Hi Peter,

Thanks for your review. See my replies below.
Peter Palfrader wrote (21 May 2012 19:44:34 GMT) :
> - What about any UDP traffic that tor might cause (resolving
>   hostnames)?

Good catch, some use cases require a few outgoing DNS requests. Allowed UDP traffic too, then. Please find updated Git patch attached.

(Note that network rules are not enforced in current testing/sid kernel, due to the lack of the AppArmor 2.4 compatibility patch, so I could test this part in the wild.)

> - Does it not need to read from various nodes in /dev, like the randoms?
>   Is that included by default?

It's dealt with by abstractions/base.

> - Why does it not have complete control over its
>   /var/run/tor directory?

In my tests, the limited permissions granted by the proposed profile were sufficient, so why allow the Tor daemon to do more? If the current rules about /run/tor reveal themselves to be insufficient, or become too complex to be easy to maintain, I guess we may have to give up and grant it control over the whole directory. For the sake of simplicity and future-proofing, I could be convinced to change this right away, given the security benefits are arguably tiny.

> Why is it different from /var/lib/tor?

I initially tried to write more detailed rules about /var/lib/tor/, but given the large number of files that live there, and given new files appearing in there on a regular basis (e.g. micro-descriptors), I gave up, to keep the profile easy to maintain. One fundamental difference between /run/tor and /var/lib/tor, I believe, is that the former is mainly, if not only, in control of the Debian packaging, while the latter is mainly in control of the upstream code.

> - Why do we restrict access in var/log/tor to files called log*?

Because it was enough to get a nicely working Tor in my tests with the default configuration, and would gently accommodate administrators setting custom Log directives, as long as the target files match this pattern.

The idea is to write a set of rules that are as restrictive as possible, but loose enough for the software to work properly.

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
>From 9f76d6be8db6910d169343fea000e1e0220b5b0a Mon Sep 17 00:00:00 2001 From: intrigeri <[email protected]> Date: Mon, 16 Apr 2012 10:40:47 +0200 Subject: [PATCH] Add AppArmor profile. --- debian/apparmor-profile | 35 +++++++++++++++++++++++++++++++++++ debian/control | 4 ++-- debian/rules | 4 ++++ debian/tor.dirs | 1 + 4 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 debian/apparmor-profile diff --git a/debian/apparmor-profile b/debian/apparmor-profile new file mode 100644 index 0000000..517e525 --- /dev/null +++ b/debian/apparmor-profile @@ -0,0 +1,35 @@ +# vim:syntax=apparmor +#include <tunables/global> + +/usr/sbin/tor { + #include <abstractions/base> + #include <abstractions/nameservice> + + network tcp, + network udp, + + capability chown, + capability dac_override, + capability fowner, + capability fsetid, + capability setgid, + capability setuid, + + /proc/sys/kernel/random/uuid r, + /sys/devices/system/cpu/ r, + /sys/devices/system/cpu/** r, + + /etc/tor/* r, + /usr/share/tor/** r, + + owner /var/lib/tor/** rwk, + owner /var/log/tor/log* w, + + /{,var/}run/tor/control w, + /{,var/}run/tor/tor.pid w, + /{,var/}run/tor/control.authcookie w, + /{,var/}run/tor/control.authcookie.tmp rw, + + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.sbin.tor> +} diff --git a/debian/control b/debian/control index 4acf32a..e6e58ab 100644 --- a/debian/control +++ b/debian/control 
@@ -2,7 +2,7 @@ Source: tor Section: net Priority: optional Maintainer: Peter Palfrader <[email protected]> -Build-Depends: debhelper (>= 5), libssl-dev, dpatch, zlib1g-dev, libevent-dev (>= 1.1), binutils (>= 2.14.90.0.7), hardening-includes, asciidoc (>= 8.2), docbook-xml, docbook-xsl, xmlto +Build-Depends: debhelper (>= 5), libssl-dev, dpatch, zlib1g-dev, libevent-dev (>= 1.1), binutils (>= 2.14.90.0.7), hardening-includes, asciidoc (>= 8.2), docbook-xml, docbook-xsl, xmlto, dh-apparmor Standards-Version: 3.8.1 Homepage: https://www.torproject.org/ Vcs-Git: git://git.torproject.org/debian/tor.git @@ -13,7 +13,7 @@ Architecture: any Depends: ${shlibs:Depends}, adduser, ${misc:Depends} Conflicts: libssl0.9.8 (<< 0.9.8g-9) Recommends: logrotate, tor-geoipdb, torsocks -Suggests: mixmaster, xul-ext-torbutton, socat, tor-arm, polipo (>= 1) | privoxy +Suggests: mixmaster, xul-ext-torbutton, socat, tor-arm, polipo (>= 1) | privoxy, apparmor Description: anonymizing overlay network for TCP Tor is a connection-based low-latency anonymous communication system which addresses many flaws in the original onion routing design. diff --git a/debian/rules b/debian/rules index b8cf5c0..53ead19 100755 --- a/debian/rules +++ b/debian/rules @@ -151,6 +151,10 @@ install: build install -m 644 contrib/tor-tsocks.conf $(CURDIR)/debian/tor/etc/tor install -m 644 debian/tor-service-defaults-torrc $(CURDIR)/debian/tor/usr/share/tor + install -m 644 debian/apparmor-profile $(CURDIR)/debian/tor/etc/apparmor.d/usr.sbin.tor + if type dh_apparmor >/dev/null 2>&1; \ + then dh_apparmor --profile-name=usr.sbin.tor -ptor; fi + dh_link usr/share/man/man8/tor.8 usr/share/man/man5/torrc.5 rm -f $(CURDIR)/debian/tor/usr/bin/tor-control.py diff --git a/debian/tor.dirs b/debian/tor.dirs index 3c28695..f4f6db7 100644 --- a/debian/tor.dirs +++ b/debian/tor.dirs @@ -1,3 +1,4 @@ +etc/apparmor.d etc/tor var/lib/tor var/log/tor -- 1.7.10
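Review bot: In the debian/apparmor-profile hunk, `owner /var/log/tor/log* w,` ties the profile to a file name rather than to the dedicated log directory, so an administrator who points a `Log ... file` directive at any other name under /var/log/tor/ gets a denied write and a daemon that no longer logs to disk; `owner /var/log/tor/* w,` is no wider in practice since the directory belongs to tor, and whichever form stays should carry a comment explaining the choice. Three smaller points in the same hunk: `network tcp,` and `network udp,` cover every address family, so spell out `network inet stream,` / `network inet6 stream,` (and the dgram equivalents) and check whether `abstractions/nameservice` already grants the UDP side for the resolver case discussed above; `owner /var/lib/tor/** rwk,` matches entries below the DataDirectory but not `/var/lib/tor/` itself, so confirm that tor never opens the directory for listing, or add `owner /var/lib/tor/ r,`; and each `capability` line (dac_override and fowner in particular) should name the tor operation that needs it, so a later reviewer can drop the ones that stop being necessary.

Review bot: In the debian/control hunk, `dh-apparmor` becomes an unconditional Build-Depends while the debian/rules hunk still guards the call with `if type dh_apparmor`; the two disagree. Either keep the hard dependency and call dh_apparmor directly, or leave it out of Build-Depends if the package must still build where dh-apparmor is not installable.

Review bot: In the debian/rules hunk, the `if type dh_apparmor >/dev/null 2>&1; then ...; fi` guard silently skips the maintainer-script generation when the helper is missing, which leaves `/etc/apparmor.d/usr.sbin.tor` installed but never loaded and never given the `local/usr.sbin.tor` include it references; with dh-apparmor in Build-Depends, prefer a plain `dh_apparmor --profile-name=usr.sbin.tor -ptor` so a missing helper fails the build instead.

Review bot: In the debian/tor.dirs hunk, `etc/apparmor.d` gives the install rule its target directory, but the profile's `#include <local/usr.sbin.tor>` requires /etc/apparmor.d/local/usr.sbin.tor to exist when the profile is parsed; confirm that the postinst generated by dh_apparmor creates that file, otherwise the profile fails to load on a system that has never had a local override.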
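The reply above notes that custom Log directives keep working only while their targets match the `log*` rule. As an added check written for this review (not part of intrigeri's patch or the tor package), the script below translates the profile's path globs into regexes, using my reading of AppArmor's glob semantics, and reports which torrc Log targets the profile would refuse to write; the torrc fragment is constructed.

```python
import re

# File rules copied from the proposed debian/apparmor-profile (paths and perms).
PROFILE_RULES = [
    "/etc/tor/* r,",
    "owner /var/lib/tor/** rwk,",
    "owner /var/log/tor/log* w,",
    "/{,var/}run/tor/control w,",
]

def glob_to_regex(pattern):
    """AppArmor path glob -> anchored regex: '*' stays within one path component,
    '**' crosses components, '{a,b}' is literal alternation.  A glob right after
    '/' must match at least one character, so /var/lib/tor/** excludes /var/lib/tor/."""
    out, i = [], 0
    while i < len(pattern):
        c, prev = pattern[i], (pattern[i - 1] if i else "")
        if pattern.startswith("**", i):
            out.append(("[^/]" if prev == "/" else "") + ".*"); i += 2
        elif c == "*":
            out.append(("[^/]" if prev == "/" else "") + "[^/]*"); i += 1
        elif c == "{":
            j = pattern.index("}", i)
            out.append("(?:%s)" % "|".join(re.escape(a) for a in pattern[i + 1:j].split(",")))
            i = j + 1
        else:
            out.append(re.escape(c)); i += 1
    return re.compile("^" + "".join(out) + "$")

def permitted(path, perm, rules=PROFILE_RULES):
    """True if some rule grants the single permission letter `perm` on `path`."""
    for rule in rules:
        parts = rule.rstrip(",").split()
        if parts[0] == "owner":  # the owner qualifier only narrows who may use the rule
            parts = parts[1:]
        if glob_to_regex(parts[0]).match(path) and perm in parts[1]:
            return True
    return False

def log_file_targets(torrc_text):
    """Paths from torrc 'Log <severity> file <path>' directives (comments stripped)."""
    rows = (ln.split("#", 1)[0].split() for ln in torrc_text.splitlines())
    return [p[3] for p in rows if len(p) >= 4 and p[0].lower() == "log" and p[2].lower() == "file"]

def uncovered_log_targets(torrc_text, rules=PROFILE_RULES):
    """Log files the daemon could not write under the profile."""
    return [p for p in log_file_targets(torrc_text) if not permitted(p, "w", rules)]

# Constructed torrc fragment: the debug.log target does not match log*.
SAMPLE_TORRC = "Log notice file /var/log/tor/log\nLog debug file /var/log/tor/debug.log\n"
```

Running `uncovered_log_targets(SAMPLE_TORRC)` against the rules above flags `/var/log/tor/debug.log`, the kind of target the `log*` restriction silently excludes.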

