AppArmor profiles, 2018-01 edition #310
Conversation
…tion. We already allow the main browser profile to do that but with e10s plugin-container now needs it as well.
…m signals. With e10s Firefox does not need to ptrace itself anymore but instead it needs to ptrace and kill its child plugin-container processes.
…ent Firefox process.
We already allow Firefox to send term signals to plugin-container;
this is the receiving counterpart.
This requires giving the Firefox profile a proper name (torbrowser_firefox)
because this:
signal (receive) set=("term") peer=/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox
… does not work.
Note to package maintainers
===========================
(This should probably be copied to the release notes.)
Due to the profile renaming, upgrading the
/etc/apparmor.d/torbrowser.Browser.firefox file requires special care. The best
option is probably to strongly recommend users to reboot their system after
this upgrade.
Other options I can think of have unacceptable consequences:
- if we unload the old profile from the kernel, we will leave any already
running Tor Browser's Firefox executable unconfined, which is an unacceptable
violation of the user's security expectations;
- if we don't unload the old profile from the kernel, surprising behaviour will
happen such as:
- any already running Tor Browser's Firefox executable will be left confined
under the old profile which won't play well with new rules that have
peer=torbrowser_firefox;
- unpredictable behavior when a new Tor Browser is started, because two
profiles matching the Tor Browser's Firefox executable are loaded.
So far we allowed it to do everything in there except a link operation, so let's be consistent.
…es to read. Same rationale as commit 68f502c.
We don't currently allow access to the audio subsystem; let's not let AppArmor spam the logs about it.
This will allow us to handle upgrades more nicely in the future, e.g. when the executable path changes. Besides, this makes the output of aa-status and logs much easier to grasp. Note to packagers: exactly as for the similar change applied to the Tor Browser's Firefox profile, please consider recommending users to reboot their system after the upgrade that applies this change.
This fixes support for obfs4 and obfs3. meek and fte require vastly more extended permissions and thus dedicated child profiles.
This matches how recent dh-apparmor behaves.
|
just making a note/reminder, I can help test this branch this weekend. @micahflee |
|
@intrigeri Thanks for the work on this! Should this be tested? |
|
@intrigeri Thanks for the work on this! Should this be tested?
Yes, please :)
|
|
@intrigeri I tried the bridge feature, and yes, obfs4 and obfs3 are working after applying your patches. Thank you! But meek and fte still got the kernel audit error as below. |
|
Roger Shimizu:
But meek and fte still got the kernel audit error as below.
Could you kindly help to fix these?
I think meek and fte will need much more work so let's file
a dedicated issue and discuss it there, OK?
|
|
@intrigeri sure.
I confirm obfs4 and obfs3 work well after this patchset. |
|
@intrigeri as we discussed, I've just added you as a collaborator and code owner of While it's great to have extra code reviews and testing of the AppArmor profiles, I'm happy with you merging them directly into develop if you think they are ready. |
|
Micah Lee:
@intrigeri as we discussed, I've just added you as a collaborator and code owner of `/apparmor/`: 0e9db70
While it's great to have extra code reviews and testing of the AppArmor profiles, I'm happy with you merging them directly into develop if you think they are ready.
Excellent, thank you!
|
|
@intrigeri
I'm not sure how to add the patch after your commits in this PR. |
|
Hi @rogers0!
Roger Shimizu:
since the last commit you pushed in this PR
- 91652b6
We have to amend setup.py a bit.
I have created the patch, enclosed in the commit below:
- https://anonscm.debian.org/git/pkg-privacy/packages/torbrowser-launcher.git/commit/?h=rosh/apparmor&id=ae0070a
I'm afraid I don't understand. My PR empties these files, it does not remove them, and the idea is to keep installing them through `setup.py`. Could you please send me details about the FTBFS? I suspect it's caused by some limitation of the packaging tools we use to maintain `debian/patches/` and won't happen once my PR is part of a new upstream release, but that's just a guess.
|
|
I'm getting ready to make the 0.3.0 release and I'd love to include these updated AppArmor profiles in it. The @rogers0 @intrigeri would you mind checking to make sure this PR works with what's in |
|
@intrigeri @micahflee thanks! I'll let you know when I finish. |
@rogers0 actually when that failure happens the source file does not exist so |
|
@rogers0 @intrigeri would you mind checking to make sure this PR works with what's in `develop`
@micahflee, tested, it works fine for me.
and let me know, and then I can merge this into `develop`
Please go ahead (or ask me to merge it myself: apparently I can since
this PR only modifies paths to which I now have commit access to :)
|
|
Thanks for the merge @intrigeri :) |
… to silence logs. We already allow the main browser profile to do that but with e10s plugin-container now needs it as well. This backports part of commit cdb290f from torproject#310.
This branch includes:
Applying this upgrade to a running system requires special care, see the notes to packagers in the commit messages, that should IMO be copied to the release notes.