Cannot Upload Files with Tor Browser - AppArmor Issue

Ionixx · January 22, 2024, 4:46pm

Hello,

I have just installed Qubes 4.2 on two different computers (NUC 5 and NUC 10, both with I5 CPU) and it basically works.

Nevertheless, I have encountered a major problem:

If I want to attach files (no matter if jpg, doc, pdf etc.) to a mail in Qubes-Whonix in a corresponding APP-VM and a normal e-mail program (upload from the Thunar file manager), an error message appears after some time that the file cannot be attached to the mail. With another mail program, attaching the file deletes the entire text including metadata.

I have tested it on several freshly created Whonix instances or clones and it is always the same error.

It is not due to different formats or settings in the mail programs such as PlainText or html. I can send a simple mail without an attachment.

I don’t know whether the problem is with Qubes 4.2, Whonix-17, Tor or Debian-12. That’s why I’m posting in both forums.

Has anyone had similar experiences or an idea where the error could lie?

Many thanks for your opinions!

extraextra · January 22, 2024, 5:22pm

AppArmor issue?

Try move the file to the Download folder in the home folder before attempting to attach.

Ionixx · January 22, 2024, 8:15pm

I´ve done but it´s the same result; i cannot attach the files.

extraextra · January 22, 2024, 10:09pm

Exact error message?

Ionixx · January 23, 2024, 9:49am

Yes: “An unknown error has occurred. File cannot be attached.”.

Ionixx · January 23, 2024, 11:15am

I have done some tests and think I have found the solution. If anyone would like to forward this to the developers of apparmor - please do.

I initially switched off all profiles in apparmor in Whonix-workstation-17. The error was fixed and file attachments were possible.

Then I set everything to enforce mode and only in the VM based on the whonix-workstation-17 with the mail program did I switch the profiles to “complain”, where I suspected the highest probability of the error:

“home.tor-browser.firefox” and “system_tor”

This produced no result, the error was still there.

Then I did the same in whonix-workstation-17 and the error was fixed by running the following command in /etc/apparmor.d:

sudo aa-complain home.tor-browser.firefox

Then file attachments work.

Patrick · January 23, 2024, 11:55am

Your mail program, presumably Thunderbird was unbroken by command sudo aa-complain home.tor-browser.firefox?

Ionixx · January 23, 2024, 8:55pm

I have not yet tested it in Thunderbird, but via a mail program that I used in the Tor browser. There were no problems. But I can test it with Thunderbird and then report back.

extraextra · January 23, 2024, 9:06pm

That was confusing. There is no mail program inside Tor Browser. That’s just a website.

Use folder /home/user/Downloads to store files before upload.

Try apparmor-info to check for AppArmor issues.

halo9en · January 24, 2024, 6:34am

I am experiencing this same problem in Tor Browser (13.0.9). Updated by the internal updater and not tb-updater.

Snippets from apparmor-info:

AVC apparmor=“DENIED” operation=“open” profile=“/**/*-browser/Browser/firefox” name=“/home/user/Downloads/avatar.jpg” comm=“firefox.real” requested_mask=“r” denied_mask=“r”

This problem occurs in Tor Browser (shown) when attempting to upload (or as @Ionixx reports attempting to attach in webmail) any images.

Patrick · January 24, 2024, 9:08am

Is this file owned by any user other than user user? Check:

stat -c '%U' /home/user/Downloads/avatar.jpg

If it shows anything other than user this could be the cause. Or use ls.

ls -la ~/Downloads

In that case (useful anyhow), try Permissions Fix.

This might happen because of the owner keyword in the AppArmor profile.

related source code file:
/etc/apparmor.d/home.tor-browser.firefox

[1] The same user under which the browser is running.

halo9en · January 24, 2024, 2:17pm

$ stat -c ‘%U’ /home/user/Downloads/avatar.jpg
user

The directory & all of its files are owned by user.

apparmor · January 24, 2024, 4:36pm

home.tor-browser.firefox#L124 (cannot post links)

audit deny owner @{HOME}/*/* r,

Deny rules have precedence over allow rules and so this rule will override the rules above. The order of rules do not matter.

To reproduce, simply create a file ~/Downloads/test and ~/test2. Open Tor Browser and drag both files to it. With the current rule set, both files will be denied. If you remove the marked deny rule, the test file will be allowed and test2 still denied as expected (the default is to deny). I think both of the deny rules at the end can be deleted.

halo9en · January 24, 2024, 9:34pm

Thank you. This seems perfectly correct. However, I’d like to wait for @Patrick to confirm before I proceed with modifying this apparmor profile.

Patrick · January 25, 2024, 1:19pm

Try. As per: The User Co-developer Concept

Ionixx · January 25, 2024, 7:20pm

Extraextra: Perhaps I have expressed myself in a misleading way. I meant: I ran a mail provider in the browser window.

thetuber · January 28, 2024, 6:56pm

Put the files that you want to upload in a subdirectory of /home/user/.tb/tor-browser/ (but not in that subroot itself). In my case, I created /home/user/.tb/tor-browser/Browser/Downloads/Pictures The rule that governs is:

  owner /**/*-browser/** mrwlkix,

I think the idea is the browser should only have access to a sub-root of its installation, and nothing else. So I would be leery of modifying the apparmor profile to allow extra permissions.

Patrick · February 16, 2024, 1:40pm

Uploads will hopefully be fixed by this.

Inspired by apparmor.d project.

Ionixx · February 16, 2024, 3:31pm

That sounds good. Thank you for information!

nurmagoz · February 18, 2024, 7:28pm

Tested, now its fixed.