[Pkg-privacy-maintainers] Bug#944218: torbrowser-launcher: Cannot start Tor Browser after first update from esr68: updater not allowed by apparmor policy

Eloi entfe001 at gmail.com
Wed Nov 6 08:06:51 GMT 2019


Package: torbrowser-launcher
Version: 0.3.2-2~bpo10+1
Severity: important

Dear Maintainer,

Once Tor Browser has updated itself to Firefox ESR 68, the next update will
fail with an AppArmor DENIED error for the updater executable.

Please note that this *does not* happen on update from previous ESR, but
once the latest ESR is installed and a new update is ready for install.

My guess, from a quick glance at the AppArmor profile, is that the updater
executable helper has been moved to a new position, just at the same place
where the main executable resides instead of some subdirectory.

With that guess I modified the AppArmor local profile which is attached
to this bug report, which also includes a local fix as suggested on bug
#942901.

Please note that my knowledge of both AppArmor and Firefox internals is
very limited and my change, while allowing Tor Browser to update itself
and then run again, may not be the right solution wrt security.


-- System Information:
Debian Release: 10.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=ca_ES.UTF-8, LC_CTYPE=ca_ES.UTF-8 (charmap=UTF-8),
LANGUAGE=ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages torbrowser-launcher depends on:
ii  ca-certificates   20190110
ii  libdbus-glib-1-2  0.110-4
ii  python3           3.7.3-1
ii  python3-gpg       1.12.0-6
ii  python3-pyqt5     5.11.3+dfsg-1+b3
ii  python3-requests  2.21.0-1
ii  python3-socks     1.6.8+dfsg-1

Versions of packages torbrowser-launcher recommends:
ii  tor  0.3.5.8-1

Versions of packages torbrowser-launcher suggests:
ii  apparmor  2.13.2-10

-- Configuration Files:
/etc/apparmor.d/local/torbrowser.Browser.firefox changed:
owner /{dev,run}/shm/org.mozilla.*.* rw,
owner @{torbrowser_home_dir}/updater ix,


-- no debconf information
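
Added example, not part of the original report: a small Python parser that pulls AppArmor DENIED records out of kernel audit lines and isolates the denied exec of the updater, so the moved-helper guess can be checked against the exact path and mask before a rule is added to the local profile. The log lines, the profile name `torbrowser_firefox`, the paths and the PIDs are constructed sample data.

```python
import re

# Constructed sample lines in the kernel audit format used by AppArmor.
# Profile name, paths, PIDs and timestamps are made up for illustration.
SAMPLE_LOG = """\
audit: type=1400 audit(1573027611.101:45): apparmor="DENIED" operation="exec" profile="torbrowser_firefox" name="/home/user/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/updater" pid=4242 comm="firefox.real" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
audit: type=1400 audit(1573027611.300:46): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/dev/shm/org.mozilla.ipc.4242.1" pid=4242 comm="firefox.real" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
audit: type=1400 audit(1573027612.000:47): apparmor="ALLOWED" operation="open" profile="other" name="/etc/hosts" pid=1 comm="x" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(log_text):
    """Return one dict of fields per apparmor="DENIED" record."""
    denials = []
    for line in log_text.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            denials.append(fields)
    return denials


def exec_denials(denials, basename="updater"):
    """Keep only denied execute attempts on a file with this basename."""
    return [
        d for d in denials
        if "x" in d.get("denied_mask", "")
        and d.get("name", "").rsplit("/", 1)[-1] == basename
    ]


def summarize(denials):
    """Reduce records to (profile, operation, path, denied_mask) tuples."""
    return [
        (d.get("profile"), d.get("operation"), d.get("name"), d.get("denied_mask"))
        for d in denials
    ]


if __name__ == "__main__":
    for row in summarize(exec_denials(parse_denials(SAMPLE_LOG))):
        print(*row, sep="\t")
```

The denied path and mask reported here are what a rule in `/etc/apparmor.d/local/torbrowser.Browser.firefox` has to cover; with `ix`, as in the local change above, the updater inherits the browser's profile rather than running unconfined.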