Opened 6 months ago

Last modified 5 days ago

#2319 new defect

AppArmor: Fix all complaints, set to enforce

Reported by: zzz Owned by: zzz
Priority: minor Milestone: 0.9.40
Component: package/debian Version: 0.9.36
Keywords: Cc: mhatta
Parent Tickets:


As brought up by 'cx5' in IRC:
Our apparmor profiles (in debian/apparmor, system_i2p and usr.bin.i2prouter) are in "complain" mode, not "enforce" mode. Quick check of dmesg shows dozens of complaints (which are labeled "ALLOWED") and possibly hundreds more suppressed? Nobody is testing or maintaining the profiles. If we did switch to enforce, we'd need more testing of packages before the release.

previous apparmor tix: #1092 #1581 #1986 #2306

hints from cx5:
sudo apt install apparmor-utils
sudo aa-enforce usr.bin.router
sudo aa-complain usr.bin.router

He sees errors from i2prouter in cat of ~/.i2p/ and ~/.i2p/i2p.status and ~/.i2p/, reasons unknown.


Change History (5)

comment:1 Changed 2 months ago by zzz

  • Cc mhatta added
  • Milestone changed from 0.9.38 to 0.9.39

Fixes in 059fdd6371ede3b8247d091fb73eef16e3eb572b to be 0.9.37-18-rc
Not brave enough to change to enforce mode for 38, will try that for 39.

Testers do the following before starting i2p:
sudo aa-enforce /usr/bin/i2prouter

Then start i2p and watch dmesg -e -w for errors.

A couple left I can't fix:
audit: type=1400 audit(1547668663.342:1578): apparmor="DENIED" operation="mknod" profile="/usr/bin/i2prouter" name="/tmp/jetty-" pid=19089 comm="java" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1547668665.270:1579): apparmor="DENIED" operation="capable" profile="/usr/bin/i2proutersanitized_helper" pid=19222 comm="firefox" capability=21 capname="sys_admin"

But this was testing with deb 0.9.35, I think I fixed the jetty temp dir since then? Need to retest with 37 and 38.
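The ticket description counts dmesg "ALLOWED" entries produced while the profiles run in complain mode, and the comment above pastes two "DENIED" entries from an enforce-mode test. The script below is an added example (not part of the ticket or of the I2P project) that parses such AppArmor audit lines, groups them by profile and status, and drafts the profile rule each event would need, in the same spirit as aa-logprof but simplified. The two DENIED lines are copied from the comment; the ALLOWED line and the home path in it are constructed for illustration. Profile names are read from the log as-is, so the garbled `/usr/bin/i2proutersanitized_helper` in the ticket stays that way.

```python
import re
from collections import defaultdict

# Constructed sample input: the two DENIED lines from the ticket comment plus one
# ALLOWED line of the kind complain mode emits (the ALLOWED line is made up here).
SAMPLE_DMESG = """\
audit: type=1400 audit(1547668663.342:1578): apparmor="DENIED" operation="mknod" profile="/usr/bin/i2prouter" name="/tmp/jetty-" pid=19089 comm="java" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1547668665.270:1579): apparmor="DENIED" operation="capable" profile="/usr/bin/i2proutersanitized_helper" pid=19222 comm="firefox" capability=21 capname="sys_admin"
audit: type=1400 audit(1547668670.001:1580): apparmor="ALLOWED" operation="open" profile="/usr/bin/i2prouter" name="/home/user/.i2p/i2p.status" pid=19089 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key="quoted value" or key=bareword; the audit(...) timestamp has no '=' so it is skipped
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line, or None for other lines."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def summarize(text):
    """Group events as {(profile, status): [(operation, target, mask), ...]}.

    status is "DENIED" (enforce mode) or "ALLOWED" (complain mode); target is the
    file name for file operations or the capability name for 'capable' events.
    """
    summary = defaultdict(list)
    for line in text.splitlines():
        f = parse_audit_line(line)
        if not f:
            continue
        target = f.get('name') or f.get('capname') or ''
        mask = f.get('denied_mask') or f.get('requested_mask') or ''
        summary[(f.get('profile'), f.get('apparmor'))].append((f.get('operation'), target, mask))
    return dict(summary)


def rule_hint(fields):
    """Draft the profile line that would satisfy one parsed event.

    This is a simplification of what aa-logprof proposes: it must be reviewed and
    narrowed (owner, globbing, abstractions) before being added to a profile.
    """
    if fields.get('operation') == 'capable' and fields.get('capname'):
        return f"capability {fields['capname']},"
    name = fields.get('name')
    mask = fields.get('denied_mask') or fields.get('requested_mask') or ''
    if not name:
        return None
    # The log reports 'c' (create) and 'd' (delete), but profile rules grant both via 'w'.
    perms = ''.join(sorted({'w' if ch in 'cd' else ch for ch in mask}))
    return f'{name} {perms},'


if __name__ == '__main__':
    # Stand-alone run: print the per-profile summary and a draft rule for each event.
    for (profile, status), events in summarize(SAMPLE_DMESG).items():
        print(f'{profile} [{status}]')
        for op, target, mask in events:
            print(f'  {op:8} {target} mask={mask!r}')
    for line in SAMPLE_DMESG.splitlines():
        f = parse_audit_line(line)
        if f:
            print('draft rule:', rule_hint(f))
```

To use it on a real test run, pipe `dmesg` output through the script (replace SAMPLE_DMESG with `sys.stdin.read()`); an empty DENIED group for a profile after a full router session is the signal that the profile is ready to move from complain to enforce.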

comment:3 Changed 7 weeks ago by zzz

fix for oracle JRE from comment 2 in 772474069d7267d981012dc8a28a523d7291bc50 0.9.38-4

comment:4 Changed 7 days ago by zzz

  • Milestone changed from 0.9.39 to 0.9.40

user val on IRC reports that apparmor not configured as a dependency, at least on stretch ... will have to fix that

comment:5 Changed 5 days ago by zzz

Separate from the debian apparmor file, there's another one in apps/apparmor for user use that's installed in scripts/. This one is unmaintained. See build.xml preppkg-base. We need to look at it and keep it in sync with the debian one and maybe move the copy line in build.xml. It's not in the updater. At a minimum, move from apps/apparmor to installer/resources.
