Project

General

Profile

Feature #7724

Sandbox I2P

Added by intrigeri about 5 years ago. Updated 7 months ago.

Status:
Confirmed
Priority:
Low
Assignee:
-
Category:
-
Target version:
-
Start date:
11/17/2015
Due date:
% Done:

50%

Feature Branch:
kytv:feature/7724-sandbox-i2p
Type of work:
Code
Blueprint:
Starter:
Affected tool:
I2P

Description

We want to mitigate the impact of security vulnerabilities that I2P may have. The goals would be:

  • make privilege escalation from the i2psvc user harder
  • make it harder to read identifiers of the local system, user, etc.

Most likely, we'll want to use AppArmor to do so. Now, it may be hard to confine a Java application in a useful way with AppArmor.


Subtasks

Feature #10572: Peer review of I2P AppArmor profileConfirmed

Feature #10573: Fix/remove 'l' permission in I2P apparmor profileResolved

Bug #10924: Remove {,lib/live/mount/overlay/} from the AppArmor profile for I2PConfirmed

Bug #10925: I2P is not confined by AppArmor anymoreResolved


Related issues

Related to Tails - Feature #5370: AppArmor confinement Resolved 07/27/2013 08/24/2014
Related to Tails - Bug #9949: Audit AppArmor policy vs. hard links Rejected 08/08/2015
Blocked by Tails - Feature #9229: Import I2P 0.9.19 packages Resolved 04/14/2015
Blocked by Tails - Feature #9830: Import I2P 0.9.22 packages Resolved 07/31/2015
Blocked by Tails - Feature #12264: Reintroduce I2P Confirmed 02/25/2017

History

#1 Updated by intrigeri about 5 years ago

  • Related to Feature #5385: Have 3 AppArmor profiles in enforce mode added

#2 Updated by intrigeri about 5 years ago

  • Blocked by Feature #6198: Have AppArmor support stacked filesystems added

#3 Updated by intrigeri about 5 years ago

  • Blocked by deleted (Feature #6198: Have AppArmor support stacked filesystems)

#4 Updated by intrigeri about 5 years ago

  • Related to deleted (Feature #5385: Have 3 AppArmor profiles in enforce mode)

#5 Updated by intrigeri about 5 years ago

#6 Updated by sajolida almost 5 years ago

  • Target version set to Hardening_M1

#7 Updated by kytv over 4 years ago

  • Status changed from Confirmed to In Progress

I'm working on this upstream and think that the 0.9.18 packages will address this ticket.

#8 Updated by kytv over 4 years ago

#9 Updated by kytv over 4 years ago

The I2P daemon is confined by AppArmor in the 0.9.18 packages, which I think will satisfy this ticket's requirements.

#10 Updated by kytv over 4 years ago

  • Target version changed from Hardening_M1 to Tails_1.3.2

#11 Updated by intrigeri over 4 years ago

The I2P daemon is confined by AppArmor in the 0.9.18 packages, which I think will satisfy this ticket's requirements.

Yay! At first glance, this doesn't satisfy the criteria for inclusion in a point-release, but I'll let the RM judge.

Were these AppArmor profiles reviewed by someone skilled at AppArmor?

#12 Updated by kytv over 4 years ago

intrigeri wrote:

The I2P daemon is confined by AppArmor in the 0.9.18 packages, which I think will satisfy this ticket's requirements.

Yay! At first glance, this doesn't satisfy the criteria for inclusion in a point-release, but I'll let the RM judge.

Valid point.

Were these AppArmor profiles reviewed by someone skilled at AppArmor?

Not yet.

I started in a VM in enforce-mode disallowing everything then gradually adding rules to make it work. Then I added deny rules to avoid spamming the logs with denials for accesses that just aren't needed. I've been using the apparmor rules in enforce mode for a few weeks (in and outside of Tails) and everything still works. As far as functionality goes the rules are permissive enough.

On the other hand, another set of eyes would be most welcome to ensure that the rules I've defined are strict enough to be useful and whether certain abstractions should be avoided.

#13 Updated by kytv over 4 years ago

  • Target version changed from Tails_1.3.2 to Tails_1.4
  • QA Check set to Ready for QA

The I2P 0.9.18 packages come with an a apparmor profile that I created and these packages were included in Tails 1.3.1. Since Tails 1.3.1, I2P has been confined with apparmor in enforcing mode.

The profiles have not been reviewed by anyone skilled with apparmor and perhaps this is needed before this ticket can be closed.

#14 Updated by kytv over 4 years ago

  • Assignee deleted (kytv)

#15 Updated by intrigeri over 4 years ago

  • Assignee set to intrigeri

#16 Updated by intrigeri over 4 years ago

  • Assignee changed from intrigeri to kytv
  • % Done changed from 0 to 30
  • QA Check changed from Ready for QA to Dev Needed
  • Is there a Vcs-Git somewhere for the packaging? This would make the next dev/review cycles easier for me.
  • Please follow the indentation best practices as seen in /etc/apparmor.d/abstractions/*.
  • It's not clear what the usr.bin.i2prouter profile is for:
    • the initscript explicitly runs the wrapper with the system_i2p profile
    • in Tails 1.3.2, with I2P enabled and running, I see no process confined by usr.bin.i2prouter, so I wonder what it's about, and whether I should review it or not.
  • Do we really need to give access to {PROC}/[0-9]*/net/if_inet6 and {PROC}/[0-9]*/net/ipv6_route. IOW, what happens if we deny access to these files?
  • Perhaps /usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa should be tuned to support more than one arch?
  • The i2p abstraction has /etc/fonts/**, which is covered by the fonts abstraction, that you include already. I suspect there may be other similar cases, so please double check every line for similar/same ones in abstractions.
  • Does the i2p service really need to read /etc/default/i2p? Usually, only the initscript itself does.
  • Perhaps prepending owner to the PROC thingies would work just as well, and harden things a bit?

Otherwise, looks pretty good! Once we've completed our internal review, if you feel like it, you can also ask for a review on the AppArmor mailing-list. They're nice people, and more experienced than I am.

#17 Updated by kytv over 4 years ago

intrigeri wrote:

  • Is there a Vcs-Git somewhere for the packaging? This would make the next dev/review cycles easier for me.

I2P is managed with Monotone but I export the source to https://github.com/i2p/i2p.i2p, so this might be useful for future reviews. The git repo I use for my own packaging bits isn't online. Maybe after some filter-branch action (to remove identifying info) I can start publishing that. I do keep ./debian synched, however, with the upstream I2P repo.

  • Please follow the indentation best practices as seen in /etc/apparmor.d/abstractions/*.

OK.

  • It's not clear what the usr.bin.i2prouter profile is for:
    • the initscript explicitly runs the wrapper with the system_i2p profile
    • in Tails 1.3.2, with I2P enabled and running, I see no process confined by usr.bin.i2prouter, so I wonder what it's about, and whether I should review it or not.

It's not used by Tails. Some users don't want to have it run as a daemon, instead they want to use i2prouter start as they would without using the packaged version.

(Side note: Since we don't use /usr/bin/i2prouter in Tails, should it and its associated apparmor rules be removed during the build? If so I can create a new ticket and merge request.)

  • Do we really need to give access to {PROC}/[0-9]*/net/if_inet6 and {PROC}/[0-9]*/net/ipv6_route. IOW, what happens if we deny access to these files?

I suppose this could be disabled during the Tails build.

  • Perhaps /usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa should be tuned to support more than one arch?

This is actually only used by 32-bit JVMs. I only have the following on my amd64 box (which isn't needed by I2P):

/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/amd64/server/classes.jsa
/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/server/classes.jsa
/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/server/classes.jsa
  • The i2p abstraction has /etc/fonts/**, which is covered by the fonts abstraction, that you include already. I suspect there may be other similar cases, so please double check every line for similar/same ones in abstractions.

OK.

  • Does the i2p service really need to read /etc/default/i2p? Usually, only the initscript itself does.

To be confirmed but I suspect you're correct that it's not required.

  • Perhaps prepending owner to the PROC thingies would work just as well, and harden things a bit?

To be confirmed, but probably so.

Otherwise, looks pretty good!

Thanks. :) (As I think I've said already, this was my first time "dipping into" the world of apparmor profiles.)

Once we've completed our internal review, if you feel like it, you can also ask for a review on the AppArmor mailing-list. They're nice people, and more experienced than I am.

#18 Updated by kytv over 4 years ago

kytv wrote:

intrigeri wrote:

  • Do we really need to give access to {PROC}/[0-9]*/net/if_inet6 and {PROC}/[0-9]*/net/ipv6_route. IOW, what happens if we deny access to these files?

I suppose this could be disabled during the Tails build.

I disabled this on my system and I'm still communicating over IPv6. I removed this from the 0.9.19 packages as it's not needed.

Additionally:
  • Access to /etc/default/i2p wasn't needed. Removed. (now that I'm loading the profile from the initscript I can't remember what I was doing before but this was needed then...)
  • Prepending owner to the @{PROC} lines worked fine.
  • Indentation was done according to files found in apparmor.d/abstractions

The only things left would be dealing with the usr.bin.i2prouter rule (if wanted) (and possibly /usr/bin/i2prouter) bits.

#19 Updated by kytv over 4 years ago

#20 Updated by kytv over 4 years ago

#21 Updated by kytv over 4 years ago

kytv wrote:

kytv wrote:

intrigeri wrote:

  • Do we really need to give access to {PROC}/[0-9]*/net/if_inet6 and {PROC}/[0-9]*/net/ipv6_route. IOW, what happens if we deny access to these files?

I suppose this could be disabled during the Tails build.

I disabled this on my system and I'm still communicating over IPv6. I removed this from the 0.9.19 packages as it's not needed.

I was mistaken. This is actually needed for the upstream packages but this could be disabled for Tails.

#22 Updated by kytv over 4 years ago

  • Assignee changed from kytv to intrigeri
  • QA Check changed from Dev Needed to Ready for QA
  • Feature Branch set to kytv:feature/7724-sandbox-i2p
In this branch I
  1. disable IPv6 in Apparmor
  2. remove the i2prouter apparmor rules and replace /usr/bin/i2prouter with a tiny stub script which outputs information that the script is unused in Tails.

I think the other concerns from #7724#note-16 were addressed in the upstream package.

#23 Updated by intrigeri over 4 years ago

  • Assignee changed from intrigeri to kytv
  • QA Check changed from Ready for QA to Dev Needed

kytv wrote:

disable IPv6 in Apparmor

Just a bit of nitpicking: I would prefer if the deny rules that replace the 2 upstream ones were put at the same place, instead of being re-introduced 40+ lines below. This would make the diff a tiny bit more readable IMO. Your call: if you disagree, I won't insist :)

remove the i2prouter apparmor rules and replace /usr/bin/i2prouter with a tiny stub script which outputs information that the script is unused in Tails.

Please use dpkg-divert for the three deleted or modified files, so that we're idempotent wrt. APT upgrades. There are examples in config/chroot_local-hooks/.

I think the other concerns from #7724#note-16 were addressed in the upstream package.

Great! I'll take a look once my Git clone completes + time allows.

#24 Updated by intrigeri over 4 years ago

  • % Done changed from 30 to 50

Better! It's getting pretty good. I reviewed the current state as found in the 0.9.19-3~deb7u+1 package in the Tails APT repo.

  • Thanks for the pointer to the Git repo. In the future, please do atomic commits with more detailed commit messages (at least in debian/apparmor), to ease reviews :) I'm sure you'll understand that things like commit 11c3230 are a pain to review.
  • The Git repo only has 0.9.18-1 so far. Forgot to sync?
  • A few (#include and network) lines still aren't indented correctly.
  • I know we don't care about it for Tails yet, but perhaps the 2 IPv6-related PROC rules could be prefixed by owner as well?
  • Did you "double check every line for similar/same ones in abstractions"? E.g. the /dev/random rule is covered by the base abstraction on current sid (didn't check on Wheezy, sorry).
  • Can't /sys/devices/system/cpu/** be made a little bit tighter? There are a lot of files in there.
  • Do we really need the user-tmp abstraction? At first glance, it seems to me that we're overriding most of this abstraction rules.
  • Can owner /{,var/}tmp/** be made tighter? Isn't there any prefix shared by temporary files created in there by I2P stuff. If not, no big deal.
  • "Used by some versions of the Tanuki wrapper, not needed by I2P" is confusing in a profile that's about I2P. I trust you that the two following rules are needed, but please clarify the comment :)
  • Unrelated to Tails, but I care about it so that people around don't mentally associate AppArmor with "breaks stuff": please consider testing these profiles under Ubuntu (latest LTS and current non-LTS) -- Ubuntu has additional AppArmor kernel features that may break things if profiles don't support them. If you can't be bothered doing it, just tell me and I'll do it myself when time allows.

#25 Updated by kytv over 4 years ago

  • Target version changed from Tails_1.4 to Tails_1.5

#26 Updated by kytv over 4 years ago

intrigeri wrote:

Better! It's getting pretty good. I reviewed the current state as found in the 0.9.19-3~deb7u+1 package in the Tails APT repo.

  • Thanks for the pointer to the Git repo. In the future, please do atomic commits with more detailed commit messages (at least in debian/apparmor), to ease reviews :) I'm sure you'll understand that things like commit 11c3230 are a pain to review.

OK.

  • The Git repo only has 0.9.18-1 so far. Forgot to sync?

I neglected to check in the changelog file. (I should try going more of my packaging work in monotone, I just like Git and git-buildpackage too much :S)

  • A few (#include and network) lines still aren't indented correctly.

Oops. I think those are good now.

  • I know we don't care about it for Tails yet, but perhaps the 2 IPv6-related PROC rules could be prefixed by owner as well?

Those are owned by root so the i2psvc user would be denied access.

  • Did you "double check every line for similar/same ones in abstractions"? E.g. the /dev/random rule is covered by the base abstraction on current sid (didn't check on Wheezy, sorry).

I'll be sure to do that. (I can confirm that (u)?random are indeed in the base abstraction, even in Wheezy.

  • Can't /sys/devices/system/cpu/** be made a little bit tighter? There are a lot of files in there.

Maybe.

  • Do we really need the user-tmp abstraction? At first glance, it seems to me that we're overriding most of this abstraction rules.

TBD.

  • Can owner /{,var/}tmp/** be made tighter? Isn't there any prefix shared by temporary files created in there by I2P stuff. If not, no big deal.

TBD.

  • "Used by some versions of the Tanuki wrapper, not needed by I2P" is confusing in a profile that's about I2P. I trust you that the two following rules are needed, but please clarify the comment :)

It should be clearer now.

  • Unrelated to Tails, but I care about it so that people around don't mentally associate AppArmor with "breaks stuff": please consider testing these profiles under Ubuntu (latest LTS and current non-LTS) -- Ubuntu has additional AppArmor kernel features that may break things if profiles don't support them. If you can't be bothered doing it, just tell me and I'll do it myself when time allows.

I'll be sure to do that. (I did check some versions of Ubuntu but I don't remember which those were. I know that's so very helpful. :s)

#27 Updated by intrigeri over 4 years ago

Great to see progress here! :)

#28 Updated by kytv about 4 years ago

  • Assignee changed from kytv to intrigeri
  • Target version changed from Tails_1.5 to Tails_1.6
  • QA Check changed from Dev Needed to Ready for QA

Changes pushed, dependent on the 0.9.21 packages.

#29 Updated by kytv about 4 years ago

#30 Updated by kytv about 4 years ago

  • Assignee changed from intrigeri to kytv

Actually, I want to look over the apparmor rules one more time. Taking this one back for now.

#31 Updated by intrigeri about 4 years ago

Actually, I want to look over the apparmor rules one more time. Taking this one back for now.

OK. Please also ask for a review on the AppArmor mailing-list, before submitting it for review to me.

#32 Updated by intrigeri about 4 years ago

  • Related to Bug #9949: Audit AppArmor policy vs. hard links added

#33 Updated by intrigeri about 4 years ago

  • QA Check changed from Ready for QA to Dev Needed

See #9949#note-3: the "l" permission in the i2p abstraction makes the rest of the policy basically useless, at least wrt. access to non-persistent files stored on the root filesystem.

#34 Updated by kytv about 4 years ago

  • Target version changed from Tails_1.6 to Tails_1.7

#35 Updated by intrigeri about 4 years ago

This ticket has been postponed 4 times in 6 months. I suggest creating subtasks for the main remaining issues (iirc: the l permission and lack of peer review), which should help setting a realistic timeline for the whole thing. [Yeah, I know, I have some tickets in the same situation myself..]

#36 Updated by kytv about 4 years ago

  • QA Check changed from Dev Needed to Ready for QA

#37 Updated by kytv about 4 years ago

  • QA Check changed from Ready for QA to Dev Needed

#38 Updated by kytv almost 4 years ago

  • Target version changed from Tails_1.7 to 246

#39 Updated by sajolida almost 4 years ago

  • Target version changed from 246 to Tails_2.0

#40 Updated by kytv almost 4 years ago

  • Target version changed from Tails_2.0 to Tails_2.2

Likely not before 2.0

#41 Updated by intrigeri almost 4 years ago

The "feature branch" is not relevant anymore, is it?

#42 Updated by intrigeri over 3 years ago

kytv: given how this was handled in the last 6 months, I humbly suggest that you consider calling for help regarding the maintenance of I2P in Tails. -dev@ would be a good start, and we can relay this via Twitter.

#43 Updated by anonym over 3 years ago

  • Target version changed from Tails_2.2 to Tails_2.3

#44 Updated by anonym over 3 years ago

  • Target version changed from Tails_2.3 to Tails_2.4

#45 Updated by anonym over 3 years ago

  • Target version changed from Tails_2.4 to Tails_2.5

#46 Updated by BitingBird over 3 years ago

  • Assignee deleted (kytv)
  • Target version deleted (Tails_2.5)

no news from kytv -> removing assignee and target version

#47 Updated by u over 2 years ago

We don't ship i2p anymore atm. Lowering priority.

#48 Updated by u almost 2 years ago

#49 Updated by intrigeri 7 months ago

  • Status changed from In Progress to Confirmed

Also available in: Atom PDF