable apparmor (correct way: sudo aa-disable /etc/apparmor.d/usr.bin.thunderbird), maybe the profile is at least partly fixable?

What I did:

1. sudo nano /etc/apparmor.d/usr.bin.thunderbird and remove the leading "#" from the line "include <local/usr.bin.thunderbird>"
2. sudo nano /etc/apparmor.d/local/usr.bin.thunderbird and put all necessary changes in here
3. sudo apparmor_parser -r /etc/apparmor.d/usr.bin.thunderbird

Problems and fixes:

1. The second system has an unusual setup with a moved ~/.cache folder - no surprise that apparmor doesn't like that.

Code:

sudo dmesg -T | grep 'apparmor="DENIED"'
[Di Okt 22 18:20:44 2019] audit: type=1400 audit(1571761245.080:55): apparmor="DENIED" operation="mkdir" profile="thunderbird" name="/var/home/.../.cache/thunderbird/" pid=6752 comm="thunderbird" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[Di Okt 22 18:20:44 2019] audit: type=1400 audit(1571761245.256:56): apparmor="DENIED" operation="open" profile="thunderbird" name="/var/home/.../.cache/mesa_shader_cache/index" pid=6762 comm="thunderbird" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
[Di Okt 22 18:20:45 2019] audit: type=1400 audit(1571761245.980:57): apparmor="DENIED" operation="mknod" profile="thunderbird" name="/var/home/.../.cache/fontconfig/2e755eb509a594ba7adde982574983b5-le64.cache-7.TMP-zha8pe" pid=6752 comm="thunderbird" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[Di Okt 22 19:11:06 2019] audit: type=1400 audit(1571764266.621:72): apparmor="DENIED" operation="open" profile="thunderbird" name="/var/home/.../.cache/thumbnails/large/bf6ebb23fba0fbcbf529ec5a73d4c119.png" pid=7907 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

I fixed this by searching through the apparmor profile for "cache" and creating adapted rules in /etc/apparmor.d/local/usr.bin.thunderbird.

2. Having the profile folder somewhere else outside of the standard location (both machines) is obviously also not acceptable.

Code:

sudo dmesg -T | grep 'apparmor="DENIED"'
[Di Okt 22 19:11:57 2019] audit: type=1400 audit(1571764317.642:85): apparmor="DENIED" operation="file_lock" profile="thunderbird" name="/home/.../<some custom directory>/.parentlock" pid=7907 comm="thunderbird" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000

I searched through the apparmor profile for "thunderbird" and created adapted rules in /etc/apparmor.d/local/usr.bin.thunderbird, but just copy and replace was not enough. This got things working and also fixed the attachment problem:

Code:

  owner @{HOME}/<some directory path>/ rw,
  owner @{HOME}/<some directory path>/** rw,
  owner @{HOME}/<some directory path>/storage.sdb k,
  owner @{HOME}/<some directory path>/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/<some directory path>/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/<some directory path>/plugins/** rm,
  owner @{HOME}/<some directory path>/**/plugins/** rm,
  owner @{HOME}/<some directory path>/extensions/** mixrw,

3. Looks like nobody has ever tried to start from scratch?

Code:

sudo dmesg -T | grep 'apparmor="DENIED"'
[Di Okt 22 19:49:07 2019] audit: type=1400 audit(1571766548.184:97): apparmor="DENIED" operation="mkdir" profile="thunderbird" name=<profile directory> pid=8518 comm="thunderbird" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Vanished somehow.

4. WTF is this?

Code:

sudo dmesg -T | grep 'apparmor="DENIED"'
[Di Okt 22 19:11:06 2019] audit: type=1400 audit(1571764266.589:69): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/.../.gtkrc-xfce" pid=7907 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[Di Okt 22 19:11:06 2019] audit: type=1400 audit(1571764266.589:70): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/.../.face" pid=7907 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[Di Okt 22 19:11:13 2019] audit: type=1400 audit(1571764273.977:75): apparmor="DENIED" operation="open" profile="thunderbird" name="/run/mount/utab" pid=7907 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Vanished somehow.
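
Added example, not part of ilu's post: a small Python helper that turns `apparmor="DENIED"` lines in the dmesg format shown above into candidate rules to review before putting them in /etc/apparmor.d/local/usr.bin.thunderbird. The user name "alice", the directory "mail-profile" and the function names are made up for illustration, and the `@{HOME}` substitution assumes the default tunables (home directories under /home/).

```python
import re
from collections import defaultdict

# Constructed sample lines in the dmesg format shown above (not real log data).
TEMPLATE = ('audit: type=1400 audit(0.0:1): apparmor="DENIED" operation="{op}" '
            'profile="thunderbird" name="{name}" pid=1 comm="thunderbird" '
            'requested_mask="{m}" denied_mask="{m}" fsuid=1000 ouid={ouid}')
SAMPLE = [TEMPLATE.format(op=op, name=name, m=m, ouid=ouid) for op, name, m, ouid in [
    ("mkdir", "/home/alice/mail-profile/", "c", 1000),
    ("file_lock", "/home/alice/mail-profile/.parentlock", "k", 1000),
    ("open", "/home/alice/mail-profile/.parentlock", "wrc", 1000),
    ("open", "/run/mount/utab", "r", 0),
]]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit mask letter -> rule permission; create (c) and delete (d) fall under "w".
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "d": "w",
                "a": "a", "k": "k", "l": "l", "m": "m"}

def parse_denials(lines, profile="thunderbird"):
    """Collect denied permissions per path for one AppArmor profile."""
    denials = defaultdict(lambda: {"perms": set(), "owner": True, "exec": False})
    for line in lines:
        if 'apparmor="DENIED"' not in line:
            continue
        f = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
        if f.get("profile") != profile or "name" not in f:
            continue
        d = denials[f["name"]]
        for ch in f.get("denied_mask", ""):
            if ch == "x":
                d["exec"] = True          # exec mode (ix, Px, ...) is a human decision
            else:
                d["perms"].add(MASK_TO_PERM.get(ch, ""))
        # "owner" only fits when the process uid owns the object in every denial.
        d["owner"] &= f.get("fsuid") == f.get("ouid")
    return denials

def candidate_rules(denials):
    """Render one reviewable rule per path; nothing is written to disk."""
    rules = []
    for path in sorted(denials):
        d = denials[path]
        perms = d["perms"] - ({"a"} if "w" in d["perms"] else set())  # a and w conflict
        mode = "".join(p for p in "rwaklm" if p in perms)
        shown = re.sub(r"^/home/[^/]+/", "@{HOME}/", path)
        if mode:
            rules.append(f"  {'owner ' if d['owner'] else ''}{shown} {mode},")
        if d["exec"]:
            rules.append(f"  # {shown}: exec was denied too, pick the exec mode by hand")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(parse_denials(SAMPLE))))
```

The output is one rule per denied path; widening them to globs like the ones in the post, or leaving a denial such as /run/mount/utab unallowed, stays a manual decision.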
