
AppArmor & FoxyProxy denied message
Closed, ResolvedPublic

Description

https://forums.whonix.org/t/apparmor-foxyproxy

FoxyProxy works fine with Tor Browser 7.0a2 hardened, but the AppArmor message appears as follows:

apparmor="DENIED" operation="open"
profile="/home/**/tor-browser*/Browser/firefox"
name="/run/user/1000/dconf/user" pid=XXXX comm="firefox"
requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000

Details

Impact
Normal

Event Timeline

Patrick created this task.Apr 27 2017, 8:05 PM
JasonJAyalaP closed this task as Resolved.
JasonJAyalaP claimed this task.

I'll talk with torjunkie in the forum. I'll close this ticket because it's not a whonix 14 blocker, and every AA fix can't have its own ticket

Patrick reopened this task as Open.Jun 28 2017, 12:34 AM

Probably hasn't solved itself. This bug report presupposes quite a lot of knowledge and isn't well described. Reproduction isn't obvious since it has two prerequisites. To explain what this is about and required for reproduction:

every AA fix can't have its own ticket

Why not? How else would we keep track of which ones are fixed?

JasonJAyalaP added a comment.EditedJun 29 2017, 12:00 AM

Probably hasn't solved itself.

You told him it wasn't a problem. But if you think it's worth it, alright.

Why not? How else would we keep track of which ones are fixed?

We have a "no unknown denied" policy with AA? Alright.

Patrick reopened this task as "Open".

And they're blockers? Fine with me.

To explain what this is about and required for reproduction

OK, I'm investigating.

I opened a ticket on the FoxyProxy system:

Hi. I'm debugging an AppArmor profile for the Tor Browser Bundle. A user noticed a denied message while using FoxyProxy. The file the browser wants to access was /run/user/1000/dconf/user. (/run/user/1000 is the user-specific tmp directory)

I'm trying to replicate it with the latest version of FP standard and TBB/firefox.

I noticed that the dconf folder and user file is created when FP is installed. I'm vaguely aware that dconf is a backend to GSettings (used to store settings, particularly for Gnome apps?). I'm guessing that FP uses this to store temporary values? I grepped the FP src for dconf/gsettings, but I'm unsure when exactly this file is read and written to. (I fiddled around with FP, but dconf/user is still empty).

Thanks for your time!

What do the other AA profiles do with the /run/user/1000? We give them access to 1000/APPNAME only?

Ahh. I see icedove has:

owner /run/user/[0-9]*/dconf/user rw

FP unfortunately uses dconf/user, which looks pretty generic and is shared by icedove, for example. I bet more apps use it. I don't see how these apps can have access to dconf/user (which I assume is necessary for their function) without the above line, therefore being able to see each other's tmp settings (while running)

owner /run/user/[0-9]*/dconf/user rw

If it works... Perhaps add it as comment.

Or does it work when denied?

JasonJAyalaP added a comment.EditedJun 29 2017, 2:19 AM

FP replied:

Sorry, but we have no idea what dconf/settings is. FoxyProxy does not read or write to such a file

Or does it work when denied?

FP is certainly creating it. Or maybe firefox when it interacts with certain plugin features?
I can't get latest FP on latest TB to actually use that file (and generate an error). I'm not sure what torjunkie does to trigger it.

I can't get latest FP on latest TB to actually use that file (and generate an error). I'm not sure what torjunkie does to trigger it.

Actually use foxyproxy?

Do you have a proxy I can configure it to use? Still waiting for him to reply.

A local proxy should do. Use any of these guides.

(any from this list)

I doubt the proxy has to be functional for this apparmor warning to pop up.

JasonJAyalaP added a comment.EditedJun 30 2017, 5:28 AM

Ahh I see. I can setup i2p/freenet/zeronet and use FP to go through that.

I got zeronet working and browsing around. Latest aa profiles, aa-notify -p, journalctl -f

No denied messages.

owner /run/user/[0-9]*/dconf/user rw

If it works... Perhaps add it as comment.

It would need to be added to tor browser aa profile. Are you willing to accept that? It seems some extensions save temporary info here and firefox creates it and uses it for them.

Or does it work when denied?

Torjunkie didn't say that FP stopped working. Or we can add the line to tor browser aa since sooner or later some extension will need access to it?

Actually use foxyproxy?
I doubt the proxy has to be functional for this apparmor warning to pop up.

The hell? Lol. I install FP, force a missing proxy, and get no message. You tell me to "actually use it" and set it up with i2p/freenet/zeronet/etc. Then you say it doesn't make a difference? Ha. No matter. I did both things and can't get the denied message.

Ahh I see. I can setup i2p/freenet/zeronet and use FP to go through that.

I got zeronet working and browsing around. Latest aa profiles, aa-notify -p, journalctl -f

No denied messages.

Great, so this can be closed until we hear back from anyone any instructions on how to reproduce this.

owner /run/user/[0-9]*/dconf/user rw

If it works... Perhaps add it as comment.

It would need to be added to tor browser aa profile. Are you willing to accept that? It seems some extensions save temporary info here and firefox creates it and uses it for them.

Why would I oppose a comment? A commented-out command. It does nothing. It only helps users who need this, who'd manually add it to the /etc/apparmor.d/local folder.

Or does it work when denied?

Torjunkie didn't say that FP stopped working. Or we can add the line to tor browser aa since sooner or later some extension will need access to it?

No.

Actually use foxyproxy?
I doubt the proxy has to be functional for this apparmor warning to pop up.

The hell? Lol. I install FP, force a missing proxy, and get no message. You tell me to "actually use it" and set it up with i2p/freenet/zeronet/etc. Then you say it doesn't make a difference? Ha. No matter. I did both things and can't get the denied message.

Well, I am using various degrees of uncertainty words.

JasonJAyalaP closed this task as Resolved.EditedJul 1 2017, 2:56 AM

Ok. I added the commented line to home.tor-browser.firefox

I also noted that /run/user isn't in abstractions/user-tmp, which is out of date (it only includes *tmp* directories and not the more modern /run/user. Oh well).

JasonJAyalaP reopened this task as Open.Jul 1 2017, 3:27 AM

I get the message after a reboot.

audit: type=1400 audit(1498871907.064:25): apparmor="DENIED" operation="mkdir" profile="/home/**/tor-browser*/Browser/firefox" name="/run/user/1000/dconf/" pid=6407 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 1 01:18:27 host kernel: [ 348.994506] audit: type=1400 audit(1498871907.076:26): apparmor="DENIED" operation="mkdir" profile="/home/**/tor-browser*/Browser/firefox" name="/run/user/1000/dconf/" pid=6407 comm=64636F6E6620776F726B6572 requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

debugging now

Ok, the line should be:

owner /run/user/[0-9]*/** rwkl,

(I don't see why we need the * after 0-9, since it's supposed to be the user id, but icedove has it. Dunno.)

Added:

https://github.com/Whonix/apparmor-profile-torbrowser/blob/master/etc/apparmor.d/home.tor-browser.firefox#L105

As far as I can tell, firefox doesn't normally use /run/user for its tmp directory (which would be more modern). However, with certain extensions, it wants to use dconf inside /run/user.

owner /run/user/[0-9]*/** rwkl,

really should be part of abstractions/user-tmp, but that file is very old.

I really think that "access to the temp folder" should be a basic AA allowance. In fact, it is right now with #include user-tmp. However, user-tmp is so old (I'm guessing) it doesn't have /run/user/[0-9]/**

It's added as comment to the firefox profile, and I think it should be uncommented. You decide Patrick.

But it should be a part of abstractions/user-tmp. Are you comfortable doing this, Patrick? Who do I need to talk to in order to discuss updating user-tmp?
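As an added check, not part of this task or of the Whonix profile: a Python script that parses DENIED lines of the kind quoted above (the hex-encoded comm in the second one decodes to "dconf worker") and tests whether a candidate profile rule would cover them. It assumes a simplified AppArmor glob (only `*`, `**` and `[...]`; no @{} variables or {a,b} alternation) and rules in the `owner /path perms,` form used in this task; the sample log lines are constructed.

```python
import re

# Constructed sample lines in the format of the denials quoted in this task;
# auditd hex-encodes a comm that contains a space, as in the second line.
SAMPLE_LOG = """\
audit: type=1400 audit(1498871907.064:25): apparmor="DENIED" operation="mkdir" profile="/home/**/tor-browser*/Browser/firefox" name="/run/user/1000/dconf/" pid=6407 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1498871907.076:26): apparmor="DENIED" operation="mkdir" profile="/home/**/tor-browser*/Browser/firefox" name="/run/user/1000/dconf/" pid=6407 comm=64636F6E6620776F726B6572 requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1498871950.000:27): apparmor="DENIED" operation="open" profile="/home/**/tor-browser*/Browser/firefox" name="/run/user/1000/dconf/user" pid=6407 comm="firefox" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
"""

def parse_denial(line):
    """Split an audit line into key=value fields, decoding a hex-encoded comm."""
    fields = {}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        if key == "comm" and not val.startswith('"'):
            val = bytes.fromhex(val).decode("utf-8", "replace")
        fields[key] = val.strip('"')
    return fields

def glob_to_regex(glob):
    """Simplified AppArmor globbing: ** matches anything, * anything but '/',
    [...] is a character class; @{VAR} and {a,b} are not handled (assumption)."""
    parts = re.split(r"(\*\*|\*|\[[^\]]*\])", glob)
    rx = "".join(".*" if p == "**" else "[^/]*" if p == "*"
                 else p if p.startswith("[") else re.escape(p) for p in parts)
    return re.compile("^" + rx + "$")

def parse_rule(rule):
    """Parse a file rule of the form 'owner /path/glob perms,'."""
    m = re.match(r"^\s*(owner\s+)?(\S+)\s+([a-zA-Z]+)\s*,?\s*$", rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    return {"owner": bool(m.group(1)), "path": glob_to_regex(m.group(2)), "perms": m.group(3)}

def mask_allowed(requested, perms):
    # c, d and a in a log mask (create, delete, append) are all implied by a rule's w
    return all(ch in perms or (ch in "cda" and "w" in perms) for ch in requested)

def rule_covers(rule, d):
    owner_ok = not rule["owner"] or d.get("fsuid") == d.get("ouid")
    return owner_ok and bool(rule["path"].match(d["name"])) and mask_allowed(d["requested_mask"], rule["perms"])

def uncovered(log_text, rule_text):
    """(operation, name, comm) of every DENIED line the rule would still not allow."""
    rule = parse_rule(rule_text)
    denials = [parse_denial(l) for l in log_text.splitlines() if 'apparmor="DENIED"' in l]
    return [(d["operation"], d["name"], d["comm"]) for d in denials if not rule_covers(rule, d)]

if __name__ == "__main__":
    print(uncovered(SAMPLE_LOG, "owner /run/user/[0-9]*/dconf/user rw,"))
```

Against the two rules discussed in this task, the dconf/user rule leaves both mkdir denials of /run/user/1000/dconf/ uncovered while the `**` rule covers all three lines. Note that `[0-9]` matches a single character, so without the trailing `*` the rule would only match uids 0 to 9.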

JasonJAyalaP (Jason J. Ayala P.):

But it should be a part of abstractions/user-tmp. Are you comfortable doing this, Patrick?

No.

Who do I need to talk to in order to discuss updating user-tmp?

dpkg -S /full/path/to/file/name

Please contact the maintainer of that package on their public bug tracker.

Reported bug to AppArmor:
https://bugs.launchpad.net/apparmor/+bug/1702360

I will also add to the FP template information about uncommenting the # /run/user line.

@Patrick
the FP template says "Tor Browser will soon ship with sandboxing on an opt-in basis." Wasn't this rejected?

JasonJAyalaP closed this task as Resolved.Jul 4 2017, 11:28 PM

JasonJAyalaP (Jason J. Ayala P.):

the FP template says "Tor Browser will soon ship with sandboxing on an opt-in basis." Wasn't this rejected?

Not that I know.

JasonJAyalaP (Jason J. Ayala P.):


@Patrick 
the FP template says "Tor Browser will soon ship with sandboxing on an opt-in basis." Wasn't this rejected?

The problem is that sandboxing isn't a hyperlink. Please make it one.
It's not referring to apparmor. It's referring to:

https://www.whonix.org/wiki/Tor_Browser/Advanced_Users#Sandboxed_Tor_Browser

After FoxyProxy is installed, you may see an AppArmor warning you about the denied creation of dconf/user. The current Debian profile for Firefox does not yet include the modern temporary file location /run/user.

Please add a footnote with the link to the bug report. Otherwise it's
really hard to substantiate that claim in a year from now.

JasonJAyalaP added a comment.EditedJul 6 2017, 6:09 PM

According to their wiki that you linked to: "Active development is on indefinite hiatus." Do you still want FP to talk about and link to that?

Thanks for updating me! No, then this needs to be removed. And the sandboxed tor browser chapter moved to https://www.whonix.org/wiki/Deprecated.