Skip to content

Onion Circuits cannot be started in Tails 3.6~rc1

I’ve noticed while testing 3.6~rc1 that onioncircuit failed to show its window when clicking on its icon. Failure in the logs shows problems with the apparmor profile and Tails python library:

audit[14270]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/onioncircuits" name="/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info" pid=14270 \
comm="onioncircuits" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: kauditd_printk_skb: 6 callbacks suppressed
kernel: audit: type=1400 audit(1520076835.695:35): apparmor="DENIED" operation="open" profile="/usr/bin/onioncircuits" \
name="/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info" pid=14270 comm="onioncircuits" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
onioncircuits.desktop[14270]: Traceback (most recent call last):
onioncircuits.desktop[14270]:   File "/usr/bin/onioncircuits", line 25, in <module>
onioncircuits.desktop[14270]:     import pycountry
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pycountry/__init__.py", line 12, in <module>
onioncircuits.desktop[14270]:     from pkg_resources import resource_filename
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3019, in <module>
onioncircuits.desktop[14270]:     @_call_aside
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3003, in _call_aside
onioncircuits.desktop[14270]:     f(*args, **kwargs)
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3032, in _initialize_master_working_set
onioncircuits.desktop[14270]:     working_set = WorkingSet._build_master()
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 646, in _build_master
onioncircuits.desktop[14270]:     ws = cls()
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 639, in __init__
onioncircuits.desktop[14270]:     self.add_entry(entry)
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 695, in add_entry
onioncircuits.desktop[14270]:     for dist in find_distributions(entry, True):
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2019, in find_on_path
onioncircuits.desktop[14270]:     path_item, entry, metadata, precedence=DEVELOP_DIST
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2432, in from_location
onioncircuits.desktop[14270]:     py_version=py_version, platform=platform, **kw
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2772, in _reload_version
onioncircuits.desktop[14270]:     md_version = _version_from_file(self._get_metadata(self.PKG_INFO))
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2397, in _version_from_file
onioncircuits.desktop[14270]:     line = next(iter(version_lines), '')
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2565, in _get_metadata
onioncircuits.desktop[14270]:     for line in self.get_metadata_lines(name):
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1872, in get_metadata_lines
onioncircuits.desktop[14270]:     return yield_lines(self.get_metadata(name))
onioncircuits.desktop[14270]:   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1858, in get_metadata
onioncircuits.desktop[14270]:     with io.open(self.path, encoding='utf-8', errors="replace") as f:
onioncircuits.desktop[14270]: PermissionError: [Errno 13] Permission denied: '/usr/local/lib/python3.5/dist-packages/Tailslib-0.1.egg-info

The python apparmor abstraction should take care of that, but it does not seem to handle *.egg-info files.

Adding this line (or similar, this one is an adaption of one of the python abstraction) to the onioncircuit profile fixes the problem:

  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-9]}/dist-packages/*.egg-info r,

But I’m not sure of the syntax nor if that’s the best way to fix this issue.

Parent Task: #11198

Related issues

Original created by @bertagaz on 15370 (Redmine)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information