Bug #15370

Feature #11198: Port complex shell scripts into Python

Onion Circuits cannot be started in Tails 3.6~rc1

Added by bertagaz over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority: Elevated
Assignee: -
Category: -
Target version:
Start date: 03/03/2018
Due date:
% Done: 100%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool: Onion Circuits

Description

I've noticed while testing 3.6~rc1 that onioncircuits failed to show its window when clicking on its icon. Failure in the logs shows problems with the apparmor profile and Tails python library:

audit[14270]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/onioncircuits" name="/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info" pid=14270 \
comm="onioncircuits" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: kauditd_printk_skb: 6 callbacks suppressed
kernel: audit: type=1400 audit(1520076835.695:35): apparmor="DENIED" operation="open" profile="/usr/bin/onioncircuits" \
name="/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info" pid=14270 comm="onioncircuits" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
onioncircuits.desktop[14270]: Traceback (most recent call last):
onioncircuits.desktop[14270]:   File "/usr/bin/onioncircuits", line 25, in <module>
onioncircuits.desktop[14270]:     import pycountry
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pycountry/__init__.py", line 12, in <module>
onioncircuits.desktop[14270]:     from pkg_resources import resource_filename
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3019, in <module>
onioncircuits.desktop[14270]:     @_call_aside
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3003, in _call_aside
onioncircuits.desktop[14270]:     f(*args, **kwargs)
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3032, in _initialize_master_working_set
onioncircuits.desktop[14270]:     working_set = WorkingSet._build_master()
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 646, in _build_master
onioncircuits.desktop[14270]:     ws = cls()
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 639, in __init__
onioncircuits.desktop[14270]:     self.add_entry(entry)
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 695, in add_entry
onioncircuits.desktop[14270]:     for dist in find_distributions(entry, True):
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2019, in find_on_path
onioncircuits.desktop[14270]:     path_item, entry, metadata, precedence=DEVELOP_DIST
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2432, in from_location
onioncircuits.desktop[14270]:     py_version=py_version, platform=platform, **kw
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2772, in _reload_version
onioncircuits.desktop[14270]:     md_version = _version_from_file(self._get_metadata(self.PKG_INFO))
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2397, in _version_from_file
onioncircuits.desktop[14270]:     line = next(iter(version_lines), '')
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2565, in _get_metadata
onioncircuits.desktop[14270]:     for line in self.get_metadata_lines(name):
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1872, in get_metadata_lines
onioncircuits.desktop[14270]:     return yield_lines(self.get_metadata(name))
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1858, in get_metadata
onioncircuits.desktop[14270]:     with io.open(self.path, encoding='utf-8', errors="replace") as f:
onioncircuits.desktop[14270]: PermissionError: [Errno 13] Permission denied: '/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info

The python apparmor abstraction should take care of that, but it does not seem to handle *.egg-info files.

Adding this line (or similar, this one is an adaptation of one from the python abstraction) to the onioncircuits profile fixes the problem:

  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-9]}/dist-packages/*.egg-info r,

But I'm not sure of the syntax nor if that's the best way to fix this issue.
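
Added example, not part of the original report or of the Tails code base: a Python sketch that extracts the AppArmor denials from the log lines quoted in the description and checks whether the proposed rule covers them. The glob translation is a simplification that handles only `*`, `**`, `?`, `{}` and `[]`, and all function names are hypothetical.

```python
import re

# DENIED records from the report above (line continuations joined).
SAMPLE_LOG = """\
audit[14270]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/onioncircuits" name="/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info" pid=14270 comm="onioncircuits" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: kauditd_printk_skb: 6 callbacks suppressed
kernel: audit: type=1400 audit(1520076835.695:35): apparmor="DENIED" operation="open" profile="/usr/bin/onioncircuits" name="/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info" pid=14270 comm="onioncircuits" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""
# Rule proposed in the report.
PROPOSED_RULE = "/usr/local/lib{,32,64}/python{2.[4-7],3.[0-9]}/dist-packages/*.egg-info r,"

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(log):
    """Unique (profile, path, denied_mask) tuples from AppArmor DENIED records."""
    seen = []
    for line in log.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        f = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        rec = (f["profile"], f["name"], f["denied_mask"])
        if rec not in seen:          # journald and kernel log the same event twice
            seen.append(rec)
    return seen

def aa_glob_to_regex(glob):
    """Simplified AppArmor glob -> anchored regex ('*' never crosses '/')."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*"); i += 2; continue
        if c == "*":   out.append("[^/]*")
        elif c == "?": out.append("[^/]")
        elif c == "{": out.append("(?:"); depth += 1
        elif c == "}" and depth: out.append(")"); depth -= 1
        elif c == "," and depth: out.append("|")
        elif c == "[":               # character class passes through unchanged
            end = glob.index("]", i + 1)
            out.append(glob[i:end + 1]); i = end
        else: out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def rule_covers(rule, path, mask):
    """True if file rule 'GLOB PERMS,' grants every permission in mask on path."""
    glob, perms = rule.strip().rstrip(",").rsplit(None, 1)
    return bool(aa_glob_to_regex(glob).match(path)) and set(mask) <= set(perms)

def uncovered(log, rules):
    """Denials in log that none of the candidate rules would allow."""
    return [d for d in parse_denials(log)
            if not any(rule_covers(r, d[1], d[2]) for r in rules)]
```

Running `uncovered()` against a profile's candidate rules before reloading it shows which logged denials would remain, and the path test makes visible that the proposed rule is scoped to `/usr/local` only.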


Related issues

Related to Tails - Bug #15732: Onion Circuits fails to start (permission denied error) Resolved 07/16/2018

Associated revisions

Revision e0b24a21 (diff)
Added by bertagaz over 1 year ago

Don't install python3-setuptools in the ISO.

Refs: #15370

Revision 22b28db3
Added by bertagaz over 1 year ago

Merge branch 'bugfix/15370-onioncircuits-not-starting' into testing

Fix-committed: #15370

History

#1 Updated by intrigeri over 1 year ago

  • Subject changed from Onioncircuit does not show its window to Onion Circuits cannot be started in Tails 3.6~rc1
  • Assignee set to segfault
  • Priority changed from Normal to Elevated
  • Parent task set to #11198

Anyway, I believe this regression was introduced by #11753 => assigning to segfault.

First, deleting /usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info appears to fix the problem here. Do we need that file in the ISO? If not, the simplest solution might be to exclude it from the SquashFS (config/chroot_local-includes/usr/share/amnesia/build/mksquashfs-excludes).

Second, if we do need that file for some reason, as bertagaz explained the fix requires modifying an AppArmor abstraction, which should be done upstream and as a local patch (until Tails is based on a version of Debian that includes the fix).

#2 Updated by bertagaz over 1 year ago

intrigeri wrote:

> First, deleting /usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info appears to fix the problem here. Do we need that file in the ISO? If not, the simplest solution might be to exclude it from the SquashFS (config/chroot_local-includes/usr/share/amnesia/build/mksquashfs-excludes).

IIRC (but that should be confirmed) Debian python packages do not ship this file, only the .egg one.

#3 Updated by segfault over 1 year ago

  • Assignee changed from segfault to bertagaz
  • QA Check set to Ready for QA

bertagaz wrote:

> IIRC (but that should be confirmed) Debian python packages do not ship this file, only the .egg one.

This seems to be incorrect, there are a lot of .egg-info files in /usr/lib/python3/dist-packages/.

intrigeri wrote:

> First, deleting /usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info appears to fix the problem here. Do we need that file in the ISO? If not, the simplest solution might be to exclude it from the SquashFS (config/chroot_local-includes/usr/share/amnesia/build/mksquashfs-excludes).

The file contains metadata about the Python package. I guess we don't need it, but I'm not entirely sure. Anyway, I think I found another solution: If we use setuptools instead of distutils to install the Python package, it creates a .egg file, which includes both the code and metadata, and which is allowed to be accessed in abstractions/python. I implemented this in commit b64a6801f126f0c417fdae260849b0e8f13869ec in bugfix/15370-onioncircuits-not-starting and commit f5c43131734dd732fea7b3e4d852d723ec78e021 in pythonlib.

> Second, if we do need that file for some reason, as bertagaz explained the fix requires modifying an AppArmor abstraction, which should be done upstream and as a local patch (until Tails is based on a version of Debian that includes the fix).

I think the .egg-info files should actually be included in the AppArmor profile, because they are installed by a lot of packages and, as seen here, it will break unrelated apps if such a package is installed locally.

#4 Updated by segfault over 1 year ago

By the way, I have no idea why Python only tries to open the .egg-info files in /usr/local/lib/python3.5/dist-packages and not the ones in /usr/lib/python3/dist-packages.

#5 Updated by bertagaz over 1 year ago

  • Status changed from Confirmed to Fix committed
  • Assignee deleted (bertagaz)
  • % Done changed from 0 to 100
  • QA Check changed from Ready for QA to Pass

segfault wrote:

> bertagaz wrote:
>
> > IIRC (but that should be confirmed) Debian python packages do not ship this file, only the .egg one.
>
> This seems to be incorrect, there are a lot of .egg-info files in /usr/lib/python3/dist-packages/.

Hmm, yes, after some research it seems I was wrong, sorry.

> intrigeri wrote:
>
> > First, deleting /usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info appears to fix the problem here. Do we need that file in the ISO? If not, the simplest solution might be to exclude it from the SquashFS (config/chroot_local-includes/usr/share/amnesia/build/mksquashfs-excludes).
>
> The file contains metadata about the Python package. I guess we don't need it, but I'm not entirely sure. Anyway, I think I found another solution: If we use setuptools instead of distutils to install the Python package, it creates a .egg file, which includes both the code and metadata, and which is allowed to be accessed in abstractions/python. I implemented this in commit b64a6801f126f0c417fdae260849b0e8f13869ec in bugfix/15370-onioncircuits-not-starting and commit f5c43131734dd732fea7b3e4d852d723ec78e021 in pythonlib.

I've merged that, with a commit on top of it (e0b24a215182fe386ce2940639b115039cdfadaa): config/chroot_local-packageslists/tails-common.list is used to install packages inside the ISO. If you need a package during the hooks at build time, we have a function to install and uninstall it as you'll see.

> > Second, if we do need that file for some reason, as bertagaz explained the fix requires modifying an AppArmor abstraction, which should be done upstream and as a local patch (until Tails is based on a version of Debian that includes the fix).
>
> I think the .egg-info files should actually be included in the AppArmor profile, because they are installed by a lot of packages and, as seen here, it will break unrelated apps if such a package is installed locally.

So we need to open a bug upstream it seems. I'll open another ticket for that.

#6 Updated by bertagaz over 1 year ago

  • Status changed from Fix committed to In Progress

#7 Updated by bertagaz over 1 year ago

  • Status changed from In Progress to Fix committed

#8 Updated by bertagaz over 1 year ago

  • Status changed from Fix committed to Resolved

#9 Updated by intrigeri about 1 year ago

  • Related to Bug #15732: Onion Circuits fails to start (permission denied error) added
