Feature #11930

Review AppArmor profiles for OnionShare

Added by Anonymous 2016-11-16 12:54:12. Updated 2017-01-25 10:33:45.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
2016-11-16
Due date:
% Done:

100%

Feature Branch:
feature/7870-include_onionshare
Type of work:
Security Audit
Blueprint:

Starter:
Affected tool:
OnionShare
Deliverable for:

Description

We intend to upstream our apparmor profiles for Onionshare. It would be nice to have a second, more security related, review of them.


Subtasks


Related issues

Related to Tails - Bug #12143: AppArmor blocks OnionShare from accessing folders below /home/amnesia Resolved 2017-01-14
Blocks Tails - Feature #11929: Upstream AppArmor profiles for Onionshare Resolved 2016-11-16

History

#1 Updated by Anonymous 2016-11-16 12:54:52

  • Assignee set to jvoisin

Hi jvoisin,

would you be able to look at this? I’ll provide you with a link and testing ISO soon.

#2 Updated by Anonymous 2016-11-16 12:56:30

#3 Updated by Anonymous 2016-11-16 12:56:38

#5 Updated by Anonymous 2016-11-17 10:48:19

  • Feature Branch set to tails:tails/feature/7870-include_onionshare

And the code: https://git-tails.immerda.ch/tails/tree/config/chroot_local-includes/etc/apparmor.d?h=feature/7870-include_onionshare

#6 Updated by Anonymous 2016-11-17 13:37:25

Reported by jvoisin:

  • /usr/share/icons/Adwaita/index.theme -> no need to rwk*, just reading should be enough.
  • Shouldn’t `deny /{,lib/live/mount/rootfs/filesystem.squashfs/}etc/machine-id r, deny /var/lib/dbus/machine-id.* rw,` go into an abstraction? -> maybe not, because that’s only used by the gui.
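
The two review points above (a read-only data file granted `rwk`, and `deny` rules that take nothing away from confinement) can be checked mechanically. The script below is an added example written for this page; it is not part of the ticket, of Tails, or of the OnionShare profiles. The profile fragment it scans is constructed for the example and only mirrors the rules quoted above, and the list of trees treated as read-only system data (`READ_ONLY_PREFIXES`) is a policy choice of mine, not an AppArmor convention. It expands `{a,b}` alternation (leaving `@{VAR}` references alone), skips `deny` rules, and reports allow rules that grant write, append, lock or link permission under one of those trees.

```python
"""Flag over-broad file permissions in AppArmor profile rules (added example)."""
import re

# Hypothetical policy for this example: an application such as a file-sharing
# tool should only ever read system data under these trees.
READ_ONLY_PREFIXES = ("/usr/", "/etc/", "/lib/")
# Permission letters that let the confined process modify or lock a file.
MUTATING_PERMS = "wakl"

# [deny|audit|owner ...] <path> <perms>   (trailing comma already stripped)
RULE_RE = re.compile(
    r"^(?P<prefix>(?:(?:deny|audit|owner)\s+)*)"
    r"(?P<path>\S+)\s+(?P<perms>[rwaklmixpuPUcC]+)$"
)


def _find_alternation(pattern):
    """Index of the first '{' that opens an alternation, ignoring @{VAR} references."""
    for i, ch in enumerate(pattern):
        if ch == "{" and (i == 0 or pattern[i - 1] != "@"):
            return i
    return -1


def expand_braces(pattern):
    """Expand AppArmor brace alternation, e.g. '/{,a/}b' -> ['/b', '/a/b'] (nesting allowed)."""
    start = _find_alternation(pattern)
    if start == -1:
        return [pattern]
    depth = 0
    for end in range(start, len(pattern)):
        if pattern[end] == "{":
            depth += 1
        elif pattern[end] == "}":
            depth -= 1
            if depth == 0:
                break
    else:
        raise ValueError("unbalanced braces in %r" % pattern)
    # Split the body on commas that are not inside a nested brace group.
    alts, cur, depth = [], "", 0
    for ch in pattern[start + 1:end]:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            alts.append(cur)
            cur = ""
        else:
            cur += ch
    alts.append(cur)
    head, tail = pattern[:start], pattern[end + 1:]
    out = []
    for alt in alts:
        out.extend(expand_braces(head + alt + tail))
    return out


def parse_rule(line):
    """Return (is_deny, expanded_paths, perms_set) for a file rule, None for anything else."""
    line = line.split("#", 1)[0].strip()       # drop comments and #include lines
    if not line.endswith(","):
        return None
    m = RULE_RE.match(line[:-1].strip())
    if not m or not m.group("path").startswith(("/", "@{")):
        return None                            # capability, network, dbus, ... rules
    is_deny = "deny" in m.group("prefix").split()
    return is_deny, expand_braces(m.group("path")), set(m.group("perms"))


def audit_profile(text):
    """List (path, mutating_perms) for allow rules that can modify read-only system data."""
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        is_deny, paths, perms = parsed
        if is_deny:
            continue                           # deny rules never widen access
        bad = "".join(c for c in MUTATING_PERMS if c in perms)
        if not bad:
            continue
        for path in paths:
            if path.startswith(READ_ONLY_PREFIXES):
                findings.append((path, bad))
    return findings


# Constructed fragment for this example; it is not the Tails profile.
SAMPLE_PROFILE = """\
# constructed sample, not the shipped profile
/usr/share/icons/Adwaita/index.theme rwk,
/usr/share/icons/** r,
owner @{HOME}/Downloads/** rw,
deny /{,lib/live/mount/rootfs/filesystem.squashfs/}etc/machine-id r,
deny /var/lib/dbus/machine-id.* rw,
/{,usr/}lib/python3*/** r,
"""

if __name__ == "__main__":
    for path, perms in audit_profile(SAMPLE_PROFILE):
        print("over-broad: %s grants '%s'; 'r' is enough for read-only data" % (path, perms))
```

Running it on the sample reports only the `index.theme` rule, because the `deny` lines are skipped and the `owner @{HOME}` rule sits outside the read-only trees. A real review would run `audit_profile` over the contents of `/etc/apparmor.d/<profile>` and every abstraction it includes.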

#7 Updated by Anonymous 2016-11-17 13:38:04

https://git-tails.immerda.ch/tails/tree/config/chroot_local-includes/etc/apparmor.d/abstractions/onionshare?h=feature/7870-include_onionshare -> there are Python-related instructions which might be worth investigating: why aren’t they part of the Python abstraction?

#8 Updated by jvoisin 2016-11-25 21:46:33

  • Assignee deleted (jvoisin)

You summarised my feedback pretty well. I’ll only add that there is some code duplication floating around that could/should be factorized, but nothing critical. Good job.

#9 Updated by intrigeri 2016-12-07 09:04:07

  • Subject changed from Review apparmor profiles for Onionshare to Review AppArmor profiles for OnionShare

#10 Updated by intrigeri 2016-12-07 09:17:02

  • Feature Branch changed from tails:tails/feature/7870-include_onionshare to feature/7870-include_onionshare

(That’s implicit.)

#11 Updated by intrigeri 2016-12-07 09:17:31

This is not a blocker for Feature #7870.

#12 Updated by intrigeri 2016-12-07 09:17:56

  • blocks Feature #11929: Upstream AppArmor profiles for Onionshare added

#13 Updated by intrigeri 2016-12-07 09:21:09

  • Affected tool set to OnionShare

#14 Updated by intrigeri 2016-12-07 09:21:54

  • Tracker changed from Bug to Feature
  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

#15 Updated by Anonymous 2017-01-17 15:26:23

  • related to Bug #12143: AppArmor blocks OnionShare from accessing folders below /home/amnesia added

#16 Updated by Anonymous 2017-01-25 10:32:32

u wrote:
> Reported by jvoisin:
>
> * /usr/share/icons/Adwaita/index.theme -> no need to rwk*, just reading should be enough.

this was removed anyway in the latest version of the profile

> * Shouldn’t `deny /{,lib/live/mount/rootfs/filesystem.squashfs/}etc/machine-id r, deny /var/lib/dbus/machine-id.* rw,` go into an abstraction? -> maybe not, because that’s only used by the gui.

the first line was removed.

and the second line is only used by the gui indeed.

#17 Updated by Anonymous 2017-01-25 10:33:45

  • Status changed from In Progress to Resolved
  • Assignee deleted ()
  • % Done changed from 10 to 100

I think we’ve addressed all the issues that were raised by jvoisin, and we’ve thoroughly tested the profiles in the meantime. They are now shipped in Tails 2.10 and still need to be added to the official Debian package.
Closing this as resolved.