Restore AppArmor confinement of Tor on Jessie
feature/jessie now has Tor 0.2.7 packages that ship with systemd unit files (which is good as it allows us to resolve #5750). The problem is that they don't turn on the AppArmor profile, which is a regression vs. Wheezy-based Tails.
Restore AppArmor confinement of Tor by renaming the AppArmor profile.
Jessie's systemd has no AppArmor support, so Tor 0.2.7.x backport for Jessie's
systemd unit files don't load the profile. We've ensured that on Stretch
everything will work just as we need, but for Jessie we need this kludge:
simply rename the system_tor profile so that it's used automatically, without
having to explicitly assign it to the service.
#2 Updated by intrigeri about 4 years ago
Implementation ideas salvaged from #5750:
- renaming the usr.sbin.tor: should work, highly Tails-specific but so trivial that it's no big deal -- and we can get rid of this hack in Tails/Stretch
- wrapping the tor daemon's startup with aa-exec
- a more recent systemd than Jessie's one, hopefully from jessie-backports, compiled with AppArmor support (which is the case since 218-4 in Debian experimental)
- rebuilding Jessie's systemd with AppArmor support (I've been using that for months)
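Whichever of these options is used, the regression described in this ticket can be checked for by reading the AppArmor label the kernel reports for the running daemon. The script below is an added example, not part of the ticket or of Tails' code; it assumes the daemon's executable is `/usr/sbin/tor` (inferred from the `usr.sbin.tor` profile name), and the function names and the `procroot` parameter are hypothetical.

```shell
#!/bin/sh
# Classify an AppArmor label as read from /proc/<pid>/attr/current.
# The kernel reports "unconfined" or "<profile> (<mode>)".
# Prints the state; returns 0 only for the expected profile in enforce mode.
aa_label_check() {
    label=$1 expected=$2
    case $label in
        unconfined)             echo unconfined; return 1 ;;
        "$expected (enforce)")  echo enforce;    return 0 ;;
        "$expected (complain)") echo complain;   return 1 ;;
        *)                      echo "other:$label"; return 1 ;;
    esac
}

# Check every process whose executable is $exe.
# $expected is the profile name: a path-named profile attaches to the
# binary automatically, so after the rename it equals the executable path;
# with an explicitly assigned profile it would be e.g. system_tor.
# $procroot defaults to /proc and is a parameter only so the function can
# be run against a constructed directory tree. Reading another user's
# /proc/<pid>/exe on a live system requires root.
aa_check_exe() {
    exe=$1 expected=$2 procroot=${3:-/proc}
    found=0 rc=0
    for d in "$procroot"/[0-9]*; do
        [ "$(readlink "$d/exe" 2>/dev/null)" = "$exe" ] || continue
        found=1
        label=$(cat "$d/attr/current" 2>/dev/null) || label=unreadable
        state=$(aa_label_check "$label" "$expected") || rc=1
        echo "${d##*/} $state"
    done
    [ "$found" -eq 1 ] || { echo "no process for $exe"; return 2; }
    return $rc
}
```

On a live system, run as root: `aa_check_exe /usr/sbin/tor /usr/sbin/tor`. A non-zero exit status means the daemon is missing, unconfined, in complain mode, or running under a different profile.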