[Pkg-privacy-maintainers] Bug#881496: Bug#881496: onioncircuits: python3/testing and apparmor/testing breaks onioncircuits

Sascha Steinbiss satta at debian.org
Mon Nov 20 18:20:08 UTC 2017


Hi all,

ah, this sheds some light on the situation. However:

>     audit[3722]: AVC apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onioncircuits" name="/usr/lib/python3.6/lib-dynload/_ctypes.cpython-36m-x86_64-linux-gnu.so" pid=3722 comm="onioncircuits" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

This is interesting, since the corresponding line in the python AppArmor
abstractions [1] (which are imported by the onioncircuits profile [2]) is:

  /usr/lib{,32,64}/python3.[0-6]/lib-dynload/*.so            mr,

which indeed already has the mmap flag set. It's been in testing for
some while now (since bzr revision #1671, which was the initial update
to upstream's 2.11.1).
I also can't see it being overridden anywhere. So I am not sure why this
permission should be denied...

Any ideas? (AppArmor-savvy team members?)

Cheers
Sascha


[1]
https://alioth.debian.org/scm/loggerhead/collab-maint/apparmor/view/head:/profiles/apparmor.d/abstractions/python
[2]
https://anonscm.debian.org/cgit/pkg-privacy/packages/onioncircuits.git/tree/apparmor/usr.bin.onioncircuits#n8

> So, python3/testing + apparmor/testing is a breaking
> combination. Downgrading to apparmor/stable fixes the problem.
> 
> -- System Information:
> Debian Release: buster/sid
>   APT prefers stable
>   APT policy: (500, 'stable'), (70, 'unstable'), (60, 'testing'), (50, 'experimental')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages onioncircuits depends on:
> ii  gir1.2-glib-2.0    1.54.1-3
> ii  gir1.2-gtk-3.0     3.22.26-1
> ii  python3-gi         3.22.0-2
> ii  python3-pycountry  17.5.14+ds1-0.1
> ii  python3-stem       1.6.0-1
> pn  python3:any        <none>
> 
> onioncircuits recommends no packages.
> 
> Versions of packages onioncircuits suggests:
> ii  tor-geoipdb  0.3.1.8-2
> 
> -- no debconf information
> 
