|
|
[[!tag archived]]
|
|
|
|
|
|
Corresponding ticket: [[!tails_ticket 8007]]
|
|
|
|
|
|
[[!toc levels=2]]
|
|
|
Corresponding ticket: tails/tails#8007
|
|
|
|
|
|
|
|
|
[[_TOC_]]
|
|
|
|
|
|
|
|
|
Remaining to do
|
|
|
===============
|
|
|
|
|
|
See [[blueprint/harden_AppArmor_profiles]].
|
|
|
See [harden AppArmor profiles](harden_AppArmor_profiles).
|
|
|
|
|
|
Checked already
|
|
|
===============
|
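Review bot: the new link `[harden AppArmor profiles](harden_AppArmor_profiles)` under "Remaining to do" drops the `blueprint/` prefix that the old `[[blueprint/harden_AppArmor_profiles]]` carried, so it resolves only if this page sits in the same wiki directory as the target. Please confirm that, or write the path from the wiki root. Also, `[[!tag archived]]` at the top has no converted counterpart visible here: if it is kept, GitLab markdown will render it as literal text, and if it is dropped, the archived status should be recorded some other way.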
... | ... | @@ -15,7 +17,7 @@ Checked already |
|
|
Could be improved later
|
|
|
-----------------------
|
|
|
|
|
|
See [[blueprint/harden_AppArmor_profiles]].
|
|
|
See [harden AppArmor profiles](harden_AppArmor_profiles).
|
|
|
|
|
|
Currently OK
|
|
|
------------
|
... | ... | @@ -88,9 +90,9 @@ of this audit should land together into Tails 1.5. |
|
|
`tmpfs` mounted there, including an empty one that hides the
|
|
|
other's content (but we should not rely on this for security).
|
|
|
Fixed on the `bugfix/8007-AppArmor-hardening` branch with
|
|
|
[[!tails_gitweb_commit bc491c9]]. Note that there's also
|
|
|
[bc491c9](https://gitlab.tails.boum.org/tails/tails/-/commit/bc491c9). Note that there's also
|
|
|
`/live/overlay` (that's a symlink to `/lib/live/mount/overlay`,
|
|
|
created in [[!tails_gitweb_commit 3233da6]]). Follow-up fixes and
|
|
|
created in [3233da6](https://gitlab.tails.boum.org/tails/tails/-/commit/3233da6)). Follow-up fixes and
|
|
|
corresponding new automatic tests (in `torified_browsing.feature`,
|
|
|
`pidgin.feature`, `evince.feature` and `totem.feature`) were added
|
|
|
on `bugfix/8007-AppArmor-hardening`; the full test suite passes,
|
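Review bot: the commit links for `bc491c9` and `3233da6` hard-code the `https://gitlab.tails.boum.org/tails/tails/-/commit/` URL, while tickets in this same change are converted to GitLab reference shorthand (`tails/tails#8007`). Consider the matching commit shorthand `tails/tails@bc491c9`, so that the page does not depend on the instance hostname and both kinds of reference are written the same way.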
... | ... | @@ -104,15 +106,15 @@ of this audit should land together into Tails 1.5. |
|
|
files via alternate paths -- everything checked, potential issues were:
|
|
|
- the `base` and `ubuntu-helpers` abstraction have things
|
|
|
like `/lib{,32,64}/** r`: this was patched when introducing
|
|
|
aliases ([[!tails_gitweb_commit 6e48b6d]])
|
|
|
aliases ([6e48b6d](https://gitlab.tails.boum.org/tails/tails/-/commit/6e48b6d))
|
|
|
- the `launchpad-integration` abstraction has things like `/** rwlk`
|
|
|
and `/{,usr/}lib*/{,**/}*.so{,.*} m`; it's harmless since it only
|
|
|
gives such rights to an executable we don't ship, and it's
|
|
|
included by the Pidgin profile only, which for good measure we
|
|
|
disabled with [[!tails_gitweb_commit 551d372]] on
|
|
|
disabled with [551d372](https://gitlab.tails.boum.org/tails/tails/-/commit/551d372) on
|
|
|
`bugfix/8007-AppArmor-hardening`
|
|
|
* the kludges needed to make them work with aufs: everything replaced
|
|
|
with aliases (and other kludges) in [[!tails_gitweb_commit 6e48b6d]]
|
|
|
with aliases (and other kludges) in [6e48b6d](https://gitlab.tails.boum.org/tails/tails/-/commit/6e48b6d)
|
|
|
* wide-open access to `$HOME` except blacklist -- everything checked,
|
|
|
in particular:
|
|
|
- Apart of Evince and Totem profiles (discussed elsewhere), only
|
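Review bot: the links for `6e48b6d` (used twice) and `551d372` carry the 7-character abbreviated hashes from the old `tails_gitweb_commit` directives into both the link text and the URL. An abbreviation can stop being unique as the repository grows, and this page is tagged as an archived audit record that needs to keep pointing at the exact hardening commits. Suggest putting the full commit hash in the URL and keeping the short form as link text only.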
... | ... | @@ -126,9 +128,10 @@ of this audit should land together into Tails 1.5. |
|
|
unavoidable without adding virtualization to the mix
|
|
|
- gives access to `machine-id`: in the current state of things, that
|
|
|
tells what exact version of Tails is running; depending on how
|
|
|
[[!tails_ticket 7100]] is addressed, this may become worse; such
|
|
|
tails/tails#7100 is addressed, this may become worse; such
|
|
|
access was allowed so that the browser can play sound with
|
|
|
PulseAudio (commit 371ba40 in our torbrowser-launcher Git repo);
|
|
|
if such access is denied, then Tor Browser plays sound directly
|
|
|
with Alsa, which makes UX worse... and breaks our automated tests.
|
|
|
We'll deal with that as part of [[!tails_ticket 7100]]. |
|
|
We'll deal with that as part of tails/tails#7100.
|
|
|
|
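Review bot: in the `machine-id` item, `commit 371ba40 in our torbrowser-launcher Git repo` stays as bare text while every other commit reference touched by this change becomes a link, so a reader of the audit cannot follow the one reference that explains why the access was allowed. Either link it to that repository or state that it is intentionally left unlinked. Separately, the hunk header grows from 9 to 10 lines although the two visible `tails/tails#7100` replacements are one-for-one; please check that the extra line is an intended trailing newline.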