solve apparmor-profile-pidgin vs apparmor-profiles conflict
Closed, Resolved (Public)

Description

user@host:~$ sudo apt-get install apparmor-profiles apparmor-profile-pidgin
Reading package lists... Done
Building dependency tree
Reading state information... Done
apparmor-profiles is already the newest version.
The following NEW packages will be installed:
apparmor-profile-pidgin
0 upgraded, 1 newly installed, 0 to remove and 26 not upgraded.
10 not fully installed or removed.
Need to get 0 B/7,272 B of archives.
After this operation, 42.0 kB of additional disk space will be used.
Do you want to continue? [Y/n]
(Reading database ... 87205 files and directories currently installed.)
Preparing to unpack .../apparmor-profile-pidgin_3%3a1.2-1_all.deb ...
Unpacking apparmor-profile-pidgin (3:1.2-1) ...
dpkg: error processing archive /var/cache/apt/archives/apparmor-profile-pidgin_3%3a1.2-1_all.deb (--unpack):
trying to overwrite '/etc/apparmor.d/usr.bin.pidgin', which is also in package apparmor-profiles-extra 1.4
Errors were encountered while processing:
/var/cache/apt/archives/apparmor-profile-pidgin_3%3a1.2-1_all.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

Both apparmor-profiles-extra and apparmor-profile-pidgin ship the pidgin profile. That conflicts.

Especially problematic, because apparmor-profiles-whonix depends on apparmor-profile-pidgin.

Is the pidgin profile from apparmor-profiles-extra okay? Do we recommend installing it?

What do we do with the apparmor-profile-pidgin package? Deprecate it? Or solve that conflict by using config-package-dev displace (I can add this if useful)? (fixed)


There is an issue with some profiles from apparmor-profiles and apparmor-profiles-extra. They are not loaded because of conflicting x modifiers. The problem does not show in the host. Looking into it.

Details

Impact
High

Event Timeline

Patrick created this task. May 17 2015, 10:27 PM
Patrick raised the priority of this task from to Normal.
Patrick updated the task description.
Patrick added projects: AppArmor, Whonix 11, bug.
Patrick set Impact to High.
Patrick added a subscriber: Patrick.
troubadour added a comment. Edited May 18 2015, 10:02 PM

The pidgin profile from apparmor-profiles-extra is not okay in Whonix. See
https://www.whonix.org/forum/index.php/topic,97.msg6432.html#msg6432

On top of the kde messages, they include some Ubuntu abstractions that create some parsing errors in Whonix, preventing the profile from loading.
https://www.whonix.org/forum/index.php/topic,97.msg6343.html#msg6343

Retested the profile from apparmor-profiles-extra in Whonix 11, same issues.

There was another issue, when after an update, a bunch of denied messages popped, and we replaced the adapted Debian profile with the original from Whonix.
https://www.whonix.org/forum/index.php/topic,97.msg7707.html#msg7707

Retested the adapted Debian profile in Whonix 11, okay except for one new kde message that shows in the host too. Not a big problem. This is the one you merged in https://github.com/troubadoour/apparmor-profile-pidgin/commit/0b33fe34ef453f620e932d35eab1b2cb6937df6b

If we want to install apparmor-profiles-extra, we should probably use your magic (config-package-dev displace to replace the original profile with our modified one).

Patrick changed the task status from Open to Review. May 23 2015, 3:22 AM

solve apparmor-profile-pidgin package conflict with apparmor-profiles-extra by 'config-package-dev displace'ing /etc/apparmor.d/usr.bin.pidgin - https://phabricator.whonix.org/T314:
https://github.com/Whonix/apparmor-profile-pidgin/commit/aaa16a16de160cc8ef859d943d150ab1df080d68

Patrick closed this task as Resolved. May 24 2015, 5:16 PM

Fixed in Whonix 11.0.0.2.0-developers-only.

Running sudo apt-get install apparmor-profiles-whonix apparmor-profiles apparmor-profiles-extra succeeded. (Currently from developers repository that was upgraded as per 11.0.0.2.0-developers-only.)

Updated apparmor-profile-pidgin.

Because it's working in jessie, usr.bin.pidgin.anondist is reverted to the Debian profile. There is an addition, a denied message for /usr/share/aspell.
https://github.com/troubadoour/apparmor-profile-pidgin/commit/7dde08febaa2fe8310c2eb3e377a248d6783b54c

There is an issue with some profiles from apparmor-profiles and apparmor-profiles-extra. They are not loaded because of conflicting x modifiers. The problem does not show in the host. Looking into it.

troubadour reopened this task as Open. May 27 2015, 11:02 PM

Merged. And added to repository.

Patrick updated the task description. May 28 2015, 12:39 AM
Patrick renamed this task from apparmor-profile-pidgin package conflicts with apparmor-profiles-extra to apparmor, Whonix 11, conflicting x modifiers. May 28 2015, 11:06 PM
Patrick reassigned this task from Patrick to troubadour.

sudo aa-enforce /etc/apparmor.d/usr.bin.chromium-browser
Setting /etc/apparmor.d/usr.bin.chromium-browser to enforce mode.
Traceback (most recent call last):
  File "/usr/sbin/aa-enforce", line 30, in <module>
    tool.cmd_enforce()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 166, in cmd_enforce
    raise apparmor.AppArmorException(cmd_info[1])
apparmor.common.AppArmorException: 'profile has merged rule with conflicting x modifiers\nERROR processing regexs for profile sanitized_helper, failed to load\n'
Setting /etc/apparmor.d/usr.bin.evince to enforce mode.
Traceback (most recent call last):
  File "/usr/sbin/aa-enforce", line 30, in <module>
    tool.cmd_enforce()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 166, in cmd_enforce
    raise apparmor.AppArmorException(cmd_info[1])
apparmor.common.AppArmorException: 'profile has merged rule with conflicting x modifiers\nERROR processing regexs for profile sanitized_helper, failed to load\n'

The issue must be somewhere within these lines:
https://github.com/Whonix/apparmor-profile-anondist/blob/814ec01c4189ea0e897ba066ee3f914aa530f2ae/etc/apparmor.d/abstractions/base.anondist#L118-152

(Because when commenting those out, the profile can be loaded.)

troubadour added a comment. Edited Jun 8 2015, 10:38 PM

I missed that post. Thanks for the finding.

Another one. config-package-dev displace installs the .orig file in /etc/apparmor.d. So after installing apparmor-profiles-extra, the original Pidgin profile is parsed by AppArmor, and we end up with the same situation.

What error do you get? The install error?

Unpacking apparmor-profiles-extra (1.4) ...
dpkg: error processing archive /var/cache/apt/archives/apparmor-profiles-extra_1.4_all.deb (--unpack):
 trying to overwrite '/etc/apparmor.d/usr.bin.pidgin', which is also in package apparmor-profile-pidgin 3:1.2-1
Errors were encountered while processing:
 /var/cache/apt/archives/apparmor-profiles-extra_1.4_all.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

That's maybe because apparmor-profile-pidgin isn't updated in the Whonix jessie / developers repository. Still working on that (T342, T325).

Otherwise if somehow the .orig file is parsed, maybe instead of config-package-dev displace, I should have used config-package-dev hide. Then that file is moved out of the way.


Actually a different issue:
https://phabricator.whonix.org/T314#5122

I think this happens because /etc/apparmor.d/usr.bin.chromium-browser tries to grant rights to files located in /usr/share/ somewhere, while apparmor-profile-anondist /etc/apparmor.d/abstractions/base.anondist granted different rights.

It was not the install error, but the original file was parsed, provoking the conflicting x modifiers error.

The problem, along with the offending profiles (chromium-browser, evince) is solved in https://github.com/troubadoour/apparmor-profile-anondist/commit/fbf9542507b998751a4f727d7f90307c47ed831a

For executables, we have to give permissions to files individually, wildcards are not allowed, apparently. What is strange is that the Whonix profiles do not complain. Anyhow, I have been on and off on this for quite some time, and did not look at the obvious: base.anondist.

We can either remove the file displacement, or better I think, remove the Pidgin profile completely from Whonix, and users can install the one from apparmor-profiles-extra. They are similar, I was just removing some Ubuntu abstractions.

It was not the install error, but the original file was parsed, provoking the conflicting x modifiers error.

I see. So I suppose if one deleted the .orig file, the issue would be gone?

The problem, along with the offending profiles (chromium-browser, evince) is solved in https://github.com/troubadoour/apparmor-profile-anondist/commit/fbf9542507b998751a4f727d7f90307c47ed831a

Nice! Merged!

We can either remove the file displacement, or better I think, remove the Pidgin profile completely from Whonix, and users can install the one from apparmor-profiles-extra. They are similar, I was just removing some Ubuntu abstractions.

Yeah. If the upstream profile works with Whonix, by all means, let's remove it.

If you want, I'll empty the package. Remove the apparmor profile and add a config-package-dev undisplace to restore original state. (And keep the empty package, perhaps it will be reintroduced in not so far future.)

The upstream profile works with Whonix, and it's probably safer to keep the empty package.

Patrick renamed this task from apparmor, Whonix 11, conflicting x modifiers to solve apparmor-profile-pidgin vs apparmor-profiles conflict. Jun 15 2015, 6:59 AM
Patrick edited projects, added Whonix 12; removed Whonix 11.

Clearing config-package-dev is non-trivial. Postponing this to Whonix 12.

Patrick edited projects, added Whonix 13; removed Whonix 12. Sep 8 2015, 5:41 PM
Patrick changed the task status from Open to Review. Jan 21 2016, 9:48 PM

https://github.com/Whonix/apparmor-profile-pidgin/commit/af69e1447de8120e416c1d8af5dfa9944041c23d

TODO testing:

  1. Install old packages on test system:

sudo apt-get install apparmor-profile-pidgin apparmor-profiles apparmor-profiles-extra

  2. Upgrade with newer package version.
  3. Check that /etc/apparmor.d/usr.bin.pidgin is the only file that exists:

ls -la /etc/apparmor.d/usr.bin.pidgin*

Patrick closed this task as Resolved. Apr 28 2016, 3:55 AM

ls -la /etc/apparmor.d/usr.bin.pidgin*
-rw-r--r-- 1 root root 2155 Oct 19  2014 /etc/apparmor.d/usr.bin.pidgin.dpkg-new

Requires manual reinstallation of apparmor-profiles-extra.

sudo apt-get install --reinstall apparmor-profiles-extra