5

I am using gpg2 and awk jointly with msmtp to send emails in emacs. This is the relevant portion of my .msmtprc file

account gmail
host smtp.gmail.com
from myusername@gmail.com
auth on
port 465
user myusername@gmail.com
passwordeval gpg2 -q --for-your-eyes-only --no-tty -d ~/.authinfo.gpg | awk '/machine smtp.gmail.com login myusername@gmail.com/ {print $NF}'

and this is what my .authinfo.gpg file looks like

machine smtp.gmail.com login myusername@gmail.com port 465 password myverysecretpassword
machine imap.gmail.com login myusername@gmail.com port 993 password myverysecretpassword

For some reason the command in the above passwordeval field runs fine in the terminal, i.e. it outputs the password, but when I run it with msmtp

echo -e "Subject: Test Mail\r\n\r\nThis is a test mail" |msmtp --debug --from=default -t myusername@gmail.com

awk returns a permission error.

loaded user configuration file /home/myusername/.msmtprc
falling back to default account
sh: 1: awk: Permission denied
msmtp: cannot read output of 'gpg2 -q --for-your-eyes-only --no-tty -d ~/.authinfo.gpg | awk '/machine smtp.gmail.com login myusername@gmail.com/ {print $NF}''

I'm completely at a loss as to what might be wrong here. This issue appeared after an OS upgrade. I have run chmod 600 on the .msmtprc file as well. Any help is greatly appreciated.

Other info

  • I've tried to use plain password temporarily and it works
  • I've tried to give 777 permissions to .msmtprc temporarily and it didn't work
  • I've tried to reinstall msmtp and it didn't work
  • I've tried to use sed instead of awk and I get an identical permission error (for sed).
  • This other post might be related? It sort of suggests that the .msmtprc owner might be relevant. In my case I am the owner of the file.

Versions used

GNU Awk 5.0.1, API: 2.0 (GNU MPFR 4.0.2, GNU MP 6.2.0) Copyright (C) 1989, 1991-2019 Free Software Foundation.

gpg (GnuPG) 2.2.19 libgcrypt 1.8.5 Copyright (C) 2019 Free Software Foundation, Inc.

msmtp version 1.8.6 Platform: x86_64-pc-linux-gnu TLS/SSL library: GnuTLS

Ajned
  • Are you running as root? Those permissions only give access to root. – samthegolden Jul 10 '20 at 17:33
  • According to this https://vigasdeep.com/2014/05/06/installing-and-configuring-msmtp/ chmod 600 should be sufficient. I never had to use sudo in the past (before the OS upgrade) – Ajned Jul 10 '20 at 18:00
  • @samthegolden actually, I've looked at the file permissions of msmtp and it has the setgid (s) permission, which means that anyone should be able to run it as root? `-rwxr-sr-x 1 root msmtp 130728 Oct 11 2019 /usr/bin/msmtp` – Ajned Jul 11 '20 at 14:04

2 Answers

8

Thanks to advice from marlam I found out that this issue is due to an overly restrictive AppArmor profile for msmtp. I am led to assume that my new OS version is more stringent with regard to usage of msmtp (good thing I guess). Unfortunately this often happens on Debian and Ubuntu and it confuses many users. The commands I've used to solve it are:

sudo ln -s /etc/apparmor.d/usr.bin.msmtp /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.msmtp 
Ajned
0

Removing the AppArmor protection is one solution. Augmenting the AppArmor profile to include awk is a better solution.

In /etc/apparmor.d/usr.bin.msmtp add the following line:

*** usr.bin.msmtp.old   2022-01-13 08:22:33.301883304 +0100
--- usr.bin.msmtp       2022-01-13 08:23:41.550280850 +0100
***************
*** 50,55 ****
--- 50,57 ----
      /tmp/            rw,
      owner /tmp/*     rw,
  
+     /usr/bin/awk         PUx,
      /usr/bin/secret-tool PUx,
      /usr/bin/gpg{,2}     PUx,
      /usr/bin/pass        PUx,
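Review bot: the added `/usr/bin/awk         PUx,` line uses `PUx`, which runs awk under its own profile if one is loaded and otherwise unconfined (with a scrubbed environment); since awk can start other programs, anything run through it leaves the helpers profile. This matches the neighbouring `gpg{,2}` and `pass` rules, but for a filter that only reads stdin it is worth testing whether a mode that keeps awk inside helpers is sufficient. Also check the path: AppArmor matches the resolved binary, so where `/usr/bin/awk` is a symlink the rule has to name the target that appears as `name=` in the denial log line.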

so that the helpers section looks like this:

  # secret helpers
  /{,usr/}bin/bash Cx -> helpers,
  /{,usr/}bin/dash Cx -> helpers,
  profile helpers {
    #include <abstractions/base>
    /{,usr/}bin/bash mr,
    /{,usr/}bin/dash mr,
    /tmp/            rw,
    owner /tmp/*     rw,

    /usr/bin/awk         PUx,
    /usr/bin/secret-tool PUx,
    /usr/bin/gpg{,2}     PUx,
    /usr/bin/pass        PUx,
    /usr/bin/head        PUx,
    /usr/bin/keyring     PUx,
    /{,usr/}bin/cat      PUx,
  }

Afterwards run

# Mind the small r (reload), do not use capital R (remove)
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.msmtp 
Jens
  • Is this factually incorrect? Then please fix/comment this, I don’t understand the down vote. – Jens Jan 16 '22 at 21:38
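Added example (not part of either answer or of the msmtp package): a shell filter that pulls AppArmor exec denials for msmtp profiles out of kernel log lines, to confirm that AppArmor is the cause and to see which resolved binary path the profile would have to allow. The log lines in `sample_log`, the profile name `/usr/bin/msmtp//helpers` and both function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original posts.

# Constructed kernel log lines (host, pids, timestamps and profile names invented).
sample_log() {
cat <<'EOF'
Jul 10 17:29:50 host kernel: audit: type=1400 audit(1594402190.001:200): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/msmtp" pid=900 comm="apparmor_parser"
Jul 10 17:30:01 host kernel: audit: type=1400 audit(1594402201.101:201): apparmor="DENIED" operation="exec" profile="/usr/bin/msmtp//helpers" name="/usr/bin/gawk" pid=4101 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jul 10 17:31:12 host kernel: audit: type=1400 audit(1594402272.202:202): apparmor="DENIED" operation="exec" profile="/usr/bin/msmtp//helpers" name="/usr/bin/gawk" pid=4150 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jul 10 17:32:40 host kernel: audit: type=1400 audit(1594402360.303:203): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=4200 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 10 17:33:05 host kernel: audit: type=1400 audit(1594402385.404:204): apparmor="DENIED" operation="exec" profile="/usr/bin/msmtp//helpers" name="/usr/bin/sed" pid=4230 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
EOF
}

# Read log lines on stdin and print "profile -> binary" once for every
# program AppArmor refused to execute under a profile whose name contains msmtp.
msmtp_denied_execs() {
    grep 'apparmor="DENIED"' |
    grep 'operation="exec"' |
    sed -n 's/.* profile="\([^"]*msmtp[^"]*\)".* name="\([^"]*\)".*/\1 -> \2/p' |
    sort -u
}

# Stand-alone run on the constructed sample.
sample_log | msmtp_denied_execs
```

On a live system, pipe `journalctl -k` or `dmesg` output into `msmtp_denied_execs` instead of the sample.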