[Bug 1235080] New: Tor-browser AppArmor-profiles failing: paths incorrect (AppArmor not activating)
https://bugzilla.suse.com/show_bug.cgi?id=1235080

Bug ID: 1235080
Summary: Tor-browser AppArmor-profiles failing: paths incorrect (AppArmor not activating)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.6
Hardware: All
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: opensuse.k1akb@slmail.me
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

For Tor-Browser installations using the "Tor Browser Launcher" tool, AppArmor profiles are ineffective because their paths are incorrect.

This concerns at least 3 files:
- /etc/apparmor.d/torbrowser.Browser.firefox
- /etc/apparmor.d/torbrowser.Tor.tor
- /etc/apparmor.d/tunables/torbrowser

In all cases, almost at the top: `@{torbrowser_firefox_executable} = /home/*/...`

Issues, AFAICT:
1. Better to use `@{HOME}/.local/...` (instead of `/home/*/.local/...`)
2. Instead of `.../tor-browser_*/...`, it should read `.../tor-browser/...` in paths. (All very near top of the profile-files.)

It seems that by default the profiles are configured as enforced, but `aa-status` does not show them to activate.

After I make these changes and use `apparmor_parser -r <profile>` for all three profiles, then run Tor-Browser from the (KDE) launcher, everything works as expected and AppArmor activates according to `aa-status`.

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1235080#c1

Christian Boltz <suse-beta@cboltz.de> changed:

What     |Removed              |Added
----------------------------------------------------------------------------
CC       |                     |suse-beta@cboltz.de
Assignee |suse-beta@cboltz.de  |badshah400@gmail.com

--- Comment #1 from Christian Boltz <suse-beta@cboltz.de> ---
These profiles are part of the torbrowser-launcher package, so let me reassign the bugreport to Atri, the package maintainer.

(In reply to OpenSUSE Account from comment #0)
> 1. Better to use `@{HOME}/.local/...` (instead of `/home/*/.local/...`)

In the default config, @{HOME} is nearly the same as /home/*/ (it additionally includes /root/), so using it is indeed a good idea - especially for people who have a non-default location for home directories and have extended @{HOME} accordingly.

Atri, this is something you might want to suggest/submit upstream.

> 2. Instead of `.../tor-browser_*/...`, it should read `.../tor-browser/...` in paths. (All very near top of the profile-files.)

In Tumbleweed, these lines already use .../tor-browser/..., for example

@{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/Browser/TorBrowser/Tor/tor

Atri, I'll leave it to you to check the package in Leap.

> It seems that by default the profiles are configured as enforced, but `aa-status` does not show them to activate.

Did you test this directly after installing the package, or did you reboot between installing the package and testing?

Reason for this question: the package doesn't load the profiles in %post, so they'll only be loaded automatically at the next reboot (or rcapparmor reload).

That said - I just submitted https://build.opensuse.org/requests/1235717 so that the profiles get loaded after installing the package. (The SR does _not_ do anything for "1." and "2.".)

Atri, if you need help with the AppArmor profiles, feel free to ask.
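
Added illustration, not part of the bug report or of the torbrowser-launcher package: a small matcher for the two path points discussed in comments #0 and #1. It assumes a simplified subset of AppArmor globbing (no character classes); the `tor-browser_*` pattern is constructed from the reporter's description, and the user name, the `/srv/home` location and all function names are hypothetical.

```python
import re

# Stock tunable as described in comment #1: @{HOME} covers /home/*/ plus /root/.
DEFAULT_VARS = {"HOME": ["/home/*/", "/root/"]}
TOKENS = {"**": ".*", "*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")", ",": "|"}

def expand_vars(pattern, variables):
    """Expand each @{VAR} into all of its values, one pattern per combination."""
    m = re.search(r"@\{(\w+)\}", pattern)
    if not m:
        # Assumption: duplicate slashes are collapsed, as apparmor_parser does.
        return [re.sub(r"/{2,}", "/", pattern)]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for v in variables[m.group(1)] for p in expand_vars(head + v + tail, variables)]

def glob_to_regex(pattern):
    """AppArmor globbing subset: * and ? stop at '/', ** crosses it, {a,b} alternates."""
    # Simplification: ',' and '}' are treated as alternation syntax everywhere.
    body = re.sub(r"\*\*|[*?{},]|[^*?{},]+",
                  lambda m: TOKENS.get(m.group(), re.escape(m.group())), pattern)
    return re.compile(body)

def attaches(profile_path, exe, variables=DEFAULT_VARS):
    """True if a profile attached to profile_path would apply to the binary at exe."""
    return any(glob_to_regex(p).fullmatch(exe) for p in expand_vars(profile_path, variables))

TAIL = "/Browser/TorBrowser/Tor/tor"
BASE = ".local/share/torbrowser/tbb/{i686,x86_64}/"
OLD = "/home/*/" + BASE + "tor-browser_*" + TAIL       # constructed from the report
TUMBLEWEED = "/home/*/" + BASE + "tor-browser" + TAIL  # line quoted in comment #1
SUGGESTED = "@{HOME}/" + BASE + "tor-browser" + TAIL   # with suggestion 1 applied
INSTALLED = "/home/alice/.local/share/torbrowser/tbb/x86_64/tor-browser" + TAIL  # constructed

if __name__ == "__main__":
    for name, pat in (("old", OLD), ("tumbleweed", TUMBLEWEED), ("suggested", SUGGESTED)):
        print(f"{name:10} attaches: {attaches(pat, INSTALLED)}")
    # A site that extended @{HOME} for a non-default home location (constructed).
    custom = {"HOME": DEFAULT_VARS["HOME"] + ["/srv/home/*/"]}
    moved = INSTALLED.replace("/home/", "/srv/home/", 1)
    print("hard-coded /home/* on /srv/home:", attaches(TUMBLEWEED, moved, custom))
    print("@{HOME} on /srv/home:", attaches(SUGGESTED, moved, custom))
```

A profile whose attachment path does not match the binary is never applied to it, so the browser runs unconfined even though the profile itself loads without error.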

https://bugzilla.suse.com/show_bug.cgi?id=1235080#c2

Atri Bhattacharya <badshah400@gmail.com> changed:

What     |Removed              |Added
----------------------------------------------------------------------------
Status   |NEW                  |IN_PROGRESS

--- Comment #2 from Atri Bhattacharya <badshah400@gmail.com> ---
Thanks for the report and suggested fixes. For Leap 16.0, I have now submitted <https://build.opensuse.org/requests/1236012> that would sync it to the Factory version including Christian's fixes. I understand the package is not in Leap 15.5 or 15.6.

Will send the fixes upstream by means of a PR this weekend.

Thanks again for the help.

https://bugzilla.suse.com/show_bug.cgi?id=1235080#c3

OpenSUSE Account <opensuse.k1akb@slmail.me> changed:

What     |Removed              |Added
----------------------------------------------------------------------------
Status   |IN_PROGRESS          |NEW

--- Comment #3 from OpenSUSE Account <opensuse.k1akb@slmail.me> ---
(In reply to Christian Boltz from comment #1)
> These profiles [..]
> In Tumbleweed, these lines already use .../tor-browser/..., for example
> @{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/Browser/TorBrowser/Tor/tor
> Atri, I'll leave it to you to check the package in Leap.

I would guess Leap is equally impacted because both download the latest binaries on-line.

> > It seems that by default the profiles are configured as enforced, but `aa-status` does not show them to activate.

Actually, I am not 100% sure about this statement, now that I think about it. To clarify, I installed AppArmor and profiles early, and only later started looking into it in more detail. I might have set some packages to 'enforce', so don't take this statement for truth just yet; better check to be sure.

> Did you test this directly after installing the package, or did you reboot between installing the package and testing? Reason for this question: the package doesn't load the profiles in %post, so they'll only be loaded automatically at the next reboot (or rcapparmor reload).

I installed AppArmor and profiles months earlier. Both `aa-status` and `aa-exec` made very clear that tor-browser was not protected. The use of `apparmor_parser -r <profile>` (mentioned earlier with more details) did reliably demonstrate change of behavior, whenever I made changes to the profiles. I do not know if there is a difference with `rcapparmor reload` that you mention.

> That said - I just submitted https://build.opensuse.org/requests/1235717 so that the profiles get loaded after installing the package. (The SR does _not_ do anything for "1." and "2.".)
> Atri, if you need help with the AppArmor profiles, feel free to ask.

Also note bug #1235142 that I filed soon after, which follows up with firejail issues also, partially, related (it seems) to AppArmor.

Note that I applied these changes myself and so far have seen no (evident, breaking) issues. Feel free to ask if you want me to check something in running tor-browser this way.

https://bugzilla.suse.com/show_bug.cgi?id=1235080#c4

--- Comment #4 from OpenSUSE Account <opensuse.k1akb@slmail.me> ---
(In reply to Atri Bhattacharya from comment #2)
> Thanks for the report [..]
> I understand the package is not in Leap 15.5 or 15.6.

I'm a bit confused here. `zypper info torbrowser-launcher` lists it for me in repository "Main Repository", but I can't easily find it. The version is `0.3.6-bp156.2.1`. I think it should be in some (update-)repository. I noticed when searching 'software.opensuse.org', it listed a newer version, so maybe results are unreliable when the newest version isn't provided (yet).

https://bugzilla.suse.com/show_bug.cgi?id=1235080#c5

--- Comment #5 from OpenSUSE Account <opensuse.k1akb@slmail.me> ---
(In reply to Atri Bhattacharya from comment #2)
> Thanks [..]
> I understand the package is not in Leap 15.5 or 15.6.

To my understanding, it is. See <https://download.opensuse.org/distribution/leap/15.6/repo/oss/noarch/> then search for 'torbrowser-launcher'.

https://bugzilla.suse.com/show_bug.cgi?id=1235080#c6

--- Comment #6 from Christian Boltz <suse-beta@cboltz.de> ---
(In reply to OpenSUSE Account from comment #3)
> I installed AppArmor and profiles months earlier.

The question is: when did you install torbrowser-apparmor-profile (which ships the tor-browser profile)? Directly before opening this bugreport, or at least a reboot earlier?

> The use of `apparmor_parser -r <profile>` (mentioned earlier with more details) did reliably demonstrate change of behavior, whenever I made changes to the profiles. I do not know if there is a difference with `rcapparmor reload` that you mention.

rcapparmor reload basically reloads all profiles using apparmor_parser -r /etc/apparmor.d/ (it also does a few checks, but these are probably not relevant here)

(In reply to OpenSUSE Account from comment #5)
> (In reply to Atri Bhattacharya from comment #2)
> > I understand the package is not in Leap 15.5 or 15.6.
> To my understanding, it is. See <https://download.opensuse.org/distribution/leap/15.6/repo/oss/noarch/> then search for 'torbrowser-launcher'.

Right, it lives in openSUSE:Backports:SLE-15-SP6 (actually in every SLE-15-SPx).

https://bugzilla.suse.com/show_bug.cgi?id=1235080#c7

--- Comment #7 from OpenSUSE Account <opensuse.k1akb@slmail.me> ---
(In reply to Christian Boltz from comment #6)
> (In reply to OpenSUSE Account from comment #3)
> > I installed AppArmor and profiles months earlier.
> The question is: when did you install torbrowser-apparmor-profile (which ships the tor-browser profile)? Directly before opening this bugreport, or at least a reboot earlier?

There has been an earlier reboot, because I did not immediately look into this, i.e. AppArmor and torbrowser-launcher and torbrowser-apparmor-profiles were installed for a while already.

I am a bit lost on why this is so relevant? Are you doubting some other part not mentioned? I mean, these profiles are supposed to be strictly mechanical, i.e. if the path matches it should match, and if the path does not match it should not match. Tbh, if you have any doubts in the profile itself, I'd rather you check for yourself instead of relying on my input. ':-)

> > The use of `apparmor_parser -r <profile>` [..]
> rcapparmor reload basically reloads all profiles using apparmor_parser -r /etc/apparmor.d/ (it also does a few checks, but these are probably not relevant here)

Okay, so my experience and your expectations seem to align.

> (In reply to OpenSUSE Account from comment #5)
> > (In reply to Atri Bhattacharya from comment #2)
> > > I understand the package is not in Leap 15.5 or 15.6.
> > To my understanding, it is. See <https://download.opensuse.org/distribution/leap/15.6/repo/oss/noarch/> then search for 'torbrowser-launcher'.
> Right, it lives in openSUSE:Backports:SLE-15-SP6 (actually in every SLE-15-SPx).

Okay, so that seems to be cleared up.