[pkg-apparmor] Bug#885522: apparmor breaks thunderbird's open link in firefox (quantum)

George Shuklin george.shuklin at gmail.com
Wed Dec 27 16:54:42 UTC 2017 

Package: apparmor
Version: 2.11.1-4
Severity: normal
Tags: patch

New firefox get rid of firefox.sh script and use binary
/usr/lib/firefox/firefox.
Apparmor profile for firefox is obsolete and prevents opening links in
thunderbird.

Dec 27 18:44:46 home audit[8966]: AVC apparmor="DENIED" operation="exec"
profile="thunderbird" name="/usr/lib/firefox/firefox" pid=8966
comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 27 18:44:46 home kernel: audit: type=1400 audit(1514393086.417:68):
apparmor="DENIED" operation="exec" profile="thunderbird"
name="/usr/lib/firefox/firefox" pid=8966 comm="thunderbird" requested_mask="x"
denied_mask="x" fsuid=1000 ouid=0

To fix this problem /etc/apparmor.d/abstractions/ubuntu-browsers should allow
FF run:

(add line)

  /usr/lib/firefox/firefox Cx -> sanitized_helper




-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.65
ii  libc6                  2.25-5
ii  lsb-base               9.20170808
ii  python3                3.6.4~rc1-2

apparmor recommends no packages.

Versions of packages apparmor suggests:
pn  apparmor-profiles        <none>
pn  apparmor-profiles-extra  <none>
pn  apparmor-utils           <none>

-- Configuration Files:
/etc/apparmor.d/abstractions/ubuntu-browsers changed:
  /usr/bin/arora Cx -> sanitized_helper,
  /usr/bin/conkeror Cx -> sanitized_helper,
  /usr/bin/dillo Cx -> sanitized_helper,
  /usr/bin/Dooble Cx -> sanitized_helper,
  /usr/bin/epiphany Cx -> sanitized_helper,
  /usr/bin/epiphany-browser Cx -> sanitized_helper,
  /usr/bin/epiphany-webkit Cx -> sanitized_helper,
  /usr/lib/fennec-*/fennec Cx -> sanitized_helper,
  /usr/bin/galeon Cx -> sanitized_helper,
  /usr/bin/kazehakase Cx -> sanitized_helper,
  /usr/bin/konqueror Cx -> sanitized_helper,
  /usr/bin/midori Cx -> sanitized_helper,
  /usr/bin/netsurf Cx -> sanitized_helper,
  /usr/bin/prism Cx -> sanitized_helper,
  /usr/bin/rekonq Cx -> sanitized_helper,
  /usr/bin/seamonkey Cx -> sanitized_helper,
  /usr/bin/sensible-browser Pixr,
  /usr/bin/chromium-browser Cx -> sanitized_helper,
  /usr/lib/chromium-browser/chromium-browser Cx -> sanitized_helper,
  # this should cover all firefox browsers and versions (including shiretoko
  # and abrowser)
  /usr/bin/firefox Cxr -> sanitized_helper,
  /usr/lib/firefox*/firefox*.sh Cx -> sanitized_helper,
  /usr/lib/firefox/firefox Cx -> sanitized_helper,
  /usr/lib/firefox-esr/firefox* Cx -> sanitized_helper,
  # Iceweasel
  /usr/bin/iceweasel Cxr -> sanitized_helper,
  /usr/lib/iceweasel/iceweasel Cx -> sanitized_helper,
  # some unpackaged, but popular browsers
  /usr/lib/icecat-*/icecat Cx -> sanitized_helper,
  /usr/bin/opera Cx -> sanitized_helper,
  /opt/google/chrome{,-beta}/google-chrome{,-beta} Cx -> sanitized_helper,


-- debconf-show failed

More information about the pkg-apparmor-team mailing list