Closed adrelanos closed 7 years ago
@mmaker can you please take care of investigating also this hint by @adrelanos?
remind to label it properly
Labeled D1.5 for OTF's release
11:27:31 <maker> hello nice people. I have a debian package which, in order to work, needs to change the configuration file of one of its dependencies. Specifically, in my scenario, I have to change the apparmor profile of a dependency.
11:27:55 <maker> In https://www.debian.org/doc/debian-policy/ch-files.html#s-config-files I read " must not be modified by the maintainer scripts during installation (or at any other time)."
11:28:33 <maker> so, I'm wondering, what can I do to change the configuration without breaking the debian policy?
11:30:52 <helmut> maker: these are hard cases. it means that you need to collaborate with the maintainer of your dependency to create an api to change the config. that api must live in the dependency.
11:31:26 <henk> maker: Why do you think you have to change the profile?
11:33:27 <maker> henk: really? I am changing an apparmor profile, there shouldn't be a uniform way to perform this?
11:34:12 <maker> henk: I must say to apparmor to allow tor for reading/writing from my hidden-service directory
11:34:21 <maker> *from/to
11:34:31 <wRAR> if there is a way, it is apparmor-specific
11:36:16 <maker> wRAR: well, my question is if there's any way not to break debian policy in this case.
11:36:21 <maker> :/
11:36:37 <wRAR> yes, use that method if it exists
11:36:46 <helmut> maker: yes, collaborating with your dependency.
11:37:07 <maker> helmut: I'll try to work this out, thanks.
11:37:48 <helmut> maker: you usually file a wishlist bug saying what you need, why you need it and that you are interested in working this out
11:38:11 <bremner> sometimes the dependency has a directory to drop config snippets into.
11:38:21 <bremner> speaking generally.
so, I think we should just file a bug to tor, and try to get them provide us a directory for throwing apparmor configurations.
wait maker, this won't be needed anymore in a short time.
in fact tor is going to include a patch that enables configuring tor hidden services and reading their information by means of the tor control port. by working on that integration of txtorcon probably we will find a solution that won't require any of the changes currently discussed in this ticket.
@fpietrosanti probably has already ideas about this.
It will take time (maybe end of year) till 0.2.7 release of Tor (now it's code-freeze for Tor 0.2.6 upcoming release) to have the feature from txtorcon https://github.com/meejah/txtorcon/issues/13 that will use https://trac.torproject.org/projects/tor/ticket/5976
In the meantime it could be, maybe, easier to load Tor HS of globaleaks into /var/lib/tor/hidden_service/globaleaks in order to avoid tweaking the apparmor profile of Tor.
yep probably this is a better solution than asking tor to add a special rule for us. we will continue to have the need to access this file but doing a chmod will probably be more accepted.
@mmaker what do you think?
```shell
mkdir -p /var/lib/tor/hidden_service/globaleaks
chown globaleaks:globaleaks /var/lib/tor/hidden_service/globaleaks
chmod 700 /var/lib/tor/hidden_service/globaleaks
```
But it would require migration from current package/setup that's quite sensible and it would require adjustment of globaleaks apparmor profile to read it.
sure in that case we would need a migration script. for the moment let's ask @maker and @adrelanos if the solution is acceptable.
If it's fine with Debian policy, it's also fine with me. Was the main reason why I reported this one.
`/etc/apparmor.d/system_tor` already contains:

`owner /var/lib/tor/** rwk,`

So why not use `/var/lib/tor/globaleaks`?
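As an added illustration (not code from this issue, Tor or GlobaLeaks), here is a small evaluator for an AppArmor file rule like the one quoted above. It encodes the AppArmor glob semantics (`*` stays within one path component, `**` crosses components) and the `owner` qualifier, which only grants access to files owned by the confined task's own fsuid, so it shows which candidate hidden-service paths the existing `system_tor` rule would cover and for whom.

```python
"""Evaluate an AppArmor file rule against candidate paths (added example).

AppArmor globbing: '*' matches within one component (no '/'), '**' matches
across components, '?' one non-'/' character, '{a,b}' is an alternation.
The 'owner' qualifier restricts the rule to files owned by the task's fsuid."""
import re

RULE = "owner /var/lib/tor/** rwk,"   # quoted from /etc/apparmor.d/system_tor

def glob_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored regular expression."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":                      # simple alternation, no nested globs
            end = pattern.index("}", i)
            alts = pattern[i + 1:end].split(",")
            out.append("(?:" + "|".join(map(re.escape, alts)) + ")")
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_rule(rule):
    """Split 'owner /path perms,' into (owner_only, compiled path, perm set)."""
    tokens = rule.rstrip(",").split()
    owner_only = tokens[0] == "owner"
    path, perms = tokens[1:] if owner_only else tokens
    return owner_only, glob_to_regex(path), set(perms)

def access_allowed(rule, path, wanted, same_owner):
    """True if `rule` grants every permission in `wanted` for `path`.
    same_owner: the file's owner equals the confined task's fsuid."""
    owner_only, path_re, perms = parse_rule(rule)
    if owner_only and not same_owner:
        return False
    return bool(path_re.match(path)) and set(wanted) <= perms

if __name__ == "__main__":
    # Tor reading/writing a file it owns under /var/lib/tor: covered.
    print(access_allowed(RULE, "/var/lib/tor/globaleaks/hostname", "rw", True))
    # Same path, file owned by another user (e.g. after a chown): not covered.
    print(access_allowed(RULE, "/var/lib/tor/globaleaks/hostname", "r", False))
```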
@fpietrosanti what do you think if we put this change in the next big release? (the end2end one) ?
y, btw luckily this code will be removed once Tor 0.2.7 is released w/support for loading TorHS from Tor Control Port that TxTorCon already implements. That way we'll be able to keep the TorHS descriptor stored in the sqlite database and fed dynamically to Tor process via TorCP, completely removing any TorHS-related filesystem interaction
Note: It will take a while for 0.2.7 to be included inside of debian wheezy or jessie (just recently feature frozen)
Any update?
> Note: It will take a while for 0.2.7 to be included inside of debian wheezy or jessie (just recently feature frozen)
This is now done in stretch which soon will be Debian stable.
sure @adrelanos; we are planning the integration of txtorcon + tor launched by globaleaks as a subprocess with it and the key stored and loaded onto the database.
all has been already tested, just require time for integration and testing! :)
any update from your side?
Great!
> any update from your side?
Not sure what you might be interested in? :)
The development version of Whonix, Whonix 14, is capable of running Tor ephemeral hidden services using applications such as onionshare, ricochet and ZeroNet. The former two get installed by default (available from packages.debian.org). ZeroNet is unfortunately not available from packages.debian.org. Most likely unMessage and GlobaLeaks can be made to work in Whonix as well once testable.
thanks, these are really good results.
looking at our roadmap and current rhythm i think that we could manage to make it by ~ may.
it will probably be problematic by that time to get on packages.debian, specifically in relation to the client (npm) dependencies. what do you suggest we do to be able to get on whonix? what is the path followed for ZeroNet?
Another interesting update on the Whonix side is a one click installer for Whonix in testing.*
https://www.whonix.org/blog/whonix-windows-installer
Users will be able to manually install ZeroNet in Whonix 14. Cumbersome, but works.
https://www.whonix.org/wiki/ZeroNet
Due to limited funding and manpower we'll probably not be able to pre-install any more applications not available from packages.debian.org, so we can just wait for ZeroNet to enter packages.debian.org. On one hand this could take years or never happen. On the other hand, ZeroNet gets more and more popular, so chances are not that bad.
(* Not one, but super simple, just keep pressing the next button and that's it.)
@adrelanos the Windows installer is absolutely fantastic! Reaching a point where GlobaLeaks (now fully deb packaged on Ubuntu 16.04) is available on Whonix and we can provide a visual guide to install GlobaLeaks on Windows in a Whonix sandboxed environment entirely visually would be super-cool.
I added a Whonix label on GlobaLeaks's github, tagging the tickets related to this. Are you coming to Internet Freedom Festival in Valencia next week?
> Are you coming to Internet Freedom Festival in Valencia next week?
No.
> @adrelanos the Windows installer is absolutely fantastic!
Glad you like it! :)
The upcoming GlobaLeaks release (2.70.0) will include configuration of hidden services via TorControl Port using txtorcon and ephemeral services.
Due to this, this ticket has become so outdated!
@adrelanos stay tuned!
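The control-port design mentioned in the comments above (key kept in the database, service handed to Tor over the control port instead of via files under /var/lib/tor) rests on the `ADD_ONION` command. The following is an added example, not GlobaLeaks or txtorcon code: it builds the command Tor expects and parses the reply Tor gives, whose `PrivateKey` line is what the application stores and feeds back on the next start to keep the same .onion address. The socket I/O and `AUTHENTICATE` step are left out, the reply text is constructed, and the 127.0.0.1:8082 target is an assumed local listener.

```python
"""Tor control-port ADD_ONION: build the command, parse the reply (added example).
Socket I/O and AUTHENTICATE are omitted; SAMPLE_REPLY is constructed, not captured."""
import re

_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")   # status, '-' (more) or ' ' (last)

def build_add_onion(ports, key="NEW:BEST", flags=()):
    """Return the ADD_ONION command line (without the trailing CRLF).
    ports: (virtual_port, target) pairs. key: 'NEW:BEST' makes Tor generate a key
    and return it; pass a stored '<KeyType>:<KeyBlob>' to re-create a known service."""
    if not ports:
        raise ValueError("ADD_ONION needs at least one Port= mapping")
    parts = ["ADD_ONION", key]
    if flags:                                   # e.g. 'Detach', 'DiscardPK'
        parts.append("Flags=" + ",".join(flags))
    parts += [f"Port={int(vport)},{target}" for vport, target in ports]
    return " ".join(parts)

def parse_reply(raw):
    """Turn Tor's '250-Key=Value ... 250 OK' reply into a dict.
    Any status other than 250 is an error and is raised with Tor's message."""
    fields = {}
    for line in raw.splitlines():
        if not line:
            continue
        m = _REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"malformed control reply line: {line!r}")
        status, sep, rest = m.groups()
        if status != "250":
            raise RuntimeError(f"Tor refused the command: {status} {rest}")
        if sep == " ":                          # final line, normally '250 OK'
            break
        key, _, value = rest.partition("=")
        fields[key] = value
    if "ServiceID" not in fields:
        raise ValueError("reply carried no ServiceID")
    return fields

# Constructed reply: a real ServiceID is a 16-char base32 name, the blob base64.
SAMPLE_REPLY = ("250-ServiceID=constructedonion\r\n"
                "250-PrivateKey=RSA1024:CONSTRUCTED_KEY_BLOB\r\n"
                "250 OK\r\n")

if __name__ == "__main__":
    print(build_add_onion([(80, "127.0.0.1:8082")]))          # first start
    info = parse_reply(SAMPLE_REPLY)                           # store PrivateKey
    print(info["ServiceID"] + ".onion")
    # next start: feed the stored key back instead of NEW:BEST
    print(build_add_onion([(80, "127.0.0.1:8082")], key=info["PrivateKey"]))
```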
Not sure if you care about this one... Depends on #956.
351 makes this package unfit for inclusion into Debian as per Debian policy.
Source: https://www.debian.org/doc/debian-policy/ch-files.html#s-config-files
Maybe we can contact the Debian developers and tell them that a clean mechanism for such cases is apparently missing.
(For Whonix we worked around this issue with a slightly cleaner method, I think. https://github.com/Whonix/apparmor-profile-anondist - But that solution would likely not be accepted by Debian either.)