Fix tor daemon & obfs4proxy apparmor profile. (#779)

* Fix tor daemon & obfs4proxy apparmor profile. There is an outstanding bug[0] with the Tor apparmor profile that causes the tor daemon to fail to start when configured with a hidden service directory. To temporarily work-around this issue this commit adds a new `/etc/apparmor.d/local/system_tor` override file that adds the missing capability. This can be removed when upstream has fixed the problem. Additionally, while debugging this issue I removed the abstractions apparmor file that Streisand previously used to replace the distro provided profile. We only need to change two lines so rather than keep an entire profile up to date this commit adds a `replace` task to update the two obfsproxy binaries to have the correct `ix` permissions. We should look into fixing this in a better way in the future. [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862993 * Remove unused file
StreisandEffect · Jul 3, 2017 · 975e2cf · 975e2cf
1 parent 02d1f25
commit 975e2cf
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 34 deletions.
diff --git a/playbooks/roles/tor-bridge/files/apparmor-local-override b/playbooks/roles/tor-bridge/files/apparmor-local-override
@@ -0,0 +1,7 @@
+# Site-specific additions and overrides for system_tor.
+# For more details, please see /etc/apparmor.d/local/README.
+
+# Workaround https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862993
+# Tor v0.3.0.9 fails to read /var/lib/tor/hidden_service without this
+# app armor capability override
+capability dac_read_search,
diff --git a/playbooks/roles/tor-bridge/files/tor-apparmor-abstraction b/playbooks/roles/tor-bridge/files/tor-apparmor-abstraction
diff --git a/playbooks/roles/tor-bridge/tasks/main.yml b/playbooks/roles/tor-bridge/tasks/main.yml
@@ -37,18 +37,33 @@
     group: root
     mode: 0644
 
-- name: Copy the fixed AppArmor abstraction into place
+# TODO(@cpu) - This should be removed once it isn't required, maybe in the next
+# release after tor 0.3.0.9
+- name: Copy a local override for the Tor AppArmor profile in place
   copy:
-    src: tor-apparmor-abstraction
-    dest: /etc/apparmor.d/abstractions/tor
+    src: apparmor-local-override
+    dest: /etc/apparmor.d/local/system_tor
     owner: root
     group: root
     mode: 0644
 
-- name: Restart AppArmor so the abstraction takes effect
-  service:
-    name: apparmor
-    state: restarted
+# TODO(@cpu) - In theory it seems like it should be possible to add the
+# following to the local override from above:
+#     /usr/bin/obfsproxy ix,
+#     /usr/bin/obfs4proxy ix,
+# but doing so results in an error from the existing `PUx` modifiers:
+#     profile system_tor: has merged rule /usr/bin/obfs4proxy with conflicting x modifiers
+# in the interest of fixing a regression we work around this by changing the
+# dist provided `/etc/apparmor.d/abstractions/tor` file.
+- name: Fix the distro Tor apparmor abstraction
+  replace:
+    path: /etc/apparmor.d/abstractions/tor
+    regexp: '^([\s]*)/usr/bin/(obfs4?proxy) PUx,$'
+    replace: '\1/usr/bin/\2 ix,'
+    backup: yes
+
+- name: Reload the system_tor AppArmor profile for the override to take effect
+  command: apparmor_parser -r /etc/apparmor.d/system_tor
 
 - name: Restart Tor so the server fingerprint will be available in the state file, and the hidden service for the Gateway will start running
   service: