Control: tag -1 + patch

> Care to submit a patch (with a suitable header/description) against
> the packaging?

I wanted to clean up my AppArmor plate a bit, so here we go.

Peter, I would like to fix this bug and #862993 in Stretch as well.
Happy to discuss myself with the stable release managers if the
corresponding diffs would be acceptable, whenever it helps.

Cheers,
-- 
intrigeri

From 1111f965fe92f38a2a2754b71b985ae1840b1425 Mon Sep 17 00:00:00 2001
From: intrigeri <intrig...@boum.org>
Date: Thu, 3 Aug 2017 13:21:54 +0000
Subject: [PATCH 1/2] AppArmor: use Pix instead of PUx for obfs4proxy (Closes:
 #867342).

For some reason, either "u" or "U" breaks obfs4proxy startup if systemd's
NoNewPrivileges is enabled. Anyway, "i" gives us a better defined confinement
than "u".
---
 debian/tor.apparmor-profile.abstraction | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/tor.apparmor-profile.abstraction b/debian/tor.apparmor-profile.abstraction
index 3324096cc..3d78c310c 100644
--- a/debian/tor.apparmor-profile.abstraction
+++ b/debian/tor.apparmor-profile.abstraction
@@ -24,4 +24,4 @@
   /usr/share/tor/** r,
 
   /usr/bin/obfsproxy PUx,
-  /usr/bin/obfs4proxy PUx,
+  /usr/bin/obfs4proxy Pix,
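Review bot: the unchanged context line directly above, `/usr/bin/obfsproxy PUx,`, keeps the same `U` fallback that the commit message says breaks startup under NoNewPrivileges, so obfsproxy would presumably fail the same way; either switch it to `Pix` in the same commit or say in the message why it is deliberately left as-is. Also worth stating in the message that with the `ix` fallback obfs4proxy now runs inside this abstraction's profile, so every path it touches has to be listed here (which is exactly what the second patch starts doing).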
-- 
2.13.3

From 88427ccad56c60b7ae36b5ed6898706c107c5f41 Mon Sep 17 00:00:00 2001
From: intrigeri <intrig...@boum.org>
Date: Thu, 3 Aug 2017 13:30:09 +0000
Subject: [PATCH 2/2] AppArmor: grant read access to
 /proc/sys/net/core/somaxconn, needed by obfs4proxy.

We did not need this previously (when obfs4proxy could start at all) as we were
running it unconfined, which is not the case anymore.
---
 debian/tor.apparmor-profile.abstraction | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/debian/tor.apparmor-profile.abstraction b/debian/tor.apparmor-profile.abstraction
index 3d78c310c..645dc1f19 100644
--- a/debian/tor.apparmor-profile.abstraction
+++ b/debian/tor.apparmor-profile.abstraction
@@ -16,6 +16,9 @@
   /usr/bin/tor r,
   /usr/sbin/tor r,
 
+  # Needed by obfs4proxy
+  /proc/sys/net/core/somaxconn r,
+
   /proc/sys/kernel/random/uuid r,
   /sys/devices/system/cpu/ r,
   /sys/devices/system/cpu/** r,
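Review bot: the new rule lands in the shared abstraction, so the somaxconn read is granted to tor itself as well as to obfs4proxy, not only to the pluggable transport; that is fine for a single read-only sysctl, but the commit message should say so rather than presenting it as an obfs4proxy-only grant. Since this is the first rule added after obfs4proxy started inheriting the profile, it would help to mention in the message that the profile was exercised with obfs4proxy actually running so reviewers know no further denials were observed.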
-- 
2.13.3
