Feature #12170

Upstream OnionCircuits AppArmor profile

Added by intrigeri over 2 years ago. Updated 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
01/24/2017
Due date:
% Done:

100%

Feature Branch:
bugfix/12170-drop-obsolete-onioncircuits-AppArmor-profile, https://salsa.debian.org/tails-team/tails/merge_requests/17
Type of work:
Code
Blueprint:
Starter:
Affected tool:
Onion Circuits

Description

In Tails 2.10, anonym introduced an AppArmor profile for OnionCircuits. That's great! Now, IMO our commitment to upstreaming our stuff implies we should have this profile included in the upstream Git repo, and installed by the Debian package.


Related issues

Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed 03/22/2019

Associated revisions

Revision 45501805 (diff)
Added by intrigeri 3 months ago

Remove obsolete usr.bin.onioncircuits AppArmor profile (refs: #12170)

All Tails current branches now install onioncircuits 0.6-0.0tails1,
which ships a more current AppArmor profile than the one we
have in our own Git tree.

Revision e5c7754a
Added by intrigeri 3 months ago

Merge branch 'bugfix/12170-drop-obsolete-onioncircuits-AppArmor-profile' into stable

Fix-committed: #12170

History

#1 Updated by intrigeri over 2 years ago

Any reason I've missed why we should not, or cannot, do that?

#2 Updated by anonym over 2 years ago

  • Assignee changed from anonym to u

You'll find it in config/chroot_local-includes/etc/apparmor.d/usr.bin.onioncircuits. Thanks so much for taking over this from me! :))))))

#3 Updated by u over 2 years ago

I made a commit upstream and to the packaging.

Now I'll need to see if Sascha wants to prepare the new package or if I should do it, and once it's in Debian, we can remove the profile from our own repository.

#4 Updated by intrigeri over 2 years ago

I made a commit upstream and to the packaging.

Now I'll need to see if Sascha wants to prepare the new package or if I should do it, and once it's in Debian, we can remove the profile from our own repository.

Yeah! :)

#5 Updated by u over 2 years ago

  • Status changed from Confirmed to Resolved

Sascha integrated this, so I'm considering this as done.

#6 Updated by intrigeri about 2 years ago

  • Status changed from Resolved to In Progress
  • Target version changed from Tails_2.12 to Tails_3.2
  • % Done changed from 0 to 10

u wrote:

Sascha integrated this, so I'm considering this as done.

... and since then anonym updated the profile in tails.git (ad0d64919f54260b3cc8d19252f97345091fcafd) but nobody copied the change to OnionCircuits' repo. I've just done this.

IMO we should keep this ticket open as long as we replace the upstream profile with our own one, so next steps are:

  1. publish a new upstream release with the last AppArmor profile changes & fixes
  2. upload to sid
  3. install OnionCircuits from testing or sid instead of from our own repo (until a proper backport is needed)

Sascha, can you please do the first two steps and then reassign to me? Thanks!

Additionally, I've pushed some fixes because the profile that was upstreamed breaks OnionCircuits on my sid (https://bugs.debian.org/865843).

#7 Updated by intrigeri about 2 years ago

  • Assignee changed from u to sst

#8 Updated by sst about 2 years ago

Hi intrigeri, thanks for the feedback and sorry for the delay in answering.
I would be happy to upload a new version but I'm not sure I can tag new releases in the upstream repo on git-tails.immerda.ch -- in fact, I also never have before. That being said, I wouldn't mind uploading an onioncircuits-0.4+git20170625.0.ce92de8-1 but I agree it would be nicer doing this for a real upstream release. Do we want to ping Alan?

#9 Updated by intrigeri about 2 years ago

Hi Sascha!

I would be happy to upload a new version but I'm not sure I can tag new releases in the upstream repo on git-tails.immerda.ch -- in fact, I also never have before.

Indeed, I've verified you don't have write access to the upstream repo.

That being said, I wouldn't mind uploading an onioncircuits-0.4+git20170625.0.ce92de8-1

Let's avoid doing this and instead ensure we can put out new upstream releases when needed.

but I agree it would be nicer doing this for a real upstream release. Do we want to ping Alan?

Indeed, the current theory is that Alan is the upstream maintainer. But he wrote:

I'm happy to participate to maintain Onion Circuits. However, I can't
promise to be responsive within a few weeks sometimes (and I don't even
speak about a few days...) so if people want more responsiveness and
have time to participate on the maintenance, I would love them joining!

So I see three options:

  • ask Alan to release 0.4.1 and wait until it happens (possibly 3-8 weeks)
  • you prepare the release in your own repo, then I review and merge it into the official repo
  • I release 0.4.1 myself

Regarding timing, as far as Tails is concerned we're in no hurry: we just need the updated package to be in Debian by mid-September. But I'm not a big fan of leaving OnionCircuits broken in Debian (for AppArmor users) for too long, so I suggest you ask Alan, and if he doesn't release 0.4.1 within 2 weeks, then either you or I prepare the new release. OK?

#10 Updated by sst about 2 years ago

Hi intrigeri,

[...]

I suggest you ask Alan, and if he doesn't release 0.4.1 within 2 weeks, then either you or I prepare the new release. OK?

That sounds like a plan. I'll send an email ASAP.

Cheers
Sascha

#11 Updated by anonym almost 2 years ago

  • Target version changed from Tails_3.2 to Tails_3.3

#12 Updated by anonym over 1 year ago

  • Target version changed from Tails_3.3 to Tails_3.5

#13 Updated by u over 1 year ago

The bug report (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865843) says that onioncircuits 0.5-1 has the relevant commits (made by intrigeri).

However, when I compare upstream/master (called tails/ in my example) and packaging/master, I get a difference. sst: could you please clarify this difference:


git diff tails/master..master -- apparmor/usr.bin.onioncircuits
diff --git a/apparmor/usr.bin.onioncircuits b/apparmor/usr.bin.onioncircuits
index d29e984..413fbc7 100644
--- a/apparmor/usr.bin.onioncircuits
+++ b/apparmor/usr.bin.onioncircuits
@@ -18,7 +18,6 @@
   /usr/bin/ r,
   /usr/bin/onioncircuits r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/iso-codes/json/** r,
   /usr/share/xml/iso-codes/** r,
   owner @{PROC}/@{pid}/status r,
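Review bot: the packaging side (b/) drops `/usr/share/iso-codes/json/** r,` while keeping `/usr/share/xml/iso-codes/** r,`; if the onioncircuits code reads the JSON country data that current iso-codes ships under /usr/share/iso-codes/json/, the packaged profile will deny that read in enforce mode and the program will fail the way the ticket's Debian bug describes. Confirm which iso-codes path the packaged release actually opens before dropping the rule, and keep both rules if in doubt; a denied read shows up in the journal as an apparmor="DENIED" audit line naming that path, which is the first thing to check when the two profiles diverge.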

Thanks!

#14 Updated by u over 1 year ago

  • QA Check set to Info Needed

#15 Updated by anonym over 1 year ago

  • Target version changed from Tails_3.5 to Tails_3.6

#16 Updated by bertagaz over 1 year ago

  • Target version changed from Tails_3.6 to Tails_3.7

#17 Updated by bertagaz about 1 year ago

  • Target version changed from Tails_3.7 to Tails_3.8

#18 Updated by intrigeri about 1 year ago

  • Target version changed from Tails_3.8 to Tails_3.9

#19 Updated by intrigeri 10 months ago

  • Target version changed from Tails_3.9 to Tails_3.10.1

#20 Updated by intrigeri 9 months ago

  • Target version changed from Tails_3.10.1 to Tails_3.11

#21 Updated by CyrilBrulebois 7 months ago

  • Target version changed from Tails_3.11 to Tails_3.12

#22 Updated by anonym 6 months ago

  • Target version changed from Tails_3.12 to Tails_3.13

#23 Updated by CyrilBrulebois 4 months ago

  • Target version changed from Tails_3.13 to Tails_3.14

#24 Updated by intrigeri 3 months ago

  • Assignee changed from sst to intrigeri
  • QA Check deleted (Info Needed)

u wrote:

However when I compare upstream/master (called tails/ in my example) and packaging/master, I get a difference. sst: may you please clarify this difference:

IIRC there's been some miscommunication and two different 0.5 releases were published: one by Alan, another one by sst. Since then, segfault published 0.6 and updated the Debian packaging accordingly, which was non-trivial due to the aforementioned confusion, but 0.6 in Git (both upstream and Debian's Vcs-Git) should now be in good shape, which resolves the problem you're raising here :)

Meanwhile:

  • the Debian package does install an AppArmor profile… which is actually more up-to-date than what we have in config/chroot_local-includes/etc/apparmor.d/usr.bin.onioncircuits
  • all current Tails branches install 0.6-0.0tails1, with the aforementioned updated profile

So it seems to me that the only remaining problem to solve here is: we still override the package-provided profile with our own, outdated one, which does not make any sense.
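Added example, not Tails or OnionCircuits code: a small Python script that parses the path rules of two AppArmor profile texts and reports what differs, which is the check one would run to detect drift between a locally shipped override (such as the copy under config/chroot_local-includes/etc/apparmor.d/) and the profile installed by the Debian package. The two profile texts below are constructed from the rule lines visible in the ticket's diff; the profile header, the #include lines and the changed access mode on the status rule are made up for the example.

```python
"""Compare two AppArmor profile texts rule by rule (added example, not
Tails or OnionCircuits code).

Only plain allow path rules are parsed: an optional "owner" qualifier, a
path starting with "/" or "@{", an access-mode string and a trailing
comma, e.g. "/usr/share/xml/iso-codes/** r,". Comments, #include lines,
capability/network rules, deny rules and the profile header and closing
brace are ignored.
"""
import re
from typing import Dict, List, Set, Tuple

RuleKey = Tuple[bool, str]  # (owner-qualified?, path)

# optional "owner", a path (or tunable-prefixed path), mode letters, comma
RULE_RE = re.compile(r"^(owner\s+)?((?:/|@\{)\S*)\s+([A-Za-z]+),$")


def parse_profile(text: str) -> Dict[RuleKey, Set[str]]:
    """Return {(owner?, path): set(mode letters)} for every path rule."""
    rules: Dict[RuleKey, Set[str]] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = RULE_RE.match(stripped)
        if not m:
            continue
        owner = m.group(1) is not None
        path, mode = m.group(2), m.group(3)
        rules.setdefault((owner, path), set()).update(mode)
    return rules


def diff_profiles(old: str, new: str):
    """Rules only in old, rules only in new, and rules whose mode changed."""
    a, b = parse_profile(old), parse_profile(new)
    removed: List[RuleKey] = sorted(k for k in a if k not in b)
    added: List[RuleKey] = sorted(k for k in b if k not in a)
    changed = sorted(
        ((k, a[k], b[k]) for k in a if k in b and a[k] != b[k]),
        key=lambda t: t[0],
    )
    return removed, added, changed


def fmt_rule(key: RuleKey, mode: Set[str]) -> str:
    """Render a parsed rule back in profile syntax."""
    owner, path = key
    return ("owner " if owner else "") + path + " " + "".join(sorted(mode)) + ","


# Constructed sample profiles. The rule lines come from the ticket's git
# diff; the header, the #include lines and the "rw" mode are made up.
PROFILE_A = """\
#include <tunables/global>

/usr/bin/onioncircuits {
  #include <abstractions/base>
  /usr/bin/ r,
  /usr/bin/onioncircuits r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/iso-codes/json/** r,
  /usr/share/xml/iso-codes/** r,
  owner @{PROC}/@{pid}/status r,
}
"""

PROFILE_B = """\
#include <tunables/global>

/usr/bin/onioncircuits {
  #include <abstractions/base>
  /usr/bin/ r,
  /usr/bin/onioncircuits r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/xml/iso-codes/** r,
  owner @{PROC}/@{pid}/status rw,
}
"""

if __name__ == "__main__":
    removed, added, changed = diff_profiles(PROFILE_A, PROFILE_B)
    a_rules, b_rules = parse_profile(PROFILE_A), parse_profile(PROFILE_B)
    for k in removed:
        print("only in A:", fmt_rule(k, a_rules[k]))
    for k in added:
        print("only in B:", fmt_rule(k, b_rules[k]))
    for k, ma, mb in changed:
        print("mode changed:", fmt_rule(k, ma), "->", fmt_rule(k, mb))
```

Run against the real files (for example the profile from the chroot_local-includes tree and the one unpacked from the .deb) the report shows at a glance whether the local override grants anything the package does not, or, as in this ticket, has simply fallen behind it.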

#25 Updated by intrigeri 3 months ago

#26 Updated by intrigeri 3 months ago

  • Feature Branch set to bugfix/12170-drop-obsolete-onioncircuits-AppArmor-profile

#27 Updated by intrigeri 3 months ago

  • Assignee deleted (intrigeri)
  • QA Check set to Ready for QA
  • Feature Branch changed from bugfix/12170-drop-obsolete-onioncircuits-AppArmor-profile to bugfix/12170-drop-obsolete-onioncircuits-AppArmor-profile, https://salsa.debian.org/tails-team/tails/merge_requests/17

Built an image locally, tested manually: the AppArmor profile is the one from the package as expected, OnionCircuits starts, displays circuits, and I see no error message related to OnionCircuits in the Journal. We have no automated test coverage for this so I'll skip running the test suite.

#28 Updated by hefee 3 months ago

intrigeri wrote:

Built an image locally, tested manually: the AppArmor profile is the one from the package as expected, OnionCircuits starts, displays circuits, and I see no error message related to OnionCircuits in the Journal. We have no automated test coverage for this so I'll skip running the test suite.

Sounds like reasonable testing. It is fine to merge.

#29 Updated by hefee 3 months ago

  • Assignee set to intrigeri
  • QA Check changed from Ready for QA to Pass

#30 Updated by intrigeri 3 months ago

  • Status changed from In Progress to Fix committed
  • % Done changed from 10 to 100

#31 Updated by intrigeri 3 months ago

  • Assignee deleted (intrigeri)

Thanks!

#32 Updated by intrigeri 2 months ago

  • Target version changed from Tails_3.14 to Tails_3.13.2

#33 Updated by anonym 2 months ago

  • Status changed from Fix committed to Resolved

#34 Updated by anonym 2 months ago

  • Target version changed from Tails_3.13.2 to Tails_3.14

#35 Updated by intrigeri 2 months ago

  • Target version changed from Tails_3.14 to Tails_3.13.2
