Onion Circuits cannot be started in Tails 3.6~rc1 (#15370) · Issues · tails / tails

Onion Circuits cannot be started in Tails 3.6~rc1

Originally created by @bertagaz on #15370 (Redmine)

I’ve noticed while testing 3.6~rc1 that onioncircuit failed to show its window when clicking on its icon. Failure in the logs shows problems with the apparmor profile and Tails python library:

audit[14270]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/onioncircuits" name="/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info" pid=14270 \
comm="onioncircuits" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: kauditd_printk_skb: 6 callbacks suppressed
kernel: audit: type=1400 audit(1520076835.695:35): apparmor="DENIED" operation="open" profile="/usr/bin/onioncircuits" \
name="/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info" pid=14270 comm="onioncircuits" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
onioncircuits.desktop[14270]: Traceback (most recent call last):
onioncircuits.desktop[14270]:   File "/usr/bin/onioncircuits", line 25, in <module>
onioncircuits.desktop[14270]:     import pycountry
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pycountry/__init__.py", line 12, in <module>
onioncircuits.desktop[14270]:     from pkg_resources import resource_filename
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3019, in <module>
onioncircuits.desktop[14270]:     @_call_aside
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3003, in _call_aside
onioncircuits.desktop[14270]:     f(*args, **kwargs)
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3032, in _initialize_master_working_set
onioncircuits.desktop[14270]:     working_set = WorkingSet._build_master()
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 646, in _build_master
onioncircuits.desktop[14270]:     ws = cls()
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 639, in __init__
onioncircuits.desktop[14270]:     self.add_entry(entry)
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 695, in add_entry
onioncircuits.desktop[14270]:     for dist in find_distributions(entry, True):
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2019, in find_on_path
onioncircuits.desktop[14270]:     path_item, entry, metadata, precedence=DEVELOP_DIST
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2432, in from_location
onioncircuits.desktop[14270]:     py_version=py_version, platform=platform, **kw
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2772, in _reload_version
onioncircuits.desktop[14270]:     md_version = _version_from_file(self._get_metadata(self.PKG_INFO))
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2397, in _version_from_file
onioncircuits.desktop[14270]:     line = next(iter(version_lines), '')
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2565, in _get_metadata
onioncircuits.desktop[14270]:     for line in self.get_metadata_lines(name):
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1872, in get_metadata_lines
onioncircuits.desktop[14270]:     return yield_lines(self.get_metadata(name))
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1858, in get_metadata
onioncircuits.desktop[14270]:     with io.open(self.path, encoding='utf-8', errors="replace") as f:
onioncircuits.desktop[14270]: PermissionError: [Errno 13] Permission denied: '/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info

The python apparmor abstraction should take care of that, but it does not seem to handle *.egg-info files.

Adding this line (or similar, this one is an adaption of one of the python abstraction) to the onioncircuit profile fixes the problem:

  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-9]}/dist-packages/*.egg-info r,

But I’m not sure of the syntax nor if that’s the best way to fix this issue.

Parent Task: #11198

Related issues

Related to #15732 (closed)

_Originally created by @bertagaz on [#15370 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/15370)_

I’ve noticed while testing 3.6\~rc1 that onioncircuit failed to show its
window when clicking on its icon. Failure in the logs shows problems
with the apparmor profile and Tails python
    library:

audit[14270]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/onioncircuits" name="/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info" pid=14270 \
    comm="onioncircuits" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    kernel: kauditd_printk_skb: 6 callbacks suppressed
    kernel: audit: type=1400 audit(1520076835.695:35): apparmor="DENIED" operation="open" profile="/usr/bin/onioncircuits" \
    name="/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info" pid=14270 comm="onioncircuits" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    onioncircuits.desktop[14270]: Traceback (most recent call last):
    onioncircuits.desktop[14270]:   File "/usr/bin/onioncircuits", line 25, in <module>
    onioncircuits.desktop[14270]:     import pycountry
    onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pycountry/__init__.py", line 12, in <module>
    onioncircuits.desktop[14270]:     from pkg_resources import resource_filename
    onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3019, in <module>
    onioncircuits.desktop[14270]:     @_call_aside
    onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3003, in _call_aside
    onioncircuits.desktop[14270]:     f(*args, **kwargs)
    onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3032, in _initialize_master_working_set
    onioncircuits.desktop[14270]:     working_set = WorkingSet._build_master()
    onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 646, in _build_master
    onioncircuits.desktop[14270]:     ws = cls()
    onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 639, in __init__
    onioncircuits.desktop[14270]:     self.add_entry(entry)
    onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 695, in add_entry
    onioncircuits.desktop[14270]:     for dist in find_distributions(entry, True):
    onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2019, in find_on_path
    onioncircuits.desktop[14270]:     path_item, entry, metadata, precedence=DEVELOP_DIST
    onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2432, in from_location
    onioncircuits.desktop[14270]:     py_version=py_version, platform=platform, **kw
    onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2772, in _reload_version
    onioncircuits.desktop[14270]:     md_version = _version_from_file(self._get_metadata(self.PKG_INFO))
    onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2397, in _version_from_file
    onioncircuits.desktop[14270]:     line = next(iter(version_lines), '')
    onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2565, in _get_metadata
    onioncircuits.desktop[14270]:     for line in self.get_metadata_lines(name):
    onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1872, in get_metadata_lines
    onioncircuits.desktop[14270]:     return yield_lines(self.get_metadata(name))
    onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1858, in get_metadata
    onioncircuits.desktop[14270]:     with io.open(self.path, encoding='utf-8', errors="replace") as f:
    onioncircuits.desktop[14270]: PermissionError: [Errno 13] Permission denied: '/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info

The python apparmor abstraction should take care of that, but it does
not seem to handle `*.egg-info` files.

Adding this line (or similar, this one is an adaption of one of the
python abstraction) to the onioncircuit profile fixes the
problem:

``` 
  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-9]}/dist-packages/*.egg-info r,
```

But I’m not sure of the syntax nor if that’s the best way to fix this
issue.

Parent Task: tails/tails#11198

### Related issues

- **Related to** tails/tails#15732

Edited May 15, 2020 by bertagaz

To upload designs, you'll need to enable LFS. More information