Feature #11930
Review AppArmor profiles for OnionShare
100%
Description
We intend to upstream our AppArmor profiles for OnionShare. It would be nice to have a second, more security-related, review of them.
Subtasks
Related issues
- Related to Tails - Resolved 2017-01-14
- Blocks Tails - Resolved 2016-11-16
History
#1 Updated by Anonymous 2016-11-16 12:54:52
- Assignee set to jvoisin
Hi jvoisin,
would you be able to look at this? I’ll provide you with a link and testing ISO soon.
#2 Updated by Anonymous 2016-11-16 12:56:30
- Parent task deleted (Feature #11929)
#3 Updated by Anonymous 2016-11-16 12:56:38
- Parent task set to Feature #7870
#5 Updated by Anonymous 2016-11-17 10:48:19
- Feature Branch set to tails:tails/feature/7870-include_onionshare
And the code: https://git-tails.immerda.ch/tails/tree/config/chroot_local-includes/etc/apparmor.d?h=feature/7870-include_onionshare
#6 Updated by Anonymous 2016-11-17 13:37:25
Reported by jvoisin:
- /usr/share/icons/Adwaita/index.theme -> no need to rwk*, just reading should be enough.
- Shouldn’t `deny /{,lib/live/mount/rootfs/filesystem.squashfs/}etc/machine-id r, deny /var/lib/dbus/machine-id.* rw,` go into an abstraction? -> maybe not, because that’s only used by the gui.
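The first point above (an `rwk` rule on a theme file that only needs reading) is the kind of thing a profile review can check mechanically. The following is an added example, not code from Tails or OnionShare: a small Python linter that parses the simple `path perms,` and `deny path perms,` rule form used in the quoted fragments and flags rules granting write (`w`), append (`a`) or lock (`k`) access on paths under prefixes a desktop application should only read. The profile texts are constructed from the rules quoted in this ticket plus one assumed `@{HOME}` rule; the set of read-only prefixes is an assumption, not something the ticket states.

```python
"""Tiny AppArmor file-rule linter (added example, not Tails/OnionShare code).

It understands only the plain `path perms,` and `deny path perms,` rule form
(optionally prefixed with `owner`), which is enough to check the fragments
quoted in the ticket. Rules that grant w/a/k on a read-only system path are
reported so a reviewer can tighten them to `r`.
"""
import re

# Constructed profile fragment; the first rule is the one flagged in review.
PROFILE_BEFORE = """\
  /usr/share/icons/Adwaita/index.theme rwk,
  deny /{,lib/live/mount/rootfs/filesystem.squashfs/}etc/machine-id r,
  deny /var/lib/dbus/machine-id.* rw,
  owner @{HOME}/** rw,
"""

# Constructed fragment reflecting the later state described in the ticket:
# index.theme is read-only and the squashfs machine-id line is gone.
PROFILE_AFTER = """\
  /usr/share/icons/Adwaita/index.theme r,
  deny /var/lib/dbus/machine-id.* rw,
  owner @{HOME}/** rw,
"""

# Matches `[deny] [owner] <path> <perms>,` ; the path may contain AppArmor
# alternation `{a,b}` and variables `@{HOME}` because it is anything non-blank.
RULE_RE = re.compile(
    r"^\s*(?P<deny>deny\s+)?(?P<owner>owner\s+)?"
    r"(?P<path>\S+)\s+(?P<perms>[A-Za-z]+)\s*,\s*$"
)

# Assumed: system data a GUI application has no business modifying.
READ_ONLY_PREFIXES = ("/usr/share/", "/usr/lib/", "/etc/")

# AppArmor permission letters that allow modification of the file.
WRITE_LIKE = {"w", "a", "k"}


def parse_rules(text):
    """Return a list of dicts {deny, owner, path, perms} for each file rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "deny": bool(m.group("deny")),
                "owner": bool(m.group("owner")),
                "path": m.group("path"),
                "perms": set(m.group("perms")),
            })
    return rules


def find_excess_permissions(text):
    """Return (path, excess_perms) for allow-rules that grant w/a/k on a
    read-only system prefix. `deny` rules are skipped: they only restrict."""
    findings = []
    for rule in parse_rules(text):
        if rule["deny"]:
            continue
        excess = rule["perms"] & WRITE_LIKE
        if excess and rule["path"].startswith(READ_ONLY_PREFIXES):
            findings.append((rule["path"], "".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for label, profile in (("before", PROFILE_BEFORE), ("after", PROFILE_AFTER)):
        for path, perms in find_excess_permissions(profile):
            print(f"{label}: {path} grants '{perms}' but should be read-only")
```

Run against the two fragments, the "before" profile reports `index.theme` with `kw` excess and the "after" profile reports nothing; the `deny` lines are left alone because they only remove access, which is why the second review point (whether they belong in an abstraction) is a question of structure rather than of privilege.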
#7 Updated by Anonymous 2016-11-17 13:38:04
https://git-tails.immerda.ch/tails/tree/config/chroot_local-includes/etc/apparmor.d/abstractions/onionshare?h=feature/7870-include_onionshare -> there are Python-related instructions which might be worth investigating: why aren’t they part of the python abstraction?
#8 Updated by jvoisin 2016-11-25 21:46:33
- Assignee deleted (jvoisin)
You summarised my feedback pretty well. I’ll only add that there is some code duplication floating around that could/should be factorized, but nothing critical. Good job.
#9 Updated by intrigeri 2016-12-07 09:04:07
- Subject changed from Review apparmor profiles for Onionshare to Review AppArmor profiles for OnionShare
#10 Updated by intrigeri 2016-12-07 09:17:02
- Feature Branch changed from tails:tails/feature/7870-include_onionshare to feature/7870-include_onionshare
(That’s implicit.)
#11 Updated by intrigeri 2016-12-07 09:17:31
- Parent task deleted (Feature #7870)
This is not a blocker for Feature #7870.
#12 Updated by intrigeri 2016-12-07 09:17:56
- Blocks Feature #11929: Upstream AppArmor profiles for Onionshare added
#13 Updated by intrigeri 2016-12-07 09:21:09
- Affected tool set to OnionShare
#14 Updated by intrigeri 2016-12-07 09:21:54
- Tracker changed from Bug to Feature
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
#15 Updated by Anonymous 2017-01-17 15:26:23
- Related to Bug #12143: AppArmor blocks OnionShare from accessing folders below /home/amnesia added
#16 Updated by Anonymous 2017-01-25 10:32:32
u wrote:
> Reported by jvoisin:
>
> * /usr/share/icons/Adwaita/index.theme -> no need to rwk*, just reading should be enough.
This was removed anyway in the latest version of the profile.
> * Shouldn’t `deny /{,lib/live/mount/rootfs/filesystem.squashfs/}etc/machine-id r, deny /var/lib/dbus/machine-id.* rw,` go into an abstraction? -> maybe not, because that’s only used by the gui.
The first line was removed, and the second line is indeed only used by the GUI.
#17 Updated by Anonymous 2017-01-25 10:33:45
- Status changed from In Progress to Resolved
- Assignee deleted
- % Done changed from 10 to 100
I think we’ve addressed all the issues that were raised by jvoisin, and we’ve thoroughly tested the profiles in the meantime. They are now shipped in Tails 2.10 and still need to be added to the official Debian package.
Closing this as resolved.