
Qubes-Whonix obfsproxy AppArmor issue
Closed, ResolvedPublic

Description

Found in Qubes-Whonix 11. (Other versions untested.)

user@host:~$ obfsproxy -h
Traceback (most recent call last):
  File "/usr/bin/obfsproxy", line 5, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2876, in <module>
    working_set = WorkingSet._build_master()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 440, in _build_master
    ws = cls()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 433, in __init__
    self.add_entry(entry)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 489, in add_entry
    for dist in find_distributions(entry, True):
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 1902, in find_on_path
    for entry in os.listdir(path_item):
OSError: [Errno 13] Permission denied: '/rw/usrlocal/lib/python2.7/dist-packages'
audit: type=1400 audit(1439566453.497:15): apparmor="DENIED" operation="open" profile="/usr/bin/obfsproxy" name="/rw/usrlocal/lib/python2.7/dist-packages/" pid=4078 comm="obfsproxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I have no idea why obfsproxy or some lib it is using tries to access /usr/local.

In Qubes, /usr/local is a symlink to /rw/usrlocal.

Details

Impact
Normal

Event Timeline

Patrick created this task. Aug 14 2015, 6:33 PM
Patrick raised the priority of this task from to Normal.
Patrick updated the task description.
Patrick set Impact to Normal.
Patrick added subscribers: Patrick, troubadour, nrgaway, marmarek.
Patrick added a comment. Edited Aug 14 2015, 6:49 PM

Related:

A real fix would require having an AppArmor option to follow symlinks.

Workaround...
fixed obfsproxy AppArmor issue "OSError: [Errno 13] Permission denied: '/rw/usrlocal/lib/python2.7/dist-packages'" - https://phabricator.whonix.org/T396:
https://github.com/Whonix/apparmor-profile-anondist/commit/d8a5faec3a71a52b5dab79e092dcbaeeb99c6f7d

AppArmor upstream feature request - symlink support:
https://bugs.launchpad.net/apparmor/+bug/1485055

Patrick closed this task as Resolved. Aug 14 2015, 6:56 PM
Patrick claimed this task.
In T396#6413, @Patrick wrote:

AppArmor upstream feature request - symlink support:
https://bugs.launchpad.net/apparmor/+bug/1485055

Got Won't Fix.

Seth Arnold:

This is not a design choice that can be revisited; this is a consequence of the kernel internal implementation. Sorry.

Got another answer.

Christian Boltz (cboltz):

You can use alias rules for directory symlinks - add them to /etc/apparmor.d/tunables/alias. This avoids the need to modify all profiles.
For example, my /tmp/ is a symlink to /home/sys-tmp/, and the alias rule for it is

alias /tmp/ -> /home/sys-tmp/,

Another possible solution is using mount --bind instead of symlinks.

Patrick reopened this task as Open. Aug 15 2015, 8:41 PM

Actually, that's a much better solution.

/etc/apparmor.d/tunables/home.d/qubes-whonix:

alias /usr/local -> /rw/usrlocal/,

Tested. Works. Will revert the above commit (T396#6412) and use this solution instead. Does /etc/apparmor.d/tunables/home.d/qubes-whonix fit better into the qubes-whonix or the apparmor-profile-anondist package? @troubadour

Also suggested to Qubes to fix this at a higher level... (But in the meantime we need the quicker fix above.)
Qubes /usr/local symlink /rw/usrlocal AppArmor issue:
https://github.com/QubesOS/qubes-issues/issues/1122
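An added example, not from this task nor from the Whonix or Qubes repositories: the Python script below parses the DENIED audit record from the task description and replays it against a small hypothetical stand-in for the obfsproxy profile, first as written (rules under /usr/local only) and then with the alias rule above applied. The alias handling is a simplified model of what the parser does (rules under the alias source are duplicated under the target), the glob matcher only understands `*`, `**` and `?`, and the profile rules together with the names `OBFSPROXY_RULES`, `ALIASES`, `parse_audit_line`, `apply_aliases` and `explain_denial` are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the denial from the task description (fields copied from it).
AUDIT_LINE = (
    'audit: type=1400 audit(1439566453.497:15): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/obfsproxy" name="/rw/usrlocal/lib/python2.7/dist-packages/" '
    'pid=4078 comm="obfsproxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
)

# Hypothetical, minimal stand-in for the obfsproxy profile (not the real one):
# it only knows the symlink location /usr/local, never the real dir /rw/usrlocal.
OBFSPROXY_RULES: List[Tuple[str, str]] = [
    ("/usr/bin/obfsproxy", "r"),
    ("/usr/lib/python2.7/**", "r"),
    ("/usr/local/lib/python2.7/**", "r"),
]

# The alias from the tunables file in the comment above, as (source, target).
ALIASES: List[Tuple[str, str]] = [("/usr/local", "/rw/usrlocal/")]


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split an AppArmor audit record into key/value fields (quoted or bare)."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[key] = quoted if quoted else bare
    return fields


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile an AppArmor-style path glob: '*' stops at '/', '**' does not.
    Brace alternation and character classes are not modelled here (assumption)."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
            continue
        ch = pattern[i]
        out += "[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch)
        i += 1
    return re.compile("^" + out + "$")


def apply_aliases(rules, aliases):
    """Simplified model of `alias /src -> /dst,`: every rule whose path starts
    with /src is duplicated with the /dst prefix, so the path the kernel
    actually resolved is covered as well."""
    expanded = list(rules)
    for src, dst in aliases:
        src, dst = src.rstrip("/"), dst.rstrip("/")
        for path, perms in rules:
            if path == src or path.startswith(src + "/"):
                expanded.append((dst + path[len(src):], perms))
    return expanded


def access_allowed(rules, path: str, mask: str) -> bool:
    """True if some rule's glob matches the (already resolved) path and grants
    every permission letter in the mask."""
    return any(
        all(p in perms for p in mask) and glob_to_regex(glob).match(path) is not None
        for glob, perms in rules
    )


def explain_denial(audit_line: str, rules, aliases) -> Dict[str, object]:
    """Replay a DENIED record against a profile with and without alias rules."""
    f = parse_audit_line(audit_line)
    path, mask = f["name"], f["denied_mask"]
    return {
        "profile": f["profile"],
        "path": path,
        "mask": mask,
        "allowed_without_alias": access_allowed(rules, path, mask),
        "allowed_with_alias": access_allowed(apply_aliases(rules, aliases), path, mask),
    }


if __name__ == "__main__":
    for key, value in explain_denial(AUDIT_LINE, OBFSPROXY_RULES, ALIASES).items():
        print(f"{key}: {value}")
```

The replay shows why the profile never had a chance as written: the audit record names /rw/usrlocal/..., the path the kernel resolved, even though obfsproxy only ever asked for /usr/local/..., so a rule for /usr/local/** cannot match it. With the alias applied the same rule also covers the resolved prefix, which is exactly what the tunables file does without touching every profile.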

Patrick closed this task as Resolved. Aug 19 2015, 7:45 PM

Reverted:
https://github.com/Whonix/apparmor-profile-anondist/commit/da380cfe87c53aab16c9c4a60ccb396752a5b3c6

fixed obfsproxy AppArmor issue "OSError: [Errno 13] Permission denied: '/rw/usrlocal/lib/python2.7/dist-packages'" using superior /etc/apparmor.d/tunables/home.d/qubes-whonix-anondist solution - https://phabricator.whonix.org/T396:
https://github.com/Whonix/apparmor-profile-anondist/commit/8785d3124c75dc39c6da2f1753e19b02d625a987