[Pkg-privacy-maintainers] Bug#976461: torbrowser-launcher: fails to launch, apparmor=DENIED (incomplete fix for #908068?)

Andrew Gallagher andrewg at andrewg.com
Sat Dec 5 12:01:17 GMT 2020 

Package: torbrowser-launcher
Version: 0.3.3-2
Severity: important

Dear Maintainer,

I updated torbrowser-launcher from 0.2.9-1~bpo9+1 to 0.3.2-14~bpo10+1. This has rendered 
torbrowser-launcher unusable. When invoking, the following error appears in syslog:

```
Dec  5 11:24:37 whippet kernel: [7222867.725534] audit: type=1400 audit(1607167477.149:61): apparmor="DENIED" operation="exec" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/usr/bin/dirname" pid=6594 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
```

This appears to be either a regression to, or an incomplete fix for #908068. I noticed that the apparmor 
profile for torbrowser has been overridden, and the timestamp is the same as that of the upgrade:

```
andrewg at whippet:~$ ls -al /etc/apparmor.d/local/*tor*
-rw-r--r-- 1 root root 117 Jan  5  2015 /etc/apparmor.d/local/system_tor
-rw-r--r-- 1 root root   0 Nov  6 16:55 /etc/apparmor.d/local/torbrowser.Browser.firefox
-rw-r--r-- 1 root root 134 Jan 28  2018 /etc/apparmor.d/local/torbrowser.Browser.firefox.dpkg-dist
-rw-r--r-- 1 root root 135 Jan  5  2015 /etc/apparmor.d/local/torbrowser.start-tor-browser
-rw-r--r-- 1 root root   0 Nov  6 16:55 /etc/apparmor.d/local/torbrowser.Tor.tor
-rw-r--r-- 1 root root 125 Jan  5  2015 /etc/apparmor.d/local/torbrowser.Tor.tor.dpkg-old
-rw-r--r-- 1 root root 134 Jan  5  2015 /etc/apparmor.d/local/usr.bin.torbrowser-launcher
andrewg at whippet:~$ zgrep torbrowser /var/log/dpkg.log.1
2020-11-06 16:55:17 upgrade torbrowser-launcher:amd64 0.2.9-1~bpo9+1 0.3.2-14~bpo10+1
2020-11-06 16:55:17 status half-configured torbrowser-launcher:amd64 0.2.9-1~bpo9+1
2020-11-06 16:55:17 status unpacked torbrowser-launcher:amd64 0.2.9-1~bpo9+1
2020-11-06 16:55:17 status half-installed torbrowser-launcher:amd64 0.2.9-1~bpo9+1
2020-11-06 16:55:19 status unpacked torbrowser-launcher:amd64 0.3.2-14~bpo10+1
2020-11-06 16:55:42 configure torbrowser-launcher:amd64 0.3.2-14~bpo10+1 <none>
2020-11-06 16:55:42 status unpacked torbrowser-launcher:amd64 0.3.2-14~bpo10+1
2020-11-06 16:55:42 status half-configured torbrowser-launcher:amd64 0.3.2-14~bpo10+1
2020-11-06 16:55:43 status installed torbrowser-launcher:amd64 0.3.2-14~bpo10+1
```

It would appear that this change resulted from a failed attempt by apt to update the apparmor config 
for torbrowser-launcher. Further upgrading from stable to testing (0.3.3-2) did not resolve the issue. 
Moving the dpkg-old and/or dpkg-dist files over the zero-length originals did not help either. Purging 
and reinstalling torbrowser-launcher from buster-backports (0.3.2-14~bpo10+1) brought back fresh copies 
of the zero-length apparmor files and the problem persisted:

```
andrewg at whippet:~$ ls -al /etc/apparmor.d/local/*tor*
-rw-r--r-- 1 root root 117 Jan  5  2015 /etc/apparmor.d/local/system_tor
-rw-r--r-- 1 root root   0 Dec  5 11:48 /etc/apparmor.d/local/torbrowser.Browser.firefox
-rw-r--r-- 1 root root 135 Jan  5  2015 /etc/apparmor.d/local/torbrowser.start-tor-browser
-rw-r--r-- 1 root root   0 Dec  5 11:48 /etc/apparmor.d/local/torbrowser.Tor.tor
-rw-r--r-- 1 root root 134 Jan  5  2015 /etc/apparmor.d/local/usr.bin.torbrowser-launcher
```

Comparing with a working torbrowser-launcher on another machine, I see that two of the nonzero-size files
are not present:

```
andrewg at fred:~$ ls -al /etc/apparmor.d/local/*tor*
-rw-r--r-- 1 root root 117 Nov 12  2018 /etc/apparmor.d/local/system_tor
-rw-r--r-- 1 root root   0 Jan  8  2019 /etc/apparmor.d/local/torbrowser.Browser.firefox
-rw-r--r-- 1 root root   0 Jan  8  2019 /etc/apparmor.d/local/torbrowser.Browser.plugin-container
-rw-r--r-- 1 root root   0 Jan  8  2019 /etc/apparmor.d/local/torbrowser.Tor.tor
```

And yet removing both usr.bin.torbrowser-launcher and torbrowser.start-tor-browser from the offending 
machine has made no difference.

At this point I am out of ideas.

Andrew.

-- System Information:
Debian Release: 10.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'oldoldstable'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-10-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages torbrowser-launcher depends on:
ii  ca-certificates    20200601~deb10u1
ii  gnupg              2.2.12-1+deb10u1
ii  libdbus-glib-1-2   0.110-4
ii  python3            3.7.3-1
ii  python3-gpg        1.12.0-6
ii  python3-packaging  20.4-1
ii  python3-pyqt5      5.11.3+dfsg-1+b3
ii  python3-requests   2.21.0-1
ii  python3-socks      1.6.8+dfsg-1

Versions of packages torbrowser-launcher recommends:
ii  tor  0.3.5.10-1

Versions of packages torbrowser-launcher suggests:
ii  apparmor  2.13.2-10

-- Configuration Files:
/etc/apparmor.d/local/torbrowser.Browser.firefox changed:

/etc/apparmor.d/local/torbrowser.Tor.tor changed:


-- no debconf information

More information about the Pkg-privacy-maintainers mailing list