Opened 3 years ago

Last modified 2 years ago

#2319 new defect

AppArmor: Fix all complaints, set to enforce

Reported by: zzz
Owned by: zzz
Priority: minor
Milestone: undecided
Component: package/debian
Version: 0.9.36
Keywords:
Cc: Masayuki Hatta
Parent Tickets:
Sensitive: no


As brought up by 'cx5' in IRC:
Our apparmor profiles (in debian/apparmor, system_i2p and usr.bin.i2prouter) are in "complain" mode, not "enforce" mode. Quick check of dmesg shows dozens of complaints (which are labeled "ALLOWED") and possibly hundreds more suppressed? Nobody is testing or maintaining the profiles. If we did switch to enforce, we'd need more testing of packages before the release.

previous apparmor tix: #1092 #1581 #1986 #2306

hints from cx5:
sudo apt install apparmor-utils
sudo aa-enforce usr.bin.router
sudo aa-complain usr.bin.router

He sees errors from i2prouter in cat of ~/.i2p/ and ~/.i2p/i2p.status and ~/.i2p/, reasons unknown.


Change History (7)

comment:1 Changed 3 years ago by zzz

Cc: Masayuki Hatta added
Milestone: 0.9.38 → 0.9.39

Fixes in 059fdd6371ede3b8247d091fb73eef16e3eb572b to be 0.9.37-18-rc
Not brave enough to change to enforce mode for 38, will try that for 39.

Testers do the following before starting i2p:
sudo aa-enforce /usr/bin/i2prouter

Then start i2p and watch dmesg -e -w for errors.

A couple left I can't fix:
audit: type=1400 audit(1547668663.342:1578): apparmor="DENIED" operation="mknod" profile="/usr/bin/i2prouter" name="/tmp/jetty-" pid=19089 comm="java" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1547668665.270:1579): apparmor="DENIED" operation="capable" profile="/usr/bin/i2proutersanitized_helper" pid=19222 comm="firefox" capability=21 capname="sys_admin"

But this was testing with deb 0.9.35, I think I fixed the jetty temp dir since then? Need to retest with 37 and 38.
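Added example for the test loop described in the ticket and in comment:1 (switch the profile with aa-complain/aa-enforce, start i2p, read the audit lines out of dmesg). This is not I2P's code and is not from the ticket: it is a small triage script that groups AppArmor audit events by verdict, profile, operation and target, counts them, and separately lists the ALLOWED events, because in complain mode those are exactly the accesses that turn into denials once the profile is enforced. The sample log is constructed, modelled on the two DENIED lines quoted in comment:1; the `/home/user/.i2p/i2p.status` path and the `//sanitized_helper` child-profile name are assumptions.

```shell
#!/bin/sh
# Added example (not from ticket #2319 or the I2P tree): triage AppArmor audit
# events before flipping a profile from complain to enforce.
#
# Usage:  sh apparmor_triage.sh --demo     # run on the constructed sample below
#         dmesg | sh apparmor_triage.sh -  # run on the live kernel log

# Constructed sample, modelled on the DENIED lines quoted in comment:1.
# The two ALLOWED lines are what a complain-mode profile logs instead of
# blocking; the i2p.status path and the //sanitized_helper child profile
# are assumptions, not values taken from the ticket.
SAMPLE_LOG='audit: type=1400 audit(1547668663.342:1578): apparmor="DENIED" operation="mknod" profile="/usr/bin/i2prouter" name="/tmp/jetty-" pid=19089 comm="java" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1547668665.270:1579): apparmor="DENIED" operation="capable" profile="/usr/bin/i2prouter//sanitized_helper" pid=19222 comm="firefox" capability=21 capname="sys_admin"
audit: type=1400 audit(1547668670.100:1580): apparmor="ALLOWED" operation="open" profile="/usr/bin/i2prouter" name="/home/user/.i2p/i2p.status" pid=19089 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1547668671.200:1581): apparmor="ALLOWED" operation="open" profile="/usr/bin/i2prouter" name="/home/user/.i2p/i2p.status" pid=19089 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: unrelated line that must be ignored'

# Read log lines on stdin; print "count<TAB>verdict<TAB>profile<TAB>operation
# <TAB>target", one line per distinct event, most frequent first. target is
# the file name or, for capability checks, the capability name. Values with
# embedded spaces are not handled by this simple tokenizer.
apparmor_summary() {
    awk '
    /apparmor="(ALLOWED|DENIED)"/ {
        verdict = ""; profile = ""; op = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue   # not a key=value token
            val = kv[2]; gsub(/"/, "", val)
            if (kv[1] == "apparmor")       verdict = val
            else if (kv[1] == "profile")   profile = val
            else if (kv[1] == "operation") op = val
            else if (kv[1] == "name" || kv[1] == "capname") target = val
        }
        count[verdict "\t" profile "\t" op "\t" target]++
    }
    END { for (k in count) print count[k] "\t" k }
    ' | sort -rn
}

# Number of events on stdin with the given verdict (ALLOWED or DENIED).
count_events() {
    awk -v v="$1" '$0 ~ ("apparmor=\"" v "\"") { n++ } END { print n + 0 }'
}

# Only the ALLOWED rows: in complain mode these are the accesses the profile
# does not permit, i.e. exactly what becomes a denial after aa-enforce.
enforce_preview() {
    apparmor_summary | awk -F '\t' '$2 == "ALLOWED"'
}

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_LOG" | apparmor_summary ;;
    -)      apparmor_summary ;;
esac
```

Run it with `--demo` to see the output shape, or pipe `dmesg` into it with `-` while the profile is still in complain mode: an empty `enforce_preview` after a full test run is the signal that `aa-enforce` will not break anything the profile did not already block.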

comment:3 Changed 2 years ago by zzz

fix for oracle JRE from comment 2 in 772474069d7267d981012dc8a28a523d7291bc50 0.9.38-4

comment:4 Changed 2 years ago by zzz

Milestone: 0.9.39 → 0.9.40

user val on IRC reports that apparmor not configured as a dependency, at least on stretch … will have to fix that

comment:5 Changed 2 years ago by zzz

Separate from the debian apparmor file, there's another one in apps/apparmor for user use that's installed in scripts/. This one is unmaintained. See build.xml preppkg-base. We need to look at it and keep it in sync with the debian one and maybe move the copy line in build.xml. It's not in the updater. At a minimum, move from apps/apparmor to installer/resources.

comment:6 Changed 2 years ago by zzz

Milestone: 0.9.40 → 0.9.41

Decided to drop the unmaintained example. We support apparmor for debian package installs only.
In f167f896308eba05fabd3de919856a2c46c6b1b0 to be 0.9.39-9.
No word from mhatta on debian testing, so pushing this out yet again.

comment:7 Changed 2 years ago by zzz

Milestone: 0.9.41 → undecided

removing milestone until mhatta appears and commits
