Opened 11 months ago
Last modified 3 months ago
#2319 new defect
AppArmor: Fix all complaints, set to enforce
| Reported by: | zzz | Owned by: | zzz |
|---|---|---|---|
| Priority: | minor | Milestone: | undecided |
| Component: | package/debian | Version: | 0.9.36 |
| Keywords: | Cc: | Masayuki Hatta | |
| Parent Tickets: | Sensitive: | no |
Description
As brought up by 'cx5' in IRC:
Our apparmor profiles (in debian/apparmor, system_i2p and usr.bin.i2prouter) are in "complain" mode, not "enforce" mode. Quick check of dmesg shows dozens of complaints (which are labeled "ALLOWED") and possibly hundreds more suppressed? Nobody is testing or maintaining the profiles. If we did switch to enforce, we'd need more testing of packages before the release.
previous apparmor tix: #1092 #1581 #1986 #2306
hints from cx5:
sudo apt install apparmor-utils
sudo aa-enforce usr.bin.router
sudo aa-complain usr.bin.router
He sees errors from i2prouter in cat of ~/.i2p/i2p.java.status and ~/.i2p/i2p.status and ~/.i2p/i2p.pid, reasons unknown.
Subtickets
Change History (7)
comment:1 Changed 7 months ago by
| Cc: | Masayuki Hatta added |
|---|---|
| Milestone: | 0.9.38 → 0.9.39 |
comment:3 Changed 7 months ago by
fix for oracle JRE from comment 2 in 772474069d7267d981012dc8a28a523d7291bc50 0.9.38-4
comment:4 Changed 5 months ago by
| Milestone: | 0.9.39 → 0.9.40 |
|---|
user val on IRC reports that apparmor not configured as a dependency, at least on stretch … will have to fix that
comment:5 Changed 5 months ago by
Separate from the debian apparmor file, there's another one in apps/apparmor for user use that's installed in scripts/. This one is unmaintained. See build.xml preppkg-base. We need to look at it and keep it in sync with the debian one and maybe move the copy line in build.xml. It's not in the updater. At a minimum, move from apps/apparmor to installer/resources.
comment:6 Changed 4 months ago by
| Milestone: | 0.9.40 → 0.9.41 |
|---|
Decided to drop the unmaintained example. We support apparmor for debian package installs only.
In f167f896308eba05fabd3de919856a2c46c6b1b0 to be 0.9.39-9.
No word from mhatta on debian testing, so pushing this out yet again.
comment:7 Changed 3 months ago by
| Milestone: | 0.9.41 → undecided |
|---|
removing milestone until mhatta appears and commits
Fixes in 059fdd6371ede3b8247d091fb73eef16e3eb572b to be 0.9.37-18-rc
Not brave enough to change to enforce mode for 38, will try that for 39.
Testers do the following before starting i2p:
sudo aa-enforce /usr/bin/i2prouter
Then start i2p and watch dmesg -e -w for errors.
A couple left I can't fix:
audit: type=1400 audit(1547668663.342:1578): apparmor="DENIED" operation="mknod" profile="/usr/bin/i2prouter" name="/tmp/jetty-127.0.0.2-7699-imagegen.war-_imagegen-any-8278627140258927347.dir" pid=19089 comm="java" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1547668665.270:1579): apparmor="DENIED" operation="capable" profile="/usr/bin/i2proutersanitized_helper" pid=19222 comm="firefox" capability=21 capname="sys_admin"
But this was testing with deb 0.9.35, I think I fixed the jetty temp dir since then? Need to retest with 37 and 38.