Page 1 of 2

Apparmor: cant open hyperlinks in Thunderbird

Posted: 05 Apr 2018 17:58
by mil3s
Hello community,
we have in solydx firefox in /opt/firefox. This is not default like ubuntu and debian. So apparmor profiles will not proper work.

When I want to open a hyperlink in thunderbird, I cant open it in firefox. And additional I get a gpg error.

Here is the logfile:
Apr 5 19:37:17 ... apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/usr/share/thunderbird/extensions/langpack-de@thunderbird.mozilla.org.xpi" pid=3919 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 5 19:37:19 ... apparmor="DENIED" operation="file_mmap" profile="thunderbird//sanitized_helper" name="/opt/firefox/firefox" pid=3943 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
I tried some fixes, but I have less apparmor experiences.

I added in /etc/apparmor.d/abstractions/ubuntu-browsers

Code: Select all

/opt/firefox/firefox* Cx -> sanitized_helper,
and in /etc/apparmor.d/usr.bin.thunderbird

Code: Select all

/opt/firefox/firefox Cx -> sanitized_helper,
/opt/firefox/firefox m,
But that's not correct. How can I fix it proper? Thank you in advance.

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 06 Apr 2018 08:05
by kurotsugi
AFAIK you need to register new profiles for firefox. edit the default profiles should works too

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 06 Apr 2018 09:18
by mil3s
Has somebody a working profile for firefox and for thunderbird?

Maybe it would be fine for the solydxk repository like a solydxk-apparmor-profiles package?
This would be great for stable and the for community version.

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 06 Apr 2018 15:19
by kurotsugi

Code: Select all

    /path/to/thunderbird*/thunderbird{,.sh,-bin} Cx -> sanitized_helper,
since the main program in this case is thunderbird, we might need to add this line to ubuntu-email abstraction too. since I'm not using thunderbird you'll need to replace to the correct path.

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 06 Apr 2018 17:21
by mil3s

Code: Select all

# which thunderbird
/usr/bin/thunderbird
So I added to /etc/apparmor.d/abstractions/ubuntu-email:

Code: Select all

/usr/bin/thunderbird{,.sh,-bin} Cx -> sanitized_helper,
I still get :

Code: Select all

apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci0000:00/0000:00:0b.0/0000:05:00.0/vendor" pid=3598 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

apparmor="DENIED" operation="file_mmap" profile="thunderbird//sanitized_helper" name="/opt/firefox/firefox" pid=3697 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
What can I do?

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 07 Apr 2018 08:13
by kurotsugi
https://askubuntu.com/questions/916009/ ... f-apparmor

this link suggested that you need to add permission to each processes.

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 09 Apr 2018 09:01
by mil3s
This:

Code: Select all

apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci0000:00/0000:00:0b.0/0000:05:00.0/vendor" pid=3598 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
should be solved by this?
/sys/devices/pci*/**/vendor r,
in /etc/apparmor.d/usr.bin.thunderbird
But it doesn't.

And I still cant open a hyperlink from thunderbird in firefox.
I still get this:

Code: Select all

apparmor="DENIED" operation="file_mmap" profile="thunderbird//sanitized_helper" name="/opt/firefox/firefox" pid=3673 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Is really nobody using apparmor in solydx?? Schoelje, ilu?

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 11 Apr 2018 21:32
by ilu
No, I'm not - it's on my to-do list but that list is really long ....

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 15 Apr 2018 21:00
by ilu
mil3s did you see this bug report https://bugs.debian.org/cgi-bin/bugrepo ... bug=882043 ?

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 17 Apr 2018 10:28
by mil3s
Yes and I still get:
apparmor="DENIED" operation="file_mmap" profile="thunderbird//sanitized_helper" name="/opt/firefox/firefox" pid=5637 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
How can I fix this "m" error ?? I have an entry for m.

BTW I'm not allowed to use Linux without Apparmor in homeoffice, because of compliance guide.

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 17 Apr 2018 11:59
by ilu
Ah you are on EE, so you've got the fixed version already.

Sorry I can't help you. Does everything else work as expected? Only thunderbird links? Maybe you need to ask in an apparmor forum if there is any ...

I know this is no solution but if your employer cares about security it has advantages not to be able to open links out of thunderbird. If you can't click on anything in an email you can't be phished easily. Copy/pasting the link takes just a second more and raises your awareness about where you are going. Don't hit me I'm just trying to see the positive side ...

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 27 Apr 2018 17:36
by mil3s
Where can I ask, is not an ubuntu question or fedora question, which forum is the correct for a solydx apparmor problem?
I have the same problem with my solydx 32bit testing system.

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 27 Apr 2018 18:05
by ilu
I'm fairly sure that this is not a Solydxk specific problem. Searching for apparmor+thunderbird+profile+problem returns a lot of hits which sound similar to your problem. It's a either a debian problem or a general apparmor problem or a mozilla problem. When you ask in another forum you can safely say you are using debian stable. But you should mention that firefox is installed under /opt.

Maybe try something else first: You could backup your firefox profile data and deinstall firefox by installing firefox-esr. Now you have a standard debian system. Adapt the apparmor profile to firefox-esr and try again. Let's see whether firefox installed under /opt has anything to do with it.

And please better check that you have apparmor version 2.12-1 minimum. All lower versions are buggy.

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 30 Apr 2018 08:23
by mil3s
It is Apparmor version 2.12-4 installed.

Firefox-ESR is working well out of the box without any changes. Solydxk Firefox in /opt is not working.
I dont want an ESR, how can I use Debian's Firefox instead of Solydx?

So I would say the problem is issued by the solydx Firefox version.
Solydxk needs a apparmor adjustment profile?

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 30 Apr 2018 13:51
by ilu
No, the problem is not with the firefox version but with software installed under /opt. Software not being delivered from the main repo (which is debian in our case and which has firefox ESR) is usually installed under /opt.

The thunderbird profile doesn't accept linking to a program under /opt. Or maybe the main settings of apparmor forbid that. You'll need to dig deep and understand what does what in the apparmor settings. I have no idea.

You are not alone with your problem, read this: https://bugs.debian.org/cgi-bin/bugrepo ... bug=882672

The only way I know is a way around the problem, but no solution: use firefox esr for the links and install another browser for usual browsing, f.e. waterfox. Having different browsers (or browser profiles) for different tasks is in fact a good idea security-wise.

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 30 Apr 2018 14:05
by mil3s
Ok, I understand. I'm quite new in apparmor, could a solydxk developer take a look on it?

In fact there is a adjustment needed. Would not be "solydx-system-adjustments-10" the correct place for it?

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 30 Apr 2018 14:12
by ilu
No. Apparmor is not installed by default on solydxk and it would need its own adjustment package. It is not a solydxk problem anyway. As you can see from the bug report I quoted (I edited my post, pls read again) not even the debian people manage to get the thundbird apparmor profile right, so they disabled it in the latest version.

You can try to figure it out. Report back and I'll try to help as good as I can. If this results in a solution it might end in an adjustment package.

Or you'll have to work around the problem, as I said: use esr for the links and another firefox-based browser like Palemoon or Waterfox. You need another browser because firefox itself doesn't allow 2 independent installations on the same system - edit: That's not true, I have both firefoxes ... how did I do that? I think I took firefox from the mozilla website and installed it manually. I need to update manually though and use different profiles, without profile management firefox will use the same profile and that won't work. But I'm using Waterfox for some time now and can recommend it. I don't know about Waterfox or Palemoon apparmor profiles though ... but they will sit in /opt like firefox does and you got firefox working, didn't you?

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 30 Apr 2018 14:44
by mil3s
No, I will not install another browser.
My quick and dirty workaround is, to move /opt/firefox -> /usr/lib/firefox and create a symlink from /usr/lib/firefox to /opt/firefox.

And I had to add:

Code: Select all

 /sys/devices/pci*/**/device r,
to "/etc/apparmor.d/usr.bin.thunderbird"

So I can work and update. Maybe the bug will be fixed someday. Or I will have time to figure it out next time.

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 30 Apr 2018 21:28
by ilu
Does opening the links from thinderbird in firefox work with this fix?

If it does maybe we could figure out a way how firefox could be installed to usr/lib/ per default to avoid the problem with /opt.

Re: Apparmor: cant open hyperlinks in Thunderbird

Posted: 01 May 2018 06:39
by mil3s
Hi Ilu,
yes all is working like expected. Links are working too. Update today to 59.0.3 was successful.