[Pkg-privacy-maintainers] Bug#881496: Bug#881496: onioncircuits: python3/testing and apparmor/testing breaks onioncircuits
Sascha Steinbiss
satta at debian.org
Mon Nov 20 18:20:08 UTC 2017
Hi all,

ah, this sheds some light on the situation. However:

> audit[3722]: AVC apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onioncircuits" name="/usr/lib/python3.6/lib-dynload/_ctypes.cpython-36m-x86_64-linux-gnu.so" pid=3722 comm="onioncircuits" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

This is interesting, since the corresponding line in the python AppArmor
abstractions [1] (which are imported by the onioncircuits profile [2]) is:

  /usr/lib{,32,64}/python3.[0-6]/lib-dynload/*.so mr,

which indeed already has the mmap flag set. It's been in testing for
some while now (since bzr revision #1671, which was the initial update
to upstream's 2.11.1).

I also can't see it being overridden anywhere. So I am not sure why this
permission should be denied...

Any ideas? (AppArmor-savvy team members?)

Cheers
Sascha

[1] https://alioth.debian.org/scm/loggerhead/collab-maint/apparmor/view/head:/profiles/apparmor.d/abstractions/python
[2] https://anonscm.debian.org/cgit/pkg-privacy/packages/onioncircuits.git/tree/apparmor/usr.bin.onioncircuits#n8

> So, python3/testing + apparmor/testing is a breaking
> combination. Downgrading to apparmor/stable fixes the problem.
>
> -- System Information:
> Debian Release: buster/sid
> APT prefers stable
> APT policy: (500, 'stable'), (70, 'unstable'), (60, 'testing'), (50, 'experimental')
> Architecture: amd64
> (x86_64)
>
> Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages onioncircuits depends on:
> ii gir1.2-glib-2.0 1.54.1-3
> ii gir1.2-gtk-3.0 3.22.26-1
> ii python3-gi 3.22.0-2
> ii python3-pycountry 17.5.14+ds1-0.1
> ii python3-stem 1.6.0-1
> pn python3:any <none>
>
> onioncircuits recommends no packages.
>
> Versions of packages onioncircuits suggests:
> ii tor-geoipdb 0.3.1.8-2
>
> -- no debconf information
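The comparison made in the message above (does the abstraction's rule text cover the denied path and mask?) can be checked mechanically. The following is an added example, not part of the original message or of AppArmor's own tooling; the function names are hypothetical and the glob translation is a simplified assumption (no escapes, nested braces or variables).

```python
import re

# Denial line and rule as quoted in the message above.
AVC = ('audit[3722]: AVC apparmor="DENIED" operation="file_mmap" '
       'profile="/usr/bin/onioncircuits" name="/usr/lib/python3.6/lib-dynload/'
       '_ctypes.cpython-36m-x86_64-linux-gnu.so" pid=3722 comm="onioncircuits" '
       'requested_mask="m" denied_mask="m" fsuid=1000 ouid=0')
RULE = '/usr/lib{,32,64}/python3.[0-6]/lib-dynload/*.so mr,'

def parse_avc(line):
    """Return the key=value fields of an audit line (quoted or bare values)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def glob_to_regex(glob):
    """Translate AppArmor-style globbing (* ? ** [..] {a,b}) to a regex."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith('**', i):      # ** may cross directory separators
            out.append('.*')
            i += 2
            continue
        if c == '*':                      # * stays within one path component
            out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '[':                    # character class copied as-is
            j = glob.index(']', i)
            out.append(glob[i:j + 1])
            i = j
        elif c == '{':                    # {a,b,c} alternation, may be empty
            j = glob.index('}', i)
            alts = glob[i + 1:j].split(',')
            out.append('(?:' + '|'.join(map(re.escape, alts)) + ')')
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile(''.join(out) + r'\Z')

def rule_covers(rule, path, mask):
    """True if the rule's glob matches path and grants every bit in mask."""
    glob, perms = rule.rstrip(',').rsplit(None, 1)
    return bool(glob_to_regex(glob).match(path)) and set(mask) <= set(perms)

def check_denial(avc_line, rule):
    """Does this rule text, taken alone, already allow the logged denial?"""
    fields = parse_avc(avc_line)
    return rule_covers(rule, fields['name'], fields['denied_mask'])
```

For the quoted denial and rule, check_denial(AVC, RULE) returns True, which matches the reading in the message that the rule text already grants "m" on that path.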