Upwork crashes in enforce mode #5

Closed
akontsevich opened this issue Jan 20, 2018 · 5 comments
@akontsevich

Upwork 5.0.0.319 crashes with usr.bin.upwork profile in enforce mode. Could You fix it please? Thanks!

@mk-fg
Owner

mk-fg commented Jan 21, 2018

Works for me, you probably use different paths or something.
I'd suggest checking dmesg for what it gets denied for more info.

But in any case, probably won't fix it here, as it's just a repo with stuff that I use myself, not something that's supposed to work for anyone else, as also mentioned in the README:
https://github.com/mk-fg/apparmor-profiles#important-note

@mk-fg mk-fg closed this as completed Jan 21, 2018
@akontsevich
Author

@mk-fg, sorry, did not read the readme :) You are the only person who has an upwork profile for apparmor. Could You be more specific please, give short instruction: what needs to be done to check and fix Your profile?

@mk-fg
Owner

mk-fg commented Jan 21, 2018

> You are the only person who has an upwork profile for apparmor.

Upwork app is based on node-webkit or electron (not sure how to tell these apart at a glance), so you can probably use pretty much the same rules as with any other app based on these things.

> Could You be more specific please, give short instruction: what needs to be done to check and fix Your profile?

Not sure about "short", but assuming some familiarity with what apparmor does and its rules syntax [1]:

  • (Re-)Load upwork profile via apparmor_parser, confirm that it's loaded and you have some kind of logging for audit subsystem:

    # apparmor_parser -r /etc/apparmor.d/usr.bin.upwork
    # dmesg | grep apparmor
    [24564.183733] audit: type=1400 audit(1516547364.507:327): \
      apparmor="STATUS" operation="profile_replace" \
      name="/usr/share/upwork/upwork" pid=6899 comm="apparmor_parser"
    

    If you can't find that apparmor="STATUS" msg anywhere, make sure audit subsystem is enabled in kernel and/or different logs that might scrape stuff from there (e.g. auditd can log these, removing them from dmesg).

  • Run upwork app, wait until it crashes or starts.

  • Check the logs (e.g. dmesg | grep apparmor) for lines like this one:

    [   66.995621] audit: type=1400 audit(1516522867.775:60): \
      apparmor="DENIED" operation="mknod" profile="/usr/bin/pulseaudio" \
      name="/etc/core/sys/secure/pulse.cookie" pid=2137 \
      comm="pulseaudio" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
    

    It should tell you exactly what upwork tried to do that is not defined in profile or any of the abstractions that it includes, which is probably accessing something in /home or loading its component libs from some other path than ones in "abstractions/node-webkit" or "usr.bin.upwork" files.

    (in msg above, pulseaudio pid tried to open that file in /etc with O_CREAT, i.e. "create" it)

  • Adjust paths in "usr.bin.upwork" or abstractions/ file(s) and re-run apparmor_parser -r /etc/apparmor.d/usr.bin.upwork (note: it probably loads abstractions/* files from /etc/apparmor.d, not paths relative to initial one specified).

    Important: make sure you get new apparmor="STATUS" operation="profile_replace" msg, indicating that updated profile was indeed loaded without any errors (apparmor_parser should print these).

  • Re-run upwork app - it should either start or complain about something else - fix/reload again.

[1] Looks like apparmor.net is down (gone?), but reference for these can be found here:
https://web.archive.org/web/20171215145836/http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference

Alternatively, you can switch profile into "complain" mode (see docs and/or link above on how to do that) and have all DENIED messages when starting upwork app logged up-front, fix all of them at once, if there's more than one issue.

That's generally how I write these profiles - just run the app with empty-ish profile, see which paths it tries to access, add allow/deny entries or abstractions for these.

Iirc there're also tools that make it even easier and build profile from such DENIED lines automatically after running the app, but I've never used any of them, so can't suggest anything, seems to be easy enough as it is.

P.S. We can probably use Russian, if that's easier :)
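The log-review steps from the comment above, as an added example that is not part of the original thread or the repository: it checks for the `profile_replace` STATUS message and collapses file `DENIED` lines for one profile into candidate rules to review before adding any of them. The sample lines are constructed (only the pulseaudio line is from the comment), and the `/home/user/.example` and `/opt/example` paths and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the audit format quoted in the thread; only the
# pulseaudio line comes from the comment above (joined onto one line).
SAMPLE_LOG = "\n".join([
    '[  101.000001] audit: type=1400 audit(1516547400.100:401): apparmor="STATUS" '
    'operation="profile_replace" name="/usr/share/upwork/upwork" pid=7001 comm="apparmor_parser"',
    '[  102.000002] audit: type=1400 audit(1516547401.200:402): apparmor="DENIED" operation="open" '
    'profile="/usr/share/upwork/upwork" name="/home/user/.example/settings.json" pid=7010 '
    'comm="upwork" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    '[  102.000003] audit: type=1400 audit(1516547401.300:403): apparmor="DENIED" operation="mknod" '
    'profile="/usr/share/upwork/upwork" name="/home/user/.example/settings.json" pid=7010 '
    'comm="upwork" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    '[  102.000004] audit: type=1400 audit(1516547401.400:404): apparmor="DENIED" operation="file_mmap" '
    'profile="/usr/share/upwork/upwork" name="/opt/example/libexample.so" pid=7010 '
    'comm="upwork" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0',
    '[   66.995621] audit: type=1400 audit(1516522867.775:60): apparmor="DENIED" operation="mknod" '
    'profile="/usr/bin/pulseaudio" name="/etc/core/sys/secure/pulse.cookie" pid=2137 '
    'comm="pulseaudio" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
])

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwaklmx"  # order used when writing out a rule's permissions

def parse(line):
    """Split one audit line into its key=value fields (quoted or bare)."""
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD.findall(line)}

def profile_reloaded(log_text, profile):
    """True if a STATUS/profile_replace message names this profile."""
    return any(f.get("apparmor") == "STATUS" and f.get("operation") == "profile_replace"
               and f.get("name") == profile for f in map(parse, log_text.splitlines()))

def candidate_rules(log_text, profile):
    """Collapse file DENIED lines for one profile into 'path perms,' rules to review."""
    perms = defaultdict(set)
    for f in map(parse, log_text.splitlines()):
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        if "name" not in f or "denied_mask" not in f:
            continue  # non-file denials (capability, network) lack these; review by hand
        # The log mask is finer-grained than rule syntax: create/delete need "w".
        perms[f["name"]].update(f["denied_mask"].replace("c", "w").replace("d", "w"))
    return [f"{path} {''.join(p for p in PERM_ORDER if p in got)},"
            for path, got in sorted(perms.items())]

if __name__ == "__main__":
    print("reloaded:", profile_reloaded(SAMPLE_LOG, "/usr/share/upwork/upwork"))
    for rule in candidate_rules(SAMPLE_LOG, "/usr/share/upwork/upwork"):
        print("  " + rule)
```

Each emitted line is only a candidate: a denied path may deserve an explicit deny rule or a narrower glob rather than an allow.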

@mk-fg
Owner

mk-fg commented Jan 21, 2018

> Upwork 5.0.0.319 crashes with usr.bin.upwork profile in enforce mode

Looks like I'm still using Upwork 4.2.153.0 btw.
Will probably have to update profile along with the Upwork app at some point, guess they changed bunch of stuff in 5.x.
(might also mean that I'm wrong about node-webkit/electron above, as that's only the case in my version, previous ones were Qt-based iirc, and maybe new ones migrated away from nw/electron to something else too)

EDIT: "previous ones" as in "back when it was called oDesk Teams" (or something like that)

@akontsevich
Author

Thanks. Will look at Your instructions a little bit later. For now links to newest Upwork App version if You need it:

> P.S. We can probably use Russian, if that's easier :)

We can, but this will probably be useful not only to me. :)
