Bug#908463: [Pkg-privacy-maintainers] Bug#908463: torbrowser-launcher: Fails to start "Web Content" processes due to outdated AppArmor policy
On 2018-09-10 10:43:32, Antoine Beaupré wrote: > On 2018-09-10 09:59:54, intrig...@debian.org wrote: >> Package: torbrowser-launcher >> Version: 0.2.9-4 >> Severity: serious >> Tags: upstream fixed-upstream >> >> Hi, >> >> I've just pushed to commits to the upstream "develop" branch that fix >> Tor Browser 8 for me. Without these, Tor Browser does start but with >> e10s enabled, no tab will render as Firefox is not allowed to start >> any "Web Content" process. > > I confirm this problem is real. It seems that as soon as anyone tries to > upgrade torbrowser in Debian now it either fails with #908068 (before > launcher upgrade) or this (after launcher upgrade). For what it's worth, I was still getting that error with 0.2.9-5, but a (forced) update to sid's 0.2.9-6 version fixes the issue on buster. Thanks for all involved! A. -- Dr. King’s major assumption was that if you are nonviolent, if you suffer, your opponent will see your suffering and will be moved to change his heart. He only made one fallacious assumption: In order for nonviolence to work, your opponent must have a conscience. The United States has none.- Stokely Carmichael
Bug#908463: [Pkg-privacy-maintainers] Bug#908463: torbrowser-launcher: Fails to start "Web Content" processes due to outdated AppArmor policy
On Sat, Sep 15, 2018 at 2:11 PM, intrigeri wrote: > Roger Shimizu: >> On Mon, Sep 10, 2018 at 11:58 PM, gregor herrmann wrote: >>> On Mon, 10 Sep 2018 10:43:32 -0400, Antoine Beaupré wrote: >>> After upgrading to 0.2.9-4, adequate complains: >>> >>> torbrowser-launcher: obsolete-conffile >>> /etc/apparmor.d/local/torbrowser.Tor.tor >>> torbrowser-launcher: obsolete-conffile >>> /etc/apparmor.d/local/torbrowser.Browser.plugin-container >>> torbrowser-launcher: obsolete-conffile >>> /etc/apparmor.d/local/torbrowser.Browser.firefox > >> Sorry, I don't have these errors when upgrading package. > > To reproduce, I think you need 1. adequate installed; > 2. upgrading from a specific version of the package. I confirmed I already had adequate installed previously. $ dpkg -l adequate Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++--=-=-== ii adequate 0.15.1all Debian package quality testing tool On Sun, Sep 16, 2018 at 2:35 AM, gregor herrmann wrote: >> > After getting rid of them, I have a starting torbrowser again. >> > >> > Looks like some dpkg-maintscript-helper(1) magic is needed here ... >> >> Could you provide an example, or even patch? >> Thanks! > > After looking at the package/repo: > > The files under /etc/apparmor.d/local were created in 0.2.9-1 (with > the upstream import) and were removed in 0.2.9-2, probably with > 0016-Remove-apparmor-local-path-from-setup.py.patch. Or maybe with > debian/patches/0015-AppArmor-remove-boilerplate-from-local-override-file.patch. > Or with both :) > > This is somewhat confusing but 0.2.9-1 seems to be the only release > with > > drwxr-xr-x root/root 0 2018-01-29 15:17 ./etc/apparmor.d/local/ > -rw-r--r-- root/root 134 2018-01-28 19:33 > ./etc/apparmor.d/local/torbrowser.Browser.firefox > -rw-r--r-- root/root 133 2018-01-28 19:33 > ./etc/apparmor.d/local/torbrowser.Browser.plugin-container > -rw-r--r-- root/root 133 2018-01-28 19:33 > ./etc/apparmor.d/local/torbrowser.Tor.tor > > (That also means that adequate must have warned me earlier?) > > Anyway, these conffiles are not shipped any more; either that's a > mistake or they need to be properly removed. I tried to install 0.2.9-1 and upgrade to 0.2.9-4, but still didn't reproduced. I tested it again after enabling adequate by set 'Adequate::Enabled "true";' in /etc/apt/apt.conf.d/20adequate But same result. BTW. Old packages can be found on snapshot.d.o [1]. [1] http://snapshot.debian.org/package/torbrowser-launcher/ # dpkg -i torbrowser-launcher_0.2.9-1_amd64.deb (Reading database ... 272854 files and directories currently installed.) Preparing to unpack torbrowser-launcher_0.2.9-1_amd64.deb ... Unpacking torbrowser-launcher (0.2.9-1) over (0.2.9-1) ... Setting up torbrowser-launcher (0.2.9-1) ... Processing triggers for desktop-file-utils (0.23-1) ... Processing triggers for mime-support (3.60) ... Processing triggers for man-db (2.7.6.1-2) ... # dpkg -i torbrowser-launcher_0.2.9-4_amd64.deb (Reading database ... 272854 files and directories currently installed.) Preparing to unpack torbrowser-launcher_0.2.9-4_amd64.deb ... Unpacking torbrowser-launcher (0.2.9-4) over (0.2.9-1) ... Setting up torbrowser-launcher (0.2.9-4) ... Installing new version of config file /etc/apparmor.d/torbrowser.Browser.firefox ... Installing new version of config file /etc/apparmor.d/torbrowser.Browser.plugin-container ... Installing new version of config file /etc/apparmor.d/torbrowser.Tor.tor ... Processing triggers for desktop-file-utils (0.23-1) ... Processing triggers for mime-support (3.60) ... Processing triggers for man-db (2.7.6.1-2) ... > There is already debian/torbrowser-launcher.maintscript which IMO > needs three new lines: > > rm_conffile /etc/apparmor.d/local/torbrowser.Tor.tor 0.2.9-2~ > torbrowser-launcher > rm_conffile /etc/apparmor.d/local/torbrowser.Browser.plugin-container > 0.2.9-2~ torbrowser-launcher > rm_conffile /etc/apparmor.d/local/torbrowser.Browser.firefox 0.2.9-2~ > torbrowser-launcher > > Or maybe s/0.2.9-2~/0.2.9-5~/ , if I'm reading dpkg-maintscript-helper(1) > correctly. Thanks for the hint! I'll try this snippet. Cheers, -- Roger Shimizu, GMT +9 Tokyo PGP/GPG: 4096R/6C6ACD6417B3ACB1
Bug#908463: [Pkg-privacy-maintainers] Bug#908463: torbrowser-launcher: Fails to start "Web Content" processes due to outdated AppArmor policy
On Sat, 15 Sep 2018 11:01:39 +0900, Roger Shimizu wrote: > > After upgrading to 0.2.9-4, adequate complains: > > > > torbrowser-launcher: obsolete-conffile > > /etc/apparmor.d/local/torbrowser.Tor.tor > > torbrowser-launcher: obsolete-conffile > > /etc/apparmor.d/local/torbrowser.Browser.plugin-container > > torbrowser-launcher: obsolete-conffile > > /etc/apparmor.d/local/torbrowser.Browser.firefox > > Sorry, I don't have these errors when upgrading package. > > > # dpkg -i torbrowser-launcher_0.2.9-4_amd64.deb > (Reading database ... 272719 files and directories currently installed.) > Preparing to unpack torbrowser-launcher_0.2.9-4_amd64.deb ... > Unpacking torbrowser-launcher (0.2.9-4) over (0.2.9-3) ... > Setting up torbrowser-launcher (0.2.9-4) ... > Installing new version of config file > /etc/apparmor.d/torbrowser.Browser.firefox ... > Processing triggers for desktop-file-utils (0.23-1) ... > Processing triggers for mime-support (3.60) ... > Processing triggers for man-db (2.7.6.1-2) ... > > > > After getting rid of them, I have a starting torbrowser again. > > > > Looks like some dpkg-maintscript-helper(1) magic is needed here ... > > Could you provide an example, or even patch? > Thanks! After looking at the package/repo: The files under /etc/apparmor.d/local were created in 0.2.9-1 (with the upstream import) and were removed in 0.2.9-2, probably with 0016-Remove-apparmor-local-path-from-setup.py.patch. Or maybe with debian/patches/0015-AppArmor-remove-boilerplate-from-local-override-file.patch. Or with both :) This is somewhat confusing but 0.2.9-1 seems to be the only release with drwxr-xr-x root/root 0 2018-01-29 15:17 ./etc/apparmor.d/local/ -rw-r--r-- root/root 134 2018-01-28 19:33 ./etc/apparmor.d/local/torbrowser.Browser.firefox -rw-r--r-- root/root 133 2018-01-28 19:33 ./etc/apparmor.d/local/torbrowser.Browser.plugin-container -rw-r--r-- root/root 133 2018-01-28 19:33 ./etc/apparmor.d/local/torbrowser.Tor.tor (That also means that adequate must have warned me earlier?) Anyway, these conffiles are not shipped any more; either that's a mistake or they need to be properly removed. There is already debian/torbrowser-launcher.maintscript which IMO needs three new lines: rm_conffile /etc/apparmor.d/local/torbrowser.Tor.tor 0.2.9-2~ torbrowser-launcher rm_conffile /etc/apparmor.d/local/torbrowser.Browser.plugin-container 0.2.9-2~ torbrowser-launcher rm_conffile /etc/apparmor.d/local/torbrowser.Browser.firefox 0.2.9-2~ torbrowser-launcher Or maybe s/0.2.9-2~/0.2.9-5~/ , if I'm reading dpkg-maintscript-helper(1) correctly. HTH, gregor -- .''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe `- NP: Peter Jones: Hooked onto your love signature.asc Description: Digital Signature
Bug#908463: [Pkg-privacy-maintainers] Bug#908463: torbrowser-launcher: Fails to start "Web Content" processes due to outdated AppArmor policy
Roger Shimizu: > On Mon, Sep 10, 2018 at 11:58 PM, gregor herrmann wrote: >> On Mon, 10 Sep 2018 10:43:32 -0400, Antoine Beaupré wrote: >> After upgrading to 0.2.9-4, adequate complains: >> >> torbrowser-launcher: obsolete-conffile >> /etc/apparmor.d/local/torbrowser.Tor.tor >> torbrowser-launcher: obsolete-conffile >> /etc/apparmor.d/local/torbrowser.Browser.plugin-container >> torbrowser-launcher: obsolete-conffile >> /etc/apparmor.d/local/torbrowser.Browser.firefox > Sorry, I don't have these errors when upgrading package. To reproduce, I think you need 1. adequate installed; 2. upgrading from a specific version of the package. Cheers, -- intrigeri
Bug#908463: [Pkg-privacy-maintainers] Bug#908463: torbrowser-launcher: Fails to start "Web Content" processes due to outdated AppArmor policy
On Mon, Sep 10, 2018 at 11:58 PM, gregor herrmann wrote: > On Mon, 10 Sep 2018 10:43:32 -0400, Antoine Beaupré wrote: > >> Disabling the apparmor profiles fix this: >> >> aa-complain torbrowser.Tor.tor >> aa-complain torbrowser.Browser.firefox > > After upgrading to 0.2.9-4, adequate complains: > > torbrowser-launcher: obsolete-conffile > /etc/apparmor.d/local/torbrowser.Tor.tor > torbrowser-launcher: obsolete-conffile > /etc/apparmor.d/local/torbrowser.Browser.plugin-container > torbrowser-launcher: obsolete-conffile > /etc/apparmor.d/local/torbrowser.Browser.firefox Sorry, I don't have these errors when upgrading package. # dpkg -i torbrowser-launcher_0.2.9-4_amd64.deb (Reading database ... 272719 files and directories currently installed.) Preparing to unpack torbrowser-launcher_0.2.9-4_amd64.deb ... Unpacking torbrowser-launcher (0.2.9-4) over (0.2.9-3) ... Setting up torbrowser-launcher (0.2.9-4) ... Installing new version of config file /etc/apparmor.d/torbrowser.Browser.firefox ... Processing triggers for desktop-file-utils (0.23-1) ... Processing triggers for mime-support (3.60) ... Processing triggers for man-db (2.7.6.1-2) ... > After getting rid of them, I have a starting torbrowser again. > > Looks like some dpkg-maintscript-helper(1) magic is needed here ... Could you provide an example, or even patch? Thanks! BTW. I have pushed not-released-yet 0.2.9-5 to branch debian/sid on salsa. Maybe you can simply build the package by git-buildpackage, and test the latest appamor profile from intrigeri. Cheers, -- Roger Shimizu, GMT +9 Tokyo PGP/GPG: 4096R/6C6ACD6417B3ACB1
Bug#908463: [Pkg-privacy-maintainers] Bug#908463: torbrowser-launcher: Fails to start "Web Content" processes due to outdated AppArmor policy
On 2018-09-10 11:17:54, Antoine Beaupré wrote: > On 2018-09-10 16:58:06, gregor herrmann wrote: >> On Mon, 10 Sep 2018 10:43:32 -0400, Antoine Beaupré wrote: >> >>> Disabling the apparmor profiles fix this: >>> >>> aa-complain torbrowser.Tor.tor >>> aa-complain torbrowser.Browser.firefox >> >> After upgrading to 0.2.9-4, adequate complains: >> >> torbrowser-launcher: obsolete-conffile >> /etc/apparmor.d/local/torbrowser.Tor.tor >> torbrowser-launcher: obsolete-conffile >> /etc/apparmor.d/local/torbrowser.Browser.plugin-container >> torbrowser-launcher: obsolete-conffile >> /etc/apparmor.d/local/torbrowser.Browser.firefox >> >> After getting rid of them, I have a starting torbrowser again. > > After getting rid of them, apparmor collapses in a pile of error and > fails to start: > > sep 10 11:16:25 curie apparmor[8443]: AppArmor parser error for > /etc/apparmor.d/torbrowser.Browser.firefox in > /etc/apparmor.d/torbrowser.Browser.firefox at line 123: Could not open > 'local/torbrowser.Browser.firefox' > sep 10 11:16:25 curie apparmor[8443]: AppArmor parser error for > /etc/apparmor.d/torbrowser.Browser.plugin-container in > /etc/apparmor.d/torbrowser.Browser.plugin-container at line 94: Could not > open 'local/torbrowser.Browser.plugin-container' > sep 10 11:16:25 curie apparmor[8443]: AppArmor parser error for > /etc/apparmor.d/torbrowser.Tor.tor in /etc/apparmor.d/torbrowser.Tor.tor at > line 41: Could not open 'local/torbrowser.Tor.tor' > > I doubt this is a real solution: those files are just empty here and > should not significantly change the AA policy. Also, I'm getting this while trying to load "plugin-container": root@curie:/etc/apparmor.d# aa-complain torbrowser.Browser.plugin-container Setting /etc/apparmor.d/torbrowser.Browser.plugin-container to complain mode. ERROR: Path doesn't start with / or variable: torbrowser_plugin_container a. -- Blind respect for authority is the greatest enemy of truth. - Albert Einstein
Bug#908463: [Pkg-privacy-maintainers] Bug#908463: torbrowser-launcher: Fails to start "Web Content" processes due to outdated AppArmor policy
On Mon, 10 Sep 2018 11:17:54 -0400, Antoine Beaupré wrote: > > torbrowser-launcher: obsolete-conffile > > /etc/apparmor.d/local/torbrowser.Tor.tor > > torbrowser-launcher: obsolete-conffile > > /etc/apparmor.d/local/torbrowser.Browser.plugin-container > > torbrowser-launcher: obsolete-conffile > > /etc/apparmor.d/local/torbrowser.Browser.firefox > > > > After getting rid of them, I have a starting torbrowser again. > > After getting rid of them, apparmor collapses in a pile of error and > fails to start: I first aa-disable()d them before rm'ing them. > sep 10 11:16:25 curie apparmor[8443]: AppArmor parser error for > /etc/apparmor.d/torbrowser.Browser.firefox in > /etc/apparmor.d/torbrowser.Browser.firefox at line 123: Could not open > 'local/torbrowser.Browser.firefox' > sep 10 11:16:25 curie apparmor[8443]: AppArmor parser error for > /etc/apparmor.d/torbrowser.Browser.plugin-container in > /etc/apparmor.d/torbrowser.Browser.plugin-container at line 94: Could not > open 'local/torbrowser.Browser.plugin-container' > sep 10 11:16:25 curie apparmor[8443]: AppArmor parser error for > /etc/apparmor.d/torbrowser.Tor.tor in /etc/apparmor.d/torbrowser.Tor.tor at > line 41: Could not open 'local/torbrowser.Tor.tor' > > I doubt this is a real solution: those files are just empty here and > should not significantly change the AA policy. Don't know, just sharing my experience and pointing to a packaging glitch. Cheers, gregor -- .''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe `- NP: Bob Dylan: I Shall Be Free signature.asc Description: Digital Signature
Bug#908463: [Pkg-privacy-maintainers] Bug#908463: torbrowser-launcher: Fails to start "Web Content" processes due to outdated AppArmor policy
On 2018-09-10 16:58:06, gregor herrmann wrote: > On Mon, 10 Sep 2018 10:43:32 -0400, Antoine Beaupré wrote: > >> Disabling the apparmor profiles fix this: >> >> aa-complain torbrowser.Tor.tor >> aa-complain torbrowser.Browser.firefox > > After upgrading to 0.2.9-4, adequate complains: > > torbrowser-launcher: obsolete-conffile > /etc/apparmor.d/local/torbrowser.Tor.tor > torbrowser-launcher: obsolete-conffile > /etc/apparmor.d/local/torbrowser.Browser.plugin-container > torbrowser-launcher: obsolete-conffile > /etc/apparmor.d/local/torbrowser.Browser.firefox > > After getting rid of them, I have a starting torbrowser again. After getting rid of them, apparmor collapses in a pile of error and fails to start: sep 10 11:16:25 curie apparmor[8443]: AppArmor parser error for /etc/apparmor.d/torbrowser.Browser.firefox in /etc/apparmor.d/torbrowser.Browser.firefox at line 123: Could not open 'local/torbrowser.Browser.firefox' sep 10 11:16:25 curie apparmor[8443]: AppArmor parser error for /etc/apparmor.d/torbrowser.Browser.plugin-container in /etc/apparmor.d/torbrowser.Browser.plugin-container at line 94: Could not open 'local/torbrowser.Browser.plugin-container' sep 10 11:16:25 curie apparmor[8443]: AppArmor parser error for /etc/apparmor.d/torbrowser.Tor.tor in /etc/apparmor.d/torbrowser.Tor.tor at line 41: Could not open 'local/torbrowser.Tor.tor' I doubt this is a real solution: those files are just empty here and should not significantly change the AA policy. A. -- >From the age of uniformity, from the age of solitude, from the age of Big Brother, from the age of doublethink - greetings! - Winston Smith, 1984
Bug#908463: [Pkg-privacy-maintainers] Bug#908463: torbrowser-launcher: Fails to start "Web Content" processes due to outdated AppArmor policy
On Mon, 10 Sep 2018 10:43:32 -0400, Antoine Beaupré wrote: > Disabling the apparmor profiles fix this: > > aa-complain torbrowser.Tor.tor > aa-complain torbrowser.Browser.firefox After upgrading to 0.2.9-4, adequate complains: torbrowser-launcher: obsolete-conffile /etc/apparmor.d/local/torbrowser.Tor.tor torbrowser-launcher: obsolete-conffile /etc/apparmor.d/local/torbrowser.Browser.plugin-container torbrowser-launcher: obsolete-conffile /etc/apparmor.d/local/torbrowser.Browser.firefox After getting rid of them, I have a starting torbrowser again. Looks like some dpkg-maintscript-helper(1) magic is needed here ... Cheers, gregor -- .''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe `- NP: Tony Joe White: Don't Over Do It signature.asc Description: Digital Signature
Bug#908463: [Pkg-privacy-maintainers] Bug#908463: torbrowser-launcher: Fails to start "Web Content" processes due to outdated AppArmor policy
On 2018-09-10 09:59:54, intrig...@debian.org wrote: > Package: torbrowser-launcher > Version: 0.2.9-4 > Severity: serious > Tags: upstream fixed-upstream > > Hi, > > I've just pushed to commits to the upstream "develop" branch that fix > Tor Browser 8 for me. Without these, Tor Browser does start but with > e10s enabled, no tab will render as Firefox is not allowed to start > any "Web Content" process. I confirm this problem is real. It seems that as soon as anyone tries to upgrade torbrowser in Debian now it either fails with #908068 (before launcher upgrade) or this (after launcher upgrade). Here's the full apparmor log I'm getting: sep 10 10:30:50 curie audit[19914]: AVC apparmor="DENIED" operation="exec" profile="torbrowser_firefox" name="/usr/bin/lsb_release" pid=19914 comm="firefox.real" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 sep 10 10:30:51 curie audit[19888]: AVC apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/usr/share/fontconfig/conf.avail/" pid=19888 comm="firefox.real" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 sep 10 10:30:51 curie dbus-daemon[2881]: [session uid=1000 pid=2865] Activating service name='org.a11y.Bus' requested by ':1.238' (uid=1000 pid=19888 comm="./firefox.real --class Tor Browser -profile TorBro") sep 10 10:30:59 curie audit[19975]: AVC apparmor="DENIED" operation="exec" profile="torbrowser_firefox" name="/home/anarcat/.local/share/torbrowser/tbb/x86_64/tor-browser_fr/Browser/firefox.real" pid=19975 comm="Gecko_IOThread" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000 sep 10 10:30:59 curie audit[19977]: AVC apparmor="DENIED" operation="exec" profile="torbrowser_firefox" name="/home/anarcat/.local/share/torbrowser/tbb/x86_64/tor-browser_fr/Browser/firefox.real" pid=19977 comm="Gecko_IOThread" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000 sep 10 10:30:59 curie audit[19979]: AVC apparmor="DENIED" operation="exec" profile="torbrowser_firefox" name="/home/anarcat/.local/share/torbrowser/tbb/x86_64/tor-browser_fr/Browser/firefox.real" pid=19979 comm="Gecko_IOThread" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000 sep 10 10:30:59 curie audit[19981]: AVC apparmor="DENIED" operation="exec" profile="torbrowser_firefox" name="/home/anarcat/.local/share/torbrowser/tbb/x86_64/tor-browser_fr/Browser/firefox.real" pid=19981 comm="Gecko_IOThread" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000 sep 10 10:30:59 curie audit[19888]: AVC apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/var/lib/snapd/desktop/applications/" pid=19888 comm="firefox.real" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 sep 10 10:30:59 curie audit[19888]: AVC apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/var/lib/snapd/desktop/applications/mimeinfo.cache" pid=19888 comm="firefox.real" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 sep 10 10:30:59 curie audit[19888]: AVC apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/var/lib/snapd/desktop/applications/" pid=19888 comm="firefox.real" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 sep 10 10:30:59 curie audit[19888]: AVC apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/var/lib/snapd/desktop/applications/mimeinfo.cache" pid=19888 comm="firefox.real" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 sep 10 10:31:00 curie audit[1]: AVC apparmor="DENIED" operation="exec" profile="torbrowser_firefox" name="/home/anarcat/.local/share/torbrowser/tbb/x86_64/tor-browser_fr/Browser/firefox.real" pid=1 comm="Gecko_IOThread" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000 sep 10 10:31:00 curie kernel: audit: type=1400 audit(1536589860.289:162): apparmor="DENIED" operation="exec" profile="torbrowser_firefox" name="/home/anarcat/.local/share/torbrowser/tbb/x86_64/tor-browser_fr/Browser/firefox.real" pid=1 comm="Gecko_IOThread" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000 Not sure what's going on with the snapd up there - I'm not using the Firefox snap, as far as I know (although I did in the past) so that part of the log is a bit strange. I noticed that my language ("fr") is in the path to `firefox.real` so I figured this could be an issue. But starting with a `C.UTF-8` locale crashes torbrowser completely with a "Tor unexpectedly exited" GUI popup: Tor exited during startup. This might be due to an error in your torrc file, a bug in Tor or another program on your system, or faulty hardware. Until you fix the underlying problem and restart Tor, Tor Browser will not start. I have then tried to reinstall TBL in that locale, without luck - same error. What is strange is that the installer is still trying to write to my locale-specific directory: sep 10 10:37:24 curie audit[19888]: AVC apparmor="DENIED" operation="mkdir" profile="torbrowser_firefox"