Hello,

@Vincas Could you please take care of this report?

On 16.10.18 at 09:51, Tim Connors wrote:
>> if it is related to AppArmor then the answer is simply No because the
>> AppArmor profile is disabled by default.
>
> Are you sure?

Yes, I'm sure, I've implemented this functionality into the thunderbird package. ;)

> I've never touched anything apparmor related. It strikes
> me as a poorly thought out idea ("hey, let's block everything!", "hey,
> let's open everything again because it turns out everything is needed for
> basic functionality!").

Well, AppArmor is in principle a good thing. And yes, the idea is to block everything that is not arranged in default places and enable some things dedicated and depending for the application. That makes a system of course more safe. Most of such stuff we have found in applications are mostly corner cases where some other upstream projects are doing things that are questionable. But that's life.

AppArmor is now a Recommends on the kernel packages and also as default in Debian all Recommends get installed once you decide to install a package.

>> sudo aa-status --pretty-json | jq .profiles.thunderbird
> "enforce"
>
>> ls -lA /etc/apparmor.d/disable/
> total 0
>
>> sudo aa-disable /etc/apparmor.d/usr.bin.thunderbird
> Disabling /etc/apparmor.d/usr.bin.thunderbird.
>> ls -lA /etc/apparmor.d/disable/
> total 0
> lrwxrwxrwx 1 root root 35 Oct 16 18:33 usr.bin.thunderbird ->
> /etc/apparmor.d/usr.bin.thunderbird
>> sudo aa-status --pretty-json | jq .profiles.thunderbird
> null
>
> And thunderbird works again.

So the origin here is that AppArmor is blocking a needed action (like also seen in the kernel log).

>>> At each focus event thereafter, the window flashes, and a system log
>>> message is output:
>>>
>>> Oct 15 12:06:27 weinberg kernel: [233610.647925] audit: type=1400
>>> audit(1539565587.008:2707): apparmor="DENIED" operation="mknod"
>>> profile="thunderbird" name="/run/shm/org.chromium.viOLay" pid=20087
>>> comm="thunderbird" requested_mask="c" denied_mask="c" fsuid=2983 ouid=2983
>>>
>>> (different /run/shm/ tmp dir every time)
>>>
>>> Stale apparmor profile affecting latest security update? Looks like
>>> #887973 but that was claimed to have been fixed in a version far far
>>> away.
>>>
>>> /etc/apparmor.d/usr.bin.thunderbird, provided by this version of
>>> thunderbird, still references only /dev/shm:
>>>
>>>   owner /dev/shm/org.chromium.* rw, # for Chromium IPC
>>>
>>>
>>> I note also this report:
>>> https://lists.dyne.org/lurker/message/20180918.101827.26f69559.de.html
>>>
>>> But users shouldn't be updating /etc/apparmor.d files that are the
>>> responsibility of the package.
>>
>> Hm, I still don't see what this report is about. It looks like this
>> is related to AppArmor.
>
> But I didn't knowingly install apparmor. If I try to remove it, half my
> system disappears (eg, python3). But thunderbird did install
> /etc/apparmor.d/usr.bin.thunderbird so thunderbird should make sure the
> profile is correct.

Agreed, but should is something different than must. And we try to do this should of course. But we cannot cover all possible eventualities and heavily need the help of the user here.
And btw, we are talking about Debian not RedHat or SUSE, we are all doing our work in our free time.

> Actually, let's try removing apparmor anyway:
>> sudo apt purge dh-apparmor libapparmor-perl libapparmor1
>
>> dpkg --get-selections | grep apparmor
>
>> thunderbird
> [GFX1-]: Failed to lock new back buffer.
>
> Ewwww! Still no go.

Of course, as long as apparmor is on the system and the AppArmor profile for Thunderbird is active without the correction, this issue will happen. You will need a line like this

  owner /run/shm/org.chromium.* rw, # for Chromium IPC fix2

near the existing entry. But maybe there are other fixes needed afterwards.

> The *only* way of getting a working thunderbird appears to be making sure
> this symlink exists:
>
>> ls -lA /etc/apparmor.d/disable/
> total 0
> lrwxrwxrwx 1 root root 35 Oct 16 18:50 usr.bin.thunderbird ->
> /etc/apparmor.d/usr.bin.thunderbird

No, by this apparmor knows that it can ignore this profile. The correct fix is to adjust the profile for AppArmor.

>> What have you done to get clearance on this?
>> Have you an enabled or a disabled AppArmor profile? I guess you are
>> running an active profile for Thunderbird.
>>
>> Have you checked if any AddOn is possibly provoking your issues?
>>
>> https://wiki.debian.org/Thunderbird#Bug_Reporting_.2F_Issues
>
> When enforcing (ie, system default)
> thunderbird --safe-mode
> pops up a dialog that's also black, with a bunch of repeated messages per
> focus event:
> [GFX1-]: Failed to lock new back buffer.

--
Regards
Carsten Schoenert
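
Added example, not part of the original message or of the thunderbird package: a small Python check that parses the denial quoted in the report, tests it against the `/dev/shm` rule the shipped profile carries, and derives the sibling rule for the denied directory. The function names are hypothetical, the globbing is simplified (`*`, `**` and `?` only, no character classes or alternation), and permission masks are not compared.

```python
import posixpath
import re

# Denial quoted in the report above, unwrapped onto one line.
SAMPLE = ('kernel: [233610.647925] audit: type=1400 audit(1539565587.008:2707): '
          'apparmor="DENIED" operation="mknod" profile="thunderbird" '
          'name="/run/shm/org.chromium.viOLay" pid=20087 comm="thunderbird" '
          'requested_mask="c" denied_mask="c" fsuid=2983 ouid=2983')
# Path rule the shipped profile carries, per the report: (owner?, glob, perms).
SHIPPED = [(True, "/dev/shm/org.chromium.*", "rw")]

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, else None."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] in "*?":
            out.append("[^/]*" if glob[i] == "*" else "[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out))

def covered(denial, rules):
    """True if a rule's path glob matches the denied path.
    An 'owner' rule only applies when fsuid equals the object owner (ouid)."""
    is_owner = denial.get("fsuid") == denial.get("ouid")
    return any(glob_to_regex(g).fullmatch(denial["name"]) and (is_owner or not owner)
               for owner, g, _ in rules)

def suggest_rule(denial, rules):
    """Reuse the leaf glob of an existing rule under the denied directory."""
    if covered(denial, rules):
        return None
    directory, base = posixpath.split(denial["name"])
    for owner, g, perms in rules:
        leaf = posixpath.basename(g)
        if glob_to_regex(leaf).fullmatch(base):
            return f"{'owner ' if owner else ''}{directory}/{leaf} {perms},"
    return None  # no existing rule has a matching leaf pattern to reuse

if __name__ == "__main__":
    print(suggest_rule(parse_denial(SAMPLE), SHIPPED))
```

Reusing the existing leaf glob rather than the exact denied name matters here because the report notes the temporary name under /run/shm/ differs every time.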