[Bug 1235142] New: Tor-browser with firejail will fail to start when AppArmor active and (unmodified) firejail-profiles (torbrowser-launcher)
https://bugzilla.suse.com/show_bug.cgi?id=1235142

Bug ID: 1235142
Summary: Tor-browser with firejail will fail to start when AppArmor active and (unmodified) firejail-profiles (torbrowser-launcher)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.6
Hardware: All
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: opensuse.k1akb@slmail.me
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

This is likely a consequence in conjunction with reported bug #1235080. (Incorrect AppArmor profile for tor-browser, i.e. the torbrowser-launcher package, fails to enforce AppArmor protections because of errors in the AppArmor profile for torbrowser.)

After having fixed the above, `firejail` fails to run Tor-browser (as installed by the TorBrowser-launcher). This is likely (IIUC) due to the default configuration of firejail (`/etc/firejail/firejail.config`) and the intended additional actions as described in the firejail torbrowser-launcher profile (`/etc/firejail/torbrowser-launcher.profile`).

What happens: With AppArmor now correctly enforcing policies according to the torbrowser-launcher profile, tor-browser will start in an already somewhat restricted mode. Now, if launched with `firejail`, which is able to cooperate with AppArmor, it fails to start `tor` and consequently will not be able to establish any connections or any interaction at all with the tor network. There is no logging, but given some other behavior, it is very likely that the `tor` process will not even start/spawn, likely due to necessary permissions being denied.

To be specific, the facts are:

- `/etc/firejail/firejail.config` notes that `apparmor` support is enabled by default.
- `/etc/firejail/torbrowser-launcher.profile` notes that `apparmor` is disabled by default, due to a note marked "IMPORTANT" that outlines extra steps that need to be taken: a 1-line change in the AppArmor profile in `/etc/apparmor.d/local/firejail-default`, i.e. "the relevant rule [..] will need to be uncommented [..]".
- The mentioned rule is not uncommented by default.

Resolution: I think it is relatively straightforward but would like to have another pair of eyes that can confirm that indeed the 'apparmor' setting in firejail is active by default, and consequently there is a conflict due to the documented additional requirement as mentioned in item 2. So, either the default firejail config should disable the 'apparmor' setting by default (does not seem very appealing) or the `apparmor` package should have this additional line uncommented by default.

Right now, AppArmor and/or firejail cause issues when used with tor-browser due to either this or the other bug mentioned at the start of this post. It would be good to have the configurations properly aligned.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
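Added consistency check (not from the bug report, and not firejail's or AppArmor's own tooling): the script below reads the three files the report names and prints whether their settings line up. It parses the global `apparmor yes|no` key in firejail.config (treating a missing or commented-out key as "yes", the default the report quotes), looks for an uncommented `apparmor` command in the torbrowser-launcher profile, and checks whether the local AppArmor override contains an uncommented rule. Since the report does not quote the rule text, the script assumes the rule mentions "torbrowser" in its path; the sample files it writes are constructed for the demo and the placeholder rule in them is not the real one.

```shell
#!/bin/sh
# Added consistency check for the firejail / AppArmor / torbrowser-launcher
# settings discussed in the bug report. Not part of firejail or AppArmor.
# ASSUMPTION: the rule the profile asks you to uncomment in
# /etc/apparmor.d/local/firejail-default contains the string "torbrowser";
# the report does not quote its exact text.

# Effective value of the `apparmor` key in a firejail.config file.
# A missing or commented-out key means "yes" (enabled by default).
firejail_config_apparmor() {
    val=$(grep -E '^[[:space:]]*apparmor[[:space:]]+(yes|no)[[:space:]]*$' "$1" \
          | tail -n 1 | awk '{print $2}')
    if [ -n "$val" ]; then
        echo "$val"
    else
        echo yes
    fi
}

# True when the profile contains an uncommented bare `apparmor` command
# (a leading `#` makes the line a comment and does not match).
profile_enables_apparmor() {
    grep -Eq '^[[:space:]]*apparmor[[:space:]]*$' "$1"
}

# True when the local override has an uncommented line mentioning torbrowser
# (see ASSUMPTION above).
local_torbrowser_rule_active() {
    grep -Eiq '^[[:space:]]*[^#[:space:]].*torbrowser' "$1"
}

# Print one verdict line. The combination the report describes as broken is
# global AppArmor support enabled while the local rule is still commented out.
# $1 = firejail.config, $2 = torbrowser-launcher.profile, $3 = local override
check_alignment() {
    cfg=$(firejail_config_apparmor "$1")
    if profile_enables_apparmor "$2"; then prof=yes; else prof=no; fi
    if local_torbrowser_rule_active "$3"; then rule=yes; else rule=no; fi
    state="firejail.config apparmor=$cfg, profile apparmor=$prof, local rule uncommented=$rule"
    if [ "$cfg" = yes ] && [ "$rule" = no ]; then
        echo "conflict: $state"
    else
        echo "ok: $state"
    fi
}

# Constructed sample files (not copied from any distribution package).
# $1 = directory, $2 = "shipped" (rule commented out) or "fixed" (uncommented).
write_samples() {
    printf '%s\n' \
        '# Enable AppArmor functionality, default enabled.' \
        '# apparmor yes' > "$1/firejail.config"
    printf '%s\n' \
        '# IMPORTANT: uncomment the relevant rule in' \
        '# /etc/apparmor.d/local/firejail-default before enabling this.' \
        '#apparmor' > "$1/torbrowser-launcher.profile"
    if [ "$2" = fixed ]; then marker=''; else marker='#'; fi
    printf '%s\n' \
        '# constructed local override; the rule below is a placeholder, not the real one' \
        "${marker}owner @{HOME}/.local/share/torbrowser/** ix," > "$1/firejail-default"
}

# Run the check against the shipped-style samples and against the fixed ones.
demo() {
    tmp=$(mktemp -d)
    for mode in shipped fixed; do
        write_samples "$tmp" "$mode"
        printf '%-9s' "$mode:"
        check_alignment "$tmp/firejail.config" "$tmp/torbrowser-launcher.profile" "$tmp/firejail-default"
    done
    rm -rf "$tmp"
}

demo
```

To run it against a real system, call `check_alignment /etc/firejail/firejail.config /etc/firejail/torbrowser-launcher.profile /etc/apparmor.d/local/firejail-default` instead of the demo; a "conflict" line corresponds to the state the report describes, an "ok" line to either the rule having been uncommented or global AppArmor support having been switched off.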
https://bugzilla.suse.com/show_bug.cgi?id=1235142#c1

--- Comment #1 from OpenSUSE Account <opensuse.k1akb@slmail.me> ---

Note: I have made the modifications that I have pointed out on my workstation, and that seems to resolve all noticed problems. Running tor-browser within firejail will start, establish a connection and function properly.

AppArmor correctly lists the processes as:

```
/home/user/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/firefox.real (<PID>) firejail-default//&torbrowser_firefox
[..etc..]
```

It seems to suggest that both `firejail-default` (`/etc/apparmor.d/local/firejail-default`) and `torbrowser_firefox` (`/etc/apparmor.d/torbrowser.Browser.firefox`) are applied, as expected.
https://bugzilla.suse.com/show_bug.cgi?id=1235142#c2

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed               |Added
----------------------------------------------------------------------------
                 CC|                      |suse-beta@cboltz.de
           Assignee|security-team@suse.de |sebix+novell.com@sebix.at

--- Comment #2 from Christian Boltz <suse-beta@cboltz.de> ---

Looking at the package, I noticed that the firejail profile doesn't get (re)loaded during package installation. I just submitted https://build.opensuse.org/requests/1236742 to fix this.

For the actual profile issues, let me assign this bug to the firejail maintainer, since the firejail AppArmor profile is shipped in that package. (Sebastian, if you need help around AppArmor, just ask - I'm in CC.)