Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AppArmor prevents directory creation, causing sync failure #776

Closed
eloquence opened this issue Feb 5, 2020 · 1 comment · Fixed by #777
Closed

AppArmor prevents directory creation, causing sync failure #776

eloquence opened this issue Feb 5, 2020 · 1 comment · Fixed by #777
Labels
bug Something isn't working release blocker

Comments

@eloquence
Copy link
Member

eloquence commented Feb 5, 2020
edited
Loading

On a fresh (post-make clean) build with the latest nightly in Qubes, the first sync with the server results in messages never being downloaded. This appears to be due to AppArmor policy violations -- I see "mkdir" operations denied in /var/log/syslog and PermissionErrors in the client logs in sd-app. Likely fallout from #737 which changed the source dir structure.
@eloquence eloquence added bug Something isn't working needs/reproducing labels Feb 5, 2020
@kushaldas
Copy link
Contributor

I can reproduce the error on my system. securedrop-client 0.0.13-dev-2020-2-5-060448 build

2020-02-05 15:35:38,419 - securedrop_client.queue:222(resume_queues) INFO: Resuming queues
2020-02-05 15:35:40,380 - securedrop_client.queue:148(process) ERROR: Job <securedrop_client.queue.RunnableQueue object at 0x72fd0dc0c678> raised an exception: PermissionError: [Errno 13] Permission denied: '/home/user/.securedrop_client/data/confrontational_alert'
2020-02-05 15:35:40,380 - securedrop_client.queue:149(process) ERROR: Skipping job
2020-02-05 15:35:42,387 - securedrop_client.queue:148(process) ERROR: Job <securedrop_client.queue.RunnableQueue object at 0x72fd0dc0c678> raised an exception: PermissionError: [Errno 13] Permission denied: '/home/user/.securedrop_client/data/confrontational_alert'
2020-02-05 15:35:42,388 - securedrop_client.queue:149(process) ERROR: Skipping job
2020-02-05 15:35:44,391 - securedrop_client.queue:148(process) ERROR: Job <securedrop_client.queue.RunnableQueue object at 0x72fd0dc0c678> raised an exception: PermissionError: [Errno 13] Permission denied: '/home/user/.securedrop_client/data/confrontational_alert'
2020-02-05 15:35:44,391 - securedrop_client.queue:149(process) ERROR: Skipping job
2020-02-05 15:35:46,406 - securedrop_client.queue:148(process) ERROR: Job <securedrop_client.queue.RunnableQueue object at 0x72fd0dc0c678> raised an exception: PermissionError: [Errno 13] Permission denied: '/home/user/.securedrop_client/data/confrontational_alert'
2020-02-05 15:35:46,406 - securedrop_client.queue:149(process) ERROR: Skipping job
2020-02-05 15:35:47,921 - securedrop_client.queue:148(process) ERROR: Job <securedrop_client.queue.RunnableQueue object at 0x72fd0dc0c678> raised an exception: PermissionError: [Errno 13] Permission denied: '/home/user/.securedrop_client/data/confrontational_alert'
2020-02-05 15:35:47,921 - securedrop_client.queue:149(process) ERROR: Skipping job
2020-02-05 15:35:49,459 - securedrop_client.queue:148(process) ERROR: Job <securedrop_client.queue.RunnableQueue object at 0x72fd0dc0c678> raised an exception: PermissionError: [Errno 13] Permission denied: '/home/user/.securedrop_client/data/confrontational_alert'
2020-02-05 15:35:49,459 - securedrop_client.queue:149(process) ERROR: Skipping job
2020-02-05 15:35:51,347 - securedrop_client.queue:148(process) ERROR: Job <securedrop_client.queue.RunnableQueue object at 0x72fd0dc0c678> raised an exception: PermissionError: [Errno 13] Permission denied: '/home/user/.securedrop_client/data/confrontational_alert'
2020-02-05 15:35:51,347 - securedrop_client.queue:149(process) ERROR: Skipping job
2020-02-05 15:36:12,221 - securedrop_client.queue:148(process) ERROR: Job <securedrop_client.queue.RunnableQueue object at 0x72fd0dc0c708> raised an exception: PermissionError: [Errno 13] Permission denied: '/home/user/.securedrop_client/data/deictic_crisis'
2020-02-05 15:36:12,221 - securedrop_client.queue:149(process) ERROR: Skipping job
2020-02-05 15:36:39,064 - securedrop_client.storage:94(get_remote_data) INFO: Fetched 3 remote sources.
2020-02-05 15:36:39,065 - securedrop_client.storage:96(get_remote_data) INFO: Fetched 4 remote submissions.
2020-02-05 15:36:39,065 - securedrop_client.storage:97(get_remote_data) INFO: Fetched 4 remote replies.
2020-02-05 15:36:39,271 - securedrop_client.queue:222(resume_queues) INFO: Resuming queues
2020-02-05 15:36:39,271 - securedrop_client.queue:222(resume_queues) INFO: Resuming queues
2020-02-05 15:36:41,422 - securedrop_client.queue:148(process) ERROR: Job <securedrop_client.queue.RunnableQueue object at 0x72fd0dc0c678> raised an exception: PermissionError: [Errno 13] Permission denied: '/home/user/.securedrop_client/data/confrontational_alert'
2020-02-05 15:36:41,422 - securedrop_client.queue:149(process) ERROR: Skipping job
2020-02-05 15:36:43,423 - securedrop_client.queue:148(process) ERROR: Job <securedrop_client.queue.RunnableQueue object at 0x72fd0dc0c678> raised an exception: PermissionError: [Errno 13] Permission denied: '/home/user/.securedrop_client/data/confrontational_alert'
2020-02-05 15:36:43,423 - securedrop_client.queue:149(process) ERROR: Skipping job
2020-02-05 15:36:45,263 - securedrop_client.queue:148(process) ERROR: Job <securedrop_client.queue.RunnableQueue object at 0x72fd0dc0c678> raised an exception: PermissionError: [Errno 13] Permission denied: '/home/user/.securedrop_client/data/confrontational_alert'
2020-02-05 15:36:45,263 - securedrop_client.queue:149(process) ERROR: Skipping job
2020-02-05 15:36:47,420 - securedrop_client.queue:148(process) ERROR: Job <securedrop_client.queue.RunnableQueue object at 0x72fd0dc0c678> raised an exception: PermissionError: [Errno 13] Permission denied: '/home/user/.securedrop_client/data/confrontational_alert'
2020-02-05 15:36:47,420 - securedrop_client.queue:149(process) ERROR: Skipping job
2020-02-05 15:36:49,477 - securedrop_client.queue:148(process) ERROR: Job <securedrop_client.queue.RunnableQueue object at 0x72fd0dc0c678> raised an exception: PermissionError: [Errno 13] Permission denied: '/home/user/.securedrop_client/data/confrontational_alert'
2020-02-05 15:36:49,477 - securedrop_client.queue:149(process) ERROR: Skipping job
2020-02-05 15:36:51,334 - securedrop_client.queue:148(process) ERROR: Job <securedrop_client.queue.RunnableQueue object at 0x72fd0dc0c678> raised an exception: PermissionError: [Errno 13] Permission denied: '/home/user/.securedrop_client/data/confrontational_alert'
2020-02-05 15:36:51,335 - securedrop_client.queue:149(process) ERROR: Skipping job
2020-02-05 15:36:53,491 - securedrop_client.queue:148(process) ERROR: Job <securedrop_client.queue.RunnableQueue object at 0x72fd0dc0c678> raised an exception: PermissionError: [Errno 13] Permission denied: '/home/user/.securedrop_client/data/confrontational_alert'
2020-02-05 15:36:53,491 - securedrop_client.queue:149(process) ERROR: Skipping job

and the error messages from the syslog

Feb  5 15:43:46 localhost 2020-02-05 15:43:46,953 - securedrop_client.queue:148(process) ERROR: Job <securedrop_client.queue.RunnableQueue object at 0x72fd0dc0c678> raised an exception: PermissionError: [Errno 13] Permission denied: '/home/user/.securedrop_client/data/confrontational_alert'
Feb  5 15:43:46 localhost 2020-02-05 15:43:46,953 - securedrop_client.queue:149(process) ERROR: Skipping job
Feb  5 15:43:46 localhost kernel: [ 5166.272288] audit: type=1400 audit(1580897626.948:164): apparmor="DENIED" operation="mkdir" profile="/usr/bin/securedrop-client" name="/home/user/.securedrop_client/data/confrontational_alert/" pid=841 comm="QThread" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Feb  5 15:43:48 localhost systemd[1]: rw-home-user-QubesIncoming-sd\x2dproxy.mount: Succeeded.
Feb  5 15:43:48 localhost systemd[1]: home-user-QubesIncoming-sd\x2dproxy.mount: Succeeded.
Feb  5 15:43:48 localhost systemd[558]: rw-home-user-QubesIncoming-sd\x2dproxy.mount: Succeeded.
Feb  5 15:43:48 localhost systemd[558]: home-user-QubesIncoming-sd\x2dproxy.mount: Succeeded.
Feb  5 15:43:48 localhost kernel: [ 5167.855359] audit: type=1400 audit(1580897628.532:165): apparmor="DENIED" operation="mkdir" profile="/usr/bin/securedrop-client" name="/home/user/.securedrop_client/data/confrontational_alert/" pid=841 comm="QThread" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Feb  5 15:43:48 localhost 2020-02-05 15:43:48,537 - securedrop_client.queue:148(process) ERROR: Job <securedrop_client.queue.RunnableQueue object at 0x72fd0dc0c678> raised an exception: PermissionError: [Errno 13] Permission denied: '/home/user/.securedrop_client/data/confrontational_alert'

kushaldas added a commit that referenced this issue Feb 5, 2020
@kushaldas
Fixes #776 fixes mkdir permission in apparmor
2d372f7 
Now the client can create directories under
/home/user/.securedrop-client/data/
for different sources.
@kushaldas kushaldas mentioned this issue Feb 5, 2020
Merged
8 tasks
redshiftzero added a commit that referenced this issue Feb 6, 2020
@redshiftzero
Merge pull request #777 from freedomofpress/dear_apparmor_allow_mkdir
7bbb265 
Fixes #776 fixes mkdir permission in apparmor
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working release blocker
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fixes #776 fixes mkdir permission in apparmor freedomofpress/securedrop-client
2 participants
@eloquence @kushaldas