[tor-bugs] #5791 [Tor bundles/installation]: Gather apparmor/selinux/sandbox instructions for each component of TBB

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Thu May 24 05:52:41 UTC 2012


#5791: Gather apparmor/selinux/sandbox instructions for each component of TBB
--------------------------------------+-------------------------------------
 Reporter:  arma                      |          Owner:  cypherpunks             
     Type:  project                   |         Status:  assigned                
 Priority:  normal                    |      Milestone:  Sponsor Z: March 1, 2013
Component:  Tor bundles/installation  |        Version:                          
 Keywords:                            |         Parent:  #4522                   
   Points:                            |   Actualpoints:                          
--------------------------------------+-------------------------------------
Changes (by mikeperry):

  * owner:  => cypherpunks
  * status:  new => assigned
  * parent:  => #4522


Comment:

 Replying to [comment:9 trams]:
 > Note that one of the bigger issues with going apparmor/selinux is that
 > there is no way for the application to "opt-in" for the extra protection.
 > The user needs to load a profile or a module to get it contained. This
 > requires root privileges on the system.

 Actually now that I think about it, isn't stuff like this what PAM was
 designed for? Can't ./start-tor-browser just ask for root authentication
 to temporarily enable either an SELinux module or AppArmor profile? I know
 on Mac OS this definitely is the case (but most likely Mac won't require
 root to load Seatbelt profiles, I assume).

 Assuming, of course, that the kernel itself doesn't write a record to disk
 of the profile being loaded... Though even if it does, we could just warn
 the user of that fact.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5791#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

