[pkg-apparmor] Bug#884787: apparmor-profiles-extra: Pidgin fails to load plugin from home directory

Adrian Heine debian at adrianheine.de
Tue Dec 19 18:32:44 UTC 2017


Package: apparmor-profiles-extra
Version: 1.16
Severity: normal

error message:

Dez 19 19:04:05 kernel: audit: type=1400 audit(1513706645.170:80): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/pidgin" name="~/.purple/plugins/lurch.so" pid=11948 comm="pidgin" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000

I added the following line to the AppArmor profile (/etc/apparmor.d/usr.bin.pidgin, shown in full under "Configuration Files" below):

  owner @{HOME}/.purple/plugins/*.so m,

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apparmor-profiles-extra depends on:
ii  apparmor  2.11.1-4

apparmor-profiles-extra recommends no packages.

apparmor-profiles-extra suggests no packages.

-- Configuration Files:
/etc/apparmor.d/usr.bin.pidgin changed:
# AppArmor profile confining /usr/bin/pidgin, as it exists on the reporter's
# system. The only local change described in the report is the
# "@{HOME}/.purple/plugins/*.so m" rule below.
/usr/bin/pidgin {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/dbus-session>
  #include <abstractions/dbus-strict>
  #include <abstractions/dconf>
  #include <abstractions/enchant>
  #include <abstractions/gnome>
  #include <abstractions/gstreamer>
  #include <abstractions/ibus>
  #include <abstractions/launchpad-integration>
  #include <abstractions/nameservice>
  #include <abstractions/private-files-strict>
  #include <abstractions/ssl_certs>
  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-helpers>
  #include <abstractions/user-download>
  # Receive only the listed NetworkManager signals on the system bus, and
  # only from an unconfined peer.
  dbus receive
       bus=system
       path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.NetworkManager
       member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged,PropertiesChanged}
       peer=(label=unconfined),
  # Send only the "state" member to NetworkManager on the system bus.
  dbus send
       bus=system
       path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.NetworkManager
       member=state
       peer=(label=unconfined),
  # Explicit denials: no ptrace of other processes, no CAP_SYS_PTRACE, and no
  # listing of the per-user wine application entries.
  deny ptrace,
  deny capability sys_ptrace,
  deny @{HOME}/.local/share/applications/wine/ r,
  # Per-user GStreamer state and registry cache (read/write, owner only).
  owner @{HOME}/.gstreamer*/ rw,
  owner @{HOME}/.gstreamer*/** rw,
  owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/ rw,
  owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
  owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,
  # The plugin scanner is executed under the profile named gst_plugin_scanner
  # (not shown in this listing); "Pix" falls back to inheriting this profile
  # if that one is not loaded.
  /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner Pix -> gst_plugin_scanner,
  # Pidgin's own per-user data directory: read, write and file locking.
  owner @{HOME}/.purple/ rw,
  owner @{HOME}/.purple/** rwk,
  # Local addition from the bug report: allow mapping per-user plugins as
  # executable ("m"), which is what the logged file_mmap denial asked for.
  # NOTE(review): permissions of all matching rules are combined, so together
  # with the "rwk" rule above, files matching plugins/*.so become both
  # writable and executable-mappable by the confined process. Code running as
  # Pidgin could then drop a .so there and have it loaded on the next start.
  # The system-wide plugin rules further down grant "rm" only. If per-user
  # plugins are needed, consider pairing this rule with something like
  # "deny @{HOME}/.purple/plugins/** w," (deny takes precedence over allow)
  # and installing plugins from outside Pidgin - verify Pidgin itself does
  # not need to write there. A site-specific rule like this also fits better
  # in the local/usr.bin.pidgin include referenced at the end of the profile
  # than in the packaged file.
  owner @{HOME}/.purple/plugins/*.so m,
  owner @{HOME}/.config/indicators/ rw,
  owner @{HOME}/.config/indicators/** rw,
  owner @{HOME}/.local/share/applications/ r,
  # Uncomment the two following lines if you want to allow Pidgin to update
  # any DConf setting:
  # owner @{HOME}/.{cache,config}/dconf/user rw,
  # owner /{,var/}run/user/[0-9]*/dconf/user rwk,
  # Helper binaries executed while staying inside this profile ("ix").
  /{usr/,}bin/dash rix,
  /{usr/,}bin/which rix,
  # NB: the preferred browser and proxy settings must be configured
  # in the GNOME preferences: this profile does not allow running
  # the corresponding external configuration applications.
  /usr/bin/gconftool-2 rPix,
  /usr/bin/gnome-open rmix,
  /usr/bin/gsettings rix,
  /usr/bin/gvfs-open rmix,
  /usr/bin/pidgin r,
  /usr/bin/xdg-open rmix,
  /etc/purple/prefs.xml r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  # System-wide plugins and libraries: readable and mappable ("rm"), but this
  # profile grants no write access to these paths.
  /usr/lib/frei0r-1/*.so rm,
  /usr/lib/@{multiarch}/libvisual-*/**.so rm,
  /usr/lib/pidgin/*.so rm,
  /usr/lib/purple*/*.so rm,
  # pidgin-blinklight plugin
  /usr/lib/pidgin-blinklight/blinklight-fixperm rPix,
  @{PROC}/acpi/ibm/light rwk,
  /usr/share/purple/ca-certs/ r,
  /usr/share/purple/ca-certs/** r,
  /usr/share/tcltk/** r,
  /usr/share/themes/ r,
  # The process may read its own auxv and list its own file descriptors.
  owner @{PROC}/@{pid}/auxv r,
  owner @{PROC}/@{pid}/fd/ r,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.pidgin>
}


-- no debconf information


