Bug #10925

I2P is not confined by AppArmor anymore

Added by intrigeri 2016-01-13 14:14:01. Updated 2016-08-16 13:34:29.

Status: Resolved
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2016-01-13
Due date:
% Done: 100%
Feature Branch: bugfix/10925-I2P-AppArmor
Type of work: Code
Blueprint:
Starter:
Affected tool: I2P
Deliverable for:
Description

On Tails/Jessie, I2P is managed by a native systemd unit that tries to confine I2P with AppArmor using AppArmorProfile=system_i2p. This is correct, except that AppArmor support was enabled in Debian’s systemd 218-4, so on Jessie this is a no-op, and as a result I2P is not confined at all.

For Tor, we’re affected as well and we do config/chroot_local-patches/apparmor-adjust-tor-profile.diff. Given the use of /usr/sbin/wrapper I don’t think this is applicable as-is for I2P, so I think that on Jessie, we need ExecStart to run a shell wrapper that uses aa-exec.
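
A runtime check for the failure described above, where AppArmorProfile= is silently ignored: it reads the kernel's AppArmor label for the service's main PID instead of trusting the unit file. This is an added example, not code from Tails or I2P; the function names, the exit-code convention and the unit name i2p.service are assumptions, while system_i2p is the profile named in the report.

```shell
#!/bin/sh
# Added example, not Tails code. Verifies at runtime that a process is under
# the AppArmor profile its unit asks for, instead of trusting the unit file.

# parse_label LABEL: the kernel reports "unconfined" or "NAME (MODE)" in
# /proc/PID/attr/current; print "NAME MODE" ("-" when there is no mode).
parse_label() {
    case "$1" in
        unconfined|"") echo "unconfined -" ;;
        *" ("*")") mode=${1##*\(}; mode=${mode%\)}; echo "${1% (*} $mode" ;;
        *) echo "$1 -" ;;
    esac
}

# check_confined PID EXPECTED [PROC_ROOT]: 0 = enforced under EXPECTED,
# 1 = unconfined, wrong profile or complain mode, 2 = label unreadable.
check_confined() {
    pid=$1 expected=$2 proc=${3:-/proc}
    if ! label=$(cat "$proc/$pid/attr/current" 2>/dev/null); then
        echo "UNKNOWN pid=$pid (no readable AppArmor label)"; return 2
    fi
    parsed=$(parse_label "$label")
    profile=${parsed% *} mode=${parsed##* }
    if [ "$profile" = "$expected" ] && [ "$mode" = enforce ]; then
        echo "OK pid=$pid profile=$profile mode=$mode"; return 0
    fi
    echo "FAIL pid=$pid wanted=$expected got=$profile mode=$mode"; return 1
}

# check_unit UNIT EXPECTED: look up the unit's main PID and check it.
# Only the main PID is inspected; child processes are not walked.
check_unit() {
    pid=$(systemctl show -p MainPID "$1" | cut -d= -f2)
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo "UNKNOWN unit=$1 is not running"; return 2
    fi
    check_confined "$pid" "$2"
}

# Usage: ./check.sh UNIT PROFILE, e.g. "i2p.service system_i2p"
# (the unit name is an assumption; system_i2p is the profile named above).
if [ "$#" -eq 2 ]; then
    check_unit "$1" "$2"
fi
```

A non-zero exit makes the script usable as a post-boot assertion in a test suite, so a unit directive that silently stops applying is caught as a failure rather than discovered by inspection.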



History

#1 Updated by intrigeri 2016-01-13 14:18:17

kytv, do you think you can have a tentative fix ready by the end of the week, so that we have time to bring it into a mergeable state in time for 2.0?

Meta: a quick “No” would be a valid answer, and a much more helpful one than silence — it would allow someone else to work on a resolution for 2.0 (be it by fixing the problem, or by adding a warning to the 2.0 release notes, or something).

#2 Updated by intrigeri 2016-01-18 13:09:54

  • Assignee changed from kytv to intrigeri

intrigeri wrote:
> kytv, do you think you can have a tentative fix ready by the end of the week, so that we have time to bring it into a mergeable state in time for 2.0?
>
> Meta: a quick “No” would be a valid answer, and a much more helpful one than silence — it would allow someone else to work on a resolution for 2.0 (be it by fixing the problem, or by adding a warning to the 2.0 release notes, or something).

Well, I’ll see what I can do for 2.0, then.

#3 Updated by intrigeri 2016-01-18 13:36:27

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/10925-I2P-AppArmor

I’ll do it using aa-exec in a drop-in override file. The thing is, the aa-exec way is probably not suitable for the I2P packaging since it would break on systems that haven’t AppArmor, so I guess that we’ll keep it as a Tails-specific change for our 2.x series. The only disadvantage being that Debian/Ubuntu users who have a systemd older than 218-4 still have the regression, compared to the initscript, but frankly this is none of my business and I’ll focus on fixing the Tails side of things only.

#4 Updated by intrigeri 2016-01-18 14:42:20

  • Assignee changed from intrigeri to anonym
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA

#5 Updated by anonym 2016-01-21 21:09:02

  • Status changed from In Progress to Fix committed
  • % Done changed from 50 to 100

Applied in changeset commit:a25a7daa900b71b3f3777acb9628573aa13cd1d6.

#6 Updated by anonym 2016-01-21 21:09:39

  • Assignee deleted (anonym)
  • QA Check changed from Ready for QA to Pass

#7 Updated by anonym 2016-01-27 13:31:33

  • Status changed from Fix committed to Resolved

#8 Updated by anonym 2016-08-16 13:34:29

  • Priority changed from Elevated to Normal