Bug #10528

Restore AppArmor confinement of Tor on Jessie

Added by intrigeri 2015-11-10 02:38:02 . Updated 2015-11-10 03:49:26 .

Status: Resolved
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2015-11-10
Due date:
% Done: 100%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool:
Deliverable for: 269

Description

feature/jessie now has Tor 0.2.7 packages that ship with systemd unit files (which is good, as it allows us to resolve Feature #5750). The problem is that they don’t turn on the AppArmor profile, which is a regression vs. Wheezy-based Tails.


Related issues

Related to Tails - Feature #5750: Supervise critical services (Resolved)

History

#1 Updated by intrigeri 2015-11-10 02:38:14

  • blocks #8668 added

#2 Updated by intrigeri 2015-11-10 02:39:12

Implementation ideas salvaged from Feature #5750:

  • renaming the system_tor profile to usr.sbin.tor: should work, highly Tails-specific but so trivial that it’s no big deal — and we can get rid of this hack in Tails/Stretch
  • wrapping the tor daemon’s startup with aa-exec
  • a more recent systemd than Jessie’s one, hopefully from jessie-backports, compiled with AppArmor support (which is the case since 218-4 in Debian experimental)
  • rebuilding Jessie’s systemd with AppArmor support (I’ve been using that for months)
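
Whichever of these approaches is used, the outcome can be verified by reading the AppArmor label the kernel reports for the running tor process. The check below is an added example, not part of this ticket or of Tails' code; it assumes the daemon's process name is `tor`, takes the acceptable profile names (here the two mentioned above, `system_tor` and `usr.sbin.tor`) as a parameter, and runs against a constructed sample tree rather than the live `/proc`.

```shell
#!/bin/sh
# Added example (not Tails code): report AppArmor confinement of tor processes.
# Kernel label format in /proc/<pid>/attr/current: "unconfined" or "<profile> (<mode>)".

# classify_label LABEL EXPECTED_PROFILES -> enforced|complain|unconfined|wrong-profile|unknown
classify_label() {
    label=$1; expected=$2
    case $label in
        unconfined) echo unconfined; return ;;
        *" ("*")") ;;
        *) echo unknown; return ;;
    esac
    profile=${label% (*}
    mode=${label##* (}; mode=${mode%\)}
    case " $expected " in
        *" $profile "*) ;;
        *) echo wrong-profile; return ;;
    esac
    case $mode in
        enforce) echo enforced ;;
        complain) echo complain ;;
        *) echo unknown ;;
    esac
}

# check_tor_confinement PROCROOT EXPECTED_PROFILES
# Prints "<pid> <state> <label>" per process whose comm is "tor" (assumed name);
# succeeds only if at least one exists and all are enforced under an expected profile.
check_tor_confinement() {
    procroot=${1:-/proc}; expected=${2:-system_tor}; found=0; bad=0
    for dir in "$procroot"/[0-9]*; do
        read -r comm 2>/dev/null < "$dir/comm" || continue
        [ "$comm" = tor ] || continue
        found=1; label=
        read -r label 2>/dev/null < "$dir/attr/current" || :
        state=$(classify_label "$label" "$expected")
        echo "${dir##*/} $state $label"
        [ "$state" = enforced ] || bad=1
    done
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Constructed sample /proc tree (not real data), then the check run against it.
demo=$(mktemp -d)
mkdir -p "$demo/101/attr" "$demo/202/attr"
echo tor > "$demo/101/comm"; echo "system_tor (enforce)" > "$demo/101/attr/current"
echo tor > "$demo/202/comm"; echo unconfined > "$demo/202/attr/current"
check_tor_confinement "$demo" "system_tor usr.sbin.tor" || echo "tor is NOT fully confined"
rm -rf "$demo"
```

On a live system, call `check_tor_confinement /proc system_tor`; a non-zero exit means tor is not running, is unconfined, is in complain mode, or is under an unexpected profile.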

#3 Updated by intrigeri 2015-11-10 02:45:22

#4 Updated by intrigeri 2015-11-10 03:00:41

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

Got a fix locally, testing.

#5 Updated by intrigeri 2015-11-10 03:48:44

  • Status changed from In Progress to Resolved
  • % Done changed from 10 to 100

Applied in changeset commit:fa5e9988d3ea1a99fa1671567b49fb71abe9704c.

#6 Updated by intrigeri 2015-11-10 03:49:26

  • Assignee deleted (intrigeri)