Control: tag -1 + patch > Care to submit a patch (with a suitable header/description) against > the packaging?
I wanted to clean up my AppArmor plate a bit, so here we go. Peter, I would like to fix this bug and #862993 in Stretch as well. Happy to discuss myself with the stable release managers if the corresponding diffs would be acceptable, whenever it helps. Cheers, -- intrigeri
>From 1111f965fe92f38a2a2754b71b985ae1840b1425 Mon Sep 17 00:00:00 2001 From: intrigeri <intrig...@boum.org> Date: Thu, 3 Aug 2017 13:21:54 +0000 Subject: [PATCH 1/2] AppArmor: use Pix instead of PUx for obfs4proxy (Closes: #867342). For some reason, either "u" or "U" breaks obfs4proxy startup if systemd's NoNewPrivileges is enabled. Anyway, "i" gives us a better defined confinement than "u". --- debian/tor.apparmor-profile.abstraction | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/tor.apparmor-profile.abstraction b/debian/tor.apparmor-profile.abstraction index 3324096cc..3d78c310c 100644 --- a/debian/tor.apparmor-profile.abstraction +++ b/debian/tor.apparmor-profile.abstraction @@ -24,4 +24,4 @@ /usr/share/tor/** r, /usr/bin/obfsproxy PUx, - /usr/bin/obfs4proxy PUx, + /usr/bin/obfs4proxy Pix, -- 2.13.3
>From 88427ccad56c60b7ae36b5ed6898706c107c5f41 Mon Sep 17 00:00:00 2001 From: intrigeri <intrig...@boum.org> Date: Thu, 3 Aug 2017 13:30:09 +0000 Subject: [PATCH 2/2] AppArmor: grant read access to /proc/sys/net/core/somaxconn, needed by obfs4proxy. We did not need this previously (when obfs4proxy could start at all) as we were running it unconfined, which is not the case anymore. --- debian/tor.apparmor-profile.abstraction | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/tor.apparmor-profile.abstraction b/debian/tor.apparmor-profile.abstraction index 3d78c310c..645dc1f19 100644 --- a/debian/tor.apparmor-profile.abstraction +++ b/debian/tor.apparmor-profile.abstraction @@ -16,6 +16,9 @@ /usr/bin/tor r, /usr/sbin/tor r, + # Needed by obfs4proxy + /proc/sys/net/core/somaxconn r, + /proc/sys/kernel/random/uuid r, /sys/devices/system/cpu/ r, /sys/devices/system/cpu/** r, -- 2.13.3