Bug #15370
Onion Circuits cannot be started in Tails 3.6~rc1
Description
I’ve noticed while testing 3.6~rc1 that onioncircuit failed to show its window when clicking on its icon. Failure in the logs shows problems with the apparmor profile and Tails python library:
audit[14270]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/onioncircuits" name="/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info" pid=14270 \
comm="onioncircuits" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: kauditd_printk_skb: 6 callbacks suppressed
kernel: audit: type=1400 audit(1520076835.695:35): apparmor="DENIED" operation="open" profile="/usr/bin/onioncircuits" \
name="/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info" pid=14270 comm="onioncircuits" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
onioncircuits.desktop[14270]: Traceback (most recent call last):
onioncircuits.desktop[14270]: File "/usr/bin/onioncircuits", line 25, in <module>
onioncircuits.desktop[14270]: import pycountry
onioncircuits.desktop[14270]: File "/usr/lib/python3/dist-packages/pycountry/__init__.py", line 12, in <module>
onioncircuits.desktop[14270]: from pkg_resources import resource_filename
onioncircuits.desktop[14270]: File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3019, in <module>
onioncircuits.desktop[14270]: @_call_aside
onioncircuits.desktop[14270]: File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3003, in _call_aside
onioncircuits.desktop[14270]: f(*args, **kwargs)
onioncircuits.desktop[14270]: File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3032, in _initialize_master_working_set
onioncircuits.desktop[14270]: working_set = WorkingSet._build_master()
onioncircuits.desktop[14270]: File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 646, in _build_master
onioncircuits.desktop[14270]: ws = cls()
onioncircuits.desktop[14270]: File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 639, in __init__
onioncircuits.desktop[14270]: self.add_entry(entry)
onioncircuits.desktop[14270]: File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 695, in add_entry
onioncircuits.desktop[14270]: for dist in find_distributions(entry, True):
onioncircuits.desktop[14270]: File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2019, in find_on_path
onioncircuits.desktop[14270]: path_item, entry, metadata, precedence=DEVELOP_DIST
onioncircuits.desktop[14270]: File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2432, in from_location
onioncircuits.desktop[14270]: py_version=py_version, platform=platform, **kw
onioncircuits.desktop[14270]: File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2772, in _reload_version
onioncircuits.desktop[14270]: md_version = _version_from_file(self._get_metadata(self.PKG_INFO))
onioncircuits.desktop[14270]: File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2397, in _version_from_file
onioncircuits.desktop[14270]: line = next(iter(version_lines), '')
onioncircuits.desktop[14270]: File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2565, in _get_metadata
onioncircuits.desktop[14270]: for line in self.get_metadata_lines(name):
onioncircuits.desktop[14270]: File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1872, in get_metadata_lines
onioncircuits.desktop[14270]: return yield_lines(self.get_metadata(name))
onioncircuits.desktop[14270]: File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1858, in get_metadata
onioncircuits.desktop[14270]: with io.open(self.path, encoding='utf-8', errors="replace") as f:
onioncircuits.desktop[14270]: PermissionError: [Errno 13] Permission denied: '/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info
The python apparmor abstraction should take care of that, but it does not seem to handle *.egg-info files.
Adding this line (or similar; this one is an adaptation of one from the python abstraction) to the onioncircuit profile fixes the problem:
/usr/local/lib{,32,64}/python{2.[4-7],3.[0-9]}/dist-packages/*.egg-info r,
But I’m not sure of the syntax nor if that’s the best way to fix this issue.
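As an added diagnostic example (not part of the bug report or of any Tails code): the script below parses the AVC line quoted above and checks whether the path glob of the proposed rule would cover the denied path. It assumes a simplified AppArmor glob matcher (`*` does not cross `/`, `**` does, `[..]` classes pass through, non-nested `{a,b}` alternation), which is my own reimplementation, not AppArmor's parser.

```python
import re
import shlex
# Constructed sample: the DENIED line from the report, reflowed onto one line.
SAMPLE_AVC = (
    'audit[14270]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/onioncircuits" '
    'name="/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info" pid=14270 '
    'comm="onioncircuits" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
)
# The rule proposed in the report, without its trailing " r," permission part.
PROPOSED_RULE = "/usr/local/lib{,32,64}/python{2.[4-7],3.[0-9]}/dist-packages/*.egg-info"

def parse_avc(line):
    """Return the key=value fields of an AppArmor audit line; shlex strips the quotes."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def expand_braces(pattern):
    """Expand {a,b,c} alternations into separate patterns (non-nested braces only, an assumption)."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return out

def rule_to_regex(pattern):
    """Brace-free AppArmor path glob -> anchored regex ('**' crosses '/', '*' does not)."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            regex, i = regex + ".*", i + 2
        elif pattern[i] == "*":
            regex, i = regex + "[^/]*", i + 1
        elif pattern[i] == "[":  # character class such as [0-9] passes through unchanged
            j = pattern.index("]", i)
            regex, i = regex + pattern[i:j + 1], j + 1
        else:
            regex, i = regex + re.escape(pattern[i]), i + 1
    return re.compile("^" + regex + "$")

def rule_covers(rule, path):
    """True if any brace expansion of the rule matches the path exactly."""
    return any(rule_to_regex(p).match(path) for p in expand_braces(rule))

def check_denial(line, rule=PROPOSED_RULE):
    """For a DENIED line, report the profile, the path and whether the rule covers it."""
    f = parse_avc(line)
    if f.get("apparmor") != "DENIED":
        return None
    return {"profile": f["profile"], "name": f["name"], "covered": rule_covers(rule, f["name"])}
```

Running `check_denial(SAMPLE_AVC)` reports the denied path as covered, while the same file name under /usr/lib/python3/dist-packages or in a subdirectory is not, which is what the `/usr/local` prefix and the single `*` in the rule intend.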
Related issues: Related to Tails - (Resolved, 2018-07-16)
History
#1 Updated by intrigeri 2018-03-05 10:35:44
- Subject changed from Onioncircuit does not show its window to Onion Circuits cannot be started in Tails 3.6~rc1
- Assignee set to segfault
- Priority changed from Normal to Elevated
- Parent task set to Feature #11198
Anyway, I believe this regression was introduced by Feature #11753 => assigning to segfault.
First, deleting /usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info appears to fix the problem here. Do we need that file in the ISO? If not, the simplest solution might be to exclude it from the SquashFS (config/chroot_local-includes/usr/share/amnesia/build/mksquashfs-excludes).
Second, if we do need that file for some reason, as bertagaz explained the fix requires modifying an AppArmor abstraction, which should be done upstream and as a local patch (until Tails is based on a version of Debian that includes the fix).
#2 Updated by bertagaz 2018-03-05 11:06:34
intrigeri wrote:
> First, deleting /usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info appears to fix the problem here. Do we need that file in the ISO? If not, the simplest solution might be to exclude it from the SquashFS (config/chroot_local-includes/usr/share/amnesia/build/mksquashfs-excludes).
IIRC (but that should be confirmed) Debian python packages do not ship this file, only the .egg one.
#3 Updated by segfault 2018-03-06 22:38:48
- Assignee changed from segfault to bertagaz
- QA Check set to Ready for QA
bertagaz wrote:
> IIRC (but that should be confirmed) Debian python packages do not ship this file, only the .egg one.
This seems to be incorrect, there are a lot of .egg-info files in /usr/lib/python3/dist-packages/.
intrigeri wrote:
> First, deleting /usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info appears to fix the problem here. Do we need that file in the ISO? If not, the simplest solution might be to exclude it from the SquashFS (config/chroot_local-includes/usr/share/amnesia/build/mksquashfs-excludes).
The file contains metadata about the Python package. I guess we don’t need it, but I’m not entirely sure. Anyway, I think I found another solution: If we use setuptools instead of distutils to install the Python package, it creates a .egg file, which includes both the code and metadata, and which is allowed to be accessed in abstractions/python. I implemented this in commit b64a6801f126f0c417fdae260849b0e8f13869ec in bugfix/15370-onioncircuits-not-starting and commit f5c43131734dd732fea7b3e4d852d723ec78e021 in pythonlib.
> Second, if we do need that file for some reason, as bertagaz explained the fix requires modifying an AppArmor abstraction, which should be done upstream and as a local patch (until Tails is based on a version of Debian that includes the fix).
I think the .egg-info files should actually be included in the AppArmor profile, because they are installed by a lot of packages and, as seen here, it will break unrelated apps if such a package is installed locally.
#4 Updated by segfault 2018-03-06 22:42:20
By the way, I have no idea why Python only tries to open the .egg-info files in /usr/local/lib/python3.5/dist-packages and not the ones in /usr/lib/python3/dist-packages.
#5 Updated by bertagaz 2018-03-11 18:37:58
- Status changed from Confirmed to Fix committed
- Assignee deleted (bertagaz)
- % Done changed from 0 to 100
- QA Check changed from Ready for QA to Pass
segfault wrote:
> bertagaz wrote:
> > IIRC (but that should be confirmed) Debian python packages do not ship this file, only the .egg one.
>
> This seems to be incorrect, there are a lot of .egg-info files in /usr/lib/python3/dist-packages/.
Hmm, yes, after some research it seems I was wrong, sorry.
> intrigeri wrote:
> > First, deleting /usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info appears to fix the problem here. Do we need that file in the ISO? If not, the simplest solution might be to exclude it from the SquashFS (config/chroot_local-includes/usr/share/amnesia/build/mksquashfs-excludes).
>
> The file contains metadata about the Python package. I guess we don’t need it, but I’m not entirely sure. Anyway, I think I found another solution: If we use setuptools instead of distutils to install the Python package, it creates a .egg file, which includes both the code and metadata, and which is allowed to be accessed in abstractions/python. I implemented this in commit b64a6801f126f0c417fdae260849b0e8f13869ec in bugfix/15370-onioncircuits-not-starting and commit f5c43131734dd732fea7b3e4d852d723ec78e021 in pythonlib.
I’ve merged that, with a commit on top of it (e0b24a215182fe386ce2940639b115039cdfadaa): config/chroot_local-packageslists/tails-common.list is used to install packages inside the ISO. If you need a package during the hooks at build time, we have a function to install and uninstall it, as you’ll see.
> > Second, if we do need that file for some reason, as bertagaz explained the fix requires modifying an AppArmor abstraction, which should be done upstream and as a local patch (until Tails is based on a version of Debian that includes the fix).
>
> I think the .egg-info files should actually be included in the AppArmor profile, because they are installed by a lot of packages and, as seen here, it will break unrelated apps if such a package is installed locally.
So we need to open a bug upstream it seems. I’ll open another ticket for that.
#6 Updated by bertagaz 2018-03-11 19:51:25
- Status changed from Fix committed to In Progress
Applied in changeset commit:e0b24a215182fe386ce2940639b115039cdfadaa.
#7 Updated by bertagaz 2018-03-11 19:51:25
- Status changed from In Progress to Fix committed
Applied in changeset commit:22b28db396a5e0f46579c3923be1671dd9e2a3bb.
#8 Updated by bertagaz 2018-03-14 11:04:14
- Status changed from Fix committed to Resolved
#9 Updated by intrigeri 2018-07-27 08:14:21
- Related to Bug #15732: Onion Circuits fails to start (permission denied error) added