[Pkg-privacy-maintainers] Bug#874383: torbrowser-launcher: AppArmor failures

intrigeri intrigeri at debian.org
Sat Sep 9 17:42:42 UTC 2017


Control: tag -1 - moreinfo
Control: tag -1 + patch
Control: forwarded -1 https://github.com/micahflee/torbrowser-launcher/pull/280

Hi gregor,

gregor herrmann:
> On Fri, 08 Sep 2017 08:48:41 +0200, intrigeri wrote:
>> Can you please try replacing:
>> 
>>   owner /dev/shm/org.chromium.* rw,
>> 
>> with:
>> 
>>   owner /{dev,run}/shm/org.chromium.* rw,
>> 
>> … and then `sudo apparmor_parser -r /etc/apparmor.d/torbrowser.Browser.firefox`
>> and retry?

> Much better.

Great!

> At startup I get only ALLOWED messages: […]

All these messages are about another profile
(/etc/apparmor.d/usr.bin.torbrowser-launcher), that has been shipped in
complain mode for 2 years since it's broken and unmaintained.
I wanted to wait a bit in the hope that someone gives it some more
care, but this did not happen, so I think I'll suggest to upstream that
they simply drop it at some point.

> After the tor circuit is established, and when the GUI appears
> there's one DENIED:

> Sep 8 14:58:48 jadzia kernel: [978237.358526] audit: type=1400
> audit(1504875528.229:7467): apparmor="DENIED" operation="open"
> profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox"
> name="/proc/29486/fd/" pid=29486 comm="Gecko_IOThread" requested_mask="r"
> denied_mask="r" fsuid=1000 ouid=1000

> (PID 29486 is
> /home/gregoa/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/plugin-container
> But I can still interact with the plugins.)

Interesting. FYI "plugin-container" has actually little to do with
plugins, it is a content rendering process:
https://developer.mozilla.org/en-US/Firefox/Multiprocess_Firefox
https://wiki.mozilla.org/Electrolysis

I can't reproduce this on my system with
https://github.com/micahflee/torbrowser-launcher/pull/280 applied, so
I'll assume that some change I made there fixed this problem already.
Given this doesn't seem to cause any problem except noise in logs in
current sid, I'll ignore it and will focus on getting that pull
request merged upstream instead.

> After that I can enter a URL and go there without any further
> messages or any visible problems in the browser.

Excellent! Thanks for the excellent bug report and follow-up :)

>> If that works better for you, then I'll submit a pull request upstream
>> about this

Done: https://github.com/micahflee/torbrowser-launcher/pull/280/commits/72d385fb95f85fa7e6d1c2a8b7102b73f61c8e80

>> (and will ask my team-mates who actively maintain
>> torbrowser-launcher to consider applying the patch in Debian without
>> waiting for a new upstream release).

Roger, what about applying this change in the Debian packaging
for now? Note that my commit is on top of a branch that modifies these
profiles a lot, so it might be easier to simply patch the profile
shipped in 0.2.8-1 with the trivial change gregor has tested.

Cheers,
-- 
intrigeri
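
Added example, not part of the original message or of the torbrowser-launcher project: a Python triage helper that parses AppArmor audit events, skips ALLOWED (complain-mode) noise, and lists the DENIED paths that a candidate profile rule would still not cover. The glob translation is a simplified approximation of AppArmor path matching; the function names are hypothetical and the second and third sample events are constructed.

```python
import re

FIREFOX = ('profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}'
           '/tor-browser_*/Browser/firefox"')
SAMPLE = [
    # The DENIED event quoted in the message, re-joined (syslog prefix dropped).
    'audit: type=1400 audit(1504875528.229:7467): apparmor="DENIED" '
    'operation="open" ' + FIREFOX + ' name="/proc/29486/fd/" pid=29486 '
    'comm="Gecko_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    # Constructed: a shared-memory path outside /dev/shm.
    'audit: type=1400 audit(0.0:1): apparmor="DENIED" operation="open" '
    + FIREFOX + ' name="/run/shm/org.chromium.AbCdEf" requested_mask="rw"',
    # Constructed: noise from a profile running in complain mode.
    'audit: type=1400 audit(0.0:2): apparmor="ALLOWED" operation="open" '
    'profile="/usr/bin/torbrowser-launcher" name="/tmp/constructed" requested_mask="r"',
]

WILD = {"**": ".*", "*": "[^/]*", "?": "[^/]"}   # only ** may cross '/'
BRACE = {"{": "(?:", ",": "|", "}": ")"}         # {a,b} alternation

def aa_glob_to_regex(glob):
    """Translate a simplified AppArmor path glob into an anchored regex."""
    out, depth = [], 0
    for tok in re.findall(r"\*\*|.", glob):
        if tok == "{":
            depth += 1
        if tok in WILD or (depth and tok in BRACE):
            out.append(WILD.get(tok) or BRACE[tok])
        else:
            out.append(re.escape(tok))           # literal, incl. ',' outside braces
        if tok == "}" and depth:
            depth -= 1
    return re.compile("".join(out) + r"\Z")

def parse_audit(line):
    """Extract key=value fields (quoted or bare) from one audit line."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def unresolved_denials(lines, rule):
    """Paths of DENIED events that `rule` does not match; ALLOWED is skipped."""
    rx = aa_glob_to_regex(rule)
    events = (parse_audit(line) for line in lines)
    return [e.get("name", "") for e in events
            if e.get("apparmor") == "DENIED" and not rx.match(e.get("name", ""))]
```

With the sample above, the original `/dev/shm/org.chromium.*` rule leaves both DENIED paths unresolved, while `/{dev,run}/shm/org.chromium.*` leaves only the `/proc/29486/fd/` read.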


