mailto from evince broken for thunderbird

Bug #648900 reported by Jamie Strandboge on 2010-09-27
This bug affects 2 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Jamie Strandboge
Jamie Strandboge
Jamie Strandboge

Bug Description

SRU Justification

1. impact of the bug is low for stable releases, but the fix is non-intrusive. It is included here as part of the 2.5.1 update for Lucid (LP: #660077)

2. This has been addressed during the maverick development cycle.

3. Patch adjusts the path for thunderbird in abstractions/ubuntu-email

* $ sudo apt-get install thunderbird
* Configure thunderbird as the preferred mail reader in System/Preferences/Preferred Applications
* open the attached PDF in evince and click on the mailto link

5. The regression potential is very low for this patch as it only adds additional access to launch thunderbird.

Binary package hint: apparmor

Recent thunderbird uploads changed the method in which thunderbird is invoked on the system, which breaks mailto links from Evince.

On lucid (via kern.log):
[ 112.195049] type=1503 audit(1285594428.701:15): operation="exec" pid=1504 parent=1 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/lib/thunderbird-3.0.8/"

On maverick (via audit.log):
type=AVC msg=audit(1285595037.768:31): apparmor="DENIED" operation="exec" parent=6519 profile="/usr/bin/evince" name="/usr/lib/thunderbird-3.1.4/" pid=6520 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Related branches

Changed in apparmor (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu Maverick):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
summary: - mailto broken for thunderbird
+ mailto from evince broken for thunderbird
Changed in apparmor (Ubuntu Maverick):
milestone: none → ubuntu-10.10
description: updated
Changed in apparmor (Ubuntu Maverick):
status: Triaged → In Progress
Changed in apparmor (Ubuntu Lucid):
status: Triaged → In Progress
milestone: none → lucid-updates
Changed in apparmor (Ubuntu Maverick):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1~rc1-0ubuntu2

apparmor (2.5.1~rc1-0ubuntu2) maverick; urgency=low

  * abstractions/ubuntu-email: adjustment for ever-changing thunderbird path
    (LP: #648900)
 -- Jamie Strandboge <email address hidden> Mon, 27 Sep 2010 09:00:06 -0500

Changed in apparmor (Ubuntu Maverick):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

1. The evince AppArmor profile is enabled in the default install of Ubuntu. Thunderbird users clicking on a mailto: link in a PDF are presented with an error message stating that thunderbird can not be opened. Under some circumstances, this seems to work ok, but setting the mailto: application System/Preferences/Preferred Applications via will trigger the bug. Also, I'm told by the mozilla team that the thunderbird3 path needs to be added for the pending 3.0 - 3.1 migration.

2. The following is now being used in /etc/apparmor.d/abstractions/ubuntu-email in the development release of apparmor (2.5.1~rc1-0ubuntu2):
  /usr/lib/thunderbird-3*/thunderbird{,.sh} PUx,

This line is what should be added to Lucid.

3. attached is the proposed patch

a) install thunderbid with 'sudo apt-get install thunderbird'
b) go to System/Preferences/Preferred Applications and select Thunderbird as the mail reader
c) open the attached test_hyperlink.pdf (from lp:qa-regression-testing) and click on the email hyperlink

5. The regression potential is considered minimal since only more access is being allowed in the ubuntu-email abstraction.

Jamie Strandboge (jdstrand) wrote :
Jamie Strandboge (jdstrand) wrote :

Uploaded 2.5-0ubuntu3.1 to lucid-proposed.

description: updated

Accepted apparmor into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See for documentation how to enable and use -proposed. Thank you in advance!

Changed in apparmor (Ubuntu Lucid):
status: In Progress → Fix Committed
tags: added: verification-needed
Jamie Strandboge (jdstrand) wrote :

Upgraded to 2.5.1-0ubuntu0.10.04.1 in lucid-proposed and this issue is resolved.

Martin Pitt (pitti) on 2010-12-14
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :
Download full text (10.1 KiB)

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.1

apparmor (2.5.1-0ubuntu0.10.04.1) lucid-proposed; urgency=low

  * Backport 2.5.1-0ubuntu0.10.10.1 from maverick for userspace tools to work
    with newer kernels (LP: #660077)
    NOTE: user-tmp now uses 'owner' match, so non-default profiles will have
    to be adjusted when 2 separately confined applications that both use the
    user-tmp abstraction depend on being able to cooperatively share files
    with each other in /tmp or /var/tmp.
  * remove the following patches (features not appropriate for SRU):
    - 0002-add-chromium-browser.patch
    - 0003-local-includes.patch
    - 0004-ubuntu-abstractions-updates.patch
  * debian/rules (this makes it the same as what was shipped in 10.04 LTS
    - don't ship aa-update-browser and its man page (requires
    - don't ship apparmor.d/local/ (requires 0003-local-includes.patch)
    - don't use dh_apparmor (not in Ubuntu 10.04 LTS)
    - don't ship chromium profile
  * remove debian/profiles/chromium-browser
  * remove debian/aa-update-browser*
  * debian/apparmor-profiles.postinst: revert to that in lucid release
    (requires dh_apparmor and 0002-add-chromium-browser.patch)
  * remove debian/apparmor-profiles.postrm: doesn't make sense without
  * debian/control:
    - revert Build-Depends on debhelper (>= 5)
    - revert Standards-Version to 3.8.4
    - revert Vcs-Bzr
    - use Conflicts/Replaces version that was in Ubuntu 10.04 LTS
  * debian/patches/0011-lucid-compat-dbus.patch: move /var/lib/dbus/machine-id
    back into dbus, since profiles on 10.04 LTS expect it there
  * debian/patches/0012-lucid-compat-kde.patch: add kde4-config to kde
    abstraction, since the firefox profile on Ubuntu 10.04 LTS expects it to
    be there

apparmor (2.5.1-0ubuntu0.10.10.2) maverick-proposed; urgency=low

  * New upstream release (LP: #660077)
    - The following patches were refreshed:
      + 0001-fix-release.patch
      + 0003-local-includes.patch
      + 0004-ubuntu-abstractions-updates.patch
      + 0008-lp648900.patch: renamed as 0005-lp648900.patch
    - The following patches were dropped (included upstream):
      + 0005-lp601583.patch
      + 0006-network-interface-enumeration.patch
      + 0007-gnome-updates.patch
  * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
    of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
  * debian/patches/0007-honor-cflags.patch: have the parser makefile honor
    CFLAGS environment variable. Brings back missing symbols for the retracer
  * debian/patches/0008-lp652674.patch: fix warnings for messages without
    denied or requested masks (LP: #652674)
  * debian/apparmor.init: fix path to aa-status (LP: #654841)
  * debian/apport/ apport hook should use
    root_command_hook() for running apparmor_status (LP: #655529)
  * debian/apport/ use ProcKernelCmdline and don't clobber
    cmdline details (LP: #657091)
  * debian/{rules,control}: move apache2 abstractions into the base package
    so we can put ...

Changed in apparmor (Ubuntu Lucid):
status: Fix Committed → Fix Released
tags: added: testcase
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers