Commit d09dbefd authored by intrigeri

AppArmor: bring back aliases for the read-write branch of the root filesystem, adjust the test suite accordingly

Since 3cdeadfe, the upper-dir (read-write
branch) of the overlayfs we mount on / is now exposed again, so to ensure
it does not provide alternative paths that would allow apps to access
files that AppArmor is supposed to block, we need to bring back the aliases
we previously had for aufs, modulo the read-write branch is now
/lib/live/mount/overlay/rw instead of /lib/live/mount/overlay.
parent cf03a367
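As an added illustration of the mechanism the commit message relies on (example code written for this page, not Tails' or AppArmor's own): the checker below parses the five alias-file lines from this commit, models `alias src -> dst` the way AppArmor does (every rule path under src is duplicated under dst, so `deny` rules are rewritten too) together with `@{VAR}` tunables and `*`/`**` globbing, and lists candidate paths that no rule reaches. Assumptions: the two base tunables are taken from upstream AppArmor's tunables/home; the rule path `@{HOME}/.gnupg/**` stands in for the real profile rules, which are not on this page; the candidate paths are constructed from the feature files; brace alternation in globs is not modelled. Because only the three aliases visible in this commit are loaded, `/live/overlay/rw/...` is reported as uncovered (the test-suite comments say that path is handled by a further alias not shown here), and so is the pre-3cdeadfe `/lib/live/mount/overlay/home/...` path.

```python
"""Model AppArmor alias and @{VAR} expansion and report paths no rule covers.

Example code for this page, not part of Tails or AppArmor.
"""
import re
from typing import Dict, Iterable, List, Pattern, Tuple

# Assumed: upstream AppArmor tunables/home defaults (not shown on the page).
BASE_TUNABLES = [
    "@{HOMEDIRS}=/home/",
    "@{HOME}=@{HOMEDIRS}/*/ /root/",
]

# The five lines of the alias-file hunk in this commit.
ALIAS_HUNK = [
    "alias / -> /lib/live/mount/overlay/rw/,",
    "alias / -> /lib/live/mount/rootfs/*.squashfs/,",
    "alias / -> /rw/,",
    "@{HOMEDIRS}+=/lib/live/mount/overlay/rw/home/",
    "@{HOMEDIRS}+=/rw/home/",
]

# Hypothetical rule path standing in for the real profile rules (assumption).
RULE_PATHS = ["@{HOME}/.gnupg/**"]

# Constructed candidates: the views the feature files open, plus two with no alias here.
CANDIDATES = [
    "/home/amnesia/.gnupg/default-testpage.pdf",
    "/lib/live/mount/overlay/rw/home/amnesia/.gnupg/default-testpage.pdf",
    "/rw/home/amnesia/.gnupg/default-testpage.pdf",
    "/lib/live/mount/rootfs/filesystem.squashfs/home/amnesia/.gnupg/default-testpage.pdf",
    "/live/overlay/rw/home/amnesia/.gnupg/default-testpage.pdf",
    "/lib/live/mount/overlay/home/amnesia/.gnupg/default-testpage.pdf",
]


def normalize(path: str) -> str:
    """Collapse repeated slashes, as AppArmor does when joining @{VAR} values."""
    return re.sub(r"/{2,}", "/", path)


def parse_variables(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Parse '@{VAR}=a b' and '@{VAR}+=c' lines into value lists."""
    variables: Dict[str, List[str]] = {}
    for line in lines:
        m = re.match(r"\s*@\{(\w+)\}\s*(\+?=)\s*(.*?)\s*$", line)
        if not m:
            continue
        name, op, rhs = m.groups()
        if op == "=":
            variables[name] = rhs.split()
        else:
            variables.setdefault(name, []).extend(rhs.split())
    return variables


def parse_aliases(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse 'alias src -> dst,' lines into (src, dst) pairs."""
    aliases = []
    for line in lines:
        m = re.match(r"\s*alias\s+(\S+)\s*->\s*(\S+?),?\s*$", line)
        if m:
            aliases.append((m.group(1), m.group(2)))
    return aliases


def expand_variables(pattern: str, variables: Dict[str, List[str]]) -> List[str]:
    """Substitute @{VAR} references; a multi-valued variable yields one pattern per value."""
    pending, done = [pattern], []
    while pending:
        current = pending.pop()
        m = re.search(r"@\{(\w+)\}", current)
        if not m:
            done.append(normalize(current))
            continue
        for value in variables.get(m.group(1), []):
            pending.append(current[: m.start()] + value + current[m.end():])
    return done


def apply_aliases(pattern: str, aliases: List[Tuple[str, str]]) -> List[str]:
    """Mirror 'alias src -> dst': a rule path under src also applies under dst."""
    out = [pattern]
    for src, dst in aliases:
        if pattern.startswith(src):
            out.append(normalize(dst + pattern[len(src):]))
    return out


def glob_to_regex(pattern: str) -> Pattern[str]:
    """AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
            continue
        ch = pattern[i]
        parts.append({"*": "[^/]*", "?": "[^/]"}.get(ch, re.escape(ch)))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def uncovered_paths(rule_paths, candidates, tunable_lines, alias_lines) -> List[str]:
    """Return the candidate paths that no rule reaches after variable and alias expansion."""
    variables = parse_variables(tunable_lines)
    aliases = parse_aliases(alias_lines)
    regexes = [
        glob_to_regex(aliased)
        for rule in rule_paths
        for expanded in expand_variables(rule, variables)
        for aliased in apply_aliases(expanded, aliases)
    ]
    return [p for p in candidates if not any(r.match(normalize(p)) for r in regexes)]


def demo() -> List[str]:
    """Run the checker on the constructed data above."""
    return uncovered_paths(RULE_PATHS, CANDIDATES, BASE_TUNABLES + ALIAS_HUNK, ALIAS_HUNK)


if __name__ == "__main__":
    for path in demo():
        print("not covered by any rule:", path)
```

Feeding the checker the real alias file and a dump of the mount table (`findmnt -rn -o TARGET`) is the practical use: any mount point that exposes the same upper-dir and is not returned by an alias or `@{HOMEDIRS}` entry shows up as uncovered, which is exactly the class of bypass the commit message describes.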
alias / -> /lib/live/mount/overlay/rw/,
alias / -> /lib/live/mount/rootfs/*.squashfs/,
alias / -> /rw/,
@{HOMEDIRS}+=/lib/live/mount/overlay/rw/home/
@{HOMEDIRS}+=/rw/home/
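Review bot: the commit message justifies only the `/lib/live/mount/overlay/rw/` alias, yet this hunk also carries `alias / -> /rw/,` and `@{HOMEDIRS}+=/rw/home/`, and none of the feature files in this commit open a `/rw/...` path; either say in the message what `/rw/` is and add a step exercising it (e.g. `And the file "/rw/home/amnesia/.gnupg/default-testpage.pdf" exists`), or drop the two lines if it is not a mount point in current images. Keep in mind that alias rules rewrite every path in every profile, `deny` rules included, so the `/lib/live/*` exclusions mentioned in the design-doc change below need the same consideration for `/rw/*` if the overlapping-rule problem can arise there.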
......@@ -25,24 +25,24 @@ Feature: Using Evince
Given I have started Tails from DVD without network and logged in
And I copy "/usr/share/cups/data/default-testpage.pdf" to "/home/amnesia/.gnupg" as user "amnesia"
Then the file "/home/amnesia/.gnupg/default-testpage.pdf" exists
And the file "/lib/live/mount/overlay/home/amnesia/.gnupg/default-testpage.pdf" exists after at most 10 seconds
And the file "/live/overlay/home/amnesia/.gnupg/default-testpage.pdf" exists after at most 10 seconds
And the file "/lib/live/mount/overlay/rw/home/amnesia/.gnupg/default-testpage.pdf" exists after at most 10 seconds
And the file "/live/overlay/rw/home/amnesia/.gnupg/default-testpage.pdf" exists after at most 10 seconds
Given I start monitoring the AppArmor log of "/usr/bin/evince"
When I try to open "/home/amnesia/.gnupg/default-testpage.pdf" with Evince
Then I see "EvinceUnableToOpen.png" after at most 10 seconds
And AppArmor has denied "/usr/bin/evince" from opening "/home/amnesia/.gnupg/default-testpage.pdf"
When I close Evince
Given I restart monitoring the AppArmor log of "/usr/bin/evince"
When I try to open "/lib/live/mount/overlay/home/amnesia/.gnupg/default-testpage.pdf" with Evince
When I try to open "/lib/live/mount/overlay/rw/home/amnesia/.gnupg/default-testpage.pdf" with Evince
Then I see "EvinceUnableToOpen.png" after at most 10 seconds
And AppArmor has denied "/usr/bin/evince" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/default-testpage.pdf"
And AppArmor has denied "/usr/bin/evince" from opening "/lib/live/mount/overlay/rw/home/amnesia/.gnupg/default-testpage.pdf"
When I close Evince
Given I restart monitoring the AppArmor log of "/usr/bin/evince"
When I try to open "/live/overlay/home/amnesia/.gnupg/default-testpage.pdf" with Evince
When I try to open "/live/overlay/rw/home/amnesia/.gnupg/default-testpage.pdf" with Evince
Then I see "EvinceUnableToOpen.png" after at most 10 seconds
# Due to our AppArmor aliases, /live/overlay will be treated
# as /lib/live/mount/overlay.
And AppArmor has denied "/usr/bin/evince" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/default-testpage.pdf"
And AppArmor has denied "/usr/bin/evince" from opening "/lib/live/mount/overlay/rw/home/amnesia/.gnupg/default-testpage.pdf"
#10994
@fragile
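Review bot: the comment `# Due to our AppArmor aliases, /live/overlay will be treated` / `# as /lib/live/mount/overlay.` is now stale: the step it explains opens `/live/overlay/rw/...` and expects the denial to be logged for `/lib/live/mount/overlay/rw/...`, so reword it to name the read-write branch, e.g. `/live/overlay/rw will be treated as /lib/live/mount/overlay/rw`.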
......
......@@ -87,10 +87,10 @@ Feature: Chatting anonymously using Pidgin
Then I cannot add a certificate from the "/home/amnesia/.gnupg" directory to Pidgin
When I close Pidgin's certificate import failure dialog
And I close Pidgin's certificate manager
Then I cannot add a certificate from the "/lib/live/mount/overlay/home/amnesia/.gnupg" directory to Pidgin
Then I cannot add a certificate from the "/lib/live/mount/overlay/rw/home/amnesia/.gnupg" directory to Pidgin
When I close Pidgin's certificate import failure dialog
And I close Pidgin's certificate manager
Then I cannot add a certificate from the "/live/overlay/home/amnesia/.gnupg" directory to Pidgin
Then I cannot add a certificate from the "/live/overlay/rw/home/amnesia/.gnupg" directory to Pidgin
@check_tor_leaks
Scenario: Using a persistent Pidgin configuration
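Review bot: the three `Then I cannot add a certificate from ...` steps only check the import-failure dialog; unlike the Evince, Totem and Tor Browser scenarios there is no `monitoring the AppArmor log` / `AppArmor has denied ... from opening` pair around them in this hunk, so the scenario would also pass if the file were unreadable or absent for a reason other than the profile. Suggest adding the log-monitoring and denial assertions for the `/lib/live/mount/overlay/rw/home/amnesia/.gnupg` and `/live/overlay/rw/home/amnesia/.gnupg` paths, plus a file-existence check as the other features do.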
......
......@@ -55,8 +55,8 @@ Feature: Browsing the web using the Tor Browser
And I copy "/usr/share/synaptic/html/index.html" to "/home/amnesia/.gnupg/synaptic.html" as user "amnesia"
And I copy "/usr/share/synaptic/html/index.html" to "/tmp/synaptic.html" as user "amnesia"
Then the file "/home/amnesia/.gnupg/synaptic.html" exists
And the file "/lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html" exists
And the file "/live/overlay/home/amnesia/.gnupg/synaptic.html" exists
And the file "/lib/live/mount/overlay/rw/home/amnesia/.gnupg/synaptic.html" exists
And the file "/live/overlay/rw/home/amnesia/.gnupg/synaptic.html" exists
And the file "/tmp/synaptic.html" exists
Given I start monitoring the AppArmor log of "torbrowser_firefox"
When I start the Tor Browser
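Review bot: the existence checks for `/lib/live/mount/overlay/rw/home/amnesia/.gnupg/synaptic.html` and `/live/overlay/rw/home/amnesia/.gnupg/synaptic.html` assert immediately, whereas the Evince scenario in this same commit uses `exists after at most 10 seconds` for the same two overlay views; use one form in both features so they do not disagree about whether the upper-dir view may lag behind the write.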
......@@ -69,15 +69,15 @@ Feature: Browsing the web using the Tor Browser
Then I do not see "TorBrowserSynapticManual.png" after at most 5 seconds
And AppArmor has denied "torbrowser_firefox" from opening "/home/amnesia/.gnupg/synaptic.html"
Given I restart monitoring the AppArmor log of "torbrowser_firefox"
When I open the address "file:///lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html" in the Tor Browser
When I open the address "file:///lib/live/mount/overlay/rw/home/amnesia/.gnupg/synaptic.html" in the Tor Browser
Then I do not see "TorBrowserSynapticManual.png" after at most 5 seconds
And AppArmor has denied "torbrowser_firefox" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html"
And AppArmor has denied "torbrowser_firefox" from opening "/lib/live/mount/overlay/rw/home/amnesia/.gnupg/synaptic.html"
Given I restart monitoring the AppArmor log of "torbrowser_firefox"
When I open the address "file:///live/overlay/home/amnesia/.gnupg/synaptic.html" in the Tor Browser
When I open the address "file:///live/overlay/rw/home/amnesia/.gnupg/synaptic.html" in the Tor Browser
Then I do not see "TorBrowserSynapticManual.png" after at most 5 seconds
# Due to our AppArmor aliases, /live/overlay will be treated
# as /lib/live/mount/overlay.
And AppArmor has denied "torbrowser_firefox" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html"
And AppArmor has denied "torbrowser_firefox" from opening "/lib/live/mount/overlay/rw/home/amnesia/.gnupg/synaptic.html"
# We do not get any AppArmor log for when access to files in /tmp is denied
# since we explictly override (commit 51c0060) the rules (from the user-tmp
# abstration) that would otherwise allow it, and we do so with "deny", which
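Review bot: the comment `# Due to our AppArmor aliases, /live/overlay will be treated` / `# as /lib/live/mount/overlay.` is stale here too: the address opened is `file:///live/overlay/rw/...` and the expected denial is for `/lib/live/mount/overlay/rw/...`, so name the `rw` branch in the comment. While editing these lines, `explictly` and `abstration` in the following comment are misspelled (`explicitly`, `abstraction`).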
......
......@@ -25,19 +25,19 @@ Feature: Using Totem
Then I see "TotemUnableToOpen.png" after at most 10 seconds
And AppArmor has denied "/usr/bin/totem" from opening "/home/amnesia/.gnupg/video.mp4"
Given I close Totem
And the file "/lib/live/mount/overlay/home/amnesia/.gnupg/video.mp4" exists
And the file "/lib/live/mount/overlay/rw/home/amnesia/.gnupg/video.mp4" exists
And I restart monitoring the AppArmor log of "/usr/bin/totem"
When I try to open "/lib/live/mount/overlay/home/amnesia/.gnupg/video.mp4" with Totem
When I try to open "/lib/live/mount/overlay/rw/home/amnesia/.gnupg/video.mp4" with Totem
Then I see "TotemUnableToOpen.png" after at most 10 seconds
And AppArmor has denied "/usr/bin/totem" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/video.mp4"
And AppArmor has denied "/usr/bin/totem" from opening "/lib/live/mount/overlay/rw/home/amnesia/.gnupg/video.mp4"
Given I close Totem
And the file "/live/overlay/home/amnesia/.gnupg/video.mp4" exists
And the file "/live/overlay/rw/home/amnesia/.gnupg/video.mp4" exists
And I restart monitoring the AppArmor log of "/usr/bin/totem"
When I try to open "/live/overlay/home/amnesia/.gnupg/video.mp4" with Totem
When I try to open "/live/overlay/rw/home/amnesia/.gnupg/video.mp4" with Totem
Then I see "TotemUnableToOpen.png" after at most 10 seconds
# Due to our AppArmor aliases, /live/overlay will be treated
# as /lib/live/mount/overlay.
And AppArmor has denied "/usr/bin/totem" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/video.mp4"
And AppArmor has denied "/usr/bin/totem" from opening "/lib/live/mount/overlay/rw/home/amnesia/.gnupg/video.mp4"
Given I close Totem
And I copy "/home/amnesia/video.mp4" to "/home/amnesia/.purple/otr.private_key" as user "amnesia"
And the file "/home/amnesia/.purple/otr.private_key" exists
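Review bot: same stale comment as in the Evince and Tor Browser features: `/live/overlay will be treated as /lib/live/mount/overlay` no longer matches the step, which opens `/live/overlay/rw/home/amnesia/.gnupg/video.mp4` and expects the denial to be logged for `/lib/live/mount/overlay/rw/...`; update it to mention the `rw` branch so the three features stay consistent.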
......
......@@ -65,7 +65,7 @@ First, we are using a couple of
[aliases](http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Alias_and_rewrite_rules)
so that rules applying to "normal" paths (e.g.
`/home/amnesia/.gnupg/`) also apply to Debian Live -specific paths,
such as `/lib/live/mount/overlay/home/amnesia/.gnupg/`. And, to avoid
such as `/lib/live/mount/overlay/rw/home/amnesia/.gnupg/`. And, to avoid
subsequent problems with overlapping rules, and to mitigate the
increased policy compilation time (see details below), we also patch
some some very broad rules to make them _not_ apply to `/lib/live/*`.
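Review bot: `some some very broad rules` is a doubled word in the context line; since this paragraph is being touched, drop the repeat. More substantively, the text names only `/lib/live/mount/overlay/rw/home/amnesia/.gnupg/` as the Debian Live-specific path, but the alias file in this commit also maps `/` to `/rw/` and extends `@{HOMEDIRS}` with `/rw/home/`; list that path too so the design documentation matches the policy.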
......
......@@ -573,15 +573,15 @@ SquashFS file order
perl -ni -E 'chomp; say unless m{(?:
[.]pyc\s+\d+\z
| \Alib/live/mount/medium/live/(?:filesystem[.]squashfs|initrd[.]img)\s
| \Alib/live/mount/overlay/etc/fstab\s
| \Alib/live/mount/overlay/etc/console-setup/cached_\S+[.](?:gz|sh)\s
| \Alib/live/mount/overlay/etc/machine-id\s
| \Alib/live/mount/overlay/etc/network/interfaces\s
| \Alib/live/mount/overlay/var/log/wtmp\s
| \A(?:lib/live/mount/overlay/)?etc/apparmor[.]d/cache/[.]features\s
| \A(?:lib/live/mount/overlay/)?etc/(?:group|gshadow|passwd|shadow)-\s
| \A(?:lib/live/mount/overlay/)?etc/resolv-over-clearnet[.]conf\s
| \A(?:lib/live/mount/overlay/)?etc/skel/[.]config/autostart/end-profile[.]desktop\s
| \Alib/live/mount/overlay/rw/etc/fstab\s
| \Alib/live/mount/overlay/rw/etc/console-setup/cached_\S+[.](?:gz|sh)\s
| \Alib/live/mount/overlay/rw/etc/machine-id\s
| \Alib/live/mount/overlay/rw/etc/network/interfaces\s
| \Alib/live/mount/overlay/rw/var/log/wtmp\s
| \A(?:lib/live/mount/overlay/rw/)?etc/apparmor[.]d/cache/[.]features\s
| \A(?:lib/live/mount/overlay/rw/)?etc/(?:group|gshadow|passwd|shadow)-\s
| \A(?:lib/live/mount/overlay/rw/)?etc/resolv-over-clearnet[.]conf\s
| \A(?:lib/live/mount/overlay/rw/)?etc/skel/[.]config/autostart/end-profile[.]desktop\s
| \Arun/
| \Avar/lib/AccountsService/users/Debian-gdm\s
| \Avar/lib/gdm3/[#]\d+\s
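Review bot: the filter now ignores only entries under `lib/live/mount/overlay/rw/`, so anything still appearing directly under `lib/live/mount/overlay/` will surface in the SquashFS file-order output instead of being dropped. Before relying on the new patterns, check a real file list for such leftovers, e.g. `grep '^lib/live/mount/overlay/' sort-file | grep -v '^lib/live/mount/overlay/rw/'`; overlayfs also needs a work directory on the same filesystem as the upper directory, and if it lives under the same parent its entries may need a pattern of their own.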
......