Information
ID: 314
PHID: PHID-TASK-fvfmye3n6dawxamtxqzs
Author: Patrick
Status at Migration Time: resolved
Priority at Migration Time: Normal
Description
user@host:~$ sudo apt-get install apparmor-profiles apparmor-profile-pidgin
Reading package lists… Done
Building dependency tree
Reading state information… Done
apparmor-profiles is already the newest version.
The following NEW packages will be installed:
apparmor-profile-pidgin
0 upgraded, 1 newly installed, 0 to remove and 26 not upgraded.
10 not fully installed or removed.
Need to get 0 B/7,272 B of archives.
After this operation, 42.0 kB of additional disk space will be used.
Do you want to continue? [Y/n]
(Reading database … 87205 files and directories currently installed.)
Preparing to unpack …/apparmor-profile-pidgin_3%3a1.2-1_all.deb …
Unpacking apparmor-profile-pidgin (3:1.2-1) …
dpkg: error processing archive /var/cache/apt/archives/apparmor-profile-pidgin_3%3a1.2-1_all.deb (--unpack):
trying to overwrite '/etc/apparmor.d/usr.bin.pidgin', which is also in package apparmor-profiles-extra 1.4
Errors were encountered while processing:
/var/cache/apt/archives/apparmor-profile-pidgin_3%3a1.2-1_all.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
Both apparmor-profiles-extra and apparmor-profile-pidgin ship the pidgin profile. That conflicts.
Especially problematic, because apparmor-profiles-whonix depends on apparmor-profile-pidgin.
Is the pidgin profile from apparmor-profiles-extra okay? Do we recommend installing it?
What do we do with the apparmor-profile-pidgin package? Deprecate it? Or solve that conflict by using config-package-dev displace (I can add this if useful)? (fixed)
! In T314#5003, @troubadour wrote:
There is an issue with some profiles from apparmor-profiles and apparmor-profiles-extra. They are not loaded because of conflicting x modifiers. The problem does not show in the host. Looking into it.
Comments
troubadour
2015-05-18 20:03:11 UTC
The pidgin profile from apparmor-profiles-extra is not okay in Whonix. See Whonix Forum
On top of the kde messages, they include some Ubuntu abstractions that create some parsing errors in Whonix, preventing the profile from loading.
Whonix Forum
Retested the profile from apparmor-profiles-extra in Whonix 11, same issues.
There was another issue, when after an update, a bunch of denied messages popped, and we replaced the adapted Debian profile with the original from Whonix.
Whonix Forum
Retested the adapted Debian profile in Whonix 11, okay except for one new kde message that shows in the host too. Not a big problem. This is the one you merged in Merge remote-tracking branch 'troubadoour/master' · troubadoour/apparmor-profile-pidgin@0b33fe3 · GitHub
If we want to install apparmor-profiles-extra, we should probably use your magic (config-package-dev displace to replace the original profile with our modified one).
Patrick
2015-05-20 13:55:58 UTC
Patrick
2015-05-23 01:22:18 UTC
Patrick
2015-05-24 15:16:07 UTC
Fixed in Whonix 11.0.0.2.0-developers-only.
Running sudo apt-get install apparmor-profiles-whonix apparmor-profiles apparmor-profiles-extra succeeded. (Currently from developers repository that was upgraded as per 11.0.0.2.0-developers-only.)
troubadour
2015-05-27 20:59:05 UTC
Patrick
2015-05-27 22:36:25 UTC
Patrick
2015-06-03 13:37:25 UTC
sudo aa-enforce /etc/apparmor.d/usr.bin.chromium-browser
Setting /etc/apparmor.d/usr.bin.chromium-browser to enforce mode.
Traceback (most recent call last):
File "/usr/sbin/aa-enforce", line 30, in <module>
tool.cmd_enforce()
File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 166, in cmd_enforce
raise apparmor.AppArmorException(cmd_info[1])
apparmor.common.AppArmorException: 'profile has merged rule with conflicting x modifiers\nERROR processing regexs for profile sanitized_helper, failed to load\n'
Setting /etc/apparmor.d/usr.bin.evince to enforce mode.
Traceback (most recent call last):
File "/usr/sbin/aa-enforce", line 30, in <module>
tool.cmd_enforce()
File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 166, in cmd_enforce
raise apparmor.AppArmorException(cmd_info[1])
apparmor.common.AppArmorException: 'profile has merged rule with conflicting x modifiers\nERROR processing regexs for profile sanitized_helper, failed to load\n'
The issue must be somewhere within these lines:
apparmor-profile-dist/etc/apparmor.d/abstractions/base.anondist at 814ec01c4189ea0e897ba066ee3f914aa530f2ae · Kicksecure/apparmor-profile-dist · GitHub
(Because when commenting those out, the profile can be loaded.)
troubadour
2015-06-09 02:35:38 UTC
I missed that post. Thanks for the finding.
Another one. config-package-dev displace installs the .orig file in /etc/apparmor.d. So after installing apparmor-profiles-extra, the original Pidgin profile is parsed by AppArmor, and we end up with the same situation.
Patrick
2015-06-09 10:59:37 UTC
What error do you get? The install error?
Unpacking apparmor-profiles-extra (1.4) ...
dpkg: error processing archive /var/cache/apt/archives/apparmor-profiles-extra_1.4_all.deb (--unpack):
trying to overwrite '/etc/apparmor.d/usr.bin.pidgin', which is also in package apparmor-profile-pidgin 3:1.2-1
Errors were encountered while processing:
/var/cache/apt/archives/apparmor-profiles-extra_1.4_all.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
That’s maybe because apparmor-profile-pidgin isn’t updated in the Whonix jessie / developers repository. Still working on that (T342, T325).
Otherwise if somehow the .orig file is parsed, maybe instead of config-package-dev displace, I should have used config-package-dev hide. Then that file is moved out of the way.
Actually a different issue:
https://phabricator.whonix.org/T314#5122
I think this happens because /etc/apparmor.d/usr.bin.chromium-browser tries to grant rights to files located in /usr/share/ somewhere, while apparmor-profile-anondist /etc/apparmor.d/abstractions/base.anondist granted different rights.
troubadour
2015-06-09 20:31:23 UTC
It was not the install error, but the original file was parsed, provoking the conflicting x modifiers error.
The problem, along with the offending profiles (chromium-browser, evince) is solved in list all executables in /usr/lib/anon-shared-helper-scripts/ · troubadoour/apparmor-profile-anondist@fbf9542 · GitHub
For executables, we have to give permissions to files individually, wildcards are not allowed, apparently. What is strange is that the Whonix profiles do not complain. Anyhow, I have been on and off on this for quite some time, and did not look at the obvious: base.anondist.
We can either remove the file displacement, or better I think, remove the Pidgin profile completely from Whonix, and users can install the one from apparmor-profiles-extra. They are similar, I was just removing some Ubuntu abstractions.
Patrick
2015-06-09 20:44:33 UTC
! In T314#5374, @troubadour wrote:
It was not the install error, but the original file was parsed, provoking the conflicting x modifiers error.
I see. So I suppose if one deleted the .orig file, the issue would be gone?
The problem, along with the offending profiles (chromium-browser, evince) is solved in list all executables in /usr/lib/anon-shared-helper-scripts/ · troubadoour/apparmor-profile-anondist@fbf9542 · GitHub
Nice! Merged!
We can either remove the file displacement, or better I think, remove the Pidgin profile completely from Whonix, and users can install the one from apparmor-profiles-extra. They are similar, I was just removing some Ubuntu abstractions.
Yeah. If the upstream profile works with Whonix, by all means, let’s remove it.
If you want, I’ll empty the package. Remove the apparmor profile and add a config-package-dev undisplace to restore original state. (And keep the empty package, perhaps it will be reintroduced in not so far future.)
troubadour
2015-06-11 19:29:44 UTC
Patrick
2015-06-15 05:00:15 UTC
Patrick
2016-01-21 20:48:49 UTC
Patrick
2016-04-28 01:55:23 UTC
ls -la /etc/apparmor.d/usr.bin.pidgin*
-rw-r--r-- 1 root root 2155 Oct 19 2014 /etc/apparmor.d/usr.bin.pidgin.dpkg-new
Requires manual reinstallation of apparmor-profiles-extra.
sudo apt-get install --reinstall apparmor-profiles-extra
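
Two checks for the leftover-file states this thread runs into, a diverted original sitting inside /etc/apparmor.d and a profile that exists only as a .dpkg-new file, as an added example that is not part of the original thread or of any Whonix package. The function names are hypothetical; the diversion lines are parsed in the format printed by dpkg-divert --list.

```sh
#!/bin/sh
# Added example: audit an AppArmor profile directory for dpkg residue.
# find_stranded_profiles and diverted_into_dir are hypothetical helper names,
# not dpkg or AppArmor tools.

# Print dpkg leftovers whose live file is missing, e.g. usr.bin.pidgin.dpkg-new
# with no usr.bin.pidgin beside it (the state shown by the ls output above).
find_stranded_profiles() {
    dir=${1:-/etc/apparmor.d}
    for leftover in "$dir"/*.dpkg-new "$dir"/*.dpkg-dist "$dir"/*.dpkg-old; do
        [ -f "$leftover" ] || continue      # an unmatched glob stays literal
        base=${leftover%.dpkg-*}            # strip the dpkg suffix
        [ -e "$base" ] || printf '%s\n' "$leftover"
    done
}

# Read "dpkg-divert --list" output on stdin and print every diversion target
# that lands inside the given directory, i.e. a displaced original that still
# sits next to the profiles.
diverted_into_dir() {
    dir=${1:-/etc/apparmor.d}
    while IFS= read -r line; do
        case $line in
            *"diversion of "*" to $dir/"*)
                dest=${line#* to }          # drop "diversion of <path> to "
                dest=${dest% by *}          # drop " by <package>" if present
                printf '%s\n' "$dest" ;;
        esac
    done
}

# Run against the live system when dpkg-divert is available.
find_stranded_profiles /etc/apparmor.d
if command -v dpkg-divert >/dev/null 2>&1; then
    dpkg-divert --list | diverted_into_dir /etc/apparmor.d
fi
```

Any path printed by the first function points at a package that needs reinstalling; any path printed by the second is a diverted file that was placed inside the profile directory.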