Feature #11930

Review AppArmor profiles for OnionShare

Added by u about 3 years ago. Updated almost 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
11/16/2016
Due date:
% Done:
100%

Feature Branch:
feature/7870-include_onionshare
Type of work:
Security Audit
Blueprint:
Starter:
Affected tool:
OnionShare

Description

We intend to upstream our apparmor profiles for Onionshare. It would be nice to have a second, more security related, review of them.


Related issues

Related to Tails - Bug #12143: AppArmor blocks OnionShare from accessing folders below /home/amnesia Resolved 01/14/2017
Blocks Tails - Feature #11929: Upstream AppArmor profiles for Onionshare Resolved 11/16/2016

History

#1 Updated by u about 3 years ago

  • Assignee set to jvoisin

Hi jvoisin,

Would you be able to look at this? I'll provide you with a link and a testing ISO soon.

#2 Updated by u about 3 years ago

  • Parent task deleted (#11929)

#3 Updated by u about 3 years ago

  • Parent task set to #7870

#5 Updated by u about 3 years ago

  • Feature Branch set to tails:tails/feature/7870-include_onionshare

#6 Updated by u about 3 years ago

Reported by jvoisin:

  • /usr/share/icons/Adwaita/index.theme -> no need to rwk*, just reading should be enough.
  • Shouldn't `deny /{,lib/live/mount/rootfs/filesystem.squashfs/}etc/machine-id r, deny /var/lib/dbus/machine-id.* rw,` go into an abstraction? -> maybe not, because that's only used by the gui.

#7 Updated by u about 3 years ago

https://git-tails.immerda.ch/tails/tree/config/chroot_local-includes/etc/apparmor.d/abstractions/onionshare?h=feature/7870-include_onionshare -> there are Python-related instructions which it might be worth investigating: why aren't they part of the python abstraction?

#8 Updated by jvoisin almost 3 years ago

  • Assignee changed from jvoisin to u

You summarised my feedback pretty well. I'll only add that there is some code duplication floating around that could/should be factorized, but nothing critical. Good job.
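The two review points above (jvoisin's in #6: read-only data like the Adwaita icon theme does not need `rwk`, and in #8: rules duplicated between the profile and its abstraction should be factorized) can be checked mechanically. The following is an added illustration, not code from Tails or OnionShare: a small linter over constructed AppArmor rule text that mirrors the rules quoted in this ticket, with the profile and abstraction names being hypothetical.

```python
import re

# Constructed sample input modelled on the rules discussed in this ticket;
# the split between "profile" and "abstraction" is hypothetical.
PROFILE = """
/usr/share/icons/Adwaita/index.theme rwk,
deny /{,lib/live/mount/rootfs/filesystem.squashfs/}etc/machine-id r,
/usr/share/onionshare/** r,
"""
ABSTRACTION = """
deny /var/lib/dbus/machine-id.* rw,
/usr/share/onionshare/** r,
"""

# Matches simple file rules: optional "deny", an absolute path, a permission set.
RULE_RE = re.compile(r"^\s*(deny\s+)?(/\S+)\s+([rwklmx]+)\s*,\s*$")

def expand_braces(path):
    """Expand AppArmor alternation groups like /{,foo/}bar into plain paths."""
    m = re.search(r"\{([^{}]*)\}", path)
    if not m:
        return [path]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(path[:m.start()] + alt + path[m.end():]))
    return out

def parse_rules(text):
    """Return a set of (deny, path, perms) triples, one per expanded path."""
    rules = set()
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            for p in expand_braces(m.group(2)):
                rules.add((m.group(1) is not None, p, frozenset(m.group(3))))
    return rules

def review(profile_text, abstraction_text):
    """Flag write/lock access on shared read-only data under /usr/share and
    rules that appear in both the profile and the abstraction it includes."""
    prof, abst = parse_rules(profile_text), parse_rules(abstraction_text)
    by_path = lambda r: (r[0], r[1])
    findings = []
    for deny, path, perms in sorted(prof | abst, key=by_path):
        if not deny and path.startswith("/usr/share/") and perms & {"w", "k"}:
            findings.append(f"overbroad: {path} {''.join(sorted(perms))} (r should suffice)")
    for deny, path, perms in sorted(prof & abst, key=by_path):
        findings.append(f"duplicate: {path} appears in both profile and abstraction")
    return findings
```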

#9 Updated by intrigeri almost 3 years ago

  • Subject changed from Review apparmor profiles for Onionshare to Review AppArmor profiles for OnionShare

#10 Updated by intrigeri almost 3 years ago

  • Feature Branch changed from tails:tails/feature/7870-include_onionshare to feature/7870-include_onionshare

(That's implicit.)

#11 Updated by intrigeri almost 3 years ago

  • Parent task deleted (#7870)

This is not a blocker for #7870.

#12 Updated by intrigeri almost 3 years ago

  • Blocks Feature #11929: Upstream AppArmor profiles for Onionshare added

#13 Updated by intrigeri almost 3 years ago

  • Affected tool set to OnionShare

#14 Updated by intrigeri almost 3 years ago

  • Tracker changed from Bug to Feature
  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

#15 Updated by u almost 3 years ago

  • Related to Bug #12143: AppArmor blocks OnionShare from accessing folders below /home/amnesia added

#16 Updated by u almost 3 years ago

u wrote:

Reported by jvoisin:

  • /usr/share/icons/Adwaita/index.theme -> no need to rwk*, just reading should be enough.

This was removed anyway in the latest version of the profile.

  • Shouldn't `deny /{,lib/live/mount/rootfs/filesystem.squashfs/}etc/machine-id r, deny /var/lib/dbus/machine-id.* rw,` go into an abstraction? -> maybe not, because that's only used by the gui.

The first line was removed, and the second line is indeed only used by the GUI.

#17 Updated by u almost 3 years ago

  • Status changed from In Progress to Resolved
  • Assignee deleted (u)
  • % Done changed from 10 to 100

I think we've addressed all the issues that were raised by jvoisin, and we've thoroughly tested the profiles in the meantime. They are now shipped in Tails 2.10 and still need to be added to the official Debian package.
Closing this as resolved.
