Bug#996662: Additional information
I checked a few other packages quickly. It seems like evolution email client has no apparmor profile. Thunderbird mail client has an apparmor profile and the symlink works, but the apparmor profile seems to be including /etc/apparmor.d/abstractions/ubuntu-helpers which seems to provide symlink support, but also has security warnings.

I also tried the following, as described in the qtox documentation in /etc/apparmor.d/tunables/usr.bin.qtox: "Create /etc/apparmor.d/tunables/usr.bin.qtox.d/local file to append values as..." However, apparmor failed to load the new profile, saying that variable "qtox_additional_rw_dirs" was already created. Changing /etc/apparmor.d/tunables/usr.bin.qtox partially worked: the profile was loaded, but all history was gone from qtox. I was also able to create a new profile, but all history was lost between sessions.

As a last resort, I tried a bind mount, and that works. The steps are below. I make the original directory chmod 000 when it is not yet bound to ensure that qtox doesn't write to it if the bind ever fails.

However, a symlink would be better. There should be a way in the qtox code to open the symlink without de-referencing it, but I would have to look later. There is also probably a way to make the apparmor profile work for symlinks. See "man realpath". realpath will resolve the symlink, but option -s will preserve the symlink in the path.

Bind mount alternative (user called user, thus ~/ is /home/user):

    mkdir /test/
    mv ~/.config/tox /test/
    mkdir ~/.config/tox
    chmod 000 ~/.config/tox
    mount --bind /test/tox ~/.config/tox
    umount ~/.config/tox

Make it automatic on startup (add the following to fstab):

    nano /etc/fstab

    /test/tox /home/user/.config/tox none defaults,bind 0 0
Bug#996662: Additional information
Understood, but I am testing on vanilla debian installs which always include apparmor. I haven't had this issue with any other vanilla debian packages with apparmor. A specific example is evolution email client.

I am not sure if it is the way tox is reading the config or if it is specific to the qtox apparmor profile. I will have to dig further.

‐‐‐ Original Message ‐‐‐
On Thursday, October 21, 2021 3:08 PM, Yangfl wrote:

> debian-testing debian-test...@protonmail.com wrote on Thursday, October 21, 2021 at 9:48 PM:
>
> > Yangfl: Symlink outside of home, for example, if on a symlinked network
> > drive or usb, etc.
> > Directory has appropriate permissions. Seems to be apparmor (see my more
> > recent post), since works when apparmor is deactivated.
> > Sent with ProtonMail Secure Email.
>
> Then I'd rather mark this issue as wontfix since apparmor really did
> the right thing to stop program from accessing files outside of /home.
Bug#996662: Additional information
Yangfl: Symlink outside of home, for example, if on a symlinked network drive or usb, etc.

Directory has appropriate permissions. Seems to be apparmor (see my more recent post), since works when apparmor is deactivated.

Sent with [ProtonMail](https://protonmail.com) Secure Email.
Bug#996662: Additional information
It seems like apparmor is blocking access to the symlink target. Qtox works with symlinks after deactivating apparmor. I guess the qtox apparmor profile needs to be corrected.

    apparmor="DENIED" operation="open" profile="qtox" name="/test/.config/tox/qtox.ini" pid=1082 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
    apparmor="DENIED" operation="open" profile="qtox" name="/test/.config/tox/test.tox" pid=1082 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
    apparmor="DENIED" operation="mknod" profile="qtox" name="/test/.config/tox/test.lock" pid=1082 comm="qtox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
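
An added example (not part of the original message or of the qtox package): it parses the denial records quoted above and lists the file rules an administrator would have to review before extending the profile. The records name the resolved path under /test, not the symlink, because AppArmor matches on the path after symlink resolution; the function names and the choice to emit `owner` when fsuid equals ouid are this example's assumptions.

```python
import posixpath
import re
from collections import defaultdict

# The three denial records quoted in the message above.
SAMPLE_LOG = """\
apparmor="DENIED" operation="open" profile="qtox" name="/test/.config/tox/qtox.ini" pid=1082 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" profile="qtox" name="/test/.config/tox/test.tox" pid=1082 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="DENIED" operation="mknod" profile="qtox" name="/test/.config/tox/test.lock" pid=1082 comm="qtox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log mask letters -> profile permission letters (create/delete fold into w).
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}

def parse_denials(text):
    """Return one field dict per apparmor="DENIED" record in text."""
    rows = ({k: q or b for k, q, b in FIELD.findall(line)}
            for line in text.splitlines())
    return [r for r in rows if r.get("apparmor") == "DENIED" and "name" in r]

def candidate_rules(text, profile, merge_dirs=False):
    """Build the file rules that would cover the denials logged for profile."""
    perms = defaultdict(set)
    for rec in parse_denials(text):
        if rec.get("profile") != profile:
            continue
        path = rec["name"]
        if merge_dirs:  # one rule per parent directory instead of per file
            path = posixpath.dirname(path) + "/*"
        # fsuid == ouid: the process owns the file, so "owner" keeps the rule narrow.
        owner = "owner " if rec.get("fsuid") == rec.get("ouid") else ""
        perms[(owner, path)].update(
            MASK_TO_PERM[m] for m in rec.get("denied_mask", "") if m in MASK_TO_PERM)
    rules = []
    for (owner, path), letters in sorted(perms.items()):
        if "w" in letters:
            letters.discard("a")  # w and a cannot be combined in one rule
        mode = "".join(p for p in "rwaklm" if p in letters)
        rules.append(f"{owner}{path} {mode},")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG, "qtox", merge_dirs=True):
        print(rule)
```

The output is a review list, not a profile change: each rule widens what the confined program may touch, so it should be checked against the directory's actual purpose before it is added.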
Bug#996662: Additional information
Have no idea about apparmor, but any help is appreciated.

debian-testing wrote on Thursday, October 21, 2021 at 11:22 PM:

> Understood, but I am testing on vanilla debian installs which always include
> apparmor. I haven't had this issue with any other vanilla debian packages
> with apparmor. A specific example is evolution email client.
>
> I am not sure if it is the way tox is reading the config or if it is specific
> to the qtox apparmor profile. I will have to dig further.
>
> ‐‐‐ Original Message ‐‐‐
> On Thursday, October 21, 2021 3:08 PM, Yangfl wrote:
>
> > debian-testing debian-test...@protonmail.com wrote on Thursday, October 21, 2021 at 9:48 PM:
> >
> > > Yangfl: Symlink outside of home, for example, if on a symlinked network
> > > drive or usb, etc.
> > > Directory has appropriate permissions. Seems to be apparmor (see my more
> > > recent post), since works when apparmor is deactivated.
> > > Sent with ProtonMail Secure Email.
> >
> > Then I'd rather mark this issue as wontfix since apparmor really did
> > the right thing to stop program from accessing files outside of /home.
Bug#996662: Additional information
debian-testing wrote on Thursday, October 21, 2021 at 9:48 PM:

> Yangfl: Symlink outside of home, for example, if on a symlinked network drive
> or usb, etc.
>
> Directory has appropriate permissions. Seems to be apparmor (see my more
> recent post), since works when apparmor is deactivated.
>
> Sent with ProtonMail Secure Email.

Then I'd rather mark this issue as wontfix since apparmor really did the right thing to stop program from accessing files outside of /home.