
Re: [tor-relays] Obfsproxy apparmor profile etc.



OK, I updated the obfsproxy apparmor profile so it works for both standalone and managed obfs3. Needed to add a line to /etc/apparmor.d/local/system_tor too. Profiles below and included in the attachment along with an init.d definition.

/etc/apparmor.d/usr.bin.obfsproxy
-------------------
#include <tunables/global>

# vim:syntax=apparmor


/usr/bin/obfsproxy {
  #include <abstractions/base>
  #include <abstractions/python>

  network inet stream,

  /dev/random r,
  /dev/urandom r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /usr/** r,
  /usr/bin/obfsproxy rix,
  /var/log/tor/obfsproxy rw,
  signal (receive) set=("term") peer=system_tor,

}
-------------------


/etc/apparmor.d/local/system_tor
-------------------
# Site-specific additions and overrides for system_tor.
# For more details, please see /etc/apparmor.d/local/README.

  signal (send) set=("term") peer=/usr/bin/obfsproxy,
-------------------

/etc/tor/torrc [just the relevant lines, using iptables to redirect from advertised obfs3port to actual] 
-------------------
ServerTransportPlugin obfs3 proxy a.b.c.d:[advertisedobfs3port]
ExtORPort auto
-------------------

/etc/init.d/obfsproxy
-------------------
#!/bin/bash
# Runs obfsproxy as debian-tor inside the /usr/bin/obfsproxy AppArmor profile
# via aa-exec, with start-stop-daemon managing the pidfile.

PIDFILE="/var/run/obfsproxy.pid"
DEST="127.0.0.1:[ORPort]"      # local Tor ORPort that obfsproxy forwards to
SERVER="a.b.c.d:[obfs3port]"   # address/port obfsproxy actually listens on

# start-stop-daemon takes --exec /usr/bin/obfsproxy from the front of this string;
# everything after the first "--" is handed to the --startas program (aa-exec),
# which enters the profile and then execs obfsproxy with its own arguments.
# $DAEMON is deliberately left unquoted below so it splits into those arguments.
DAEMON="/usr/bin/obfsproxy -- --profile=/usr/bin/obfsproxy -- /usr/bin/obfsproxy --log-file=/var/log/tor/obfsproxy --log-min-severity=info obfs3 --dest $DEST server $SERVER"

### BEGIN INIT INFO
# Provides: Obfsproxy
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Obfsproxy
### END INIT INFO

case "$1" in
start)
echo "Starting Obfsproxy"

# --make-pidfile --background: detach and record the child's PID ourselves,
# since obfsproxy does not daemonise or write a pidfile on its own.
/sbin/start-stop-daemon --make-pidfile --background --oknodo --start --pidfile $PIDFILE --chuid debian-tor:debian-tor --startas /usr/sbin/aa-exec --exec $DAEMON
;;
stop)
echo "Stopping Obfsproxy"

# Sends SIGTERM to the PID in the pidfile; the profile's signal rules permit it.
/sbin/start-stop-daemon --stop --pidfile $PIDFILE --verbose
;;
restart|reload)
/sbin/start-stop-daemon --stop --pidfile $PIDFILE --verbose
sleep 1
/sbin/start-stop-daemon --make-pidfile --background --oknodo --start --pidfile $PIDFILE --chuid debian-tor:debian-tor --startas /usr/sbin/aa-exec --exec $DAEMON
;;
*)
echo "Usage: /etc/init.d/obfsproxy {start|stop|restart|reload}"
exit 1
;;
esac

exit 0
-------------------
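As an added example (not part of the original post), a small Python checker that applies the AppArmor file-rule subset used in the profile above to the paths obfsproxy is expected to touch. It is a simplification: #include abstractions are not resolved and network/signal rules are ignored, so a False result only means this file's own rules do not grant the access.

```python
import re
# Constructed sample: the file rules of the posted /etc/apparmor.d/usr.bin.obfsproxy.
PROFILE = """/usr/bin/obfsproxy {
  #include <abstractions/base>
  #include <abstractions/python>
  network inet stream,
  /dev/random r,
  /dev/urandom r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /usr/** r,
  /usr/bin/obfsproxy rix,
  /var/log/tor/obfsproxy rw,
  signal (receive) set=("term") peer=system_tor,
}"""

# File rule: absolute path glob, whitespace, permission letters, trailing comma.
FILE_RULE = re.compile(r"^(/\S+)\s+([rwamklixpuPUC]+),$")

def glob_to_regex(pattern):
    """AppArmor glob subset: '**' may span '/', '*' and '?' may not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        out.append("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_file_rules(profile_text):
    """(regex, permission set) per file rule; #include, network and signal
    lines are skipped, so abstractions are NOT resolved (simplification)."""
    rules = []
    for line in profile_text.splitlines():
        m = FILE_RULE.match(line.strip())
        if m:
            rules.append((glob_to_regex(m.group(1)), set(m.group(2))))
    return rules

def allowed(rules, path, mode):
    """Permissions accumulate over all rules matching the path, as in AppArmor;
    every letter of 'mode' must be granted (x qualifiers treated as letters)."""
    granted = set()
    for regex, perms in rules:
        if regex.match(path):
            granted |= perms
    return set(mode) <= granted
```

With the profile above, `/var/log/tor/obfsproxy` rw and anything under `/usr` r come back allowed, while `/etc/tor/torrc` r and a write to `/var/run/obfsproxy.pid` do not (the pidfile is written by start-stop-daemon, outside the profile, so that is expected).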
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays