Hello Andrea,

On 02.01.19 at 16:09, Andrea Borgia wrote:
> I could not attach a text file from /tmp and discovered that apparmor
> was preventing me from doing that:
>
> syslog:Jan  2 12:37:02 mononoke kernel: [65507.015542] audit: type=1400
> audit(1546429022.613:50): apparmor="DENIED" operation="open"
> profile="thunderbird" name="/tmp/hdparm.txt" pid=21962
> comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

that is the desired effect if apparmor is active for Thunderbird.

> However, both README.apparmor and the package changelog explicitly
> state that the thunderbird apparmor profile is disabled by default,
> yet /etc/apparmor.d/usr.bin.thunderbird is installed and active.
>
> aa-status --pretty-json | jq .profiles.thunderbird ---> "enforce"
> 
> Based on the number of similar apparmor bugs on thunderbird, I'd say
> my system is behaving as expected but the documentation is outdated.
The way the AA profile is installed and deactivated on a first-time
installation hasn't changed for a bit more than a year now.

The package (still) comes with the following apparmor-related files.

> $ dpkg -L thunderbird | grep apparmor
> /etc/apparmor.d
> /etc/apparmor.d/disable
> /etc/apparmor.d/usr.bin.thunderbird
> /usr/share/doc/thunderbird/README.apparmor

But there is also the postinst script that is responsible for how the
package is installed, updated and handled.

> $ head -n80 /var/lib/dpkg/info/thunderbird.postinst | tail -n9
>         # Disable apparmor on new installations and when we're upgrading from
>         # a version that had it enabled by default
>         if test -n "$2" && dpkg --compare-versions "$2" gt "1:52.5.0-1~"; then
>             :   # Leave the disable/ symlink at users choice if
>                 # upgrading from a version that ships the symlink
>         else
>             mkdir -p /etc/apparmor.d/disable
>             [ -f /etc/apparmor.d/disable/usr.bin.thunderbird ] || ln -s /etc/apparmor.d/usr.bin.thunderbird /etc/apparmor.d/disable/usr.bin.thunderbird
>         fi

Note that $2 is the <most-recently-configured-version> and is only
available if another version of thunderbird was installed while the
postinst script is running. This is also the case if you haven't purged
the package when removing it from your system.

So if you are now encountering issues, that would mean that you have
enabled the apparmor profile yourself after the version that is used in
the postinst script, or that you are doing an update from a version prior
to this version. Stretch never had Thunderbird 1:52.5.0-1~deb9u1; the
closest version smaller than that was 1:52.4.0-1~deb9u1.

Denying the reading of any file from /tmp without specification is
correct. You can read every file, also in subfolders, from your home folder!

>     owner @{HOME}/** r,

Some files and folders are excluded for valid reasons later in the AA
profile as well.
So maybe you need to rethink how AppArmor is intended to help you prevent
some things from going wrong? Don't use /tmp for picking up files as an
attachment.

> In that case, could you please revise it?

Sorry, I see nothing that needs to be changed.

-- 
Regards
Carsten Schoenert
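
To make the postinst test above concrete, here is an added example (my own, not Debian's or the thunderbird package's code) that re-implements the dpkg version ordering in Python together with the `$2` decision from the quoted snippet, so the versions named in this thread can be checked without a Debian system. The function names are my own.

```python
import re

def _order(c):
    # dpkg weight for a non-digit character: '~' sorts before everything,
    # even the end of the string; letters sort before other punctuation.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare an upstream version or a revision the way dpkg does:
    # alternate runs of non-digits (by _order) and runs of digits (by value).
    i = j = 0
    while i < len(a) or j < len(b):
        ca, cb = a[i:i + 1], b[j:j + 1]
        while (ca and not ca.isdigit()) or (cb and not cb.isdigit()):
            d = _order(ca) - _order(cb)
            if d:
                return d
            i, j = i + 1, j + 1
            ca, cb = a[i:i + 1], b[j:j + 1]
        na, nb = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(na), j + len(nb)
        d = int(na or "0") - int(nb or "0")
        if d:
            return d
    return 0

def compare_versions(v1, v2):
    """Negative, zero or positive, like `dpkg --compare-versions v1 lt|eq|gt v2`."""
    def split(v):
        epoch, sep, rest = v.partition(":")          # epoch ends at the first ':'
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")  # revision starts at the last '-'
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def disable_profile_on_install(previous_version):
    """The quoted postinst test: $2 is the previously configured version (empty
    on a fresh install); only a version gt 1:52.5.0-1~ keeps the symlink alone."""
    if previous_version and compare_versions(previous_version, "1:52.5.0-1~") > 0:
        return False  # upgrade from a version that already shipped the symlink
    return True       # fresh install or older version: create the disable/ symlink
```

The trailing `~` in `1:52.5.0-1~` is what makes any build of 1:52.5.0-1, including a `~deb9u1` one, count as newer, while the stretch version 1:52.4.0-1~deb9u1 still compares smaller and therefore gets the symlink created.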
