Bug #15395

Enigmail & AppArmor: Cannot get key from keyserver after finding it

Added by emmapeel 2018-03-12 14:04:24 . Updated 2018-06-10 12:59:41 .

Status: Resolved
Priority: Elevated
Assignee:
Category:
Target version:
Start date: 2018-03-12
Due date:
% Done: 100%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool: Email Client
Deliverable for:

Description

In Tails 3.6~rc1 I cannot download keys from the keyserver with the Key selection interface as I used to do until Tails 3.5. It seems like the apparmor profile should be updated:

Steps to reproduce:

- Open Thunderbird with Enigmail configured
- Try to send an email to a new email address (that has a public key on the keyservers)
- The Enigmail menu comes out, click on ‘Download missing keys’.
- The searchbox appears, you can select a key, but the system gets quite frozen and nothing happens.

On the logs, I see:

<code class="text">
Mar 12 08:39:38 amnesia kernel: audit: type=1400 audit(1520843978.662:282820993): apparmor="DENIED" operation="file_lock" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=8570 comm="gpg2" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
</code>


Related issues

Related to Tails - Bug #11973: Confine Thunderbird with AppArmor Resolved 2016-11-20
Related to Tails - Bug #15610: AppArmor breaks importing public OpenPGP keys from email attachments Resolved 2018-05-21
Blocks Tails - Feature #15139: Core work 2018Q2: Foundations Team Resolved 2018-01-01
Blocked by Tails - Bug #15607: Upgrade to Thunderbird 52.8.0 Resolved 2018-05-19

History

#1 Updated by sajolida 2018-03-12 19:34:37

  • related to Bug #11973: Confine Thunderbird with AppArmor added

#2 Updated by sajolida 2018-03-12 19:36:42

  • Assignee set to anonym
  • Priority changed from Normal to Elevated
  • Target version set to Tails_3.7

I understand that this is a regression caused by Bug #11973. Reassigning to anonym who last worked on Bug #11973.

#3 Updated by bertagaz 2018-03-13 03:10:14

  • Status changed from Confirmed to In Progress

Applied in changeset commit:4711cdfd91aebb29b887ce21d9e93071dde4865a.

#4 Updated by anonym 2018-03-13 10:16:50

  • Assignee changed from anonym to bertagaz
  • Target version changed from Tails_3.7 to Tails_3.6
  • % Done changed from 0 to 30

emmapeel wrote:
> In Tails 3.6~rc1 I cannot download keys from the keyserver with the Key selection interface as I used to do until Tails 3.5. It seems like the apparmor profile should be updated:
>
> Steps to reproduce:
>
> - Open Thunderbird with Enigmail configured
> - Try to send an email to a new email address (that has a public key on the keyservers)
> - The Enigmail menu comes out, click on ‘Download missing keys’.
> - The searchbox appears, you can select a key, but the system gets quite frozen and nothing happens.

Following these exact steps (without any persistence features enabled), I successfully download the recipient’s public key. So I cannot reproduce.

> On the logs, I see:
>
> Mar 12 08:39:38 amnesia kernel: audit: type=1400 audit(1520843978.662:282820993): apparmor="DENIED" operation="file_lock" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=8570 comm="gpg2" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000

I did not see this, or any other entry. I wonder if this only happens when ~/.gnupg is persistent? And some non-default GnuPG configuration?

So, bert, I suggest you get a tester to look into the above hypotheses, and either update or remove the known issue depending on if anything can be reproduced.

#5 Updated by bertagaz 2018-03-13 10:56:06

  • Assignee changed from bertagaz to anonym
  • Target version changed from Tails_3.6 to Tails_3.7

anonym wrote:
> I did not see this, or any other entry. I wonder if this only happens when ~/.gnupg is persistent? And some non-default GnuPG configuration?
>
> So, bert, I suggest you get a tester to look into the above hypotheses, and either update or remove the known issue depending on if anything can be reproduced.

We’ve tested that briefly with emmapeel too yesterday, and indeed it appears this bug is triggered only when persistence is enabled. If tofu.db is moved out from .gnupg before using enigmail, then it works again, but I suspect that once the user fires gpg manually, the file will be recreated and the bug will reappear.

I’ve added a note about that in the known issues for 3.6, explaining to use Seahorse to fetch keys before sending an encrypted email to a new contact. This should still be fixed for 3.7 I think.

#6 Updated by anonym 2018-03-13 11:53:40

  • Target version changed from Tails_3.7 to Tails_3.6

bertagaz wrote:
> anonym wrote:
> > I did not see this, or any other entry. I wonder if this only happens when ~/.gnupg is persistent? And some non-default GnuPG configuration?
> >
> > So, bert, I suggest you get a tester to look into the above hypotheses, and either update or remove the known issue depending on if anything can be reproduced.
>
> We’ve tested that briefly with emmapeel too yesterday, and indeed it appears this bug is triggered only when persistence is enabled. If tofu.db is moved out from .gnupg before using enigmail, then it works again, but I suspect that once the user fires gpg manually, the file will be recreated and the bug will reappear.

Actually, the file is created when you sign a key. However, when I tested this in a session without persistence I still couldn’t reproduce. Interesting… I don’t know if this affects the known issue.

> I’ve added a note about that in the known issues for 3.6, explaining to use Seahorse to fetch keys before sending an encrypted email to a new contact.

Great!

> This should still be fixed for 3.7 I think.

Absolutely!

#7 Updated by bertagaz 2018-03-14 11:32:29

  • Target version changed from Tails_3.6 to Tails_3.7

#8 Updated by emmapeel 2018-03-16 14:26:52

I cannot reproduce this on Tails 3.6. Shall we close it? Who else saw it?

#9 Updated by sajolida 2018-03-16 22:18:32

  • QA Check changed from Dev Needed to Info Needed
  • Feature Branch set to web/14680-3.6-release-notes

I can’t reproduce that in 3.6 either…

anonym: If you agree with me please merge again web/14680-3.6-release-notes (with commit e6cd649727).

#10 Updated by blue9 2018-03-20 23:44:12

emmapeel wrote:
> I cannot reproduce this on Tails 3.6. Shall we close it? Who else saw it?

I’m seeing this in 3.6.1 (with persistence enabled). Key signing seems to trigger it as well. My logs continue filling up with `apparmor="DENIED"` errors even after I quit Thunderbird. I had to manually kill a `/usr/bin/gpg2` process.

#11 Updated by intrigeri 2018-03-21 10:23:08

> I’m seeing this in 3.6.1 (with persistence enabled). Key signing seems to trigger it as well. My logs continue filling up with `apparmor="DENIED"` errors even after I quit Thunderbird. I had to manually kill a `/usr/bin/gpg2` process.

Interesting! Can you please share the full error messages you see in the logs?

#12 Updated by intrigeri 2018-03-21 14:32:54

(Trying again to reassign.)

#13 Updated by blue9 2018-03-21 16:17:47

intrigeri wrote:
> Interesting! Can you please share the full error messages you see in the logs?

When I launch Thunderbird, I get:

<code class="text">
Mar 21 09:01:00 amnesia thunderbird.desktop[4946]: + exec /usr/bin/thunderbird --class Thunderbird -profile /home/amnesia/.thunderbird/profile.default
Mar 21 09:01:00 amnesia thunderbird[4946]: Failed to parse /home/amnesia/.config/gtk-3.0/settings.ini: Permission denied
Mar 21 09:01:00 amnesia kernel: kauditd_printk_skb: 106139 callbacks suppressed
Mar 21 09:01:00 amnesia kernel: audit: type=1400 audit(1521648060.491:175629027): apparmor="DENIED" operation="open" profile="thunderbird" name="/live/persistence/TailsData_unlocked/dotfiles/.config/gtk-3.0/settings.ini" pid=4946 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar 21 09:01:00 amnesia thunderbird[4946]: Unable to load /var/lib/dbus/machine-id: Failed to open file '/var/lib/dbus/machine-id': Permission denied
Mar 21 09:01:01 amnesia thunderbird.desktop[4946]: TorBirdy registered!
</code>

When I try to import a key through the Enigmail GUI, I get:

<code class="text">
Mar 21 09:02:30 amnesia kernel: audit: type=1400 audit(1521648150.435:175629028): apparmor="DENIED" operation="open" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=5047 comm="gpg2" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Mar 21 09:02:30 amnesia kernel: audit: type=1400 audit(1521648150.435:175629029): apparmor="DENIED" operation="file_lock" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=5047 comm="gpg2" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
...
Mar 21 09:02:35 amnesia kernel: kauditd_printk_skb: 465143 callbacks suppressed
...
Mar 21 09:02:35 amnesia kernel: audit: type=1400 audit(1521648155.439:176056887): apparmor="DENIED" operation="file_lock" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=5047 comm="gpg2" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
</code>

When I try to sign a key using the Enigmail GUI, I get:

<code class="text">
Mar 21 08:58:45 amnesia kernel: audit: type=1400 audit(1521647925.939:170340275): apparmor="DENIED" operation="open" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=4808 comm="gpg2" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Mar 21 08:58:45 amnesia kernel: audit: type=1400 audit(1521647925.939:170340276): apparmor="DENIED" operation="file_lock" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=4808 comm="gpg2" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
...
Mar 21 08:58:50 amnesia kernel: kauditd_printk_skb: 461227 callbacks suppressed
...
Mar 21 08:58:50 amnesia kernel: audit: type=1400 audit(1521647930.943:170778392): apparmor="DENIED" operation="file_lock" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=4808 comm="gpg2" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
</code>

#14 Updated by blue9 2018-03-21 16:49:51

blue9 wrote:
> …apparmor="DENIED" operation="open" profile="thunderbird" name="/live/persistence/TailsData_unlocked/dotfiles/.config/gtk-3.0/settings.ini"…

OK, that one is clearly my own fault. But the `tofu.db` stuff seems relevant.

#15 Updated by intrigeri 2018-03-22 10:27:59

Thanks blue9!

Can you please test my tentative fix?

  1. Start Tails as usual but set an Administration Password
  2. Apply https://gitlab.com/intrigeri/apparmor-profiles/commit/040d8631aa121888572b6e1cc8ebc1efe048813e to /etc/apparmor.d/usr.bin.thunderbird
  3. Run sudo apparmor_parser -r /etc/apparmor.d/usr.bin.thunderbird
  4. Start Thunderbird
  5. Try to perform the operations you’ve seen fail, monitor the logs, report success/failure and any denial you see in the logs

Thanks!

#16 Updated by intrigeri 2018-03-22 10:28:49

  • Subject changed from Enigmail&Apparmour: Cannot get key from keyserver after finding it to Enigmail & AppArmor: Cannot get key from keyserver after finding it
  • Assignee changed from anonym to intrigeri
  • Feature Branch deleted (web/14680-3.6-release-notes)

#17 Updated by intrigeri 2018-03-22 10:29:00

#18 Updated by intrigeri 2018-03-22 14:23:22

intrigeri wrote:
> Thanks blue9!
>
> Can you please test my tentative fix?

(Once blue9 has confirmed this fix works, I’ll submit it upstream and then will apply it to the Debian packaging of Thunderbird.)

#19 Updated by blue9 2018-03-22 15:13:02

intrigeri wrote:
> Can you please test my tentative fix?

Thanks! That fixed the key import issue. Signing a key via Enigmail still produced the following:

<code class="text">
Mar 22 14:05:27 amnesia audit[11883]: AVC apparmor="DENIED" operation="mknod" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db-journal" pid=11883 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Mar 22 14:05:27 amnesia kernel: audit: type=1400 audit(1521727527.047:40): apparmor="DENIED" operation="mknod" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db-journal" pid=11883 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
</code>

I added the following to /etc/apparmor.d/usr.bin.thunderbird and it cleared up the key signing error:

<code class="text">
owner @{HOME}/.gnupg/tofu.db-journal rkw
</code>

Though, to be clear, I don’t know apparmor from a hole in the ground, so rkw may be overly permissive.
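A small triage script, added here and not part of this ticket, of Tails or of the upstream profile, that turns journal lines like the ones quoted in this thread into candidate AppArmor rules of the kind blue9 added. It unions the `requested_mask` bits per (profile, path), folds the audit log's create bit `c` into the `w` a profile rule actually uses, and counts the `callbacks suppressed` lines so the flood that pegs kauditd is visible. The sample lines, their audit ids and pids, and the `/home/amnesia` home directory are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the audit lines quoted in this ticket.
# Audit ids and pids are placeholders, not copied from any real system.
SAMPLE_LOG = """\
Mar 21 09:02:30 amnesia kernel: audit: type=1400 audit(1521648150.435:1): apparmor="DENIED" operation="open" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=5047 comm="gpg2" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Mar 21 09:02:30 amnesia kernel: audit: type=1400 audit(1521648150.435:2): apparmor="DENIED" operation="file_lock" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=5047 comm="gpg2" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
Mar 21 09:02:35 amnesia kernel: kauditd_printk_skb: 465143 callbacks suppressed
Mar 22 14:05:27 amnesia audit[11883]: AVC apparmor="DENIED" operation="mknod" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db-journal" pid=11883 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

DENIED_RE = re.compile(
    r'apparmor="DENIED".*?profile="(?P<profile>[^"]+)"'
    r'.*?name="(?P<name>[^"]+)".*?requested_mask="(?P<mask>[^"]+)"')
SUPPRESSED_RE = re.compile(r"(\d+) callbacks suppressed")

# Fixed order for printing permission letters in a candidate rule.
PERM_ORDER = "rwalkm"
# The audit log reports 'c' (create) as its own bit; a profile rule covers
# create with 'w', so fold it in when building a candidate rule.
MASK_TO_PERM = {"c": "w"}

def parse_denials(text):
    """Return ([(profile, path, mask), ...], suppressed) from journal text."""
    denials, suppressed = [], 0
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            denials.append((m["profile"], m["name"], m["mask"]))
            continue
        s = SUPPRESSED_RE.search(line)
        if s:  # the kernel dropped audit lines: the real count is higher
            suppressed += int(s.group(1))
    return denials, suppressed

def suggest_rules(denials, home="/home/amnesia"):
    """Union the denied masks per (profile, path) into candidate rules.
    Paths under `home` (an assumed value) are generalised to @{HOME}."""
    perms = defaultdict(set)
    for profile, path, mask in denials:
        if path.startswith(home + "/"):
            path = "@{HOME}" + path[len(home):]
        perms[(profile, path)].update(MASK_TO_PERM.get(c, c) for c in mask)
    return {key: "".join(p for p in PERM_ORDER if p in ps)
            for key, ps in perms.items()}

def format_rule(path, perms):
    # 'owner' limits the rule to files owned by the confined process's uid.
    return f"owner {path} {perms},"

if __name__ == "__main__":
    found, dropped = parse_denials(SAMPLE_LOG)
    print(f"{len(found)} denials parsed, {dropped} more suppressed by the kernel")
    for (profile, path), perms in suggest_rules(found).items():
        # A denial shows only the missing bits: merge with what the profile
        # already grants, re-parse it, and re-test.
        print(f"{profile}: {format_rule(path, perms)}")
```

The output is a starting point, not a finished rule: the log never shows permissions the profile already grants (such as `r` on `tofu.db`), so each candidate is merged with the existing rule, the profile is re-parsed, and the operation is retried until no denial remains.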

#20 Updated by intrigeri 2018-03-22 15:23:40

  • QA Check changed from Info Needed to Dev Needed

> Thanks! That fixed the key import issue. Signing a key via Enigmail still produced the following:
> […]
> I added the following to /etc/apparmor.d/usr.bin.thunderbird and it cleared up the key signing error:

Thanks for testing. I’ll propose something along these lines upstream.

#21 Updated by intrigeri 2018-03-23 05:45:48

intrigeri wrote:
> I’ll propose something along these lines upstream.

Done: https://gitlab.com/apparmor/apparmor-profiles/merge_requests/13. Once it’s merged upstream I’ll apply this change to the copy of the profile that’s in the Debian packaging of Thunderbird and then we’ll get it in Tails whenever we upgrade our Thunderbird package to a version that includes this change.

#22 Updated by intrigeri 2018-03-23 05:46:08

  • QA Check deleted (Dev Needed)
  • Type of work changed from Code to Communicate

#23 Updated by intrigeri 2018-03-28 18:35:43

  • Assignee changed from intrigeri to anonym
  • % Done changed from 30 to 50
  • Type of work changed from Communicate to Wait

Merged upstream, copied to src:thunderbird’s Vcs-Git. This will be fixed in thunderbird >> 52.7.0-1. anonym, it’s likely that you’ll rebase our custom package on top of that one once it’s out, so reassigning to you.

#24 Updated by blue9 2018-03-29 22:34:19

Please let me know if I should create a new issue for this. Thunderbird’s apparmor profile also seems to be shutting down the import of public keys from attachments:

<code class="text">
Mar 29 20:17:12 amnesia kernel: audit: type=1400 audit(1522354632.625:5655774): apparmor="DENIED" operation="mknod" profile="thunderbird//gpg" name="/home/amnesia/.thunderbird/profile.default/tmp/enigmail_import/.#lk0x00...60.amnesia.21310" pid=21310 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
</code>

I added the last four lines of the following to /etc/apparmor.d/usr.bin.thunderbird, and it seems to have cleared things up. (The first four lines were already there.) Lines 5 and 7 were necessary to make key import work. Lines 6 and 8 were monkey-see-monkey-do; they may or may not be necessary.

<code class="text">
    owner /tmp/enigmail_import/.#lk0x[0-9a-f]*  rw,
    owner /tmp/enigmail_import/.#lk0x[0-9a-f]*x rwl,
    owner /tmp/enigmail_import/{keyring,trustdb}.lock rwl,
    owner /tmp/enigmail_import/{keyring,trustdb}{,~,.tmp} rw,
    owner @{HOME}/.{icedove,thunderbird}/*.default/tmp/enigmail_import/.#lk0x[0-9a-f]*  rw,
    owner @{HOME}/.{icedove,thunderbird}/*.default/tmp/enigmail_import/.#lk0x[0-9a-f]*x rwl,
    owner @{HOME}/.{icedove,thunderbird}/*.default/tmp/enigmail_import/{keyring,trustdb}.lock rwl,
    owner @{HOME}/.{icedove,thunderbird}/*.default/tmp/enigmail_import/{keyring,trustdb}{,~,.tmp} rw,
</code>

I verified the bug and tested the above fix with and without persistence.

#25 Updated by intrigeri 2018-04-08 13:55:48

  • blocked by deleted (Feature #13245: Core work 2018Q1: Foundations Team)

#26 Updated by intrigeri 2018-04-08 13:55:51

#27 Updated by intrigeri 2018-04-10 08:53:42

> Please let me know if I should create a new issue for this.

Yes, please.

#28 Updated by intrigeri 2018-04-13 11:48:32

  • QA Check set to Ready for QA

#29 Updated by intrigeri 2018-05-05 14:25:07

  • Target version changed from Tails_3.7 to Tails_3.8

intrigeri wrote:
> Merged upstream, copied to src:thunderbird’s Vcs-Git. This will be fixed in thunderbird >> 52.7.0-1. anonym, it’s likely that you’ll rebase our custom package on top of that one once it’s out, so reassigning to you.

I don’t think we’ll do this upgrade for Tails 3.7.

#30 Updated by blue9 2018-05-18 22:25:59

I now seem to be getting these tofu.db apparmor errors (on Tails 3.6.2 with an unpatched /etc/apparmor.d/usr.bin.thunderbird) even without any of the triggering events. This behaviour may have changed after I upgraded the Enigmail extension, but I can’t be sure. Once Thunderbird has been running for a while, my system freezes with Thunderbird, gpg and kauditd pegged at around 100% CPU.

My journalctl shows a great deal of the following:

<code class="text">
May 18 14:50:20 amnesia kernel: audit: type=1400 audit(1526680220.456:21987627): apparmor="DENIED" operation="file_lock" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=16498 comm="gpg" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
May 18 14:50:25 amnesia kernel: audit_log_start: 244824 callbacks suppressed
May 18 14:50:25 amnesia kernel: audit: audit_backlog=65 > audit_backlog_limit=64
May 18 14:50:25 amnesia kernel: audit: audit_lost=1082335 audit_rate_limit=0 audit_backlog_limit=64
May 18 14:50:25 amnesia kernel: audit: backlog limit exceeded
</code>

I added the six lines mentioned in this thread to /etc/apparmor.d/usr.bin.thunderbird, re-parsed the file and will watch to see how it behaves. (More to the point, I’ll test again after upgrading to 3.7.)

#31 Updated by intrigeri 2018-05-21 13:35:47

  • blocked by Bug #15607: Upgrade to Thunderbird 52.8.0 added

#32 Updated by intrigeri 2018-05-21 13:41:19

  • related to Bug #15610: AppArmor breaks importing public OpenPGP keys from email attachments added

#33 Updated by intrigeri 2018-05-21 13:42:17

  • Assignee changed from anonym to intrigeri

intrigeri wrote:
> > Please let me know if I should create a new issue for this.
>
> Yes, please.

I eventually did it myself: Bug #15610.

Regarding the tofu.db issue I’ll check that it’s fixed once Bug #15607 is done.

#34 Updated by intrigeri 2018-05-25 19:07:36

  • Assignee changed from intrigeri to segfault
  • Type of work changed from Wait to Code

Reviewing this on top of Bug #15607 should not take more than 0.5 hours. No code change as the work was done upstream (and merged as part of Bug #15607), so all you need to do is test & confirm that the bug is fixed.

#35 Updated by segfault 2018-05-27 11:44:25

  • Assignee changed from segfault to intrigeri
  • QA Check changed from Ready for QA to Pass

intrigeri wrote:
> Reviewing this on top of Bug #15607 should not take more than 0.5 hours. No code change as the work was done upstream (and merged as part of Bug #15607), so all you need to do is test & confirm that the bug is fixed.

I was able to successfully import a key from the keyservers and sign it. I also tested importing from an email attachment (Bug #15610) which still fails. I spent 10 minutes.

#36 Updated by intrigeri 2018-05-28 07:18:21

  • Status changed from In Progress to Fix committed

> I was able to successfully import a key from the keyservers and sign it. I also tested importing from an email attachment (Bug #15610) which still fails.

Thanks, merged.

> I spent 10 minutes.

Noted.

#37 Updated by intrigeri 2018-05-28 07:19:00

  • Assignee deleted (intrigeri)
  • % Done changed from 50 to 100

#38 Updated by intrigeri 2018-06-09 15:29:52

  • Target version changed from Tails_3.8 to Tails_3.7.1

#39 Updated by intrigeri 2018-06-10 12:57:20

  • Assignee set to BitingBird

#40 Updated by intrigeri 2018-06-10 12:58:25

  • Assignee deleted (BitingBird)

#41 Updated by intrigeri 2018-06-10 12:59:41

  • Status changed from Fix committed to Resolved