
/usr/bin/env: error while loading shared libraries: cannot apply additional memory protection after relocation: Permission denied #177

Closed
zmanian opened this issue Apr 28, 2015 · 7 comments



zmanian commented Apr 28, 2015

Ubuntu 14.04 Trusty

Tor Browser Launcher
By Micah Lee, licensed under MIT
version 0.1.9
https://github.com/micahflee/torbrowser-launcher
Initializing Tor Browser Launcher
Importing keys
gpg: key 63FEE659: "Erinn Clark erinn@torproject.org" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: key 93298290: "Tor Browser Developers (signing key) torbrowser@torproject.org" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
Starting launcher dialog
LATEST VERSION 4.5
Checked for update within 24 hours, skipping
Latest version of TBB is installed, launching
/usr/bin/env: error while loading shared libraries: cannot apply additional memory protection after relocation: Permission denied


NSAKEY commented Apr 28, 2015

Setting the torbrowser.start-tor-browser AppArmor profile to complain mode is a quick band-aid fix to the problem. Here's the output from /var/log/kern.log:

Apr 28 14:29:13 listening-post kernel: [2128966.978926] audit_printk_skb: 24 callbacks suppressed
Apr 28 14:29:13 listening-post kernel: [2128966.978929] audit: type=1400 audit(1430249353.380:26514): apparmor="DENIED" operation="mknod" profile="/usr/bin/torbrowser-launcher" name="/usr/lib/python2.7/dist-packages/pygtk.pyc" pid=24366 comm="torbrowser-laun" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Apr 28 14:29:13 listening-post kernel: [2128966.979651] audit: type=1400 audit(1430249353.380:26515): apparmor="DENIED" operation="mknod" profile="/usr/bin/torbrowser-launcher" name="/usr/lib/python2.7/dist-packages/gtk-2.0/gtk/init.pyc" pid=24366 comm="torbrowser-laun" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Apr 28 14:29:13 listening-post kernel: [2128966.980357] audit: type=1400 audit(1430249353.380:26516): apparmor="DENIED" operation="mknod" profile="/usr/bin/torbrowser-launcher" name="/usr/lib/python2.7/dist-packages/gobject/init.pyc" pid=24366 comm="torbrowser-laun" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Apr 28 14:29:13 listening-post kernel: [2128966.980524] audit: type=1400 audit(1430249353.380:26517): apparmor="DENIED" operation="mknod" profile="/usr/bin/torbrowser-launcher" name="/usr/lib/python2.7/dist-packages/glib/init.pyc" pid=24366 comm="torbrowser-laun" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Apr 28 14:29:13 listening-post kernel: [2128966.983126] audit: type=1400 audit(1430249353.384:26518): apparmor="DENIED" operation="mknod" profile="/usr/bin/torbrowser-launcher" name="/usr/lib/python2.7/dist-packages/glib/option.pyc" pid=24366 comm="torbrowser-laun" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Apr 28 14:29:13 listening-post kernel: [2128966.984312] audit: type=1400 audit(1430249353.384:26519): apparmor="DENIED" operation="mknod" profile="/usr/bin/torbrowser-launcher" name="/usr/lib/python2.7/dist-packages/gobject/constants.pyc" pid=24366 comm="torbrowser-laun" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Apr 28 14:29:13 listening-post kernel: [2128966.986395] audit: type=1400 audit(1430249353.388:26520): apparmor="DENIED" operation="mknod" profile="/usr/bin/torbrowser-launcher" name="/usr/lib/python2.7/dist-packages/gobject/propertyhelper.pyc" pid=24366 comm="torbrowser-laun" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Apr 28 14:29:13 listening-post kernel: [2128966.993975] audit: type=1400 audit(1430249353.396:26521): apparmor="DENIED" operation="mknod" profile="/usr/bin/torbrowser-launcher" name="/usr/lib/python2.7/dist-packages/gtk-2.0/gio/init.pyc" pid=24366 comm="torbrowser-laun" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Apr 28 14:29:13 listening-post kernel: [2128967.009827] audit: type=1400 audit(1430249353.412:26522): apparmor="DENIED" operation="mknod" profile="/usr/bin/torbrowser-launcher" name="/usr/lib/python2.7/dist-packages/gtk-2.0/gtk/_lazyutils.pyc" pid=24366 comm="torbrowser-laun" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Apr 28 14:29:13 listening-post kernel: [2128967.010660] audit: type=1400 audit(1430249353.412:26523): apparmor="DENIED" operation="mknod" profile="/usr/bin/torbrowser-launcher" name="/usr/lib/python2.7/dist-packages/gtk-2.0/gtk/deprecation.pyc" pid=24366 comm="torbrowser-laun" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000


cboltz commented May 2, 2015

The log messages are only about writing *.pyc files - either silence them with a deny rule or fix the packaging to get them pre-compiled.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783922 contains the more interesting log message:

kernel: audit: type=1400 audit(1430470986.687:11317): apparmor="DENIED"
operation="file_mprotect"
profile="/home/_/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser__/{Browser/,}start-tor-browser"
name="/usr/bin/env" pid=2014 comm="start-tor-brows" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0

That means you'll need to add "m" permissions for /usr/bin/env in the start-tor-browser profile.
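The two log excerpts in this thread are the raw material for exactly the kind of profile update cboltz describes: read the `apparmor="DENIED"` audit lines, group them by profile and path, and turn them into candidate rules (a quiet `deny` glob for the `*.pyc` writes, an allow rule carrying the `m` permission for the `file_mprotect` denial on `/usr/bin/env`). The script below is an added example, not code from torbrowser-launcher or from anyone in this thread. The `SAMPLE_LOG` lines are constructed after the excerpts above with the hostname replaced by a placeholder; the mask-to-permission mapping (`c` in the kernel log is satisfied by `w` in a profile, `file_mprotect` needs `m`) reflects AppArmor's file rule syntax, and the `deny` rule is quiet because explicit `deny` rules are not logged unless prefixed with `audit`.

```python
"""Turn AppArmor DENIED audit lines into candidate profile rules.

Added example (not part of torbrowser-launcher). SAMPLE_LOG is constructed
after the kern.log excerpts in this issue; "host" replaces the real hostname.
"""
import os
import re
from collections import OrderedDict

SAMPLE_LOG = """\
Apr 28 14:29:13 host kernel: [2128966.978926] audit_printk_skb: 24 callbacks suppressed
Apr 28 14:29:13 host kernel: [2128966.978929] audit: type=1400 audit(1430249353.380:26514): apparmor="DENIED" operation="mknod" profile="/usr/bin/torbrowser-launcher" name="/usr/lib/python2.7/dist-packages/pygtk.pyc" pid=24366 comm="torbrowser-laun" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Apr 28 14:29:13 host kernel: [2128966.979651] audit: type=1400 audit(1430249353.380:26515): apparmor="DENIED" operation="mknod" profile="/usr/bin/torbrowser-launcher" name="/usr/lib/python2.7/dist-packages/gtk-2.0/gtk/init.pyc" pid=24366 comm="torbrowser-laun" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
May  1 10:03:06 host kernel: audit: type=1400 audit(1430470986.687:11317): apparmor="DENIED" operation="file_mprotect" profile="/home/_/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser__/{Browser/,}start-tor-browser" name="/usr/bin/env" pid=2014 comm="start-tor-brows" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bareword, as written by the audit subsystem
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Kernel-reported mask letters -> letters valid in a profile rule.
# The kernel reports 'c' for create; a profile grants creation with 'w'.
MASK_TO_PERM = {'r': 'r', 'w': 'w', 'a': 'a', 'c': 'w', 'l': 'l', 'k': 'k', 'm': 'm'}
# Some operations imply a permission the reported mask does not name:
# an mprotect(PROT_EXEC) denial ("file_mprotect") needs 'm', as cboltz notes.
OP_IMPLIES = {'file_mprotect': 'm'}
PERM_ORDER = 'mrwalk'   # order used when printing a rule, e.g. "mr"


def parse_denials(text):
    """Return one dict of key=value fields per apparmor="DENIED" line."""
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue   # e.g. "audit_printk_skb: N callbacks suppressed"
        events.append({k: (q if q else u) for k, q, u in KV_RE.findall(line)})
    return events


def suggest_rules(events):
    """Map each profile to the rules that would satisfy its denials.

    Writes to *.pyc are folded into one quiet 'deny' glob rule (the
    "silence them" option from the thread); every other path gets an allow
    rule carrying the merged permission letters.
    """
    needed = OrderedDict()                    # profile -> {path: set(perms)}
    for ev in events:
        if not ev.get('name'):
            continue                          # not a file event
        perms = needed.setdefault(ev['profile'], OrderedDict()).setdefault(ev['name'], set())
        perms.update(MASK_TO_PERM[c] for c in ev.get('requested_mask', '') if c in MASK_TO_PERM)
        if ev.get('operation') in OP_IMPLIES:
            perms.add(OP_IMPLIES[ev['operation']])

    rules = OrderedDict()
    for profile, paths in needed.items():
        out, pyc_dirs = [], []
        for path, perms in paths.items():
            if path.endswith('.pyc') and perms == {'w'}:
                pyc_dirs.append(os.path.dirname(path))
                continue
            out.append('%s %s,' % (path, ''.join(p for p in PERM_ORDER if p in perms)))
        if pyc_dirs:
            # one rule for the whole tree instead of one per bytecode file
            out.append('deny %s/**.pyc w,' % os.path.commonpath(pyc_dirs))
        rules[profile] = out
    return rules


if __name__ == '__main__':
    for profile, lines in suggest_rules(parse_denials(SAMPLE_LOG)).items():
        print('# %s' % profile)
        for rule in lines:
            print('  ' + rule)
```

Run against the constructed sample it prints a `deny /usr/lib/python2.7/dist-packages/**.pyc w,` rule for the launcher profile and `/usr/bin/env mr,` for the start-tor-browser profile. The suggestions are a starting point for review, not something to append blindly: a glob `deny` hides every future write under that tree, and an allow rule should only be added after confirming the program genuinely needs that access.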

micahflee (Collaborator) commented

I've had lots of issues with the AppArmor profiles in Ubuntu, so I have been not enabling them by default in the Ubuntu release. Did you manually enable them? I'll still look into this regardless.


zmanian commented May 11, 2015

This is starting to make sense. I bet the AppArmor profiles were installed in an older version and then weren't deleted on upgrade, and the uninstall/reinstall cycle also didn't remove them.

Seems like the thing to do is manual removal. I was confused because I see the AppArmor profiles on the machine that I've been running since the first release but not on machines I installed more recently.

micahflee (Collaborator) commented

Yup, that's probably it. Here's the code that removes apparmor from the Ubuntu release: https://github.com/micahflee/torbrowser-launcher/blob/master/setup.py#L51

# setup.py (excerpt): `distro` and `datafiles` are defined earlier in the file
# disable shipping apparmor profiles until they work in ubuntu (#128)
if distro != 'Ubuntu':
    if not hasattr(sys, 'real_prefix'):
        # we're not in a virtualenv, so we can probably write to /etc
        datafiles += [('/etc/apparmor.d/', [
            'apparmor/torbrowser.Browser.firefox',
            'apparmor/torbrowser.start-tor-browser',
            'apparmor/torbrowser.Tor.tor',
            'apparmor/usr.bin.torbrowser-launcher'])]

Do you want to manually delete those files from your own /etc/apparmor.d and see if that fixes it?


cboltz commented May 12, 2015

I commented on this bug only based on the log and my AppArmor knowledge ;-) (and re-reading the log entry and the profile, you might also need "r" permissions - or simply "rix")

And instead of removing the AppArmor profiles, setting them into complain (learning) mode with aa-complain or by adding "flags=(complain)" is a better idea because this gives you log entries that help to update the profile ;-)
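Putting a profile into complain mode the way cboltz suggests, by editing `flags=(complain)` into the profile header, is what `aa-complain` does to the file before reloading it. The function below is an added example, not part of torbrowser-launcher or of the AppArmor tools: it rewrites the header line of each profile block in a profile file, preserving any flags already present (such as `attach_disconnected`) and leaving rule lines untouched, and can remove the flag again once the profile is complete. `SAMPLE_PROFILE` is constructed after the profile name in the log above; it is not the project's actual profile. The header regex handles the common `path flags=(...) {` and `profile name {` forms only, not the `profile name /attachment {` form.

```python
"""Toggle AppArmor complain mode by rewriting profile header lines.

Added example (not torbrowser-launcher or AppArmor code). SAMPLE_PROFILE is a
constructed stand-in for the start-tor-browser profile, not the real file.
"""
import re

SAMPLE_PROFILE = """\
#include <tunables/global>

@{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/,}start-tor-browser {
  #include <abstractions/base>
  /usr/bin/env mr,
}
"""

# A profile header: optional "profile" keyword, the (possibly quoted)
# attachment path, optional flags=(...), then the opening brace and nothing
# else but whitespace or a comment. Requiring the line to end at "{" keeps
# rule lines that contain braces, e.g. /usr/lib/{x86_64,i386}-linux-gnu/** r,
# from being mistaken for headers.
HEADER_RE = re.compile(
    r'^(?P<lead>\s*(?:profile\s+)?(?:"[^"]+"|\S+))'
    r'(?:\s+flags=\((?P<list>[^)]*)\))?'
    r'(?P<tail>\s*\{\s*(?:#.*)?)$'
)


def set_complain(profile_text, complain=True):
    """Return profile_text with 'complain' added to (or removed from) every header."""
    out = []
    for line in profile_text.splitlines():
        m = HEADER_RE.match(line)
        if not m or line.lstrip().startswith('#'):
            out.append(line)              # rule, include, comment or blank line
            continue
        # flags may be separated by commas or spaces; drop any existing complain
        flags = [f for f in (m.group('list') or '').replace(',', ' ').split()
                 if f != 'complain']
        if complain:
            flags.append('complain')
        header = m.group('lead')
        if flags:
            header += ' flags=(%s)' % ','.join(flags)
        out.append(header + m.group('tail'))
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(set_complain(SAMPLE_PROFILE))
```

After writing the modified file back, the profile still has to be reloaded (`apparmor_parser -r` on the file) before the kernel logs denials as `ALLOWED` instead of `DENIED`; the log lines that result are what you feed into a profile update, after which the flag is removed with `set_complain(text, complain=False)` and the profile reloaded again in enforce mode.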

micahflee (Collaborator) commented

Ha. Well, a while ago I spent a decent amount of time making the very carefully-crafted Debian AppArmor profiles work in Ubuntu and ended up giving up. Mostly because I don't have vast AppArmor knowledge, or the time to spend on it, so I decided to just make AA profiles a Debian-only feature.

If someone else wants to fix the AA profiles to work in Ubuntu but not make them less secure in the process, then pull requests are more than welcome :).

Since this is an AA issue in Ubuntu, I'm gonna go ahead and close.


4 participants