Opened 6 months ago
Last modified 5 days ago
#2319 new defect
AppArmor: Fix all complaints, set to enforce
| Reported by: | zzz | Owned by: | zzz |
|---|---|---|---|
| Priority: | minor | Milestone: | 0.9.40 |
| Component: | package/debian | Version: | 0.9.36 |
| Keywords: | Cc: | mhatta | |
| Parent Tickets: |
Description
As brought up by 'cx5' in IRC:
Our apparmor profiles (in debian/apparmor, system_i2p and usr.bin.i2prouter) are in "complain" mode, not "enforce" mode. Quick check of dmesg shows dozens of complaints (which are labeled "ALLOWED") and possibly hundreds more suppressed? Nobody is testing or maintaining the profiles. If we did switch to enforce, we'd need more testing of packages before the release.
previous apparmor tix: #1092 #1581 #1986 #2306
hints from cx5:
sudo apt install apparmor-utils
sudo aa-enforce usr.bin.router
sudo aa-complain usr.bin.router
He sees errors from i2prouter in cat of ~/.i2p/i2p.java.status and ~/.i2p/i2p.status and ~/.i2p/i2p.pid, reasons unknown.
Subtickets (add)
Change History (5)
comment:1 Changed 2 months ago by zzz
- Cc mhatta added
- Milestone changed from 0.9.38 to 0.9.39
comment:2 Changed 8 weeks ago by zzz
Another problem:
comment:3 Changed 7 weeks ago by zzz
fix for oracle JRE from comment 2 in 772474069d7267d981012dc8a28a523d7291bc50 0.9.38-4
comment:4 Changed 7 days ago by zzz
- Milestone changed from 0.9.39 to 0.9.40
user val on IRC reports that apparmor not configured as a dependency, at least on stretch ... will have to fix that
comment:5 Changed 5 days ago by zzz
Separate from the debian apparmor file, there's another one in apps/apparmor for user use that's installed in scripts/. This one is unmaintained. See build.xml preppkg-base. We need to look at it and keep it in sync with the debian one and maybe move the copy line in build.xml. It's not in the updater. At a minimum, move from apps/apparmor to installer/resources.
Fixes in 059fdd6371ede3b8247d091fb73eef16e3eb572b to be 0.9.37-18-rc
Not brave enough to change to enforce mode for 38, will try that for 39.
Testers do the following before starting i2p:
sudo aa-enforce /usr/bin/i2prouter
Then start i2p and watch dmesg -e -w for errors.
A couple left I can't fix:
audit: type=1400 audit(1547668663.342:1578): apparmor="DENIED" operation="mknod" profile="/usr/bin/i2prouter" name="/tmp/jetty-127.0.0.2-7699-imagegen.war-_imagegen-any-8278627140258927347.dir" pid=19089 comm="java" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1547668665.270:1579): apparmor="DENIED" operation="capable" profile="/usr/bin/i2proutersanitized_helper" pid=19222 comm="firefox" capability=21 capname="sys_admin"
But this was testing with deb 0.9.35, I think I fixed the jetty temp dir since then? Need to retest with 37 and 38.