Bug #10925
I2P is not confined by AppArmor anymore
100%
Description
On Tails/Jessie, I2P is managed by a native systemd unit, that tries to confine I2P with AppArmor using AppArmorProfile=system_i2p
. This is correct, except that AppArmor support was enabled in Debian’s systemd 218-4, so on Jessie this is a no-op, and as a result I2P is not confined at all.
For Tor, we’re affected as well and we do config/chroot_local-patches/apparmor-adjust-tor-profile.diff
. Given the use of /usr/sbin/wrapper
I don’t think this is applicable as-is for I2P, so I think that on Jessie, we need ExecStart
to run a shell wrapper that uses aa-exec
.
Subtasks
History
#1 Updated by intrigeri 2016-01-13 14:18:17
kytv, do you think you can have a tentative fix ready by the end of the week, so that we have time to bring it into a mergeable state in time for 2.0?
Meta: a quick “No” would be a valid answer, and a much more helpful one than silence — it would allow someone else to work on a resolution for 2.0 (be it by fixing the problem, or by adding a warning to the 2.0 release notes, or something).
#2 Updated by intrigeri 2016-01-18 13:09:54
- Assignee changed from kytv to intrigeri
intrigeri wrote:
> kytv, do you think you can have a tentative fix ready by the end of the week, so that we have time to bring it into a mergeable state in time for 2.0?
>
> Meta: a quick “No” would be a valid answer, and a much more helpful one than silence — it would allow someone else to work on a resolution for 2.0 (be it by fixing the problem, or by adding a warning to the 2.0 release notes, or something).
Well, I’ll see what I can do for 2.0, then.
#3 Updated by intrigeri 2016-01-18 13:36:27
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
- Feature Branch set to bugfix/10925-I2P-AppArmor
I’ll do it using aa-exec
in a drop-in override file. The thing is, the aa-exec
way is probably not suitable for the I2P packaging since it would break on systems that haven’t AppArmor, so I guess that we’ll keep it as a Tails-specific change for our 2.x series. The only disadvantage being that Debian/Ubuntu users who have a systemd older than 218-4 still have the regression, compared to the initscript, but frankly this is none of my business and I’ll focus on fixing the Tails side of things only.
#4 Updated by intrigeri 2016-01-18 14:42:20
- Assignee changed from intrigeri to anonym
- % Done changed from 10 to 50
- QA Check set to Ready for QA
#5 Updated by anonym 2016-01-21 21:09:02
- Status changed from In Progress to Fix committed
- % Done changed from 50 to 100
Applied in changeset commit:a25a7daa900b71b3f3777acb9628573aa13cd1d6.
#6 Updated by anonym 2016-01-21 21:09:39
- Assignee deleted (
anonym) - QA Check changed from Ready for QA to Pass
#7 Updated by anonym 2016-01-27 13:31:33
- Status changed from Fix committed to Resolved
#8 Updated by anonym 2016-08-16 13:34:29
- Priority changed from Elevated to Normal