
Fix AppArmor support when using the bundled Tor #234

Merged

Conversation

intrigeri
Collaborator

Without these changes, torbrowser-launcher 0.2.4 is unusable with AppArmor enabled on current Debian unstable: the bundled Tor fails to start. Note that these changes are only needed when using the bundled Tor, as opposed to the system-wide Tor daemon; that's why I didn't experience this problem earlier personally.

I guess this will fix #230.

I suspect that the sole reason why this was not diagnosed again is that those of us who use AppArmor with torbrowser-launcher point it to the system's Tor daemon.

It needs to know what LD_LIBRARY_PATH was set to, otherwise it won't be able to load its bundled libraries, and then all kinds of problems can arise, such as not finding needed symbols in the version of these libraries installed system-wide.

In practice, due to Secure Execution I have seen Tor fail to start due to evutil_secure_rng_set_urandom_device_file not being found on a current Debian unstable system.
micahflee merged commit a7c32c5 into torproject:master on Jun 23, 2016
@nbraud
Contributor

nbraud commented Jun 27, 2016

@intrigeri Seems not to be sufficient: on the latest packaged version of torbrowser-launcher, using the AppArmor profile from git, tor fails to start.

Here are the policy violations, obtained by running journalctl -b -f | grep DENIED:

Jun 28 00:43:11 harbard audit[10735]: AVC apparmor="DENIED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/run/udev/data/c226:0" pid=10735 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 28 00:43:11 harbard audit[10733]: AVC apparmor="DENIED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq" pid=10733 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 28 00:43:11 harbard audit[10733]: AVC apparmor="DENIED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/sys/devices/system/cpu/cpu0/cache/index2/size" pid=10733 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 28 00:43:13 harbard audit[10733]: AVC apparmor="DENIED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/run/connman/resolv.conf" pid=10733 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Interestingly, /run/connman/resolv.conf is discovered despite access to /etc/resolv.conf being (silently) denied.

Never mind the entire message, I was being sleep-addled.
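The four DENIED lines quoted above are the raw material a profile maintainer triages before touching the policy. As an added example (not code from this thread or from torbrowser-launcher), a small Python script that parses those journal lines, groups the denied paths per confined profile, and prints the permissive rule each one would need, the same shape aa-logprof would propose, so the reviewer can decide which belong in the profile and which should stay denied:

```python
import re
from collections import defaultdict

# Constructed sample: the four audit lines quoted in the comment above, verbatim.
SAMPLE_LOG = """\
Jun 28 00:43:11 harbard audit[10735]: AVC apparmor="DENIED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/run/udev/data/c226:0" pid=10735 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 28 00:43:11 harbard audit[10733]: AVC apparmor="DENIED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq" pid=10733 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 28 00:43:11 harbard audit[10733]: AVC apparmor="DENIED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/sys/devices/system/cpu/cpu0/cache/index2/size" pid=10733 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 28 00:43:13 harbard audit[10733]: AVC apparmor="DENIED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/run/connman/resolv.conf" pid=10733 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value tokens; values are either "quoted" (may contain spaces, globs, braces)
# or a bare word such as pid=10733.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc_line(line):
    """Return the key=value fields of one AppArmor DENIED audit line, else None.

    Only enforce-mode denials are handled; complain-mode lines say ALLOWED."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line.split("AVC", 1)[1]):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def suggest_rule(fields):
    """The file rule that would permit this exact denial (for human review only)."""
    return f'{fields["name"]} {fields["denied_mask"]},'


def summarize(log_text):
    """Map each confined profile to {denied path: denied mask}."""
    by_profile = defaultdict(dict)
    for line in log_text.splitlines():
        f = parse_avc_line(line)
        if f is None or "name" not in f:
            continue  # not a file-access denial (e.g. a signal or capability)
        by_profile[f["profile"]][f["name"]] = f["denied_mask"]
    return dict(by_profile)


if __name__ == "__main__":
    for profile, paths in summarize(SAMPLE_LOG).items():
        print(f"profile {profile}")
        for path, mask in sorted(paths.items()):
            print(f"  {path} {mask},")
```

Pipe real output of `journalctl -b -f | grep DENIED` into `summarize` instead of SAMPLE_LOG to triage a live system; note that the resolv.conf denial shows why a read of an unexpected path can still succeed when an abstraction grants it elsewhere.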

@nbraud
Contributor

nbraud commented Jun 27, 2016

@intrigeri Confirmed that this solves the install/running issues for the current, stable Tor Browser.
I was unable to test updating yet.

@nbraud
Contributor

nbraud commented Jun 27, 2016

@intrigeri Confirmed that updating works, by decompressing v6.0.1 in ~/.local/share/torbrowser and upgrading to 6.0.2 through the usual Tor Browser self-upgrade.

@micahflee Could you tag a release so that this gets into Debian?
This is a pretty important fix.
