
Qubes-Whonix obfsproxy AppArmor issue
Closed, ResolvedPublic


Found in Qubes-Whonix 11. (Other versions untested.)

user@host:~$ obfsproxy -h
Traceback (most recent call last):
  File "/usr/bin/obfsproxy", line 5, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/dist-packages/", line 2876, in <module>
    working_set = WorkingSet._build_master()
  File "/usr/lib/python2.7/dist-packages/", line 440, in _build_master
    ws = cls()
  File "/usr/lib/python2.7/dist-packages/", line 433, in __init__
  File "/usr/lib/python2.7/dist-packages/", line 489, in add_entry
    for dist in find_distributions(entry, True):
  File "/usr/lib/python2.7/dist-packages/", line 1902, in find_on_path
    for entry in os.listdir(path_item):
OSError: [Errno 13] Permission denied: '/rw/usrlocal/lib/python2.7/dist-packages'
audit: type=1400 audit(1439566453.497:15): apparmor="DENIED" operation="open" profile="/usr/bin/obfsproxy" name="/rw/usrlocal/lib/python2.7/dist-packages/" pid=4078 comm="obfsproxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I have no idea why obfsproxy or some lib it is using tries to access /usr/local.

In Qubes, /usr/local is a symlink to /rw/usrlocal.



Event Timeline

Patrick raised the priority of this task from to Normal.
Patrick updated the task description. (Show Details)
Patrick set Impact to Normal.
Patrick added subscribers: Patrick, troubadour, nrgaway, marmarek.


A real fix would require having an AppArmor option to follow symlinks.

fixed obfsproxy AppArmor issue "OSError: [Errno 13] Permission denied: '/rw/usrlocal/lib/python2.7/dist-packages'" -

Patrick claimed this task.
In T396#6413, @Patrick wrote:

AppArmor upstream feature request - symlink support:

Got Won't Fix.

Seth Arnold:

This is not a design choice that can be revisited; this is a consequence of the kernel internal implementation. Sorry.

Got another answer.

Christian Boltz (cboltz):

You can use alias rules for directory symlinks - add them to /etc/apparmor.d/tunables/alias. This avoids the need to modify all profiles.

For example, my /tmp/ is a symlink to /home/sys-tmp/, and the alias rule for it is

alias /tmp/ -> /home/sys-tmp/,

Another possible solution is using mount --bind instead of symlinks.

Actually, that's a much better solution.


alias /usr/local -> /rw/usrlocal/,

Tested. Works. Will revert the above commit (T396#6412). And use this solution instead. Does /etc/apparmor.d/tunables/home.d/qubes-whonix fit better into the qubes-whonix or the apparmor-profile-anondist package? @troubadour

Also suggested to Qubes to fix this at a higher level... (But in the meantime we need the quicker fix above.)
Qubes /usr/local symlink /rw/usrlocal AppArmor issue:
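An added diagnostic script, not code from this task or from the Whonix or Qubes projects: it parses an AppArmor DENIED audit record like the one in the description, checks whether the denied name lies under the target of a known directory symlink, and emits the alias rule in the form cboltz describes. AppArmor mediates the pathname as the kernel resolved it, which is why the denial names /rw/usrlocal although the profile author thinks in terms of /usr/local. The function names and the constructed sample record are assumptions of this example; the alias line uses the trailing-slash form of the /tmp/ example above, and discover_dir_symlinks() reads the real filesystem when run on a Qubes VM.

```python
import os
import re

# Parses the key="value" / key=value fields of an AppArmor audit record.
_FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_audit_record(line):
    """Return the fields of one AppArmor audit line as a dict of strings."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        if m.group(1) is not None:
            fields[m.group(1)] = m.group(2)
        else:
            fields[m.group(3)] = m.group(4)
    return fields


def discover_dir_symlinks(paths):
    """Map each path that is a symlink to a directory onto its resolved target.

    On Qubes this yields {"/usr/local": "/rw/usrlocal"}.
    """
    mapping = {}
    for p in paths:
        if os.path.islink(p) and os.path.isdir(p):
            mapping[p] = os.path.realpath(p)
    return mapping


def alias_rule(link, target):
    """Alias rule as written in /etc/apparmor.d/tunables/alias (trailing slash on both sides)."""
    return "alias %s/ -> %s/," % (link.rstrip("/"), target.rstrip("/"))


def diagnose_denial(line, symlinks):
    """Explain a DENIED record whose `name` lies under a known symlink target.

    Returns None when the record is not a denial or involves no known symlink;
    otherwise a dict with the denied (resolved) path, the path the profile
    author would have written, and the alias rule that makes both match.
    """
    f = parse_audit_record(line)
    if f.get("apparmor") != "DENIED" or "name" not in f:
        return None
    denied = f["name"]
    for link, target in symlinks.items():
        prefix = target.rstrip("/") + "/"
        if denied.startswith(prefix):
            expected = link.rstrip("/") + "/" + denied[len(prefix):]
            return {
                "profile": f.get("profile"),
                "denied_path": denied,
                "profile_path": expected,
                "alias_rule": alias_rule(link, target),
            }
    return None


# Constructed sample input: the denial from the task description and the
# Qubes symlink that causes it (/usr/local -> /rw/usrlocal).
SAMPLE_DENIAL = ('audit: type=1400 audit(1439566453.497:15): apparmor="DENIED" '
                 'operation="open" profile="/usr/bin/obfsproxy" '
                 'name="/rw/usrlocal/lib/python2.7/dist-packages/" pid=4078 '
                 'comm="obfsproxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0')
QUBES_SYMLINKS = {"/usr/local": "/rw/usrlocal"}

if __name__ == "__main__":
    # Use the real symlink map when run on a Qubes VM, else the constructed one.
    links = discover_dir_symlinks(["/usr/local"]) or QUBES_SYMLINKS
    print(diagnose_denial(SAMPLE_DENIAL, links))
```

Feed it the `audit:` lines from dmesg or the audit log; any denial whose name sits under a symlink target is reported together with the path the profile expected and the alias to add, while denials unrelated to symlinks return None and still need a real profile change.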


fixed obfsproxy AppArmor issue "OSError: [Errno 13] Permission denied: '/rw/usrlocal/lib/python2.7/dist-packages'" using superior /etc/apparmor.d/tunables/home.d/qubes-whonix-anondist solution -