On Mon, 15 Oct 2018, Carsten Schoenert wrote:

> Hi,
>
> Am 15.10.18 um 03:21 schrieb Tim Connors:
> > Package: thunderbird
> > Version: 1:60.0-3~deb9u1
> > Severity: important
> >
> > At thunderbird startup, I get a completely blank display, associated
> > with terminal message: [GFX1-]: Failed to lock new back buffer.
> >
> > (I presume this bug should be grave, but how can I be the only person
> > on the planet affected by it?  The package is completely unusable to
> > me as of the update.)
>
> if it is related to AppArmor then the answer is simply No because the
> AppArmor profile is disabled by default.

Are you sure?  I've never touched anything apparmor related.  It strikes
me as a poorly thought out idea ("hey, let's block everything!", "hey,
let's open everything again because it turns out everything is needed for
basic functionality!").

> sudo aa-status  --pretty-json | jq .profiles.thunderbird
"enforce"

> ls -lA /etc/apparmor.d/disable/
total 0

> sudo aa-disable /etc/apparmor.d/usr.bin.thunderbird
Disabling /etc/apparmor.d/usr.bin.thunderbird.
> ls -lA /etc/apparmor.d/disable/
total 0
lrwxrwxrwx 1 root root 35 Oct 16 18:33 usr.bin.thunderbird -> /etc/apparmor.d/usr.bin.thunderbird
> sudo aa-status  --pretty-json | jq .profiles.thunderbird
null

And thunderbird works again.

> > At each focus event thereafter, the window flashes, and a system log
> > message is output:
> >
> > Oct 15 12:06:27 weinberg kernel: [233610.647925] audit: type=1400 
> > audit(1539565587.008:2707): apparmor="DENIED" operation="mknod" 
> > profile="thunderbird" name="/run/shm/org.chromium.viOLay" pid=20087 
> > comm="thunderbird" requested_mask="c" denied_mask="c" fsuid=2983 ouid=2983
> >
> > (different /run/shm/ tmp dir every time)
> >
> > Stale apparmor profile affecting latest security update?  Looks like
> > #887973 but that was claimed to have been fixed in a version far far
> > away.
> >
> > /etc/apparmor.d/usr.bin.thunderbird, provided by this version of
> > thunderbird, still references only /dev/shm:
> >
> >   owner /dev/shm/org.chromium.* rw, # for Chromium IPC
> >
> >
> > I note also this report:
> > https://lists.dyne.org/lurker/message/20180918.101827.26f69559.de.html
> >
> > But users shouldn't be updating /etc/apparmor.d files that are the
> > responsibility of the package.
>
> Hm, I still don't see what this report is about. It looks like this
> is related to AppArmor.

But I didn't knowingly install apparmor.  If I try to remove it, half my
system disappears (eg, python3).  But thunderbird did install
/etc/apparmor.d/usr.bin.thunderbird so thunderbird should make sure the
profile is correct.

Actually, let's try removing apparmor anyway:
> sudo apt purge dh-apparmor libapparmor-perl libapparmor1

> dpkg --get-selections | grep apparmor

> thunderbird
[GFX1-]: Failed to lock new back buffer.

Ewwww!  Still no go.

The *only* way of getting a working thunderbird appears to be making sure
this symlink exists:

> ls -lA /etc/apparmor.d/disable/
total 0
lrwxrwxrwx 1 root root 35 Oct 16 18:50 usr.bin.thunderbird -> /etc/apparmor.d/usr.bin.thunderbird

> What have you done to get clearance on this?
> Have you an enabled or a disabled AppArmor profile? I guess you are
> running an active profile for Thunderbird.
>
> Have you checked if any AddOn is possibly provoking your issues?
>
> https://wiki.debian.org/Thunderbird#Bug_Reporting_.2F_Issues

When enforcing (ie, system default)
thunderbird --safe-mode
pops up a dialog that's also black, with a bunch of repeated messages per
focus event:
[GFX1-]: Failed to lock new back buffer.





-- 
Tim Connors
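
Added example, not part of the original message or of the thunderbird package: a small triage helper that parses the AppArmor DENIED audit line quoted above and checks it against the profile rule quoted above, showing that the `/dev/shm/org.chromium.*` glob does not cover the logged `/run/shm/...` name. The function names are hypothetical, and only the `*`, `**` and `?` subset of AppArmor globbing and plain `[owner] <path> <perms>,` rules are handled.

```python
import re

# The audit line quoted in the report, joined onto one line.
SAMPLE_LOG = (
    'Oct 15 12:06:27 weinberg kernel: [233610.647925] audit: type=1400 '
    'audit(1539565587.008:2707): apparmor="DENIED" operation="mknod" '
    'profile="thunderbird" name="/run/shm/org.chromium.viOLay" pid=20087 '
    'comm="thunderbird" requested_mask="c" denied_mask="c" fsuid=2983 ouid=2983')
# The one profile rule the report quotes.
SAMPLE_RULES = ["  owner /dev/shm/org.chromium.* rw, # for Chromium IPC"]

RULE = re.compile(r"^\s*(owner\s+)?(/\S*)\s+([A-Za-z]+)\s*,")

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED audit line, else None."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def glob_to_regex(glob):
    """Translate the *, ** and ? subset of AppArmor globbing to a regex."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2       # ** crosses directory separators
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1    # * stays inside one path component
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out))

def covering_rules(denial, profile_lines):
    """Path rules matching the denied name; owner rules need fsuid == ouid."""
    hits = []
    for line in profile_lines:
        m = RULE.match(line)
        if not m:
            continue
        owner, glob, perms = m.groups()
        if owner and denial.get("fsuid") != denial.get("ouid"):
            continue
        if glob_to_regex(glob).fullmatch(denial["name"]):
            hits.append((glob, perms))
    return hits

if __name__ == "__main__":
    d = parse_denial(SAMPLE_LOG)
    print(d["profile"], d["operation"], d["name"], d["denied_mask"])
    print("covering rules:", covering_rules(d, SAMPLE_RULES) or "none")
```

An empty result for a denied name means no path rule in the checked lines matches it, which is the situation the log line and the quoted rule show here.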
