Re: [tor-bugs] #16782 [Tor]: systemd unit file is not compatible with the AppArmorProfile= directive
#16782: systemd unit file is not compatible with the AppArmorProfile= directive
---------------------------+-------------------------------
Reporter: intrigeri | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor | Version:
Resolution: | Keywords: systemd, apparmor
Actual Points: | Parent ID:
Points: |
---------------------------+-------------------------------
Comment (by intrigeri):
Replying to [comment:1 nickm]:
> I'd be happy to have our systemd profile work with AppArmor.
:)
> Quick question though: does it really need write access to *all* of
> proc? (Or is the subset of proc that it needs so complex that really we
> can't limit it?)
My understanding of the code (keep in mind that I'm no C programmer) is
that to set the AppArmor profile (with {{{aa_change_onexec}}}), systemd
only needs write access to {{{/proc/PID/attr/current}}}. But systemd's
namespacing (including {{{ReadWriteDirectories}}} and friends) is applied
earlier, that is at a time when we don't know the PID yet. So, sadly I
don't see how we could give write access to only a subset of proc here.
To sum up:
* For AppArmor users, the proposed change will be an improvement (they'll
get slightly weaker protection from systemd, but finer-grained confinement
from AppArmor, which largely compensates for the former).
* For non-AppArmor users, the proposed change indeed increases the attack
surface a bit. I lack the low-level skills to quantify this, though: given
the system-wide tor daemon is typically run as a dedicated user, in
practice having write access to {{{/proc}}} means having write access only
to files in {{{/proc/PID/}}} that are owner-writable (modulo kernel bugs).
I don't know how much this opens the attack surface in practice.
I'll let better-skilled people than me evaluate whether the former is worth the
latter.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16782#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
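As an added example (my own, not the ticket's patch or Tor's unit file): a shell check for the ordering conflict intrigeri describes, where the mount namespace is built before systemd writes the profile name into the process's /proc/PID/attr interface. It assumes a unit that makes the whole tree read-only with ReadOnlyDirectories=/ and a profile named system_tor; both sample units are constructed for the illustration.

```shell
# Added example (not from the ticket or Tor's unit file): a static check for the
# ordering problem described in the comment. systemd builds the mount namespace
# from ReadOnlyDirectories=/ReadWriteDirectories= before aa_change_onexec() is
# applied via /proc/PID/attr, so a unit that leaves /proc read-only cannot apply
# its AppArmorProfile=. The sample units are constructed and illustrative only.

# 0: profile can be applied, 1: /proc read-only so it cannot,
# 2: no AppArmorProfile= set. Only the first path on each line is inspected.
check_apparmor_compat() {
    unit="$1"
    grep -Eq '^[[:space:]]*AppArmorProfile=-?[^[:space:]]' "$unit" || return 2
    if grep -Eq '^[[:space:]]*(ReadOnlyDirectories|ReadOnlyPaths)=-?/(proc)?([[:space:]]|$)' "$unit" \
       && ! grep -Eq '^[[:space:]]*(ReadWriteDirectories|ReadWritePaths)=-?/proc([[:space:]]|$)' "$unit"
    then
        return 1
    fi
    return 0
}

# Live confirmation on a systemd host: prints the AppArmor label of the
# service's main process ("unconfined" means the profile was not applied).
running_label() {
    pid=$(systemctl show -p MainPID "$1" | cut -d= -f2)
    [ "$pid" -gt 0 ] 2>/dev/null && cat "/proc/$pid/attr/current"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# Constructed: hardened tree plus a profile, but /proc ends up read-only.
cat > "$tmp/broken.service" <<'EOF'
[Service]
ExecStart=/usr/bin/tor -f /etc/tor/torrc
AppArmorProfile=system_tor
ReadOnlyDirectories=/
EOF
# Constructed: the trade-off proposed in the comment, /proc writable again.
cat > "$tmp/fixed.service" <<'EOF'
[Service]
ExecStart=/usr/bin/tor -f /etc/tor/torrc
AppArmorProfile=system_tor
ReadOnlyDirectories=/
ReadWriteDirectories=-/proc
EOF
for u in broken fixed; do
    if check_apparmor_compat "$tmp/$u.service"; then
        echo "$u.service: AppArmorProfile= can be applied"
    else
        echo "$u.service: /proc read-only, the write to /proc/PID/attr fails"
    fi
done
```

On a real host, `running_label tor.service` is the quickest way to confirm the trade-off actually bought the confinement it was meant to.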