Commit 6e48b6d6 authored by intrigeri's avatar intrigeri
Browse files

Use aliases so that our AppArmor policy applies to /lib/live/mount/overlay/...

Use aliases so that our AppArmor policy applies to /lib/live/mount/overlay/ and /lib/live/mount/rootfs/filesystem.squashfs/ as well as to it applies to /.

That's something I wanted to avoid initially, for various reasons that are
explained already in [[contribute/design/application_isolation]]. However, now
that /lib/live/mount/overlay/ is accessible, I see no better way to protect
files accessed via this path as well as the same files accessed by
"normal" paths.

These changes are likely to increase policy compilation time a bit, benchmarking
will tell. If that's too severe a problem, we have a few potential ways out,
that are already documented in the "Increased policy compilation time" section
of the aforementioned piece of design doc.
parent d3e79b87
--- a/etc/apparmor.d.orig/abstractions/base 2013-07-10 22:05:57.000000000 +0000
+++ b/etc/apparmor.d/abstractions/base 2015-06-03 18:11:08.402380000 +0000
@@ -53,10 +53,11 @@
/opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,
# we might as well allow everything to use common libraries
- /lib{,32,64}/** r,
+ /lib{32,64}/** r,
+ /lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}** r,
/lib{,32,64}/lib*.so* mr,
/lib{,32,64}/**/lib*.so* mr,
- /lib/@{multiarch}/** r,
+ /lib/@{multiarch}/{[^l],l[^i],li[^v],liv[^e],live[^/]}** r,
/lib/@{multiarch}/lib*.so* mr,
/lib/@{multiarch}/**/lib*.so* mr,
/usr/lib{,32,64}/** r,
diff -Naur '--exclude=cache' /etc/apparmor.d.orig/abstractions/ubuntu-helpers /etc/apparmor.d/abstractions/ubuntu-helpers
--- a/etc/apparmor.d.orig/abstractions/ubuntu-helpers 2013-07-10 22:05:57.000000000 +0000
+++ b/etc/apparmor.d/abstractions/ubuntu-helpers 2015-06-03 18:16:42.022380000 +0000
@@ -66,7 +66,8 @@
# Full access
/ r,
/** rwkl,
- /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
+ /{,usr/,usr/local/}lib{32,64}/{,**/}*.so{,.*} m,
+ /{,usr/,usr/local/}lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}{,**/}*.so{,.*} m,
# Dangerous files
audit deny owner /**/* m, # compiled libraries
diff -Naur '--exclude=cache' /etc/apparmor.d.orig/tunables/alias /etc/apparmor.d/tunables/alias
--- a/etc/apparmor.d.orig/tunables/alias 2013-07-10 22:05:57.000000000 +0000
+++ b/etc/apparmor.d/tunables/alias 2015-06-03 18:12:46.426380000 +0000
@@ -14,3 +14,7 @@
# Or if mysql databases are stored in /home:
# alias /var/lib/mysql/ -> /home/mysql/,
+alias / -> /lib/live/mount/overlay/,
+alias / -> /lib/live/mount/rootfs/filesystem.squashfs/,
......@@ -58,7 +58,20 @@ between an access to the upper layer, and an access to the loop-backed
underlying layer.
So, we have to adjust profiles a bit to make them support the paths
that are actually seen by AppArmor in the context of Tails:
that are actually seen by AppArmor in the context of Tails.
First, we are using a couple of
so that rules applying to "normal" paths (e.g.
`/home/amnesia/.gnupg/`) also apply to Debian Live -specific paths,
such as `/lib/live/mount/overlay/home/amnesia/.gnupg/`. And, to avoid
subsequent problems with overlapping rules, and to mitigate the
increased policy compilation time (see details below), we also patch
some some very broad rules to make them _not_ apply to `/lib/live/*`.
All these changes live in
[[!tails_gitweb config/chroot_local-patches/apparmor-aliases.diff]].
Second, few more targeted adjustments are also applied:
* [[!tails_gitweb config/chroot_local-includes/etc/apparmor.d/tunables/home.d/tails]]
* [[!tails_gitweb config/chroot_local-patches/apparmor-adjust-pidgin-profile.diff]]
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment