Include AppArmor Abstractions

[teward]

Fixes #588.

The apparmor rules that are introduced break a few things by not including required abstractions.

• There are DBUS denies for opening dialog boxes and file open boxes, which need DBUS abstractions to access the user sessions. Fixed by including abstractions/dbus-session (which also implicitly imports abstractions/dbus-session-strict for SystemD user sessions) in the apparmor rules, if the abstractions exist.
• There are X abstractions which are useful and needed for X display integration. So if those abstractions exist, include them. HOWEVER, there's a problem in Ubuntu where these abstractions are not properly handling the X Display Sockets in /tmp/.X11-unix/* so we need to permit those with a specific override. See the comment block in the profile for details.

[intrigeri]

This is included by abstractions/gnome already, so I don't understand why we need this. Could you please clarify?

[teward]

@intrigeri Not every system has GNOME on it. Lubuntu for instance doesn't, and even though the 'gnome' abstractions exist as part of the package apparmor in Ubuntu, the GNOME abstractions don't work and/or are not properly included in a case where GNOME is not running. It became necessary specifically for LXQt and Lubuntu to include that abstractions inclusion for X as well to make sure it behaves.

The DBUS inclusion is needed independently, though, for some dialog box bits to function.

[intrigeri]

Thomas Ward (2021-08-12):

intrigeri Not every system has GNOME on it. Lubuntu for instance doesn't, and even though the 'gnome' abstractions exist as part of the package `apparmor` in Ubuntu, the GNOME abstractions don't work and/or are not properly included in a case where GNOME is not running.

This is very surprising to me: compiling and loading a specific AppArmor policy into the kernel should be entirely independent of what software is installed, or running, on the system. The behavior you're describing suggests there's a bug somewhere, e.g. in the AppArmor userspace parser.

It became necessary specifically for LXQt and Lubuntu to include that abstractions inclusion for X as well to make sure it behaves.

Please clarify why this became necessary, that is which exact AppArmor denials happen when the `X` abstraction is included transitively via the `gnome` abstraction, but don't happen when the `X` abstraction is included directly. Please make sure the `torbrowser.Browser.firefox` profile is reloaded in the kernel, and Tor Browser is fully restarted, between each test. And if you can reproduce this, please share the output of `apparmor_parser --preprocess /etc/apparmor.d/torbrowser.Browser.firefox`, with and without the explicit inclusion the `X` abstraction.

[teward]

Please clarify why this became necessary, that is which exact AppArmor denials happen when the X abstraction is included transitively via the gnome abstraction, but don't happen when the X abstraction is included directly.

This became necessary because while the X inclusion is included in the GNOME abstractions, when you are on an LXQt system or such that does not have GNOME, the X abstractions are not included. Therefore, in that environment, when it relies on the X abstractions that were pulled in via the GNOME abstractions. Line 8 for example is #include <abstractions/gnome> which has in THAT abstraction an inclusion on the X abstractions. But if abstractions/gnome doesn't exist (and it doesn't when GNOME is not installed), you lose the X abstractions that're implicitly included by the GNOME abstractions.

[intrigeri]

But if `abstractions/gnome` doesn't exist (and it doesn't when GNOME is not installed)

I'm very surprised to read this. On which distributions is it the case? The distributions I'm aware of unconditionally ship `abstractions/gnome` with their AppArmor package, regardless of whether GNOME is installed or not.

[teward]

But if abstractions/gnome doesn't exist (and it doesn't when GNOME
is not installed)

I'm very surprised to read this. On which distributions is it
the case?

The distributions I'm aware of unconditionally ship
abstractions/gnome with their AppArmor package, regardless of
whether GNOME is installed or not.

FYSA this issue has been moved to the Tor Gitlab.

As of my last testing, Lubuntu which is a flavor of Ubuntu has a highly divergent packageset from standard Ubuntu and ships no GNOME library components whatsoever, which is why it doesnt get included in the defaults. This was noticed in the last release of Lubuntu and the LTS in 2022 as well. To my knowledge this has not changed in Ubuntu and therefore the GNOME abstractions are still not available to AppArmor on Lubuntu. Other flavors of Ubuntu may be affected, but Lubuntu so far has been the only 'oddball'.

Regardless, it makes sense to include the X abstractions anyways rather than rely on the assumption that "every distro will have the GNOME abstractions as a default inclusion" so as to address any case where this assumption is false.

[teward]

I'm moving tracking of this issue to https://gitlab.torproject.org/tpo/applications/torbrowser-launcher/-/merge_requests/16 - since this is now on the Upstream environment of Gitlab. @intrigeri you've been assigned as reviewer on that issue by boklm so I'm closing this here as there's an equivalent PR up on Gitlab.