Opened 4 months ago

Last modified 7 days ago

#2319 new defect

AppArmor: Fix all complaints, set to enforce

Reported by: zzz Owned by: zzz
Priority: minor Milestone: 0.9.39
Component: package/debian Version: 0.9.36
Keywords: Cc: mhatta
Parent Tickets:


As brought up by 'cx5' in IRC:
Our apparmor profiles (in debian/apparmor, system_i2p and usr.bin.i2prouter) are in "complain" mode, not "enforce" mode. Quick check of dmesg shows dozens of complaints (which are labeled "ALLOWED") and possibly hundreds more suppressed? Nobody is testing or maintaining the profiles. If we did switch to enforce, we'd need more testing of packages before the release.

previous apparmor tix: #1092 #1581 #1986 #2306

hints from cx5:
sudo apt install apparmor-utils
sudo aa-enforce usr.bin.router
sudo aa-complain usr.bin.router

He sees errors from i2prouter in cat of ~/.i2p/ and ~/.i2p/i2p.status and ~/.i2p/, reasons unknown.

Change History (1)

comment:1 Changed 7 days ago by zzz

  • Cc mhatta added
  • Milestone changed from 0.9.38 to 0.9.39

Fixes in 059fdd6371ede3b8247d091fb73eef16e3eb572b to be 0.9.37-18-rc
Not brave enough to change to enforce mode for 38, will try that for 39.

Testers do the following before starting i2p:
sudo aa-enforce /usr/bin/i2prouter

Then start i2p and watch dmesg -e -w for errors.

A couple left I can't fix:
audit: type=1400 audit(1547668663.342:1578): apparmor="DENIED" operation="mknod" profile="/usr/bin/i2prouter" name="/tmp/jetty-" pid=19089 comm="java" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1547668665.270:1579): apparmor="DENIED" operation="capable" profile="/usr/bin/i2proutersanitized_helper" pid=19222 comm="firefox" capability=21 capname="sys_admin"

But this was testing with deb 0.9.35, I think I fixed the jetty temp dir since then? Need to retest with 37 and 38.
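The test procedure above (put the profile in enforce mode, start i2p, watch dmesg) leaves the tester reading raw audit lines like the two quoted in the comment. The script below is an added example, not part of the ticket or of the i2p Debian packaging; it condenses each AppArmor audit line to the fields that matter when deciding what the profile still lacks (status, profile, operation, path or capability, denied mask). The sample input is constructed: the first two lines follow the ticket's DENIED events (the child profile written in AppArmor's usual parent//child form), the other two are made up to show a complain-mode ALLOWED event and an unrelated kernel line.

```shell
#!/bin/sh
# Added example, not part of the ticket or the i2p package: summarize AppArmor
# audit lines so a tester running the profile in enforce mode can see at a
# glance what was DENIED (or, in complain mode, what was ALLOWED but would be
# denied once enforced). Feed it the output of `dmesg -e -w` or `journalctl -k -f`.

# Constructed sample input. The first two lines follow the two DENIED events
# quoted in the ticket (the child profile is written in AppArmor's usual
# parent//child form); the last two are made up to show an ALLOWED complain-mode
# event and an unrelated kernel line that must be ignored.
SAMPLE_AUDIT='audit: type=1400 audit(1547668663.342:1578): apparmor="DENIED" operation="mknod" profile="/usr/bin/i2prouter" name="/tmp/jetty-" pid=19089 comm="java" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1547668665.270:1579): apparmor="DENIED" operation="capable" profile="/usr/bin/i2prouter//sanitized_helper" pid=19222 comm="firefox" capability=21 capname="sys_admin"
audit: type=1400 audit(1547668670.001:1580): apparmor="ALLOWED" operation="open" profile="/usr/bin/i2prouter" name="/home/user/.i2p/i2p.status" pid=19089 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd'

# summarize_apparmor [STATUS]
# Reads audit lines on stdin and prints one line per AppArmor event:
#   <apparmor> <profile> op=<operation> target=<name|cap:capname> mask=<denied_mask>
# With STATUS set to DENIED or ALLOWED, only events with that status are printed.
# Limitation: values are split on spaces, so a quoted value containing a space
# (rare for name=/comm= in practice) would be truncated.
summarize_apparmor() {
  awk -v want="${1:-}" '
    /apparmor="/ {
      split("", f)                       # reset the key/value map per line
      n = split($0, tok, " ")
      for (i = 1; i <= n; i++) {
        eq = index(tok[i], "=")
        if (eq == 0) continue            # e.g. "audit(...):" carries no key
        k = substr(tok[i], 1, eq - 1)
        v = substr(tok[i], eq + 1)
        gsub(/"/, "", v)                 # strip the quotes around values
        f[k] = v
      }
      if (want != "" && f["apparmor"] != want) next
      if ("name" in f)         target = f["name"]
      else if ("capname" in f) target = "cap:" f["capname"]
      else                     target = "-"
      mask = ("denied_mask" in f) ? f["denied_mask"] : "-"
      printf "%s %s op=%s target=%s mask=%s\n",
             f["apparmor"], f["profile"], f["operation"], target, mask
    }'
}

# Demo on the constructed sample; in real use replace the printf with the
# live log, e.g.:  dmesg -e -w | summarize_apparmor DENIED
printf '%s\n' "$SAMPLE_AUDIT" | summarize_apparmor
```

Run with `summarize_apparmor ALLOWED` while the profile is still in complain mode to get the list of accesses that would start failing under aa-enforce; each distinct profile/op/target line needs either a rule in debian/apparmor or a decision that the access is unwanted.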