Tails

#1 Updated by segfault 2018-07-16 11:45:02

• Assignee set to segfault
• Target version set to Tails_3.9

#2 Updated by sajolida 2018-07-18 14:11:56

• Parent task set to Feature #14480

I understand that this is a regression introduced by our work on VeraCrypt → parenting to Feature #14480.

#3 Updated by intrigeri 2018-07-27 08:14:20

• related to Bug #15370: Onion Circuits cannot be started in Tails 3.6~rc1 added

#5 Updated by intrigeri 2018-07-27 08:16:13

• Subject changed from onioncircuits fails to start (permission denied error) to Onion Circuits fails to start (permission denied error)
• Affected tool set to Onion Circuits
• Deliverable for set to 299

#7 Updated by segfault 2018-07-30 14:34:12

• Assignee changed from segfault to intrigeri
• QA Check set to Info Needed

I would like to have a decision on this soon (quoting from description):

> We could fix this either by allowing access to this non-default path in our AppArmor profiles, or remove the non-default path and move the veracrypt_mounter package to a default path instead (for example /usr/lib/python3 or /usr/local/lib/python3.5).

intrigeri: What do you think we should do?

#8 Updated by intrigeri 2018-08-01 03:17:47

• Assignee changed from intrigeri to segfault
• QA Check deleted (Info Needed)

segfault wrote:
> intrigeri: What do you think we should do?

First step is to look at what happened upstream and in Debian wrt. abstractions/python since the version that lacks what we need.

If our problem has been fixed there, then let’s backport the fix via config/chroot_local-patches/. Else, let’s contribute a fix upstream and backport it in the same way.

#9 Updated by intrigeri 2018-08-01 03:18:03

• Priority changed from Normal to Elevated

(That’s a regression.)

#10 Updated by segfault 2018-08-01 11:05:42

• Assignee changed from segfault to intrigeri
• QA Check set to Info Needed

intrigeri wrote:
> segfault wrote:
> > intrigeri: What do you think we should do?
>
> First step is to look at what happened upstream and in Debian wrt. abstractions/python since the version that lacks what we need.
>
> If our problem has been fixed there, then let’s backport the fix via config/chroot_local-patches/. Else, let’s contribute a fix upstream and backport it in the same way.

Our problem was not solved there. And I don’t know whether upstream wants to allow a non-default path in the AppArmor profile, but we could ask them. But I want to make clear that this is not a bug in upstream - we added a new path to the Python search path and AppArmor doesn’t allow access to this path.

So, are you sure I should create a ticket about this upstream? Should this be in AppArmor itself or Debian?

#11 Updated by intrigeri 2018-08-02 00:50:17

• Assignee changed from intrigeri to segfault
• QA Check changed from Info Needed to Dev Needed

> So, are you sure I should create a ticket about this upstream?

I’m sure it’s worth proposing it, yes.

> Should this be in AppArmor itself or Debian?

AppArmor upstream.

#13 Updated by segfault 2018-08-05 20:07:33

• Description updated
• QA Check deleted (Dev Needed)

I created a merge request: https://gitlab.com/apparmor/apparmor/merge_requests/160

#14 Updated by intrigeri 2018-08-09 10:28:29

• Priority changed from Elevated to High

(Blocks merging feature/14481-TCRYPT-support-beta into devel.)

#15 Updated by segfault 2018-08-12 20:53:51

• Assignee changed from segfault to intrigeri
• QA Check set to Ready for QA

I pushed a commit on the Feature #14481 feature branch.

#16 Updated by intrigeri 2018-08-13 08:25:01

• Assignee changed from intrigeri to segfault
• QA Check changed from Ready for QA to Info Needed

> I pushed a commit on the Feature #14481 feature branch.

I can’t see that, please check and tell me the commit ID.

#18 Updated by segfault 2018-08-13 08:44:04

• Assignee changed from segfault to intrigeri
• QA Check changed from Info Needed to Ready for QA

#19 Updated by intrigeri 2018-08-13 09:33:14

• Status changed from Confirmed to In Progress
• % Done changed from 0 to 60

Code review passes, will now test.

#20 Updated by intrigeri 2018-08-13 18:26:27

• Assignee changed from intrigeri to segfault
• QA Check changed from Ready for QA to Dev Needed

> Code review passes, will now test.

This does not work for me. Onion Circuits still fails to start and I see:

AVC apparmor="DENIED" operation="open" profile="/usr/bin/onioncircuits" name="/usr/local/lib/python3/dist-packages/" pid=7962 comm="onioncircuits" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Looks like we need at least a /usr/local/lib/python3/dist-packages r, rule (probably folded into an existing one). I strongly advise you to test that your proposed fix does solve the problem this ticket is about before sending a new MR upstream :)

#24 Updated by segfault 2018-08-15 13:41:24

• Description updated
• Assignee changed from segfault to intrigeri
• QA Check changed from Dev Needed to Ready for QA
• Feature Branch set to feature/14481-TCRYPT-support-beta

Fixed by 8e0dc99fa48261069a79ff7bf2337fd179d3c5e7 and created a new merge request upstream (https://gitlab.com/apparmor/apparmor/merge_requests/171).

#26 Updated by intrigeri 2018-08-15 18:11:37

• Status changed from In Progress to Resolved
• Assignee deleted (intrigeri)
• % Done changed from 60 to 100
• QA Check changed from Ready for QA to Pass

I confirm it’s fixed on the topic branch.