Bug #14603

Remove custom apparmor profile for tor

Added by groente 2017-09-05 09:53:52 . Updated 2018-01-06 21:31:26 .

Status:
Resolved
Priority:
Normal
Assignee:
groente
Category:
Infrastructure
Target version:
Start date:
2017-09-05
Due date:
% Done:

100%

Feature Branch:
Type of work:
Sysadmin
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

We currently maintain a custom apparmor profile for tor, let’s see if we can get rid of that and use debian defaults instead.


Subtasks


Related issues

Related to Tails - Feature #13581: Update AppArmor profile for tor/obfs4proxy Resolved 2017-08-04
Blocks Tails - Feature #13242: Core work: Sysadmin (Maintain our already existing services) Confirmed 2017-06-29

History

#1 Updated by intrigeri 2017-09-05 10:27:17

  • related to Feature #13581: Update AppArmor profile for tor/obfs4proxy added

#2 Updated by groente 2017-09-07 13:38:29

  • blocks Feature #13242: Core work: Sysadmin (Maintain our already existing services) added

#3 Updated by groente 2017-09-07 13:40:45

  • Status changed from New to Confirmed

#4 Updated by anonym 2017-11-15 11:30:57

  • Target version changed from Tails_3.3 to Tails_3.5

#5 Updated by groente 2018-01-06 15:39:56

  • Assignee changed from groente to intrigeri
  • QA Check set to Info Needed

completely removing the modules/site_tor directory from puppet-lizard-manifests and pinning the tor package to backports should do the trick here, no?

#6 Updated by intrigeri 2018-01-06 16:23:47

  • Assignee changed from intrigeri to groente

> completely removing the modules/site_tor directory from puppet-lizard-manifests and pinning the tor package to backports should do the trick here, no?

Sorry, I lack the background info here and retrieving it all myself into my hot cache would basically take me 99% of the time I would need if I was tackling this ticket myself, which would be a problem. So I’ll need you to help me help you :)

I see that our custom abstractions/tor is functionally equivalent to what I have on my sid with tor 0.3.2.8-rc-1.

We already install tor from deb.torproject.org, at least on bridge.lizard where this stuff matters. Why would we need the version from backports?

Hint: apt-cache madison tor, rmadison tor, apt-cache policy tor :)

#7 Updated by groente 2018-01-06 16:44:33

  • Assignee changed from groente to intrigeri

aah, i checked the debian packages of tor and the relevant changes were in stretch-backports, but not in stretch. the package from torproject looks good, though, so no need for backports.

with that in mind, just removing the site_tor directory should suffice, no?

#8 Updated by intrigeri 2018-01-06 21:04:44

  • Assignee changed from intrigeri to groente

> with that in mind, just removing the site_tor directory should suffice, no?

I guess so. Then reload the profile apparmor_parser -r /etc/apparmor.d/system_tor and restart the tor@default.service to apply and make sure it still works.

#9 Updated by groente 2018-01-06 21:31:26

  • Status changed from Confirmed to Resolved
  • % Done changed from 0 to 100

it still works.