Debian-facile

Welcome to Debian-Facile, a help site for new Debian users.


#1 16-07-2016 23:17:51

ragirs
Member
Distrib.: Jessie - stable
(G)UI: Gnome 3.14
Registered: 01-05-2015

No more access to Tor after installing AppArmor

Hi everyone,

I installed AppArmor, then enabled it, as this command shows:

aa-status


apparmor module is loaded.
65 profiles are loaded.
29 profiles are in enforce mode.
   /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox
   /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/bin/freshclam
   /usr/bin/irssi
   /usr/bin/pidgin
   /usr/bin/pidgin//launchpad_integration
   /usr/bin/pidgin//sanitized_helper
   /usr/bin/totem
   /usr/bin/totem-audio-preview
   /usr/bin/totem-video-thumbnailer
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/apt-cacher-ng
   /usr/sbin/clamd
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
   gst_plugin_scanner
   system_tor
36 profiles are in complain mode.
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/bin/torbrowser-launcher
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//lsb_release
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/sbin/smbldap-useradd
   /usr/sbin/smbldap-useradd///etc/init.d/nscd
   /usr/{sbin/traceroute,bin/traceroute.db}
   /{usr/,}bin/ping
7 processes have profiles defined.
5 processes are in enforce mode.
   /usr/bin/freshclam (690)
   /usr/sbin/clamd (743)
   /usr/sbin/cups-browsed (740)
   /usr/sbin/cupsd (739)
   system_tor (1091)
2 processes are in complain mode.
   /usr/sbin/avahi-daemon (701)
   /usr/sbin/avahi-daemon (731)
 



Then, if I launch the Tor Browser, the following message appears:

Tor s'est terminé durant le démarrage. Cela peut être dû à une erreur dans votre fichier torrc, un bug dans Tor ou un autre programme sur votre système, ou un matériel défaillant. Tant que le problème sous-jacent n'est pas réglé et Tor redémarré, TorBrowser ne démarrera pas.



So I decided to switch every file in which the word "tor" appears to complain mode with the command

aa-complain [file name]



which I managed to do:

aa-status


apparmor module is loaded.
65 profiles are loaded.
26 profiles are in enforce mode.
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/bin/freshclam
   /usr/bin/irssi
   /usr/bin/pidgin
   /usr/bin/pidgin//launchpad_integration
   /usr/bin/pidgin//sanitized_helper
   /usr/bin/totem
   /usr/bin/totem-audio-preview
   /usr/bin/totem-video-thumbnailer
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/apt-cacher-ng
   /usr/sbin/clamd
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
   gst_plugin_scanner
39 profiles are in complain mode.
   /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox
   /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/bin/torbrowser-launcher
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//lsb_release
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/sbin/smbldap-useradd
   /usr/sbin/smbldap-useradd///etc/init.d/nscd
   /usr/{sbin/traceroute,bin/traceroute.db}
   /{usr/,}bin/ping
   system_tor
7 processes have profiles defined.
4 processes are in enforce mode.
   /usr/bin/freshclam (690)
   /usr/sbin/clamd (743)
   /usr/sbin/cups-browsed (740)
   /usr/sbin/cupsd (739)
3 processes are in complain mode.
   /usr/sbin/avahi-daemon (701)
   /usr/sbin/avahi-daemon (731)
   system_tor (1091)
0 processes are unconfined but have a profile defined.
 



The two files

/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox
   /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor

are provided with the Tor Browser Launcher; here they are AFTER switching them to complain mode:

the file torbrowser.Browser.firefox:

# Last modified
#include <tunables/global>

/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox flags=(complain) {
  #include <abstractions/gnome>

  # Uncomment the following line if you don't want the Tor Browser
  # to have direct access to your sound hardware. Note that this is not
  # enough to have working sound support in Tor Browser.
  # #include <abstractions/audio>

  # Uncomment the following lines if you want to give the Tor Browser read-write
  # access to most of your personal files.
  # #include <abstractions/user-download>
  # @{HOME}/ r,

  #dbus,
  network tcp,

  deny /etc/host.conf r,
  deny /etc/hosts r,
  deny /etc/nsswitch.conf r,
  deny /etc/resolv.conf r,
  deny /etc/passwd r,
  deny /etc/group r,
  deny /etc/mailcap r,

  deny /etc/machine-id r,
  deny /var/lib/dbus/machine-id r,

  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  @{PROC}/[0-9]*/task/*/stat r,
  @{PROC}/sys/kernel/random/uuid r,

  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/ r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/* r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/.** rwk,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/.** rwk,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/ r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/*.so mr,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/components/*.so mr,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/browser/components/*.so mr,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox rix,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Data/Browser/profiles.ini r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/ r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/** rwk,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/tor Px,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/libstdc++.so.6 m,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/Desktop/ rw,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/Desktop/** rwk,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/Downloads/ rw,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/Downloads/** rwk,

  /etc/mailcap r,
  /etc/mime.types r,

  /usr/share/ r,
  /usr/share/mime/ r,
  /usr/share/themes/ r,
  /usr/share/applications/** rk,
  /usr/share/gnome/applications/ r,
  /usr/share/gnome/applications/kde4/ r,
  /usr/share/poppler/cMap/ r,

  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/present r,

  # Should use abstractions/gstreamer instead once merged upstream
  /etc/udev/udev.conf r,
  /run/udev/data/+pci:* r,
  /sys/devices/pci[0-9]*/**/uevent r,
  owner /{dev,run}/shm/shmfd-* rw,

  # KDE 4
  owner @{HOME}/.kde/share/config/* r,

  # Xfce4
  /etc/xfce4/defaults.list r,
  /usr/share/xfce4/applications/ r,
}



and torbrowser.Tor.tor:

#include <tunables/global>

/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor flags=(complain) {
  #include <abstractions/base>

  network tcp,
  network udp,

  /etc/host.conf r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/resolv.conf r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor mr,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Tor/* rw,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Tor/lock rwk,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Lib/*.so mr,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Lib/*.so.* mr,
  @{PROC}/meminfo r,
  @{PROC}/sys/kernel/random/uuid r,
  /sys/devices/system/cpu/ r,

  # OnionShare compatibility
  /tmp/onionshare_*/ rw,
  /tmp/onionshare_*/* rw,
}



How should I proceed to get access to Tor again? Delete the profiles? Modify them, but how?

Thanks in advance!


What aroused our revolt, our horror, is there once again, distributed, intact and subordinate, ready for attack, for death. Only the form of the riposte remains to be discovered, along with the luminous motifs that will clothe it in impulsive colours. René Char
Réseau Salariat


#2 18-07-2016 21:10:28

ragirs
Member
Distrib.: Jessie - stable
(G)UI: Gnome 3.14
Registered: 01-05-2015

Re: No more access to Tor after installing AppArmor

I searched a bit, and here is what was written in

/var/log/kern.log

when I launched the Tor Browser:

Jul 17 11:03:35 ragirs kernel: [ 4346.380862] audit_printk_skb: 6 callbacks suppressed

Jul 17 11:03:35 ragirs kernel: [ 4346.380870] audit: type=1400 audit(1468746215.630:83): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/torbrowser-launcher" name="/usr/lib/python2.7/dist-packages/torbrowser_launcher/__init__.pyc" pid=4454 comm="torbrowser-laun" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Jul 17 11:03:35 ragirs kernel: [ 4346.633817] audit: type=1400 audit(1468746215.882:84): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/torbrowser-launcher" name="/usr/lib/python2.7/dist-packages/torbrowser_launcher/common.pyc" pid=4454 comm="torbrowser-laun" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Jul 17 11:03:38 ragirs kernel: [ 4349.387350] audit: type=1400 audit(1468746218.638:85): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/torbrowser-launcher" name="/usr/lib/python2.7/dist-packages/torbrowser_launcher/settings.pyc" pid=4454 comm="torbrowser-laun" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Jul 17 11:03:38 ragirs kernel: [ 4349.398920] audit: type=1400 audit(1468746218.650:86): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/torbrowser-launcher" name="/usr/lib/python2.7/dist-packages/torbrowser_launcher/launcher.pyc" pid=4454 comm="torbrowser-laun" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Jul 17 11:03:42 ragirs kernel: [ 4353.491662] audit: type=1400 audit(1468746222.742:87): apparmor="ALLOWED" operation="file_mmap" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/home/ragirs/.local/share/torbrowser/tbb/x86_64/tor-browser_fr/Browser/TorBrowser/Tor/libgmp.so.10" pid=4477 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000

Jul 17 11:03:45 ragirs kernel: [ 4356.613826] audit: type=1400 audit(1468746225.866:88): apparmor="ALLOWED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" pid=4477 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Jul 17 11:03:45 ragirs kernel: [ 4356.613883] audit: type=1400 audit(1468746225.866:89): apparmor="ALLOWED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/sys/devices/system/cpu/cpu0/cache/index2/size" pid=4477 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Jul 17 11:03:50 ragirs kernel: [ 4361.357604] audit: type=1400 audit(1468746230.614:90): apparmor="ALLOWED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/etc/pulse/client.conf" pid=4477 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Jul 17 11:03:50 ragirs kernel: [ 4361.413468] audit: type=1400 audit(1468746230.670:91): apparmor="ALLOWED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/dev/shm/" pid=4477 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Jul 17 11:03:50 ragirs kernel: [ 4361.413558] audit: type=1400 audit(1468746230.670:92): apparmor="ALLOWED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/dev/shm/pulse-shm-3081977972" pid=4477 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Jul 17 11:03:50 ragirs kernel: [ 4361.413622] audit: type=1400 audit(1468746230.670:93): apparmor="ALLOWED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/dev/shm/pulse-shm-2702374413" pid=4477 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Jul 17 11:03:50 ragirs kernel: [ 4361.413863] audit: type=1400 audit(1468746230.670:94): apparmor="ALLOWED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/dev/shm/pulse-shm-1178697840" pid=4477 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Jul 17 11:03:50 ragirs kernel: [ 4361.413886] audit: type=1400 audit(1468746230.670:95): apparmor="ALLOWED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/dev/shm/pulse-shm-3623722319" pid=4477 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Jul 17 11:03:50 ragirs kernel: [ 4361.413906] audit: type=1400 audit(1468746230.670:96): apparmor="ALLOWED" operation="open" profile="/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox" name="/dev/shm/pulse-shm-2802667331" pid=4477 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

 



What is strange is that the two profiles in question are in "complain" mode, so in theory they let requests through (which the ALLOWED entries in my logs seem to confirm)... But the TBB still refused to start.

So I ran

aa-disable

for the two profiles concerned, and now I can launch the TBB. But I don't understand why complain mode was blocking it...


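An added example, not part of the original posts and not code from AppArmor or torbrowser-launcher: it turns audit lines like those quoted in post #2 into candidate profile rules to review, and lists a profile's explicit deny rules, which according to aa-complain(8) stay enforced in complain mode. The log and profile samples are constructed, and `candidate_rules`, `deny_rules` and the mask mapping are hypothetical names and simplifications.

```python
import re
from collections import defaultdict

# Constructed sample in the kern.log format quoted in the thread (names shortened).
SAMPLE_LOG = """\
Jul 17 11:03:35 host kernel: [1.0] audit: type=1400 audit(1.0:83): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/torbrowser-launcher" name="/usr/lib/python2.7/dist-packages/torbrowser_launcher/common.pyc" pid=4454 comm="torbrowser-laun" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 17 11:03:42 host kernel: [2.0] audit: type=1400 audit(2.0:87): apparmor="ALLOWED" operation="file_mmap" profile="tbb-firefox" name="/home/u/tbb/Tor/libgmp.so.10" pid=4477 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jul 17 11:03:42 host kernel: [2.1] audit: type=1400 audit(2.1:88): apparmor="ALLOWED" operation="open" profile="tbb-firefox" name="/home/u/tbb/Tor/libgmp.so.10" pid=4477 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 17 11:03:50 host kernel: [3.0] audit: type=1400 audit(3.0:90): apparmor="ALLOWED" operation="open" profile="tbb-firefox" name="/etc/pulse/client.conf" pid=4477 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Constructed excerpt in the style of the firefox profile shown in post #1.
SAMPLE_PROFILE = """\
  network tcp,
  deny /etc/hosts r,
  deny /etc/resolv.conf r,
  /etc/mime.types r,
"""

AUDIT_RE = re.compile(
    r'apparmor="(?:ALLOWED|DENIED)" operation="[^"]+" profile="(?P<profile>[^"]+)" '
    r'name="(?P<name>[^"]+)".*?denied_mask="(?P<mask>[a-z]+)"')
# Simplified mapping from log mask letters to rule permissions; create (c) and
# delete (d) both need write access. Exec (x) is left out: it needs a manual
# choice of transition mode (ix, Px, ...).
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "m": "m", "k": "k", "c": "w", "d": "w"}
DENY_RE = re.compile(r'^\s*(?:audit\s+)?deny\s+(\S+)\s+(\w+),', re.M)

def candidate_rules(log_text):
    """Return {profile: [rule, ...]} for accesses the loaded profile did not cover."""
    seen = defaultdict(lambda: defaultdict(set))
    for m in AUDIT_RE.finditer(log_text):
        perms = {MASK_TO_PERM[c] for c in m["mask"] if c in MASK_TO_PERM}
        if perms:
            seen[m["profile"]][m["name"]] |= perms
    return {prof: [f"{path} {''.join(sorted(p))}," for path, p in sorted(paths.items())]
            for prof, paths in seen.items()}

def deny_rules(profile_text):
    """Return (path, perms) for explicit deny rules, which complain mode does not lift."""
    return DENY_RE.findall(profile_text)

if __name__ == "__main__":
    for profile, rules in candidate_rules(SAMPLE_LOG).items():
        print(profile, *rules, sep="\n  ")
    print("still denied in complain mode:", deny_rules(SAMPLE_PROFILE))
```

The candidate rules are literal paths; generalise them (for example with `owner` and globs) before adding them to a profile and reloading it.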
