
[xenial] run haveged process confined by AppArmor #4118

Merged
merged 3 commits into from Feb 12, 2019

Conversation

redshiftzero
Contributor

Status

Ready for review

Description of Changes

Fixes #4098.

Changes proposed in this pull request:

  • fix AppArmor profile for haveged (enable rw to its pid file)
  • ensure that AppArmor service starts prior to haveged so haveged runs confined on boot

Testing

(the trusty CI staging job and the testinfra test modified in this PR should sufficiently test for trusty)

Xenial

  • make staging-xenial completes without error
  • sudo aa-status reports 0 processes running unconfined

Deployment

Enforcing this via ansible playbook since they will be run as part of the Xenial upgrade

Checklist

If you made changes to the system configuration:

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

There were two issues causing haveged to run unconfined on Xenial:

1. The AppArmor profile needed updating to whitelist rw for the PID
file that haveged uses [0].
2. The haveged service needed to be configured to start running only
after AppArmor is running [1, 2].

[0] https://bugs.launchpad.net/ubuntu/+source/haveged/+bug/1708674
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824179
[2] #4098
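The two root causes above (profile missing rw on the PID file, and haveged starting before AppArmor) both show up as haveged running "unconfined but with a profile defined" in `sudo aa-status`. The script below is an added example, not code from this PR or from SecureDrop: it parses an aa-status report and a `systemctl show -p After haveged` line so the post-upgrade test plan can be checked mechanically. Function names and the `SAMPLE_AA_STATUS` excerpt are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not code from the SecureDrop PR: a post-boot check for the two
# conditions the PR fixes on Xenial. Function names and SAMPLE_AA_STATUS are
# constructed here; the report layout follows what aa-status prints.

# Constructed aa-status excerpt showing the bad state: a haveged profile is
# loaded, but the running haveged process is not confined by it.
SAMPLE_AA_STATUS='apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/haveged
   /usr/sbin/tor
0 profiles are in complain mode.
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/tor (812)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/sbin/haveged (640)'

# Print the count from the "unconfined but have a profile defined" line
# (0 when aa-status prints no such line). Reads the report on stdin.
unconfined_with_profile() {
    n=$(sed -n 's/^\([0-9][0-9]*\) processes are unconfined but have a profile defined\..*/\1/p')
    echo "${n:-0}"
}

# Print the executables listed under that heading, one per line.
unconfined_paths() {
    awk '/processes are unconfined but have a profile defined/ { grab = 1; next }
         grab && /^[0-9]+ processes/ { grab = 0 }
         grab && /^[[:space:]]/ { print $1 }'
}

# Given `systemctl show -p After haveged` output on stdin, succeed only if the
# unit is ordered after apparmor.service, i.e. profiles load before haveged starts.
ordered_after_apparmor() {
    grep -q 'After=.*apparmor\.service'
}

# Live check; run as root on the staging host: RUN_LIVE=1 sh check-haveged.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    aa-status | unconfined_paths
    [ "$(aa-status | unconfined_with_profile)" = 0 ] &&
        systemctl show -p After haveged | ordered_after_apparmor &&
        echo "haveged is confined and ordered after apparmor.service"
fi
```

Without `RUN_LIVE=1` the script only defines the helpers, so it can be sourced and exercised against captured aa-status output from a host.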

@kushaldas kushaldas left a comment


  • make staging-xenial completes without error
  • sudo aa-status reports 0 processes running unconfined

Even with a few hours of usage, the instance had no issues with haveged.

@kushaldas kushaldas merged commit f6f6ea2 into develop Feb 12, 2019
SecureDrop Team Board automation moved this from Ready for review to Done Feb 12, 2019
@kushaldas kushaldas deleted the fix-haveged-profile branch February 12, 2019 10:10
Successfully merging this pull request may close these issues.

[xenial] haveged process is unconfined under Xenial