Bug #10528: Restore AppArmor confinement of Tor on Jessie

Bug #10528

Restore AppArmor confinement of Tor on Jessie

Added by intrigeri 2015-11-10 02:38:02 . Updated 2015-11-10 03:49:26 .

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Target version:

Tails_2.0

Start date:

2015-11-10

Due date:

% Done:

100%

Feature Branch:

Type of work:

Code

Blueprint:

Starter:

Affected tool:

Deliverable for:

269

Description

feature/jessie now has Tor 0.2.7 packages that ship with systemd unit files (which is good as it allows us to resolve ~~Feature #5750~~). The problem is that they don’t turn on the AppArmor profile which is a regression vs. Wheezy-based Tails.

Subtasks

Related issues

Related to Tails - ~~Feature #5750~~: Supervise critical services

Resolved

History

#1 Updated by intrigeri 2015-11-10 02:38:14

blocks #8668 added

#2 Updated by intrigeri 2015-11-10 02:39:12

Implementation ideas salvaged from ~~Feature #5750~~:

renaming the system_tor profile to usr.sbin.tor: should work, highly Tails-specific but so trivial that it’s no big deal — and we can get rid of this hack in Tails/Stretch
wrapping the tor daemon’s startup with aa-exec
a more recent systemd than Jessie’s one, hopefully from jessie-backports, compiled with AppArmor support (which is the case since 218-4 in Debian experimental)
rebuilding Jessie’s systemd with AppArmor support (I’ve been using that for months)

#3 Updated by intrigeri 2015-11-10 02:45:22

related to ~~Feature #5750~~: Supervise critical services added

#4 Updated by intrigeri 2015-11-10 03:00:41

Status changed from Confirmed to In Progress
% Done changed from 0 to 10

Got a fix locally, testing.

#5 Updated by intrigeri 2015-11-10 03:48:44

Status changed from In Progress to Resolved
% Done changed from 10 to 100

Applied in changeset commit:fa5e9988d3ea1a99fa1671567b49fb71abe9704c.

#6 Updated by intrigeri 2015-11-10 03:49:26

Assignee deleted (~~intrigeri~~)