Bug#881496: [Pkg-privacy-maintainers] Bug#881496: onioncircuits: python3/testing and apparmor/testing breaks onioncircuits

2017-12-07 Thread intrigeri
Control: tag -1 + moreinfo

Hi Mykola,

Sascha Steinbiss:
> ah, this sheds some light on the situation. However:

>> audit[3722]: AVC apparmor="DENIED" operation="file_mmap"
>> profile="/usr/bin/onioncircuits"
>> name="/usr/lib/python3.6/lib-dynload/_ctypes.cpython-36m-x86_64-linux-gnu.so"
>> pid=3722 comm="onioncircuits" requested_mask="m" denied_mask="m" fsuid=1000 
>> ouid=0

> This is interesting, since the corresponding line in the python AppArmor
> abstractions [1] (which are imported by the onioncircuits profile [2]) is:

>   /usr/lib{,32,64}/python3.[0-6]/lib-dynload/*.so mr,

> which indeed already has the mmap flag set. It's been in testing for
> some while now (since bzr revision #1671, which was the initial update
> to upstream's 2.11.1).
> I also can't see it being overridden anywhere. So I am not sure why this
> permission should be denied...

Can you please share the content of your
/etc/apparmor.d/abstractions/python file?

Cheers,
-- 
intrigeri
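
The check discussed in this thread, as an added example that is not part of the original messages or of AppArmor's own tooling: it parses the quoted audit record and tests whether a given file rule matches the denied path and grants the denied permission. The glob translation is a simplified subset of AppArmor's path syntax, and `NARROWER_RULE` is a constructed comparison rule, not one taken from the thread.

```python
import re

# Audit record quoted in the thread, joined onto one line.
AVC = ('audit[3722]: AVC apparmor="DENIED" operation="file_mmap" '
       'profile="/usr/bin/onioncircuits" name="/usr/lib/python3.6/lib-dynload/'
       '_ctypes.cpython-36m-x86_64-linux-gnu.so" pid=3722 comm="onioncircuits" '
       'requested_mask="m" denied_mask="m" fsuid=1000 ouid=0')
# Rule quoted in the thread (path and permissions separated by whitespace).
RULE = "/usr/lib{,32,64}/python3.[0-6]/lib-dynload/*.so mr,"
# Constructed variant for comparison only; it does not appear in the thread.
NARROWER_RULE = "/usr/lib{,32,64}/python3.[0-5]/lib-dynload/*.so mr,"

def parse_avc(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def glob_to_regex(glob):
    """Translate a simplified AppArmor path glob: **, *, ?, [...], {a,b}."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # ** may cross directory boundaries
            out.append(".*")
            i += 1
        elif c == "*":                    # * stays within one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":                    # character class, copied through
            end = glob.index("]", i)
            out.append(glob[i:end + 1])
            i = end
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def rule_allows(avc_line, rule):
    """True if the rule matches the denied path and grants every denied permission."""
    avc = parse_avc(avc_line)
    path_glob, perms = rule.rstrip(",").split()
    matched = glob_to_regex(path_glob).match(avc["name"]) is not None
    return matched and set(avc["denied_mask"]) <= set(perms)
```

`rule_allows(AVC, RULE)` is true, which is why the denial looks unexplained from the packaged abstraction alone; running the same check over the rules in the installed `/etc/apparmor.d/abstractions/python` shows whether that file carries an equivalent line.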



Processed: Re: Bug#881496: [Pkg-privacy-maintainers] Bug#881496: onioncircuits: python3/testing and apparmor/testing breaks onioncircuits

2017-12-07 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 + moreinfo
Bug #881496 [onioncircuits] onioncircuits: current python3/testing breaks onioncircuits
Added tag(s) moreinfo.

-- 
881496: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881496
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#881496: [Pkg-privacy-maintainers] Bug#881496: onioncircuits: python3/testing and apparmor/testing breaks onioncircuits

2017-11-20 Thread Sascha Steinbiss
Hi all,

ah, this sheds some light on the situation. However:

> audit[3722]: AVC apparmor="DENIED" operation="file_mmap" 
> profile="/usr/bin/onioncircuits" 
> name="/usr/lib/python3.6/lib-dynload/_ctypes.cpython-36m-x86_64-linux-gnu.so" 
> pid=3722 comm="onioncircuits" requested_mask="m" denied_mask="m" fsuid=1000 
> ouid=0

This is interesting, since the corresponding line in the python AppArmor
abstractions [1] (which are imported by the onioncircuits profile [2]) is:

  /usr/lib{,32,64}/python3.[0-6]/lib-dynload/*.so mr,

which indeed already has the mmap flag set. It's been in testing for
some while now (since bzr revision #1671, which was the initial update
to upstream's 2.11.1).
I also can't see it being overridden anywhere. So I am not sure why this
permission should be denied...

Any ideas? (AppArmor-savvy team members?)

Cheers
Sascha


[1]
https://alioth.debian.org/scm/loggerhead/collab-maint/apparmor/view/head:/profiles/apparmor.d/abstractions/python
[2]
https://anonscm.debian.org/cgit/pkg-privacy/packages/onioncircuits.git/tree/apparmor/usr.bin.onioncircuits#n8

> So, python3/testing + apparmor/testing is a breaking
> combination. Downgrading to apparmor/stable fixes the problem.
> 
> -- System Information:
> Debian Release: buster/sid
>   APT prefers stable
>   APT policy: (500, 'stable'), (70, 'unstable'), (60, 'testing'), (50, 'experimental')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages onioncircuits depends on:
> ii  gir1.2-glib-2.0    1.54.1-3
> ii  gir1.2-gtk-3.0 3.22.26-1
> ii  python3-gi 3.22.0-2
> ii  python3-pycountry  17.5.14+ds1-0.1
> ii  python3-stem   1.6.0-1
> pn  python3:any
> 
> onioncircuits recommends no packages.
> 
> Versions of packages onioncircuits suggests:
> ii  tor-geoipdb  0.3.1.8-2
> 
> -- no debconf information
> 