Commit 57c05619 authored by intrigeri's avatar intrigeri

Merge branch 'feature/15472-torbrowser-apparmor-updates' into devel (Fix-committed: #15472)

parents eebe438c 6a21e653
......@@ -59,10 +59,6 @@ Package: systemd systemd-sysv systemd-container systemd-journal-remote systemd-c
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
Package: onionshare
Pin: release o=Debian,n=sid
Pin-Priority: 999
Package: openpgp-applet
Pin: release o=Debian,n=sid
Pin-Priority: 999
......
......@@ -41,7 +41,7 @@ install_torbrowser_AppArmor_profiles() {
tmpdir="$(mktemp -d)"
(
cd "$tmpdir"
apt-get source torbrowser-launcher/stretch-backports
apt-get source torbrowser-launcher/sid
install -m 0644 \
torbrowser-launcher-*/apparmor/torbrowser.Browser.* \
/etc/apparmor.d/
......
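Review bot: `apt-get source torbrowser-launcher/sid` on the new line takes whatever version is in unstable at build time, so the profiles copied by `install -m 0644 torbrowser-launcher-*/apparmor/torbrowser.Browser.* /etc/apparmor.d/` can change without any change in this repository, and the in-tree patch that expects the named `torbrowser_firefox` profile would then be applied against an upstream file nobody reviewed. If the version is not already fixed elsewhere (the apt preferences hunk above may do that, but its removed lines cannot be told apart on this page), pin it here with `apt-get source torbrowser-launcher=<VERSION>` (placeholder) or check the unpacked version before the copy. Whether the subshell runs under `set -e` and whether `$tmpdir` is removed afterwards lies outside the hunk; without `set -e` a failed download leaves the glob unmatched and `install` failing, and the build should abort there rather than produce an image without these profiles.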
---
- exe-paths:
- apparmor-profiles:
- '/usr/bin/onioncircuits'
users:
- 'amnesia'
......
---
- exe-paths:
- apparmor-profiles:
- '/usr/bin/onionshare'
- '/usr/bin/onionshare-gui'
users:
......
---
- exe-paths:
- '/usr/local/lib/tor-browser/firefox'
- apparmor-profiles:
- 'torbrowser_firefox'
users:
- 'amnesia'
commands:
......
---
- exe-paths:
- apparmor-profiles:
- '/usr/local/lib/tor-browser/firefox-unconfined'
users:
- 'tor-launcher'
......
......@@ -12,8 +12,10 @@
# dictionary looking something like this:
#
# - name: blabla
# exe-paths:
# - path_to_executable
# apparmor-profiles:
# - path_to_executable_if_that_is_the_name_of_the_apparmor_profile
# # or
# - explicit_apparmor_profile_name
# ...
# users:
# - user
......@@ -47,10 +49,10 @@
# least one of the elements match the client. For local (loopback)
# clients the following qualifiers are relevant:
#
# * `exe-paths`: a list of strings, each describing the path to
# the binary or script of the client with `*` matching
# anything. While this matcher always works for binaries, it only
# works for scripts with an enabled AppArmor profile (not
# * `apparmor-profiles`: a list of strings, each being the name
# of the AppArmor profile applied to the binary or script of the client,
# with `*` matching anything. While this matcher always works for binaries,
# it only works for scripts with an enabled AppArmor profile (not
# necessarily enforced, complain mode is good enough).
#
# * `users`: a list of strings, each describing the user of the
......@@ -163,7 +165,7 @@ def pid_of_laddr(address):
return None
def exe_path_of_pid(pid):
def apparmor_profile_of_pid(pid):
# Here we leverage AppArmor's in-kernel solution for determining
# the exact executable invoked. Looking at /proc/pid/exe when an
# interpreted script is running will just point to the
......@@ -172,12 +174,12 @@ def exe_path_of_pid(pid):
# using one of its profiles. However, we fallback to /proc/pid/exe
# in case there is no AppArmor profile, so the only unsupported
# mode here is unconfined scripts.
enabled_aa_profile_re = r'^(/.+) \((?:complain|enforce)\)$'
enabled_aa_profile_re = r'^(.+) \((?:complain|enforce)\)$'
with open('/proc/{}/attr/current'.format(str(pid)), "rb") as fh:
aa_profile_status = str(fh.read().strip(), 'UTF-8')
exe_path_match = re.match(enabled_aa_profile_re, aa_profile_status)
if exe_path_match:
return exe_path_match.group(1)
apparmor_profile_match = re.match(enabled_aa_profile_re, aa_profile_status)
if apparmor_profile_match:
return apparmor_profile_match.group(1)
else:
return psutil.Process(pid).exe()
......@@ -580,11 +582,11 @@ class FilteredControlPortProxyHandler(socketserver.StreamRequestHandler):
# client being killed before we find the PID.
if not self.client_pid:
return
client_exe_path = exe_path_of_pid(self.client_pid)
client_apparmor_profile = apparmor_profile_of_pid(self.client_pid)
client_user = psutil.Process(self.client_pid).username()
matchers = [
('exe-paths', client_exe_path),
('users', client_user),
('apparmor-profiles', client_apparmor_profile),
('users', client_user),
]
else:
self.client_pid = None
......@@ -593,9 +595,9 @@ class FilteredControlPortProxyHandler(socketserver.StreamRequestHandler):
]
self.match_and_parse_filter(matchers)
if local_connection:
self.client_desc = '{exe} (pid: {pid}, user: {user}, ' \
self.client_desc = '{aa_profile} (pid: {pid}, user: {user}, ' \
'port: {port}, filter: {filter_name})'.format(
exe=client_exe_path,
aa_profile=client_apparmor_profile,
pid=self.client_pid,
user=client_user,
port=self.client_address[1],
......
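Review bot: The matchers list in the handler hunk now carries only `('apparmor-profiles', client_apparmor_profile)` and `('users', client_user)`, so a filter file that still uses the old `exe-paths` qualifier is handled entirely by match_and_parse_filter, which is outside this view: if it ignores unknown qualifiers, such a stale filter degrades to matching on `users` alone, a fail-open outcome for a control-port filter. Unless that function already rejects unknown keys, make `exe-paths` a hard error at filter-load time so an unconverted filter fails closed, and confirm that every filter file in the configured directory was converted, not only the four in this commit. The qualifier documentation in the comment hunk should also state the fallback that apparmor_profile_of_pid implements: for a client with no enforce/complain profile the value compared is the `/proc/<pid>/exe` path, which is what path-valued entries such as `'/usr/bin/onionshare'` rely on, e.g. `# For an unconfined client the executable path (from /proc/<pid>/exe) is used in place of a profile name.` That function reads `/proc/<pid>/attr/current` and calls `psutil.Process(pid)` without handling the client exiting in between, while the caller guards only a `None` pid; the remainder of both functions is outside the hunks.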
diff --git a/etc/apparmor.d/torbrowser.Browser.firefox b/etc/apparmor.d/torbrowser.Browser.firefox
index d0aded9..3be3872 100644
--- a/etc/apparmor.d/torbrowser.Browser.firefox
+++ b/etc/apparmor.d/torbrowser.Browser.firefox
@@ -1,8 +1,9 @@
@@ -1,10 +1,11 @@
#include <tunables/global>
#include <tunables/torbrowser>
-/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox {
+/usr/local/lib/tor-browser/firefox {
-@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox
+@{torbrowser_firefox_executable} = /usr/local/lib/tor-browser/firefox
profile torbrowser_firefox @{torbrowser_firefox_executable} {
#include <abstractions/gnome>
+ #include <abstractions/ibus>
# Uncomment the following lines if you want to give the Tor Browser read-write
# access to most of your personal files.
@@ -22,13 +23,16 @@
@@ -25,13 +26,16 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
deny /etc/passwd r,
deny /etc/group r,
deny /etc/mailcap r,
......@@ -30,7 +34,7 @@
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/stat r,
@@ -36,28 +40,32 @@
@@ -39,30 +43,32 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
owner @{PROC}/@{pid}/task/*/stat r,
@{PROC}/sys/kernel/random/uuid r,
......@@ -44,6 +48,8 @@
- owner @{torbrowser_home_dir}.bak/ rwk,
- owner @{torbrowser_home_dir}.bak/** rwk,
- owner @{torbrowser_home_dir}/*.so mr,
- owner @{torbrowser_home_dir}/.cache/fontconfig/ rwk,
- owner @{torbrowser_home_dir}/.cache/fontconfig/** rwkl,
- owner @{torbrowser_home_dir}/components/*.so mr,
- owner @{torbrowser_home_dir}/browser/components/*.so mr,
- owner @{torbrowser_home_dir}/firefox rix,
......@@ -85,7 +91,7 @@
/etc/mailcap r,
/etc/mime.types r,
@@ -80,12 +88,6 @@
@@ -85,12 +91,6 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
/sys/devices/system/node/node[0-9]*/meminfo r,
deny /sys/devices/virtual/block/*/uevent r,
......@@ -98,7 +104,7 @@
# Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
owner /{dev,run}/shm/org.chromium.* rw,
@@ -99,6 +101,32 @@
@@ -104,6 +104,32 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
deny @{HOME}/.cache/fontconfig/** rw,
deny @{HOME}/.config/gtk-2.0/ rw,
deny @{HOME}/.config/gtk-2.0/** rw,
......@@ -131,7 +137,7 @@
deny @{PROC}/@{pid}/net/route r,
deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
@@ -110,5 +138,11 @@
@@ -119,5 +145,10 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
/etc/xfce4/defaults.list r,
/usr/share/xfce4/applications/ r,
......@@ -143,25 +149,24 @@
+ deny owner /tmp/** rwklx,
+ deny /tmp/ rwklx,
}
+
diff --git a/etc/apparmor.d/torbrowser.Browser.plugin-container b/etc/apparmor.d/torbrowser.Browser.plugin-container
index fe95fdb..7ebf9d6 100644
--- a/etc/apparmor.d/torbrowser.Browser.plugin-container
+++ b/etc/apparmor.d/torbrowser.Browser.plugin-container
@@ -8,10 +8,10 @@ profile torbrowser_plugin_container {
# to have direct access to your sound hardware. You will also
# need to remove the "deny" word in the machine-id lines further
# bellow.
@@ -10,9 +10,9 @@ profile torbrowser_plugin_container {
# - the "deny" word in the machine-id lines
# - the rules that deny reading /etc/pulse/client.conf
# and executing /usr/bin/pulseaudio
- # #include <abstractions/audio>
- # /etc/asound.conf r,
- # owner @{PROC}/@{pid}/fd/ r,
- # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw,
+ #include <abstractions/audio>
+ /etc/asound.conf r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{HOME}/.tor-browser/profile.default/tmp/mozilla-temp-* rw,
deny /etc/host.conf r,
deny /etc/hosts r,
@@ -21,8 +21,10 @@ profile torbrowser_plugin_container {
signal (receive) set=("term") peer=torbrowser_firefox,
@@ -24,8 +24,8 @@ profile torbrowser_plugin_container {
deny /etc/group r,
deny /etc/mailcap r,
......@@ -169,12 +174,10 @@
- deny /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+
+ /usr/share/applications/gnome-mimeapps.list r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/stat r,
@@ -30,28 +32,27 @@ profile torbrowser_plugin_container {
/etc/mime.types r,
/usr/share/applications/gnome-mimeapps.list r,
@@ -39,28 +39,27 @@ profile torbrowser_plugin_container {
owner @{PROC}/@{pid}/task/*/stat r,
@{PROC}/sys/kernel/random/uuid r,
......@@ -224,12 +227,16 @@
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/present r,
@@ -77,6 +78,12 @@ profile torbrowser_plugin_container {
@@ -86,10 +85,16 @@ profile torbrowser_plugin_container {
deny @{PROC}/@{pid}/net/route r,
deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
+ deny @{HOME}/.cache/fontconfig/ w,
# Silence denial logs about PulseAudio
deny /etc/pulse/client.conf r,
deny /usr/bin/pulseaudio x,
- #include <local/torbrowser.Browser.plugin-container>
+ # Deny access to global tmp directories, that's granted by the user-tmp
+ # abstraction, which is sourced by the gnome abstraction, that we include.
......@@ -238,6 +245,8 @@
+ deny owner /tmp/** rwklx,
+ deny /tmp/ rwklx,
}
diff --git a/etc/apparmor.d/tunables/torbrowser b/etc/apparmor.d/tunables/torbrowser
index 9b31139..f77e082 100644
--- a/etc/apparmor.d/tunables/torbrowser
+++ b/etc/apparmor.d/tunables/torbrowser
@@ -1,2 +1 @@
......
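Review bot: The new patch context `profile torbrowser_firefox @{torbrowser_firefox_executable} {` makes the literal profile name load-bearing outside this file: the control-port filter now lists `'torbrowser_firefox'` and the feature test monitors the AppArmor log by that name, while the build fetches the upstream package from sid without a version pin, so an upstream rename in a later upload would silently stop the filter from matching Tor Browser at runtime. A comment in the patch next to the `profile` line, or in the filter file, saying that the name is shared with the control-port filter configuration and the test suite would make that dependency visible to whoever rebases this patch next. The outer diff markers of this section are lost on this page, so which of the `+`/`-` lines are new in the patch and which are carried over cannot be told here.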
......@@ -70,26 +70,26 @@ Feature: Browsing the web using the Tor Browser
And the file "/lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html" exists
And the file "/live/overlay/home/amnesia/.gnupg/synaptic.html" exists
And the file "/tmp/synaptic.html" exists
Given I start monitoring the AppArmor log of "/usr/local/lib/tor-browser/firefox"
Given I start monitoring the AppArmor log of "torbrowser_firefox"
When I start the Tor Browser
And the Tor Browser loads the startup page
And I open the address "file:///home/amnesia/Tor Browser/synaptic.html" in the Tor Browser
Then I see "TorBrowserSynapticManual.png" after at most 5 seconds
And AppArmor has not denied "/usr/local/lib/tor-browser/firefox" from opening "/home/amnesia/Tor Browser/synaptic.html"
Given I restart monitoring the AppArmor log of "/usr/local/lib/tor-browser/firefox"
And AppArmor has not denied "torbrowser_firefox" from opening "/home/amnesia/Tor Browser/synaptic.html"
Given I restart monitoring the AppArmor log of "torbrowser_firefox"
When I open the address "file:///home/amnesia/.gnupg/synaptic.html" in the Tor Browser
Then I do not see "TorBrowserSynapticManual.png" after at most 5 seconds
And AppArmor has denied "/usr/local/lib/tor-browser/firefox" from opening "/home/amnesia/.gnupg/synaptic.html"
Given I restart monitoring the AppArmor log of "/usr/local/lib/tor-browser/firefox"
And AppArmor has denied "torbrowser_firefox" from opening "/home/amnesia/.gnupg/synaptic.html"
Given I restart monitoring the AppArmor log of "torbrowser_firefox"
When I open the address "file:///lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html" in the Tor Browser
Then I do not see "TorBrowserSynapticManual.png" after at most 5 seconds
And AppArmor has denied "/usr/local/lib/tor-browser/firefox" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html"
Given I restart monitoring the AppArmor log of "/usr/local/lib/tor-browser/firefox"
And AppArmor has denied "torbrowser_firefox" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html"
Given I restart monitoring the AppArmor log of "torbrowser_firefox"
When I open the address "file:///live/overlay/home/amnesia/.gnupg/synaptic.html" in the Tor Browser
Then I do not see "TorBrowserSynapticManual.png" after at most 5 seconds
# Due to our AppArmor aliases, /live/overlay will be treated
# as /lib/live/mount/overlay.
And AppArmor has denied "/usr/local/lib/tor-browser/firefox" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html"
And AppArmor has denied "torbrowser_firefox" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html"
# We do not get any AppArmor log for when access to files in /tmp is denied
# since we explictly override (commit 51c0060) the rules (from the user-tmp
# abstration) that would otherwise allow it, and we do so with "deny", which
......