Bug #17404: DENIED entries for profile="thunderbird//gpg" in Tails 4.2

Bug #17404

DENIED entries for profile="thunderbird//gpg" in Tails 4.2

Added by CyrilBrulebois 2020-01-07 18:48:54 . Updated 2020-01-08 22:01:30 .

Status:

Duplicate

Priority:

Normal

Assignee:

Category:

Target version:

Tails_4.3

Start date:

Due date:

% Done:

Feature Branch:

Type of work:

Code

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

Noticed by nodens during the test session for the Tails 4.2 release, I’m forwarding the findings verbatim:

Test:

* Check that all seems well during init: (automate: [[!tails_ticket 10277]])
  - `systemctl --failed --all` should say `0 loaded units listed`
  - the output of `sudo journalctl` should seem OK.

Findings:

Init looks fine. Lots of apparmor deny for thunderbird//gpg profile, though:

Jan 07 10:25:39 amnesia audit[8243]: AVC apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/dev/shm/org.chromium.1PupJ4" pid=8243 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 07 10:25:39 amnesia audit[8243]: AVC apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/dev/shm/org.chromium.t6bJRI" pid=8243 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 07 10:25:39 amnesia audit[8243]: AVC apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/dev/shm/org.chromium.oXu5Zm" pid=8243 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 07 10:25:39 amnesia audit[8243]: AVC apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/dev/shm/org.chromium.SAXu80" pid=8243 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 07 10:25:39 amnesia audit[8243]: AVC apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/dev/shm/org.chromium.9Wl1gF" pid=8243 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 07 10:25:39 amnesia audit[8243]: AVC apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/dev/shm/org.chromium.njBCrj" pid=8243 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 07 10:25:39 amnesia audit[8243]: AVC apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name=2F686F6D652F616D6E657369612F2E7468756E646572626972642F70726F66696C652E64656661756C742F4D61696C2F4C6F63616C20466F6C646572732F66696C7465726C6F672E68746D6C pid=8243 comm="gpg" requested_mask="a" denied_mask="a" fsuid=1000 ouid=1000
Jan 07 10:25:39 amnesia audit[8243]: AVC apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/home/amnesia/.thunderbird/profile.default/ImapMail/imap.riseup-1.net/filterlog.html" pid=8243 comm="gpg" requested_mask="a" denied_mask="a" fsuid=1000 ouid=1000
Jan 07 10:25:39 amnesia audit[8243]: AVC apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/dev/shm/org.chromium.YcoNgm" pid=8243 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Note: encrypting, decrypting, signing, verifying, importing keys work with thunderbird/enigmail, so I don’t think it’s a big issue, but it clutters the log.

Subtasks

Related issues

Is duplicate of Tails - Bug #17390: Silence AppArmor false positive denials: Thunderbird, Tor Browser

Confirmed

History

#1 Updated by intrigeri 2020-01-08 21:59:03

is duplicate of Bug #17390: Silence AppArmor false positive denials: Thunderbird, Tor Browser added

#2 Updated by intrigeri 2020-01-08 22:01:30

Status changed from Confirmed to Duplicate

> Note: encrypting, decrypting, signing, verifying, importing keys work with thunderbird/enigmail, so I don’t think it’s a big issue, but it clutters the log.

Agreed! This matches the reasons for fixing sort of things, that that I mentioned on Bug #17390. I’m merging these tickets as the overhead to handle these separately feels too big.