Feature #12170

Upstream OnionCircuits AppArmor profile

Added by intrigeri 2017-01-24 15:43:01 . Updated 2019-05-06 18:15:36 .

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
2017-01-24
Due date:
% Done:

100%

Feature Branch:
bugfix/12170-drop-obsolete-onioncircuits-AppArmor-profile, https://salsa.debian.org/tails-team/tails/merge_requests/17
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Onion Circuits
Deliverable for:

Description

In Tails 2.10, anonym introduced an AppArmor profile for OnionCircuits. That’s great! Now, IMO our commitment to upstreaming our stuff implies we should have this profile included in the upstream Git repo, and installed by the Debian package.


Subtasks


Related issues

Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed

History

#1 Updated by intrigeri 2017-01-24 15:43:18

Any reason I’ve missed why we should not, or cannot, do that?

#2 Updated by anonym 2017-03-19 19:04:40

  • Assignee deleted (anonym)

You’ll find it in config/chroot_local-includes/etc/apparmor.d/usr.bin.onioncircuits. Thanks so much for taking over this from me! :))))))

#3 Updated by Anonymous 2017-03-19 20:49:42

I made a commit upstream and to the packaging.

Now I’ll need to see if Sascha wants to prepare the new package or if I should do it and once it’s in Debian, we can remove the profile from our own repository.

#4 Updated by intrigeri 2017-03-19 21:35:40

> I made a commit upstream and to the packaging.

> Now I’ll need to see if Sascha wants to prepare the new package or if I should do it and once it’s in Debian, we can remove the profile from our own repository.

Yeah! :)

#5 Updated by Anonymous 2017-04-08 10:52:06

  • Status changed from Confirmed to Resolved

Sascha integrated this, so I’m considering this as done.

#6 Updated by intrigeri 2017-06-25 07:18:17

  • Status changed from Resolved to In Progress
  • Target version changed from Tails_2.12 to Tails_3.2
  • % Done changed from 0 to 10

u wrote:
> Sascha integrated this, so I’m considering this as done.

… and since then anonym updated the profile in tails.git (commit:ad0d64919f54260b3cc8d19252f97345091fcafd) but nobody copied the change to OnionCircuit’s repo. I’ve just done this.

IMO we should keep this ticket open as long as we replace the upstream profile with our own one, so next steps are:

  1. publish a new upstream release with the last AppArmor profile changes & fixes
  2. upload to sid
  3. install OnionCircuits from testing or sid instead of from our own repo (until a proper backport is needed)

Sascha, can you please do the first two steps and then reassign to me? Thanks!

Additionally, I’ve pushed some fixes because the profile that was upstreamed breaks OnionCircuits on my sid (https://bugs.debian.org/865843).

#7 Updated by intrigeri 2017-06-25 07:18:41

  • Assignee set to sst

#8 Updated by sst 2017-06-30 06:16:32

Hi intrigeri, thanks for the feedback and sorry for the delay in answering.
I would be happy to upload a new version but I’m not sure I can tag new releases in the upstream repo on git-tails.immerda.ch — in fact, I also never have before. That being said, I wouldn’t mind uploading an onioncircuits-0.4+git20170625.0.ce92de8-1 but I agree it would be nicer doing this for a real upstream release. Do we want to ping Alan?

#9 Updated by intrigeri 2017-06-30 08:18:16

Hi Sascha!

> I would be happy to upload a new version but I’m not sure I can tag new releases in the upstream repo on git-tails.immerda.ch — in fact, I also never have before.

Indeed, I’ve verified you don’t have write access to the upstream repo.

> That being said, I wouldn’t mind uploading an onioncircuits-0.4+git20170625.0.ce92de8-1

Let’s avoid doing this and instead ensure we can put out new upstream releases when needed.

> but I agree it would be nicer doing this for a real upstream release. Do we want to ping Alan?

Indeed, the current theory is that Alan is the upstream maintainer. But he wrote:

> I'm happy to participate to maintain Onion Circuits. However, I can't
> promise to be responsive within a few weeks sometimes (and I don't even
> speak about a few days...) so if people want more responsiveness and
> have time to participate on the maintenance, I would love them joining!

So I see three options:

  • ask Alan to release 0.4.1 and wait until it happens (possibly 3-8 weeks)
  • you prepare the release in your own repo, then I review and merge it into the official repo
  • I release 0.4.1 myself

Regarding timing, as far as Tails is concerned we’re in no hurry: we just need the updated package to be in Debian by mid-September. But I’m not a big fan of leaving OnionCircuits broken in Debian (for AppArmor users) for too long, so I suggest you ask Alan, and if he doesn’t release 0.4.1 within 2 weeks, then either you or I prepare the new release. OK?

#10 Updated by sst 2017-06-30 23:59:15

Hi intrigeri,

[…]
> I suggest you ask Alan, and if he doesn’t release 0.4.1 within 2 weeks, then either you or I prepare the new release. OK?

That sounds like a plan. I’ll send an email ASAP.

Cheers
Sascha

#11 Updated by anonym 2017-09-28 18:29:32

  • Target version changed from Tails_3.2 to Tails_3.3

#12 Updated by anonym 2017-11-15 11:30:51

  • Target version changed from Tails_3.3 to Tails_3.5

#13 Updated by Anonymous 2018-01-16 11:58:22

The bug report (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865843) says that onioncircuits 0.5-1 has the relevant commits (made by intrigeri).

However when I compare upstream/master (called tails/ in my example) and packaging/master, I get a difference. sst: may you please clarify this difference:


git diff tails/master..master -- apparmor/usr.bin.onioncircuits
diff --git a/apparmor/usr.bin.onioncircuits b/apparmor/usr.bin.onioncircuits
index d29e984..413fbc7 100644
--- a/apparmor/usr.bin.onioncircuits
+++ b/apparmor/usr.bin.onioncircuits
@@ -18,7 +18,6 @@
   /usr/bin/ r,
   /usr/bin/onioncircuits r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/iso-codes/json/** r,
   /usr/share/xml/iso-codes/** r,
   owner @{PROC}/@{pid}/status r,
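Review bot: the hunk drops the read rule "/usr/share/iso-codes/json/** r," while keeping "/usr/share/xml/iso-codes/** r,", and nothing in the profile records why; if onioncircuits opens the JSON iso-codes data at runtime, AppArmor will deny that read and the program can misbehave or log DENIED entries. Given the direction of the diff (tails/master is the "a" side, master the "b" side), it is the packaging copy that is missing the rule, so either restore the line in the packaging profile or document why it intentionally diverges from upstream.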

Thanks!
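The comparison asked for in the comment above can be done mechanically rather than by eyeballing a diff. The script below is an added example, not code from the ticket, from Tails or from the OnionCircuits project: it parses the plain file-access rules of two AppArmor profile texts and reports which rules were removed, added, or changed permissions between them. The two profile excerpts are constructed from the lines visible in the diff (the upstream copy still has the iso-codes JSON rule, the packaging copy does not) and are not the real profile files.

```python
"""Compare the file-access rules of two AppArmor profile texts.

Added example: only plain file rules ("path perms,", optionally prefixed
with "owner") are compared; #include, capability, network and deny rules
are skipped, which is enough to spot the kind of divergence in the ticket.
"""
import re

# optional "owner" qualifier, a path (may use variables like @{PROC} and
# globs), a permission string such as r / rw / mr, and the trailing comma
FILE_RULE_RE = re.compile(
    r'^(?P<owner>owner\s+)?(?P<path>[/@]\S*)\s+(?P<perms>[a-zA-Z]+),$'
)

# Constructed excerpt modelled on the diff context lines in the ticket.
UPSTREAM_PROFILE = """
/usr/bin/onioncircuits {
  #include <abstractions/base>

  /usr/bin/ r,
  /usr/bin/onioncircuits r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/iso-codes/json/** r,
  /usr/share/xml/iso-codes/** r,
  owner @{PROC}/@{pid}/status r,
}
"""

# Constructed packaging copy: identical except for the dropped JSON rule.
PACKAGING_PROFILE = """
/usr/bin/onioncircuits {
  #include <abstractions/base>

  /usr/bin/ r,
  /usr/bin/onioncircuits r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/xml/iso-codes/** r,
  owner @{PROC}/@{pid}/status r,
}
"""


def parse_file_rules(profile_text):
    """Return {(is_owner_rule, path): sorted permission string}.

    The profile header, closing brace, comments, #include lines and any
    non-file rule are ignored.
    """
    rules = {}
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        line = line.split('#', 1)[0].strip()  # drop a trailing comment
        match = FILE_RULE_RE.match(line)
        if match is None:
            continue
        key = (match.group('owner') is not None, match.group('path'))
        rules[key] = ''.join(sorted(match.group('perms')))
    return rules


def diff_file_rules(old_text, new_text):
    """Return (removed, added, changed) between two profile texts.

    removed/added are lists of rule keys; changed is a list of
    (key, old_perms, new_perms) for rules whose permissions differ.
    """
    old, new = parse_file_rules(old_text), parse_file_rules(new_text)
    removed = sorted(k for k in old if k not in new)
    added = sorted(k for k in new if k not in old)
    changed = sorted(
        (k, old[k], new[k]) for k in old if k in new and old[k] != new[k]
    )
    return removed, added, changed


def format_rule(key):
    """Render a rule key back in AppArmor syntax (without permissions)."""
    is_owner, path = key
    return ('owner ' if is_owner else '') + path


if __name__ == '__main__':
    removed, added, changed = diff_file_rules(UPSTREAM_PROFILE, PACKAGING_PROFILE)
    for key in removed:
        print('only in upstream :', format_rule(key))
    for key in added:
        print('only in packaging:', format_rule(key))
    for key, old_perms, new_perms in changed:
        print('perms changed    :', format_rule(key), old_perms, '->', new_perms)
```

Running it on the constructed excerpts reports a single rule present only in the upstream copy, the iso-codes JSON read rule, which is exactly the line the diff in the comment shows being dropped; feeding it the two real files instead of the embedded strings works the same way.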

#14 Updated by Anonymous 2018-01-19 11:02:04

  • QA Check set to Info Needed

#15 Updated by anonym 2018-01-23 19:52:38

  • Target version changed from Tails_3.5 to Tails_3.6

#16 Updated by bertagaz 2018-03-14 11:32:13

  • Target version changed from Tails_3.6 to Tails_3.7

#17 Updated by bertagaz 2018-05-10 11:09:18

  • Target version changed from Tails_3.7 to Tails_3.8

#18 Updated by intrigeri 2018-06-26 16:27:55

  • Target version changed from Tails_3.8 to Tails_3.9

#19 Updated by intrigeri 2018-09-05 16:26:54

  • Target version changed from Tails_3.9 to Tails_3.10.1

#20 Updated by intrigeri 2018-10-24 17:03:38

  • Target version changed from Tails_3.10.1 to Tails_3.11

#21 Updated by CyrilBrulebois 2018-12-16 13:54:27

  • Target version changed from Tails_3.11 to Tails_3.12

#22 Updated by anonym 2019-01-30 11:59:15

  • Target version changed from Tails_3.12 to Tails_3.13

#23 Updated by CyrilBrulebois 2019-03-20 14:35:09

  • Target version changed from Tails_3.13 to Tails_3.14

#24 Updated by intrigeri 2019-04-13 06:55:04

  • Assignee changed from sst to intrigeri
  • QA Check deleted (Info Needed)

u wrote:
> However when I compare upstream/master (called tails/ in my example) and packaging/master, I get a difference. sst: may you please clarify this difference:

IIRC there’s been some miscommunication and two different 0.5 releases were published: one by Alan, another one by sst. Since then, segfault published 0.6 and updated the Debian packaging accordingly, which was non-trivial due to the aforementioned confusion, but 0.6 in Git (both upstream and Debian’s Vcs-Git) should now be in good shape, which resolves the problem you’re raising here :)

Meanwhile:

  • the Debian package does install an AppArmor profile… which is actually more up-to-date than what we have in config/chroot_local-includes/etc/apparmor.d/usr.bin.onioncircuits
  • all current Tails branches install 0.6-0.0tails1, with the aforementioned updated profile

So it seems to me that the only remaining problem to solve here is: we still override the package-provided profile with our own, outdated one, which does not make any sense.

#25 Updated by intrigeri 2019-04-13 06:55:17

#26 Updated by intrigeri 2019-04-13 07:00:11

  • Feature Branch set to bugfix/12170-drop-obsolete-onioncircuits-AppArmor-profile

#27 Updated by intrigeri 2019-04-13 07:38:41

  • Assignee deleted (intrigeri)
  • QA Check set to Ready for QA
  • Feature Branch changed from bugfix/12170-drop-obsolete-onioncircuits-AppArmor-profile to bugfix/12170-drop-obsolete-onioncircuits-AppArmor-profile, https://salsa.debian.org/tails-team/tails/merge_requests/17

Built an image locally, tested manually: the AppArmor profile is the one from the package as expected, OnionCircuits starts, displays circuits, and I see no error message related to OnionCircuits in the Journal. We have no automated test coverage for this so I’ll skip running the test suite.

#28 Updated by hefee 2019-04-15 13:42:16

intrigeri wrote:
> Built an image locally, tested manually: the AppArmor profile is the one from the package as expected, OnionCircuits starts, displays circuits, and I see no error message related to OnionCircuits in the Journal. We have no automated test coverage for this so I’ll skip running the test suite.

Sounds like reasonable testing. It is fine to merge.

#29 Updated by hefee 2019-04-15 13:42:35

  • Assignee set to intrigeri
  • QA Check changed from Ready for QA to Pass

#30 Updated by intrigeri 2019-04-15 15:35:19

  • Status changed from In Progress to Fix committed
  • % Done changed from 10 to 100

Applied in changeset commit:tails|e5c7754a59a09fcf87be0d451f60555ba9f8fd26.

#31 Updated by intrigeri 2019-04-15 15:35:52

  • Assignee deleted (intrigeri)

Thanks!

#32 Updated by intrigeri 2019-05-05 08:23:52

  • Target version changed from Tails_3.14 to Tails_3.13.2

#33 Updated by anonym 2019-05-06 15:00:51

  • Status changed from Fix committed to Resolved

#34 Updated by anonym 2019-05-06 15:03:12

  • Target version changed from Tails_3.13.2 to Tails_3.14

#35 Updated by intrigeri 2019-05-06 18:15:36

  • Target version changed from Tails_3.14 to Tails_3.13.2