Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Qubes /usr/local symlink /rw/usrlocal AppArmor issue #1122

Closed
adrelanos opened this issue Aug 15, 2015 · 7 comments
Closed

Qubes /usr/local symlink /rw/usrlocal AppArmor issue #1122

adrelanos opened this issue Aug 15, 2015 · 7 comments
Labels
C: core C: templates

Comments

@adrelanos
Copy link
Member

issue description:
I found a Qubes specific AppArmor issue.

Qubes symlinks /usr/local to /rw/usrlocal and AppArmor does not like this.

user@host:~$ obfsproxy -h
Traceback (most recent call last):
  File "/usr/bin/obfsproxy", line 5, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2876, in <module>
    working_set = WorkingSet._build_master()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 440, in _build_master
    ws = cls()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 433, in __init__
    self.add_entry(entry)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 489, in add_entry
    for dist in find_distributions(entry, True):
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 1902, in find_on_path
    for entry in os.listdir(path_item):
OSError: [Errno 13] Permission denied: '/rw/usrlocal/lib/python2.7/dist-packages'

audit: type=1400 audit(1439566453.497:15): apparmor="DENIED" operation="open" profile="/usr/bin/obfsproxy" name="/rw/usrlocal/lib/python2.7/dist-packages/" pid=4078 comm="obfsproxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Upstream AppArmor won't add symlink support:
https://bugs.launchpad.net/apparmor/+bug/1485055

proposed solution:

I am suggesting to ship a file /etc/apparmor.d/tunables/home.d/qubes with the following content:

alias /usr/local -> /rw/usrlocal/,

Also some explanatory comment should be added. And perhaps this will needs to be extended over time with more entries. There is also a file /etc/apparmor.d/tunables/home.d/ubuntu already, so this seems appropriate. In which package? qubes-core-agent, I suppose?

If this solution sounds alright to you, I can send a pull request.
@nrgaway
Copy link

nrgaway commented Aug 17, 2015

I assume you have tested this already. Just wanted to make sure that an alias will not effect the mounting of /rw/usrlocal to /usr/local?

@adrelanos
Copy link
Member Author

Yes, this is tested and working.

Doesn't affect that. Affecting mount should be far outside of AppArmors's scope. (There is no AppArmor profile for mount, if that even would make sense.)

@marmarek
Copy link
Member

I don't know AppArmor at all, but above (together with an idea about
qubes-core-agent) looks good.

BTW some applications had a problem with /home->/rw/home symlink, AFAIR
because realpath $HOME != $HOME. Because of that /home is now
bind-mounted from /rw/home. Do you think we should do the same with
/usr/local? This is the first issue ever caused by that /usr/local
symlink, so maybe not.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

@adrelanos
Copy link
Member Author

Do you think we should do the same with /usr/local?

Yes. For better consistency.

I am not sure I yet have experienced /rw/home related AppArmor symlink issues, but all symlinks should have corresponding alias' configured. I'll include alias /home -> /rw/home/, in my pull request.

Are there any other (bind-) mounted locations or a list of those which probably also should be included?

@marmarek
Copy link
Member

On Wed, Aug 26, 2015 at 09:10:39AM -0700, Patrick Schleizer wrote:

Do you think we should do the same with /usr/local?

Yes. For better consistency.

Ok. But since mounting /rw get more and more complex, I think we should
do this only after #979.

I am not sure I yet have experienced /rw/home related AppArmor symlink issues, but all symlinks should have corresponding alias' configured. I'll include alias /home -> /rw/home/, in my pull request.

I think this is unnecessary, as /home is bind-mounted now.

Are there any other (bind-) mounted locations or a list of those which probably also should be included?

Actually I think bind mounted locations shouldn't be a problem for
AppArmor. Symlinks are.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

@marmarek marmarek mentioned this issue Aug 26, 2015
Closed
@adrelanos
Copy link
Member Author

Since,

what do you think about not implementing / closing this ticket?

@marmarek marmarek added this to the Release 3.1 milestone Sep 2, 2015
@marmarek marmarek removed this from the Release 3.1 milestone Sep 2, 2015
@marmarek
Copy link
Member

marmarek commented Sep 2, 2015

Good idea, one ticket less :)

@marmarek marmarek closed this as completed Sep 2, 2015
@adrelanos adrelanos mentioned this issue Mar 20, 2017
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C: core C: templates
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@nrgaway @marmarek @adrelanos