[Pkg-privacy-maintainers] Bug#874383: torbrowser-launcher: AppArmor failures

gregor herrmann gregoa at debian.org
Fri Sep 8 13:04:17 UTC 2017


On Fri, 08 Sep 2017 08:48:41 +0200, intrigeri wrote:

> > Sep 5 18:21:18 jadzia kernel: [848718.105570] audit: type=1400
> > audit(1504628478.309:7268): apparmor="DENIED" operation="mknod"
> > profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox"
> > name="/run/shm/org.chromium.Ob3qhH" pid=19088 comm=57656220436F6E74656E74
> > requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
> > [...]
> > and loading any page just hangs.
> Ouch! On my system (sid, systemd) /run/shm is a symlink to /dev/shm,
> so "owner /dev/shm/org.chromium.* rw," is enough. I suspect that:

Oh, yeah, that makes sense.
 
> Can you please try replacing:
> 
>   owner /dev/shm/org.chromium.* rw,
> 
> with:
> 
>   owner /{dev,run}/shm/org.chromium.* rw,
> 
> … and then `sudo apparmor_parser -r /etc/apparmor.d/torbrowser.Browser.firefox'
> and retry?

Much better.

At startup I get only ALLOWED messages:

Sep  8 14:58:42 jadzia kernel: [978231.420401] audit: type=1400 audit(1504875522.291:7386): apparmor="ALLOWED" operation="exec" profile="/usr/bin/torbrowser-launcher" name="/sbin/ldconfig" pid=29296 comm="torbrowser-laun" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep  8 14:58:42 jadzia kernel: [978231.421179] audit: type=1400 audit(1504875522.292:7387): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/torbrowser-launcher//null-/sbin/ldconfig" name="/sbin/ldconfig" pid=29296 comm="ldconfig" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
Sep  8 14:58:42 jadzia kernel: [978231.421186] audit: type=1400 audit(1504875522.292:7388): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/torbrowser-launcher//null-/sbin/ldconfig" name="/sbin/ldconfig" pid=29296 comm="ldconfig" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep  8 14:58:42 jadzia kernel: [978231.421355] audit: type=1400 audit(1504875522.292:7389): apparmor="ALLOWED" operation="open" profile="/usr/bin/torbrowser-launcher//null-/sbin/ldconfig" name="/etc/ld.so.cache" pid=29296 comm="ldconfig" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep  8 14:58:42 jadzia kernel: [978231.524279] audit: type=1400 audit(1504875522.395:7390): apparmor="ALLOWED" operation="exec" profile="/usr/bin/torbrowser-launcher" name="/usr/bin/gpgconf" pid=29299 comm="torbrowser-laun" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep  8 14:58:42 jadzia kernel: [978231.525244] audit: type=1400 audit(1504875522.396:7391): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/torbrowser-launcher//null-/usr/bin/gpgconf" name="/usr/bin/gpgconf" pid=29299 comm="gpgconf" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
Sep  8 14:58:42 jadzia kernel: [978231.525249] audit: type=1400 audit(1504875522.396:7392): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/torbrowser-launcher//null-/usr/bin/gpgconf" name="/usr/bin/gpgconf" pid=29299 comm="gpgconf" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep  8 14:58:42 jadzia kernel: [978231.525252] audit: type=1400 audit(1504875522.396:7393): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/torbrowser-launcher//null-/usr/bin/gpgconf" name="/lib/x86_64-linux-gnu/ld-2.24.so" pid=29299 comm="gpgconf" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
Sep  8 14:58:42 jadzia kernel: [978231.525254] audit: type=1400 audit(1504875522.396:7394): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/torbrowser-launcher//null-/usr/bin/gpgconf" name="/lib/x86_64-linux-gnu/ld-2.24.so" pid=29299 comm="gpgconf" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep  8 14:58:42 jadzia kernel: [978231.525329] audit: type=1400 audit(1504875522.396:7395): apparmor="ALLOWED" operation="open" profile="/usr/bin/torbrowser-launcher//null-/usr/bin/gpgconf" name="/etc/ld.so.preload" pid=29299 comm="gpgconf" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

After the tor circuit is established, and when the GUI appears
there's one DENIED:

Sep  8 14:58:48 jadzia kernel: [978237.358518] kauditd_printk_skb: 71 callbacks suppressed
Sep  8 14:58:48 jadzia kernel: [978237.358526] audit: type=1400 audit(1504875528.229:7467): apparmor="DENIED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/proc/29486/fd/" pid=29486 comm="Gecko_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

(PID 29486 is
/home/gregoa/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/plugin-container
But I can still interact with the plugins.)

After that I can enter a URL and go there without any further
messages or any visible problems in the browser.
 
> If that works better for you, then I'll submit a pull request upstream
> about this (and will ask my team-mates who actively maintain
> torbrowser-launcher to consider applying the patch in Debian without
> waiting for a new upstream release).

Sounds good, thanks!


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Madonna: Like A Virgin
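As an added example (not part of this thread, nor code from torbrowser-launcher or its AppArmor profile), here is a small Python triage script for audit lines like the ones above: it decodes the hex-encoded comm field (comm=57656220436F6E74656E74 is "Web Content"), separates enforce-mode DENIED events from complain-mode ALLOWED ones, and checks whether the path glob of a proposed rule such as "owner /{dev,run}/shm/org.chromium.* rw," would cover a denied name. The sample lines are constructed from those quoted in this message, and the glob translation handles only the common AppArmor path operators; permission bits are not compared.

```python
import re
# Constructed sample modelled on the audit lines quoted in the thread: the original
# DENIED mknod, one complain-mode ALLOWED line, and the DENIED seen after the fix.
SAMPLE_LOG = """\
Sep 5 18:21:18 jadzia kernel: [848718.105570] audit: type=1400 audit(1504628478.309:7268): apparmor="DENIED" operation="mknod" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/run/shm/org.chromium.Ob3qhH" pid=19088 comm=57656220436F6E74656E74 requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Sep 8 14:58:42 jadzia kernel: [978231.420401] audit: type=1400 audit(1504875522.291:7386): apparmor="ALLOWED" operation="exec" profile="/usr/bin/torbrowser-launcher" name="/sbin/ldconfig" pid=29296 comm="torbrowser-laun" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep 8 14:58:48 jadzia kernel: [978237.358526] audit: type=1400 audit(1504875528.229:7467): apparmor="DENIED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/proc/29486/fd/" pid=29486 comm="Gecko_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit line, or None for other lines."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        # The kernel hex-encodes comm/name containing spaces or odd bytes; decode them back.
        if bare is not None and key in ('comm', 'name') and re.fullmatch(r'(?:[0-9A-F]{2})+', bare):
            bare = bytes.fromhex(bare).decode('utf-8', 'replace')
        fields[key] = quoted if bare is None else bare
    return fields

def apparmor_glob_to_regex(rule_path):
    """Translate AppArmor path globbing ({a,b}, *, **, ?) into an anchored regex."""
    out, depth, i = [], 0, 0
    while i < len(rule_path):
        c = rule_path[i]
        if rule_path.startswith('**', i):          # ** crosses directory boundaries
            out.append('.*'); i += 2; continue
        depth += (c == '{') - (c == '}')           # commas are alternation only inside {}
        if c == ',' and depth > 0:
            out.append('|')
        else:
            out.append({'*': '[^/]*', '?': '[^/]', '{': '(?:', '}': ')'}.get(c, re.escape(c)))
        i += 1
    return re.compile(''.join(out) + r'\Z')

def rule_covers(rule_path, name):
    """True if a rule's path glob matches a denied name (permission bits are not compared)."""
    return apparmor_glob_to_regex(rule_path).match(name) is not None

def triage(log, rules):
    """Split events into DENIED ones no rule covers and complain-mode ALLOWED ones."""
    uncovered, complain = [], []
    for ev in filter(None, map(parse_audit_line, log.splitlines())):
        if ev['apparmor'] == 'ALLOWED':            # complain mode: logged, not blocked
            complain.append((ev['profile'], ev['operation'], ev['name']))
        elif not any(rule_covers(r, ev['name']) for r in rules):
            uncovered.append((ev['operation'], ev['name'], ev['comm']))
    return uncovered, complain
```

Feed it `journalctl -k` or /var/log/kern.log output and the path globs from the profile under test; whatever ends up in the uncovered list is what still needs a rule after the {dev,run} change.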