1. 13 Oct, 2016 1 commit
  2. 12 Oct, 2016 1 commit
  3. 06 Oct, 2016 1 commit
      tor-controlport-filter: also match filter based on the client's user. · 6f264bb4
      anonym authored
      Sometimes the executable path just isn't enough. For instance, for the
      tor-launcher filter the executable is the unconfined firefox executable,
      also used by our chroot browsers. So let's be a bit more restrictive.
      
      While we're at it, make it possible for a single client to match
      multiple filters -- otherwise the rules for which single filter will be
      selected in case of multiple matches will just complicate things. So, if
      we want, we can now refactor common parts of filters. :)
  4. 04 Oct, 2016 1 commit
      Leverage AppArmor's in-kernel solution for determining executable paths. · ec31cf6f
      anonym authored
      Using /proc/pid/cmdline is not secure since it can be trivially set
      with, for instance:
      
          exec -a "pwned" sh -c 'cat /proc/$$/cmdline'
      
      The /proc/pid/exe symlink is not good enough for scripts (since it will
      point to the interpreter, not the script) so let's instead use
      AppArmor's in-kernel solution for determining executable paths. We
      fall back to /proc/pid/exe for unconfined processes, which leaves us with
      only unconfined scripts not being supported by tor-controlport-filter.
      However, profiles in complain mode are still good enough, so a trivial
      stub profile in complain mode is enough, which is exactly what we do for
      onionshare and onioncircuits.
  5. 26 Sep, 2016 1 commit