[tor-bugs] #9460 [Tor bundles/installation]: Tor AppArmor profile prevents obfsproxy from starting
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Aug 23 15:33:45 UTC 2013
#9460: Tor AppArmor profile prevents obfsproxy from starting
--------------------------------------+-------------------------------------
Reporter: proper | Owner: weasel
Type: defect | Status: needs_review
Priority: major | Milestone:
Component: Tor bundles/installation | Version:
Keywords: | Parent: #5791
Points: | Actualpoints:
--------------------------------------+-------------------------------------
Changes (by proper):
* status: new => needs_review
Comment:
Replying to [comment:3 weasel]:
> I don't think Tor should have these privileges. Putting the obfsproxy
> profiles into tor just seems like a bad idea that won't scale.
Ok.
> I suspect the better way would be to allow starting obfsproxy in an
> unconfined manner, if that's possible.
It's possible. In that case, look for:
{{{
/{,var/}run/tor/control.authcookie.tmp rw,
# Site-specific additions and overrides. See local/README for details.
#include <local/system_tor>
}}}
Needs just one more line in between.
{{{
/{,var/}run/tor/control.authcookie.tmp rw,
/usr/bin/obfsproxy Ux,
# Site-specific additions and overrides. See local/README for details.
#include <local/system_tor>
}}}
Quoted from http://wiki.apparmor.net/index.php/QuickProfileLanguage:
* x - execute
* ux - Execute unconfined (preserve environment) -- WARNING: should only be used in very special cases
* Ux - Execute unconfined (scrub the environment)
So that should do the trick. (Tested, works for me.)
Replying to [comment:4 intrigeri]:
> I agree with weasel that Tor should not have all privs obfsproxy needs:
> else we're slowly defeating the whole idea of per-program confinement.
Agreed.
> It looks like either the Tor profile should start obfsproxy in an
> unconfined manner,
Ok. The change above should do it.
> or (better) the obfsproxy package should ship with its own AppArmor
> profile.
I might create one, but please don't wait for me. If someone else has a
smaller todo list and is faster, I am happy about that.
> proper: by the way, it was almost pure chance that I was just pointed to
> this bug report. If weasel prefers such issues being reported here instead
> of on the Debian BTS, fine with me, but then you might want to point me at
> / Cc: me AppArmor-related issues.
Will do next time.
Replying to [comment:5 weasel]:
> The Debian BTS is the canonical and preferred means to report bugs
> against the debian packages. Not everybody realizes that.
Well, I created one @ trac.torproject.org as well since #5791 isn't Debian
specific. So I am unsure how both projects could benefit best from such
discussions and proposed changes.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9460#comment:6>
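As an added illustration of the trade-off weasel and intrigeri raise above (a `Ux` rule lets the child process run with no AppArmor confinement at all), here is a small audit helper, written for this note and not part of Tor's or Debian's profile, that lists which executables a profile lets run unconfined. The profile text is a constructed excerpt modelled on the proposed change; `/usr/bin/example-pt` is a hypothetical path.

```python
import re

# AppArmor execute qualifiers and what happens to the child's confinement.
# Combined fallback modes (e.g. "Pix", "PUx") are reported by whichever
# qualifier appears first in this table; good enough for an audit listing.
EXEC_MODES = {
    "ix": "inherit the parent's profile",
    "px": "transition to the child's own profile (strict)",
    "Px": "transition to the child's own profile (scrubbed environment)",
    "cx": "transition to a child profile embedded in this profile",
    "Cx": "transition to an embedded child profile (scrubbed environment)",
    "ux": "run UNCONFINED (environment preserved)",
    "Ux": "run UNCONFINED (environment scrubbed)",
}

# A file rule: an absolute path (braces/globs allowed), permissions, comma.
RULE_RE = re.compile(r"^\s*(?P<path>/\S+)\s+(?P<perms>[a-zA-Z]+),\s*$")

# Constructed excerpt in the style of the ticket's proposed change.
SAMPLE_PROFILE = """
/usr/sbin/tor rix,
/{,var/}run/tor/control.authcookie.tmp rw,
/usr/bin/obfsproxy Ux,
/usr/bin/example-pt Px,   # hypothetical: relies on its own profile existing
# Site-specific additions and overrides. See local/README for details.
#include <local/system_tor>
"""


def exec_rules(profile_text):
    """Return (path, mode) for every file rule that grants execute.
    A bare 'x' without a qualifier is reported as 'x' so a reviewer sees it."""
    found = []
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0]  # strip comments and #include lines
        m = RULE_RE.match(line)
        if not m:
            continue
        perms = m.group("perms")
        mode = next((q for q in EXEC_MODES if q in perms), None)
        if mode is not None:
            found.append((m.group("path"), mode))
        elif "x" in perms:
            found.append((m.group("path"), "x"))
    return found


def unconfined_executables(profile_text):
    """Paths the profile allows to run with no AppArmor confinement (ux/Ux)."""
    return [path for path, mode in exec_rules(profile_text) if mode in ("ux", "Ux")]


if __name__ == "__main__":
    for path, mode in exec_rules(SAMPLE_PROFILE):
        print(f"{path}: {mode} -> {EXEC_MODES.get(mode, 'bare x (invalid)')}")
```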