AppArmor chokes on this because permissions for ~/.local ~/.cache ~/.config prevents ricochet from correctly setting up the config, directories and local user environment when launched for the first time. The effect is that ricochet starts, appears to be working at first sight but actually is unable to maintain state (a unique ricochet id across application restarts).
Here is a working /etc/apparmor.d/usr.bin.ricochet config:
# Last Modified: Mon Jul 17 00:25:38 2017
#include <tunables/global>
# AppArmor Ricochet profile for Debian GNU/Linux
# This profile is Free Software and released under the same license as Ricochet
# itself.
#
# Copyleft 2015 Jacob Appelbaum <jacob@appelbaum.net>
#
/usr/bin/ricochet {
#include <abstractions/audio>
#include <abstractions/kde>
#include <abstractions/nameservice>
#include <abstractions/fonts>
#include <abstractions/openssl>
/usr/lib/** mr,
# Allow TCP connections
network inet stream,
network inet6 stream,
# Allow Ricochet to exec pulseaudio
# This makes me very sad...
# as it seems that you can't isolate playing and recording :(
/usr/bin/pulseaudio rix,
# Allow Ricochet to exec tor
/usr/bin/tor rix,
# Tor in turn needs various things
/usr/share/tor/geoip r,
/usr/share/tor/geoip6 r,
/proc/sys/kernel/random/uuid r,
/sys/devices/system/cpu/ r,
# Allow Ricochet to read tor daemons auth cookie
/run/tor/control.authcookie r,
# Allow Ricochet to read itself
/usr/bin/ricochet r,
/proc/[0-9]*/cmdline r,
/proc/[0-9]*/environ r,
# Allow Ricochet to generate audio
owner /{dev,run}/shm/pulse-shm* m,
# Allow Ricochet to draw the UX
/dev/dri/ r,
/sys/devices/pci[0-9]*/**/config r,
/sys/devices/pci[0-9]*/**/uevent r,
/run/udev/data/* r,
# Allow Ricochet to load GTK themes
/usr/share/themes/* r,
/usr/share/themes/**/* r,
owner @{HOME}/.gtkrc-2.0 r,
# Allow Ricochet to look up all your machine's PII
# Why does it need this stuff? BAD NEWS BEARS
/etc/machine-id r,
/var/lib/dbus/machine-id r,
# changes required to make this work on Debian sid on Sun Jan 13 18:24:17 CET 2019
# your device id might most likely not match your machine so adapt it for yourself
# after checking the logs:
/sys/devices/pci0000:00/0000:00:02.0/** r,
/proc/sys/kernel/random/boot_id r,
/usr/share/hwdata/* r,
owner @{HOME}/.local/share/Ricochet/ rwl,
owner @{HOME}/.local/share/Ricochet/** mrwkl,
owner @{HOME}/.cache/Ricochet/ rw,
owner @{HOME}/.cache/Ricochet/** rwkl,
owner @{HOME}/.config/gtk-3.0/* r,
}
Note that this will still result in errors from fontconfig (which should be solved with including abstractions/fonts and I've not been able to track this down yet - though it doesn't seem to do any harm)
I'm aware that this should be reported to the debian maintainers however I've noticed some issues with apparmor mentioned here so I thought I'll also report this here.
Hi,
I've installed the latest package from debian sid:
AppArmor chokes on this because permissions for ~/.local ~/.cache ~/.config prevents ricochet from correctly setting up the config, directories and local user environment when launched for the first time. The effect is that ricochet starts, appears to be working at first sight but actually is unable to maintain state (a unique ricochet id across application restarts).
Here is a working
/etc/apparmor.d/usr.bin.ricochetconfig:Note that this will still result in errors from fontconfig (which should be solved with including abstractions/fonts and I've not been able to track this down yet - though it doesn't seem to do any harm)
I'm aware that this should be reported to the debian maintainers however I've noticed some issues with apparmor mentioned here so I thought I'll also report this here.
thanks for this piece awesome software!!