Bug#803171: torbrowser-launcher: AppArmor profiles broken with latest Tor Browser

Tue, 27 Oct 2015 09:40:06 -0700 

Package: torbrowser-launcher
Version: 0.2.0-2
Severity: normal

Dear Maintainer,

   * What led up to the situation?

I installed torbrowser-launcher, on an uptodate sid installation with
apparmor enabled.

I switched the included profiles to enforce mode with:

$ sudo aa-enforce usr.bin.torbrowser-launcher
Setting /etc/apparmor.d/usr.bin.torbrowser-launcher to enforce mode.
$ sudo aa-enforce torbrowser.start-tor-browser
Setting /etc/apparmor.d/torbrowser.start-tor-browser to enforce mode.
$ sudo aa-enforce torbrowser.Browser.firefox
Setting /etc/apparmor.d/torbrowser.Browser.firefox to enforce mode.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

I tried to start torbrowser-launcher.

   * What was the outcome of this action?

$ torbrowser-launcher
Tor Browser Launcher
By Micah Lee, licensed under MIT
version 0.2.0
https://github.com/micahflee/torbrowser-launcher
Checked for update within 24 hours, skipping
Latest version of TBB is installed, launching
Traceback (most recent call last):
  File "/usr/bin/torbrowser-launcher", line 30, in <module>
    torbrowser_launcher.main()
  File "/usr/lib/python2.7/dist-packages/torbrowser_launcher/__init__.py", line 
69, in main
    app = Launcher(common, url_list)
  File "/usr/lib/python2.7/dist-packages/torbrowser_launcher/launcher.py", line 
117, in __init__
    self.start_launcher()
  File "/usr/lib/python2.7/dist-packages/torbrowser_launcher/launcher.py", line 
151, in start_launcher
    self.run(False)
  File "/usr/lib/python2.7/dist-packages/torbrowser_launcher/launcher.py", line 
634, in run
    subprocess.call([self.common.paths['tbb']['start']], 
cwd=self.common.paths['tbb']['dir_tbb'])
  File "/usr/lib/python2.7/subprocess.py", line 522, in call
    return Popen(*popenargs, **kwargs).wait()
  File "/usr/lib/python2.7/subprocess.py", line 710, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1335, in _execute_child
    raise child_exception
OSError: [Errno 13] Permission non accordée

   * What outcome did you expect instead?

I expect Tor Browser to start

   * Proposed solution

Adding the following in apparmor.d/local/ solved the problem for me.
These might need to be added to the profile shipped in the Debian
package.

$ cat apparmor.d/local/torbrowser.start-tor-browser
# Site-specific additions and overrides for torbrowser.start-tor-browser.
# For more details, please see /etc/apparmor.d/local/README.
/sbin/ldconfig ix,
/usr/bin/gcc-5 ix,
/usr/bin/env r,
/bin/bash ix,

$ cat apparmor.d/local/usr.bin.torbrowser-launcher
# Site-specific additions and overrides for usr.bin.torbrowser-launcher.
# For more details, please see /etc/apparmor.d/local/README.

/sbin/ldconfig rix,
/sbin/ldconfig.real rix,
/usr/bin/gcc-5 rix,
/bin/sed rix,
/usr/bin/tail ix,

@{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/,}start-tor-browser.desktop
 rix,
@{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/execdesktop
 ix,

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (900, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages torbrowser-launcher depends on:
ii  gnupg            1.4.19-6
ii  python           2.7.9-1
ii  python-gtk2      2.24.0-4
ii  python-lzma      0.5.3-3
ii  python-parsley   1.2-1
ii  python-psutil    2.2.1-3+b1
ii  python-twisted   15.2.1-1
ii  python-txsocksx  1.15.0.2-1
ii  tor              0.2.7.4-rc-1
ii  wmctrl           1.07-7

torbrowser-launcher recommends no packages.

Versions of packages torbrowser-launcher suggests:
ii  apparmor       2.10-2+b1
pn  python-pygame  <none>

-- Configuration Files:
/etc/apparmor.d/torbrowser.start-tor-browser changed:
$ diff -Naur deb/etc/apparmor.d/torbrowser.start-tor-browser 
/etc/apparmor.d/torbrowser.start-tor-browser
--- deb/etc/apparmor.d/torbrowser.start-tor-browser     2015-08-12 
12:35:34.000000000 +0200
+++ /etc/apparmor.d/torbrowser.start-tor-browser        2015-10-26 
14:58:35.692329726 +0100
@@ -1,6 +1,6 @@
 #include <tunables/global>

-/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/,}start-tor-browser
 flags=(complain) {
+/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/,}start-tor-browser
 {
   #include <abstractions/base>
   #include <abstractions/bash>
   #include <abstractions/fonts>

/etc/apparmor.d/usr.bin.torbrowser-launcher changed:
$ diff -Naur deb/etc/apparmor.d/usr.bin.torbrowser-launcher 
/etc/apparmor.d/usr.bin.torbrowser-launcher
--- etc/apparmor.d/usr.bin.torbrowser-launcher  2015-08-12 12:35:33.000000000 
+0200
+++ /etc/apparmor.d/usr.bin.torbrowser-launcher 2015-10-26 15:54:02.001050005 
+0100
@@ -1,7 +1,7 @@
 # Last Modified: Thu Jan  2 15:12:38 2014
 #include <tunables/global>

-/usr/bin/torbrowser-launcher flags=(complain) {
+/usr/bin/torbrowser-launcher {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/python>

-- no debconf information

Reply via email to