[tor-bugs] #16782 [Tor]: systemd unit file is not compatible with the AppArmorProfile= directive

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Aug 14 12:01:26 UTC 2015


#16782: systemd unit file is not compatible with the AppArmorProfile= directive
---------------------------+-------------------------------
     Reporter:  intrigeri  |      Owner:
         Type:  defect     |     Status:  new
     Priority:  normal     |  Milestone:
    Component:  Tor        |    Version:
   Resolution:             |   Keywords:  systemd, apparmor
Actual Points:             |  Parent ID:
       Points:             |
---------------------------+-------------------------------

Comment (by intrigeri):

 Replying to [comment:1 nickm]:
 > I'd be happy to have our systemd profile work with AppArmor.

 :)

 > Quick question though: does it really need write access to *all* of
 > proc?  (Or is the subset of proc that it needs so complex that really we
 > can't limit it?)

 My understanding of the code (keep in mind that I'm no C programmer) is
 that to set the AppArmor profile (with {{{aa_change_onexec}}}), systemd
 only needs write access to {{{/proc/PID/attr/current}}}. But systemd's
 namespacing (including {{{ReadWriteDirectories}}} and friends) is applied
 earlier, that is at a time when we don't know the PID yet. So, sadly I
 don't see how we could give write access to only a subset of proc here.

 To sum up:

 * For AppArmor users, the proposed change will be an improvement (they'll
 get slightly weaker protection from systemd, but finer grained confinement
 from AppArmor which largely compensates the former).
 * For non-AppArmor users, the proposed change indeed increases the attack
 surface a bit. I lack the low-level skills to quantify this, though: given
 the system-wide tor daemon is typically run as a dedicated user, in
 practice having write access to {{{/proc}}} means having write access only
 to files in {{{/proc/PID/}}} that are owner-writable (modulo kernel bugs).
 I don't know how much this opens the attack surface in practice.

 I'll let better skilled people than me evaluate if the former is worth the
 latter.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16782#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
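A check for the incompatibility this ticket is about, added here as an example (it is not code from the Tor project or from systemd): it parses a unit's [Service] section and reports whether the ReadOnlyDirectories=/ReadWriteDirectories=/InaccessibleDirectories= lists leave /proc writable, which AppArmorProfile= needs because systemd can only write /proc/PID/attr/current after the mount namespace is already in place. The unit fragments are constructed and "system_tor" is an assumed profile name.

```python
def _covers(entry, path):
    """True if directory entry (e.g. "/" or "/proc") contains path."""
    entry = entry.rstrip("/") or "/"
    return entry == "/" or path == entry or path.startswith(entry + "/")

def parse_service(unit_text):
    """[Service] directives as {key: [value, ...]}; an empty value resets the list."""
    directives, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            section = line
        elif section == "[Service]" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            directives[key] = directives.get(key, []) + [value] if value else []
    return directives

def _covers_proc(directives, key):
    """Does any entry of this space-separated directory list contain /proc?
    A leading '-' only means 'ignore if missing', so it is stripped first."""
    return any(_covers(p.lstrip("-"), "/proc")
               for v in directives.get(key, []) for p in v.split())

def proc_writable(directives):
    """Is /proc writable in the mount namespace built from these lists?"""
    if _covers_proc(directives, "InaccessibleDirectories"):
        return False
    if not _covers_proc(directives, "ReadOnlyDirectories"):
        return True  # nothing made /proc read-only in the first place
    return _covers_proc(directives, "ReadWriteDirectories")

def apparmor_compatible(unit_text):
    """Return (profile, proc_writable, ok); ok is False when AppArmorProfile= is
    set but /proc is read-only, so aa_change_onexec cannot write /proc/PID/attr/current."""
    d = parse_service(unit_text)
    profile = (d.get("AppArmorProfile") or [None])[-1]
    writable = proc_writable(d)
    return profile, writable, profile is None or writable

# Constructed unit fragments (not the project's tor.service); profile name is assumed.
LOCKED_DOWN = """[Service]
ExecStart=/usr/bin/tor -f /etc/tor/torrc
AppArmorProfile=system_tor
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/tor -/var/log/tor
"""
WITH_PROC = LOCKED_DOWN + "ReadWriteDirectories=-/proc\n"
```

Carving /proc back out with ReadWriteDirectories=-/proc is exactly the trade-off the comment weighs: it is what lets the profile be applied, at the cost of the owner-writable files under /proc/PID/ no longer being covered by systemd's read-only namespace.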

