Bug #16914

"More information" link in OnionShare settings doesn't open

Added by sajolida about 2 months ago. Updated 22 days ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Start date:
Due date:
% Done: 100%
Feature Branch: bugfix/16914-onionshare-xdg-open
Type of work: Code
Blueprint:
Starter:
Affected tool: OnionShare

Description

In a64f183bae:

  1. Open OnionShare
  2. Open the Settings dialog
  3. Click on "More information"
  4. Nothing happens

Related issues

Related to Tails - Bug #16913: Hide Tor settings in OnionShare (Confirmed)
Blocks Tails - Feature #16209: Core work: Foundations Team (Confirmed)

Associated revisions

Revision da0c5116 (diff)
Added by segfault 24 days ago

Update OnionShare AppArmor profile (refs: #16914)

OnionShare fails to open the URL providing more information about
Stealth Onion Services. The added AppArmor rules allow executing
xdg-open and dependencies to fix this.

Revision c22e6fa5 (diff)
Added by segfault 22 days ago

Update OnionShare AppArmor profile (refs: #16914)

OnionShare fails to open the URL providing more information about
Stealth Onion Services. The added AppArmor rules allow executing
xdg-open and dependencies to fix this.

Edited by intrigeri:

- Remove unnecessary permission to execute cut, head, awk, mawk, sed, tr, and
xdg-mime.
- Add missing permission to execute gio-launch-desktop.

Revision 02ea848c
Added by segfault 22 days ago

Merge branch 'bugfix/16914-onionshare-xdg-open' into devel (Closes: #16914)

History

#1 Updated by intrigeri about 1 month ago

  • Status changed from New to Confirmed
  • Assignee set to intrigeri

That's caused by AppArmor:

audit[9159]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/onionshare-gui" name="/usr/bin/xdg-open" pid=9159 comm="onionshare-gui" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Unfortunately, there's probably no way to allow this without also allowing OnionShare to do tons of other dangerous things. I'll think about it some more.

@sajolida, do you agree that while it's annoying, it's yet another smallish bug, not particularly more important/urgent than others we've known for years, and therefore not a blocker for the 4.0 release?

#2 Updated by sajolida about 1 month ago

  • Related to Bug #16913: Hide Tor settings in OnionShare added

#3 Updated by sajolida about 1 month ago

I agree.

This link is meant to open a webpage in Tor Browser. Many other
applications already do that in Tails (e.g. Thunderbird and Pidgin), so
maybe the way forward would be to change how this is done in the
upstream code to be compatible with Tails.

#4 Updated by intrigeri about 1 month ago

> so maybe the way forward would be to change how this is done in the upstream code to be compatible with Tails.

The upstream code already does the same thing as Pidgin or Thunderbird.

To fix this, we need to open up the AppArmor profile a bit. We've done so (well, I did that on my volunteer time) in AppArmor upstream for Pidgin and Thunderbird because it felt like opening links was part of their core functionality that the vast majority of users expect to work out-of-the-box. The situation is quite different for a "More information" link in a Settings dialog that I bet most users won't ever open. I'll take a look at some point to see if the security risk vs. benefit is worth it. I bet the risk is low and we'll fix that, but I have to check. Either way, that does not sound like a 4.0 release blocker.

#5 Updated by intrigeri 24 days ago

  • Assignee deleted (intrigeri)

#6 Updated by segfault 24 days ago

  • Assignee set to segfault

#7 Updated by segfault 24 days ago

  • Status changed from Confirmed to In Progress

#8 Updated by segfault 24 days ago

  • Status changed from In Progress to Needs Validation
  • Assignee deleted (segfault)
  • Feature Branch set to bugfix/16914-onionshare-xdg-open

#9 Updated by intrigeri 24 days ago

  • Status changed from Needs Validation to In Progress

Hi @segfault,

I've applied these changes to the AppArmor profile in a running Tails (built from devel earlier today) and clicking that link still fails. In the logs, I see a denial about an attempt to execute /usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop. Same when clicking the "Help" button. I wonder what's the difference between my test environment and yours. Maybe we need to steal the rule about gio-launch-desktop that I see in the evince and thunderbird profiles?
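
The triage step behind comments #1 and #9, as an added example that is not part of the original thread or of the Tails code: it parses AppArmor audit lines and lists, per profile, the executables whose execution was denied. Only the first sample line comes from this page; the other lines are constructed.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in comment #1. Lines 2-4 are constructed for
# this example; line 2 uses the gio-launch-desktop path named in comment #9.
SAMPLE_LOG = """\
audit[9159]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/onionshare-gui" name="/usr/bin/xdg-open" pid=9159 comm="onionshare-gui" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit[9301]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/onionshare-gui" name="/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop" pid=9301 comm="gio" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit[9302]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/onionshare-gui" name=2F746D702F6D7920646F63 pid=9302 comm="onionshare-gui" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit[9400]: AVC apparmor="ALLOWED" operation="exec" profile="/usr/bin/example" name="/usr/bin/true" pid=9400 comm="example" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def parse_avc(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        value = quoted if raw.startswith('"') else raw
        # The audit layer writes names containing spaces or quotes as
        # unquoted hex; decode them so the path is readable.
        if key == "name" and value == raw and HEX_RE.fullmatch(raw):
            value = bytes.fromhex(raw).decode("utf-8", "replace")
        fields[key] = value
    return fields


def denied_execs(log_text):
    """Map each confined profile to the executables it was denied."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_avc(line)
        if f and f.get("apparmor") == "DENIED" and f.get("operation") == "exec":
            denied[f.get("profile", "?")].add(f.get("name", "?"))
    return {profile: sorted(names) for profile, names in denied.items()}


if __name__ == "__main__":
    for profile, names in denied_execs(SAMPLE_LOG).items():
        print(profile)
        for name in names:
            print("  exec denied:", name)
```

Each path it reports is a candidate for an exec rule in the profile; whether to grant it is the risk-versus-benefit call discussed in comment #4.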

#10 Updated by intrigeri 24 days ago

(In any case, it's not a release blocker, so if you have extra time for Tails today or later this week, better do the code review of #12092 and we can handle this one later :)

#11 Updated by intrigeri 22 days ago

#12 Updated by intrigeri 22 days ago

  • Assignee set to intrigeri

(This seems to be the kind of simple things I can handle in the state I am in today.)

#13 Updated by intrigeri 22 days ago

  • Status changed from In Progress to Needs Validation
  • Assignee deleted (intrigeri)

#14 Updated by intrigeri 22 days ago

(I've built an image locally and verified it fixes the bug. This branch impacts nothing that we test on Jenkins so I'm not waiting for CI to pass before submitting for review.)

#15 Updated by segfault 22 days ago

  • Status changed from Needs Validation to Resolved
  • % Done changed from 0 to 100
