Fails to start with gdk-pixbuf compiled to use glycin

Last week, gdk-pixbuf was updated in Debian sid (unstable). It's now compiled with support for glycin, which uses bwrap if available. With that version, Tor Browser fails to start when confined with our AppArmor profile.

Some of the denials are trivially fixed with:

  /usr/share/glycin-loaders/2+/conf.d/ r,
  /usr/share/glycin-loaders/2+/conf.d/*.conf r,

But the crux of the matter is that Glycin uses bwrap:

kernel: audit: type=1400 audit(1771244204.725:3481): apparmor="DENIED" operation="exec" class="file" profile="torbrowser_firefox" name="/usr/bin/bwrap" pid=1166927 comm="blocking-2" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1771244204.741:3482): apparmor="DENIED" operation="exec" class="file" profile="torbrowser_firefox" name="/usr/bin/bwrap" pid=1166929 comm="gly-hdl-loader" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

According to the upstream README:

Glycin supports a sandbox mechanism inside and outside of Flatpaks. Outside of Flatpaks, the following mechanisms are used: The image loader binary is spawned via bwrap. The bubblewrap configuration only allows for minimal interaction with the host system. Only necessary parts of the filesystem are mounted and only with read access. There is no direct network access. Environment variables are not passed to the sandbox. Before forking the process the memory usage is limited via calling setrlimit and syscalls are limited to an allow-list via seccomp filters.

Inside of Flatpaks the flatpak-spawn --sandbox command is used. This restricts the access to the filesystem in a similar way as the direct bwrap call. The memory usage is limited by wrapping the loader call into a prlimit command. No additional seccomp filters are applied to the existing Flatpak seccomp rules.

I think the best way to solve this would be to allow the Tor Browser profile to execute bwrap under a subprofile, as described by Simon McVittie in https://apparmor.narkive.com/MqKSn3mT/what-to-do-about-bubblewrap-started-from-apps-confined-with#post7.

For more context, see the "[apparmor] What to do about bubblewrap started from apps confined with AppArmor?" thread that I started in 2017.
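To make the subprofile approach concrete, here is an AppArmor fragment written as an added example for this issue; it is not taken from the Tor Browser profile, from Debian's packaging, or from the narkive thread. It lets the `torbrowser_firefox` profile exec `/usr/bin/bwrap` under a named child profile instead of denying it. The two `conf.d` rules are the ones quoted above; everything inside `profile bwrap` is an assumption derived from what bubblewrap is documented to do (create a user namespace, set up id mappings, mount and `pivot_root` into the sandbox), the `userns` rule needs AppArmor 4.0 or newer, and the glycin loader path is a placeholder because the issue does not state where Debian installs those binaries.

```apparmor
# Fragment to place inside the existing torbrowser_firefox profile.
# Added example: the child-profile rule set is an assumption to be refined
# against audit denials, not policy shipped by Tor Browser or Debian.

  # Loader configuration read through gdk-pixbuf/glycin (rules from the issue).
  /usr/share/glycin-loaders/2+/conf.d/ r,
  /usr/share/glycin-loaders/2+/conf.d/*.conf r,

  # Run bwrap under a dedicated child profile rather than inheriting the
  # browser's rules (ix) or escaping confinement entirely (ux).
  # The capital C scrubs the environment on the transition.
  /usr/bin/bwrap Cx -> bwrap,

  profile bwrap {
    #include <abstractions/base>

    /usr/bin/bwrap mr,

    # Unprivileged user namespace creation (AppArmor >= 4.0 rule).
    userns,

    # bwrap writes its own id mappings before dropping privileges
    # (assumed: paths bubblewrap touches, tighten after testing).
    owner /proc/*/uid_map w,
    owner /proc/*/gid_map w,
    owner /proc/*/setgroups w,

    # Capabilities exercised inside the new namespace to build the
    # sandbox filesystem (assumed set; trim to what the audit log shows).
    capability sys_admin,
    capability sys_chroot,
    capability setpcap,

    mount,
    umount,
    pivot_root,

    # Loader binaries exec'd inside the sandbox.
    # PLACEHOLDER: replace with the real glycin-loaders path on Debian.
    /usr/libexec/glycin-loaders/** ix,
  }
```

Because the loaders use `ix`, they inherit the `bwrap` child profile and therefore its mount permissions; once their actual file and syscall needs are known from the log, they can be moved into a nested child profile of their own so that only bwrap itself keeps the namespace and mount rules.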

Edited Feb 16, 2026 by intrigeri