Feature #12170

Upstream OnionCircuits AppArmor profile

Added by intrigeri about 3 years ago. Updated 10 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
01/24/2017
Due date:
% Done:

100%

Feature Branch:
bugfix/12170-drop-obsolete-onioncircuits-AppArmor-profile, https://salsa.debian.org/tails-team/tails/merge_requests/17
Type of work:
Code
Blueprint:
Starter:
Affected tool:
Onion Circuits

Description

In Tails 2.10, anonym introduced an AppArmor profile for OnionCircuits. That's great! Now, IMO our commitment to upstreaming our stuff implies we should have this profile included in the upstream Git repo, and installed by the Debian package.


Related issues

Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed

Associated revisions

Revision 45501805 (diff)
Added by intrigeri 11 months ago

Remove obsolete usr.bin.onioncircuits AppArmor profile (refs: #12170)

All Tails current branches now install onioncircuits 0.6-0.0tails1,
which ships a more current AppArmor profile than the one we
have in our own Git tree.

Revision e5c7754a
Added by intrigeri 11 months ago

Merge branch 'bugfix/12170-drop-obsolete-onioncircuits-AppArmor-profile' into stable

Fix-committed: #12170

History

#1 Updated by intrigeri about 3 years ago

Any reason I've missed why we should not, or cannot, do that?

#2 Updated by anonym almost 3 years ago

  • Assignee changed from anonym to Anonymous

You'll find it in config/chroot_local-includes/etc/apparmor.d/usr.bin.onioncircuits. Thanks so much for taking over this from me! :))))))

#3 Updated by Anonymous almost 3 years ago

I made a commit upstream and to the packaging.

Now I'll need to see if Sascha wants to prepare the new package or if I should do it and once it's in Debian, we can remove the profile from our own repository.

#4 Updated by intrigeri almost 3 years ago

I made a commit upstream and to the packaging.

Now I'll need to see if Sascha wants to prepare the new package or if I should do it and once it's in Debian, we can remove the profile from our own repository.

Yeah! :)

#5 Updated by Anonymous almost 3 years ago

  • Status changed from Confirmed to Resolved

Sascha integrated this, so I'm considering this as done.

#6 Updated by intrigeri over 2 years ago

  • Status changed from Resolved to In Progress
  • Target version changed from Tails_2.12 to Tails_3.2
  • % Done changed from 0 to 10

u wrote:

Sascha integrated this, so I'm considering this as done.

... and since then anonym updated the profile in tails.git (ad0d64919f54260b3cc8d19252f97345091fcafd) but nobody copied the change to OnionCircuit's repo. I've just done this.

IMO we should keep this ticket open as long as we replace the upstream profile with our own one, so next steps are:

  1. publish a new upstream release with the last AppArmor profile changes & fixes
  2. upload to sid
  3. install OnionCircuits from testing or sid instead of from our own repo (until a proper backport is needed)

Sascha, can you please do the first two steps and then reassign to me? Thanks!

Additionally, I've pushed some fixes because the profile that was upstreamed breaks OnionCircuits on my sid (https://bugs.debian.org/865843).

#7 Updated by intrigeri over 2 years ago

  • Assignee changed from Anonymous to sst

#8 Updated by sst over 2 years ago

Hi intrigeri, thanks for the feedback and sorry for the delay in answering.
I would be happy to upload a new version but I'm not sure I can tag new releases in the upstream repo on git-tails.immerda.ch -- in fact, I also never have before. That being said, I wouldn't mind uploading an onioncircuits-0.4+git20170625.0.ce92de8-1 but I agree it would be nicer doing this for a real upstream release. Do we want to ping Alan?

#9 Updated by intrigeri over 2 years ago

Hi Sascha!

I would be happy to upload a new version but I'm not sure I can tag new releases in the upstream repo on git-tails.immerda.ch -- in fact, I also never have before.

Indeed, I've verified you don't have write access to the upstream repo.

That being said, I wouldn't mind uploading an onioncircuits-0.4+git20170625.0.ce92de8-1

Let's avoid doing this and instead ensure we can put out new upstream releases when needed.

but I agree it would be nicer doing this for a real upstream release. Do we want to ping Alan?

Indeed, the current theory is that Alan is the upstream maintainer. But he wrote:

I'm happy to participate to maintain Onion Circuits. However, I can't
promise to be responsive within a few weeks sometimes (and I don't even
speak about a few days...) so if people want more responsiveness and
have time to participate on the maintenance, I would love them joining!

So I see three options:

  • ask Alan to release 0.4.1 and wait until it happens (possibly 3-8 weeks)
  • you prepare the release in your own repo, then I review and merge it into the official repo
  • I release 0.4.1 myself

Regarding timing, as far as Tails is concerned we're in no hurry: we just need the updated package to be in Debian by mid-September. But I'm not a big fan of leaving OnionCircuits broken in Debian (for AppArmor users) for too long, so I suggest you ask Alan, and if he doesn't release 0.4.1 within 2 weeks, then either you or I prepare the new release. OK?

#10 Updated by sst over 2 years ago

Hi intrigeri,

[...]

I suggest you ask Alan, and if he doesn't release 0.4.1 within 2 weeks, then either you or I prepare the new release. OK?

That sounds like a plan. I'll send an email ASAP.

Cheers
Sascha

#11 Updated by anonym over 2 years ago

  • Target version changed from Tails_3.2 to Tails_3.3

#12 Updated by anonym over 2 years ago

  • Target version changed from Tails_3.3 to Tails_3.5

#13 Updated by Anonymous about 2 years ago

The bug report (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865843) says that onioncircuits 0.5-1 has the relevant commits (made by intrigeri).

However when I compare upstream/master (called tails/ in my example) and packaging/master, I get a difference. sst: may you please clarify this difference:


git diff tails/master..master -- apparmor/usr.bin.onioncircuits
diff --git a/apparmor/usr.bin.onioncircuits b/apparmor/usr.bin.onioncircuits
index d29e984..413fbc7 100644
--- a/apparmor/usr.bin.onioncircuits
+++ b/apparmor/usr.bin.onioncircuits
@@ -18,7 +18,6 @@
   /usr/bin/ r,
   /usr/bin/onioncircuits r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/iso-codes/json/** r,
   /usr/share/xml/iso-codes/** r,
   owner @{PROC}/@{pid}/status r,
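Review bot: this is a diff between two branches rather than a patch to apply, so the `-  /usr/share/iso-codes/json/** r,` line means packaging/master lacks a read rule that tails/master carries; since Debian's iso-codes package ships both the XML data under /usr/share/xml/iso-codes/ and the JSON data under /usr/share/iso-codes/json/, a profile with only the XML rule will produce AppArmor denials as soon as the program, or a library it uses, reads the JSON form, so the packaged profile should keep both rules until the two branches are reconciled.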

Thanks!

#14 Updated by Anonymous about 2 years ago

  • QA Check set to Info Needed

#15 Updated by anonym about 2 years ago

  • Target version changed from Tails_3.5 to Tails_3.6

#16 Updated by bertagaz almost 2 years ago

  • Target version changed from Tails_3.6 to Tails_3.7

#17 Updated by bertagaz almost 2 years ago

  • Target version changed from Tails_3.7 to Tails_3.8

#18 Updated by intrigeri over 1 year ago

  • Target version changed from Tails_3.8 to Tails_3.9

#19 Updated by intrigeri over 1 year ago

  • Target version changed from Tails_3.9 to Tails_3.10.1

#20 Updated by intrigeri over 1 year ago

  • Target version changed from Tails_3.10.1 to Tails_3.11

#21 Updated by CyrilBrulebois about 1 year ago

  • Target version changed from Tails_3.11 to Tails_3.12

#22 Updated by anonym about 1 year ago

  • Target version changed from Tails_3.12 to Tails_3.13

#23 Updated by CyrilBrulebois 11 months ago

  • Target version changed from Tails_3.13 to Tails_3.14

#24 Updated by intrigeri 11 months ago

  • Assignee changed from sst to intrigeri
  • QA Check deleted (Info Needed)

u wrote:

However when I compare upstream/master (called tails/ in my example) and packaging/master, I get a difference. sst: may you please clarify this difference:

IIRC there's been some miscommunication and two different 0.5 releases were published: one by Alan, another one by sst. Since then, segfault published 0.6 and updated the Debian packaging accordingly, which was non-trivial due to the aforementioned confusion, but 0.6 in Git (both upstream and Debian's Vcs-Git) should now be in a good shape, that resolves the problem you're raising here :)

Meanwhile:

  • the Debian package does install an AppArmor profile… which is actually more up-to-date than what we have in config/chroot_local-includes/etc/apparmor.d/usr.bin.onioncircuits
  • all current Tails branches install 0.6-0.0tails1, with the aforementioned updated profile

So it seems to me that the only remaining problem to solve here is: we still override the package-provided profile with our own, outdated one, which does not make any sense.

#25 Updated by intrigeri 11 months ago

#26 Updated by intrigeri 11 months ago

  • Feature Branch set to bugfix/12170-drop-obsolete-onioncircuits-AppArmor-profile

#27 Updated by intrigeri 11 months ago

  • Assignee deleted (intrigeri)
  • QA Check set to Ready for QA
  • Feature Branch changed from bugfix/12170-drop-obsolete-onioncircuits-AppArmor-profile to bugfix/12170-drop-obsolete-onioncircuits-AppArmor-profile, https://salsa.debian.org/tails-team/tails/merge_requests/17

Built an image locally, tested manually: the AppArmor profile is the one from the package as expected, OnionCircuits starts, displays circuits, and I see no error message related to OnionCircuits in the Journal. We have no automated test coverage for this so I'll skip running the test suite.
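The manual verification described in this comment (profile on disk is the package's own, profile loaded, nothing AppArmor-related in the Journal) can be scripted. The script below is an added example written for this page, not a script from the ticket, from Tails or from the onioncircuits package. It assumes the profile file path named in comment #2 and assumes the profile is named after the confined binary, /usr/bin/onioncircuits; the check functions read captured command output from files so they run offline, and make_samples() writes constructed sample inputs, not output from a real system.

```shell
#!/bin/sh
# Added example (not from the ticket or Tails): verify that the onioncircuits
# AppArmor profile in use is the Debian package's own, unmodified copy, that it
# is loaded in enforce mode, and that the journal holds no denials for it.
# The check functions take files with captured command output, so they run
# offline; live_check() shows how to feed them on a real system.

PROFILE_FILE=/etc/apparmor.d/usr.bin.onioncircuits   # path named in the ticket
PROFILE_NAME=/usr/bin/onioncircuits                  # assumed profile name (binary path)

# Is the path listed by the package?  ($1: `dpkg -L onioncircuits` output)
# A local override placed at the same path still passes this check, because
# dpkg -L / dpkg -S only know paths, not contents.
profile_from_package() {
  grep -qxF "$PROFILE_FILE" "$1"
}

# Does the content match the checksum dpkg recorded for the conffile?
# ($1: profile file on disk; $2: `dpkg-query -W -f='${Conffiles}\n' onioncircuits`
#  output, lines of " /path md5"). Files under /etc are conffiles, whose
# checksums live in that field rather than in the package's .md5sums file.
profile_unmodified() {
  actual=$(md5sum "$1" | cut -d' ' -f1)
  recorded=$(awk -v p="$PROFILE_FILE" '$1 == p {print $2}' "$2")
  [ -n "$recorded" ] && [ "$actual" = "$recorded" ]
}

# Is the profile listed in the enforce-mode section of `aa-status`? ($1: its output)
profile_enforced() {
  awk -v n="$PROFILE_NAME" '
    /profiles are in enforce mode/  {on = 1; next}
    /profiles are in complain mode/ {on = 0}
    on && $1 == n                   {found = 1}
    END {exit !found}' "$1"
}

# Number of AppArmor denials charged to the profile ($1: journal/audit text).
count_denials() {
  grep -c "apparmor=\"DENIED\".*profile=\"$PROFILE_NAME\"" "$1" || true
}

# Write constructed sample inputs into directory $1 (not real system output).
make_samples() {
  printf '/.\n/etc\n/etc/apparmor.d\n%s\n%s\n' "$PROFILE_FILE" "$PROFILE_NAME" > "$1/files"
  printf '# constructed stand-in for the profile text\n' > "$1/profile"
  printf ' %s %s\n' "$PROFILE_FILE" "$(md5sum "$1/profile" | cut -d' ' -f1)" > "$1/conffiles"
  cat > "$1/aa-status" <<EOF
apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   $PROFILE_NAME
   /usr/bin/other-app
0 profiles are in complain mode.
EOF
  cat > "$1/journal" <<EOF
audit: type=1400 audit(1.0:1): apparmor="DENIED" operation="open" profile="$PROFILE_NAME" name="/usr/share/iso-codes/json/iso_3166-1.json" comm="onioncircuits" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1.0:2): apparmor="DENIED" operation="open" profile="/usr/bin/other-app" name="/x" comm="other-app" requested_mask="r" denied_mask="r"
EOF
}

# On a Tails/Debian system with the package installed (not run here).
live_check() {
  t=$(mktemp -d)
  dpkg -L onioncircuits > "$t/files"
  dpkg-query -W -f='${Conffiles}\n' onioncircuits > "$t/conffiles"
  aa-status > "$t/aa-status"               # needs root
  journalctl -b -o cat > "$t/journal"
  profile_from_package "$t/files" &&
    profile_unmodified "$PROFILE_FILE" "$t/conffiles" &&
    profile_enforced "$t/aa-status" &&
    [ "$(count_denials "$t/journal")" -eq 0 ]
}
```

The path check alone is not enough: a copy shipped from config/chroot_local-includes lands at the very path the package owns, so dpkg still reports the file as the package's, and only the checksum comparison against the Conffiles record exposes the override. That is exactly the situation comment #24 describes, which is why the fix is to drop the Tails copy rather than keep it in sync by hand.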

#28 Updated by hefee 11 months ago

intrigeri wrote:

Built an image locally, tested manually: the AppArmor profile is the one from the package as expected, OnionCircuits starts, displays circuits, and I see no error message related to OnionCircuits in the Journal. We have no automated test coverage for this so I'll skip running the test suite.

Sounds like reasonable testing. It is fine to merge.

#29 Updated by hefee 11 months ago

  • Assignee set to intrigeri
  • QA Check changed from Ready for QA to Pass

#30 Updated by intrigeri 11 months ago

  • Status changed from In Progress to 11
  • % Done changed from 10 to 100

#31 Updated by intrigeri 11 months ago

  • Assignee deleted (intrigeri)

Thanks!

#32 Updated by intrigeri 10 months ago

  • Target version changed from Tails_3.14 to Tails_3.13.2

#33 Updated by anonym 10 months ago

  • Status changed from 11 to Resolved

#34 Updated by anonym 10 months ago

  • Target version changed from Tails_3.13.2 to Tails_3.14

#35 Updated by intrigeri 10 months ago

  • Target version changed from Tails_3.14 to Tails_3.13.2