Project

General

Profile

Bug #16307

Broken Tor Browser on Buster: terminates when opening a file dialog

Added by CyrilBrulebois 3 months ago. Updated 3 months ago.

Status:
Resolved
Priority:
Elevated
Assignee:
-
Category:
-
Target version:
Start date:
01/06/2019
Due date:
% Done:

100%

QA Check:
Feature Branch:
Type of work:
Code
Blueprint:
Starter:
Affected tool:
Browser

Description

Seen on <https://paste.debian.net/&gt;, clicking the “Browse” button leads to this for tor-browser, with two extra lines for clarity:

--- Startup messages ---
Fontconfig warning: "/usr/local/lib/tor-browser/TorBrowser/Data/fontconfig/fonts.conf", line 85: unknown element "blank" 
1546742616883    addons.webextension.{73a6fe31-595d-460b-a920-fcc0f8843232}    WARN    Loading extension '{73a6fe31-595d-460b-a920-fcc0f8843232}': Reading manifest: Error processing background.persistent: Event pages are not currently supported. This will run as a persistent background page.
Fontconfig warning: "/usr/local/lib/tor-browser/TorBrowser/Data/fontconfig/fonts.conf", line 85: unknown element "blank" 
1546742617998    addons.webextension.https-everywhere-eff@eff.org    WARN    Please specify whether you want browser_style or not in your browser_action options.
1546742617998    addons.webextension.{73a6fe31-595d-460b-a920-fcc0f8843232}    WARN    Please specify whether you want browser_style or not in your browser_action options.
1546742619405    addons.webextension.uBlock0@raymondhill.net    WARN    Loading extension 'uBlock0@raymondhill.net': Reading manifest: Error processing incognito: Invalid enumeration value "split" 
1546742619409    addons.webextension.uBlock0@raymondhill.net    WARN    Loading extension 'uBlock0@raymondhill.net': Reading manifest: Error processing sidebar_action.open_at_install: An unexpected property was found in the WebExtension manifest.
1546742619409    addons.webextension.uBlock0@raymondhill.net    WARN    Loading extension 'uBlock0@raymondhill.net': Reading manifest: Error processing storage: An unexpected property was found in the WebExtension manifest.
Fontconfig warning: "/usr/local/lib/tor-browser/TorBrowser/Data/fontconfig/fonts.conf", line 85: unknown element "blank" 

--- Trying to browse ---
(firefox:13189): Gtk-CRITICAL **: 02:44:02.682: Error creating directory /home/amnesia/.config/gtk-3.0: Permission denied

(firefox:13189): Gtk-WARNING **: 02:44:02.699: Could not load a pixbuf from /org/gtk/libgtk/icons/16x16/status/image-missing.png.
This may indicate that pixbuf loaders or the mime database could not be found.
**
Gtk:ERROR:../../../../gtk/gtkiconhelper.c:494:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /org/gtk/libgtk/icons/16x16/status/image-missing.png: Unrecognized image file format (gdk-pixbuf-error-quark, 3)
Redirecting call to abort() to mozalloc_abort

Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=21.8181) [GFX1-]: Receive IPC close with reason=AbnormalShutdown
[Child 13295, Chrome_ChildThread] WARNING: pipe error (3): Connection reset by peer: file /var/tmp/build/firefox-efdff96e8955/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=25.6962) [GFX1-]: Receive IPC close with reason=AbnormalShutdown
[Child 13251, Chrome_ChildThread] WARNING: pipe error (3): Connection reset by peer: file /var/tmp/build/firefox-efdff96e8955/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
Segmentation fault

Meanwhile, on the dmesg -w side (with another tor-browser process):


[ 1148.939816] audit: type=1400 audit(1546742961.676:518): apparmor="DENIED" operation="mkdir" profile="torbrowser_firefox" name="/home/amnesia/.config/gtk-3.0/" pid=13327 comm="firefox.real" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[ 1148.957485] audit: type=1400 audit(1546742961.692:519): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/local/share/mime/mime.cache" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1148.957490] audit: type=1400 audit(1546742961.692:520): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/local/share/mime/globs2" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1148.957494] audit: type=1400 audit(1546742961.692:521): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/local/share/mime/magic" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1148.957498] audit: type=1400 audit(1546742961.692:522): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/local/share/mime/aliases" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1148.957502] audit: type=1400 audit(1546742961.692:523): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/local/share/mime/subclasses" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1148.957505] audit: type=1400 audit(1546742961.692:524): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/local/share/mime/icons" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1148.957509] audit: type=1400 audit(1546742961.692:525): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/local/share/mime/generic-icons" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1148.957512] audit: type=1400 audit(1546742961.692:526): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/share/mime/mime.cache" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1148.957519] audit: type=1400 audit(1546742961.692:527): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/share/mime/globs2" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Associated revisions

Revision c2b32514 (diff)
Added by intrigeri 3 months ago

AppArmor: patch tunables/share to workaround a parser bug in our complex situation (refs: #16307)

The parser gets confused and does not properly apply alias rules combined with
variables that have a list of space-separated values: as seen on #16307, without
this patch the kernel denies access to
/lib/live/mount/rootfs/filesystem.squashfs/usr/share/mime/mime.cache, which
should be equivalent to /usr/share/mime/mime.cache thanks to our alias rules,
and therefore allowed by abstractions/freedesktop.org based on
@{system_share_dirs}.

So let's make the parser's job a little bit easier by using alternations instead.

History

#1 Updated by intrigeri 3 months ago

  • Status changed from New to Confirmed
  • Assignee set to intrigeri
  • Affected tool set to Browser

Thanks! I'll take a look.

#2 Updated by intrigeri 3 months ago

Interestingly, Evince is not affected and I don't get why.

Next steps:

  • check if feature/16073-linux-4.19+force-all-tests is affected, i.e. is this a regression caused by Linux 4.19?
  • check if apparmor 2.13.2 (that migrates to testing today) fixes the problem

#3 Updated by intrigeri 3 months ago

intrigeri wrote:

  • check if feature/16073-linux-4.19+force-all-tests is affected, i.e. is this a regression caused by Linux 4.19?

It's not.

  • check if apparmor 2.13.2 (that migrates to testing today) fixes the problem

And if it does not: try on feature/buster with Stretch's apparmor parser.

#4 Updated by intrigeri 3 months ago

  • Subject changed from Broken tor-browser on buster: terminates when opening a file dialog to Broken Tor Browser on Buster: terminates when opening a file dialog

#5 Updated by intrigeri 3 months ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

intrigeri wrote:

  • check if apparmor 2.13.2 (that migrates to testing today) fixes the problem

And if it does not:

It does not.

try on feature/buster with Stretch's apparmor parser.

Downgrading to Stretch's apparmor and libapparmor1, choosing to keep our patched conffiles when dpkg asked, fixes it. Finally some hope! Next step: figure out which one, among the parser downgrade and the policy downgrade, did the trick.

#6 Updated by intrigeri 3 months ago

intrigeri wrote:

Downgrading to Stretch's apparmor and libapparmor1, choosing to keep our patched conffiles when dpkg asked, fixes it. Finally some hope! Next step: figure out which one, among the parser downgrade and the policy downgrade, did the trick.

On this frankenstein system:

  • upgrading to Buster's AA features file: still works
  • overwriting the apparmor_parser binary and /lib/x86_64-linux-gnu/libapparmor.so.1* with the version from Buster: still works

=> I think some part of the policy update between Stretch and Buster breaks our alias trick, somehow. Will kinda bisect it.

#7 Updated by intrigeri 3 months ago

Seems like the abstractions/freedesktop.org update, and more specifically the syntax used in the corresponding tunables/share, is the culprit.

This fixes the problem:

--- /lib/live/mount/rootfs/filesystem.squashfs/etc/apparmor.d/tunables/share    2018-09-05 16:51:53.000000000 +0000
+++ /etc/apparmor.d/tunables/share    2019-01-07 11:53:28.648000000 +0000
@@ -1,4 +1,4 @@
-@{flatpak_exports_root} = flatpak/exports flatpak/{app,runtime}/*/*/*/*/export
+@{flatpak_exports_root} = {flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}

 # System-wide directories with behaviour analogous to /usr/share
 # in patterns like the freedesktop.org basedir spec. These are

Looks like variable expansion of space-separated values works fine (e.g. in @{system_share_dirs}) but not recursively once combined with AppArmor aliases.

Will apply the policy fix in Tails and submit it upstream, where I'll be told whether it shall be reported as a parser bug or not.

#8 Updated by intrigeri 3 months ago

  • Status changed from In Progress to Resolved
  • Assignee deleted (intrigeri)
  • % Done changed from 10 to 100

#9 Updated by intrigeri 3 months ago

  • Priority changed from Normal to Elevated

Also available in: Atom PDF