
tor hardening prevents execution of /usr/bin/obfs4proxy

dma opened this issue 7 years ago (Open, 7 comments)

Configuring an obfs3/4 bridge results in this error when Tor attempts to use the bridge:

Jun 29 15:02:24.000 [warn] Could not launch managed proxy executable at '/usr/bin/obfs4proxy' ('Operation not permitted').

No AppArmor violations in audit log.

Workaround: can be fixed by disabling all hardening in /lib/systemd/system/tor@default.service

Do not yet know precisely which hardening setting is responsible for this.

dma, Jul 01 '17 18:07

Hi, It's 'user___' from IRC :) So after playing around a bit, and looking at a bunch of bug reports on launchpad, I found a much safer workaround/fix for getting bridges to work properly. The issue lies in the system_tor AppArmor abstraction file, /etc/apparmor.d/abstractions/tor

Simply change line 27 from `/usr/bin/obfs4proxy PUx,` to `/usr/bin/obfs4proxy ix,` and reboot (note the trailing commas).

Here is a full dump of the corrected /etc/apparmor.d/abstractions/tor:

```
# vim:syntax=apparmor

  #include <abstractions/base>
  #include <abstractions/nameservice>

  network tcp,
  network udp,

  capability chown,
  capability dac_override,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,

  /usr/bin/tor r,
  /usr/sbin/tor r,

  /proc/sys/kernel/random/uuid r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,

  /etc/tor/* r,
  /usr/share/tor/** r,

  /usr/bin/obfsproxy PUx,
  /usr/bin/obfs4proxy ix,
```

Credit to Ali Mirjamali (alimirjamali) at https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1568435 (comment #6) for the solution.

A quick note on security: according to AppArmor's QuickProfileLanguage specification, 'PUx' means "Execute under a specific profile (scrub the environment) but fallback to executing unconfined if the target profile is not found," while 'ix' means "Execute and inherit the current profile".

I'll probably make a pull request tomorrow.

HexicPyth, Jul 11 '17 01:07
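Added example (the editor's, not Subgraph, Debian or Tor project code) for the PUx-versus-ix question raised in the comment above: a small Python audit that parses the `/path mode,` rule lines of an AppArmor profile or abstraction, spells out what each exec mode does to the child process (semantics per apparmor.d(5)), flags rules whose target or fallback is an unconfined child, and rewrites the unconfined-fallback forms (`PUx`, `pux`, `CUx`, `cux`) to their inherit-fallback twins (`Pix` and so on). The `SAMPLE_ABSTRACTION` text is constructed from the paths in this thread and is not the real file; the `harden` rewrite is the editor's generalisation and goes beyond the single-line change the comment describes. One caveat the thread itself does not state, offered as an editor's note: AppArmor denies an exec transition that would leave the caller's confinement for a task running with no_new_privs (the flag that systemd's NoNewPrivileges= sets), and a fallback to unconfined is the extreme case of that, which is consistent with the EPERM in the log but is not something this thread pins down.

```python
"""Audit AppArmor exec-transition rules (added example, not project code).

Parses the `/path mode,` rule lines used in the abstraction pasted in this
thread, reports what each exec mode does to the child process, and flags
modes whose target or fallback is an unconfined process.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of /etc/apparmor.d/abstractions/tor from the
# thread (not the real file); both proxy rules use the PUx form under discussion.
SAMPLE_ABSTRACTION = """\
# vim:syntax=apparmor
  #include <abstractions/base>
  network tcp,
  capability setuid,
  /usr/bin/tor r,
  /etc/tor/* r,
  /usr/bin/obfsproxy PUx,
  /usr/bin/obfs4proxy PUx,
"""

# Exec mode -> (child runs as, fallback when the target profile is missing,
# environment scrubbed). Semantics follow apparmor.d(5); a capital letter
# means the environment is scrubbed on exec.
EXEC_MODES: Dict[str, Tuple[str, str, bool]] = {
    "ux": ("unconfined", "-", False),
    "Ux": ("unconfined", "-", True),
    "px": ("target's own profile", "exec denied", False),
    "Px": ("target's own profile", "exec denied", True),
    "pux": ("target's own profile", "unconfined", False),
    "PUx": ("target's own profile", "unconfined", True),
    "pix": ("target's own profile", "inherit caller's profile", False),
    "Pix": ("target's own profile", "inherit caller's profile", True),
    "cx": ("child profile", "exec denied", False),
    "Cx": ("child profile", "exec denied", True),
    "cux": ("child profile", "unconfined", False),
    "CUx": ("child profile", "unconfined", True),
    "cix": ("child profile", "inherit caller's profile", False),
    "Cix": ("child profile", "inherit caller's profile", True),
    "ix": ("inherit caller's profile", "-", False),
}

# All known exec modes as one alternation (longest first). Other file
# permissions (r, w, m, l, k, a) may precede the exec mode; the comma is required.
_EXEC_TOKEN = "|".join(sorted(EXEC_MODES, key=len, reverse=True))
_RULE = re.compile(
    r"^\s*(?P<path>/\S+)\s+(?P<perms>[rwmlka]*)(?P<exec>" + _EXEC_TOKEN + r")\s*,"
)


@dataclass(frozen=True)
class ExecRule:
    line_no: int
    path: str
    mode: str
    child_runs_as: str
    fallback: str
    scrubs_env: bool

    @property
    def may_run_unconfined(self) -> bool:
        """True if this rule can ever yield an unconfined child process."""
        return "unconfined" in (self.child_runs_as, self.fallback)


def parse_exec_rules(text: str) -> List[ExecRule]:
    """Return every rule in `text` that carries an exec mode, in file order."""
    rules: List[ExecRule] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = _RULE.match(line)
        if m is None:
            continue  # comment, #include, network/capability, or a plain r/w rule
        child, fallback, scrub = EXEC_MODES[m["exec"]]
        rules.append(ExecRule(line_no, m["path"], m["exec"], child, fallback, scrub))
    return rules


def unconfined_candidates(text: str) -> List[str]:
    """Paths that may end up executing unconfined under this policy."""
    return [r.path for r in parse_exec_rules(text) if r.may_run_unconfined]


def harden(text: str, replacements: Optional[Dict[str, str]] = None) -> Tuple[str, List[str]]:
    """Rewrite unconfined-fallback modes to their inherit-fallback twin
    (PUx -> Pix and so on). Returns (new_text, list of rewritten rule lines).
    Editor's generalisation of the thread's PUx -> ix/Pix change; plain ix would
    instead keep the child under the caller's profile unconditionally."""
    if replacements is None:
        replacements = {"PUx": "Pix", "pux": "pix", "CUx": "Cix", "cux": "cix"}
    out: List[str] = []
    changed: List[str] = []
    for line in text.splitlines():
        m = _RULE.match(line)
        if m is not None and m["exec"] in replacements:
            line = line[: m.start("exec")] + replacements[m["exec"]] + line[m.end("exec"):]
            changed.append(line.strip())
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    for r in parse_exec_rules(SAMPLE_ABSTRACTION):
        flag = "  <-- may run unconfined" if r.may_run_unconfined else ""
        print(f"line {r.line_no}: {r.path} {r.mode}: child={r.child_runs_as}, "
              f"fallback={r.fallback}, scrub_env={r.scrubs_env}{flag}")
    fixed_text, rewritten = harden(SAMPLE_ABSTRACTION)
    print("rewritten:", rewritten)
```

Run it against a real `/etc/apparmor.d/abstractions/tor` by reading the file into `parse_exec_rules`; anything it flags is a rule under which a missing target profile silently produces an unconfined process, which is the property the comment above is worried about.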

https://bugs.debian.org/867342 might help.

intrigeri, Sep 24 '17 18:09

https://support.subgraph.com/downloads/system_tor as a candidate to go into /etc/apparmor.d/local

dma, Jan 14 '18 19:01

I wanted to fix this without touching the AA policies shipped with the Debian Tor package, but it seems we can't, unless I'm missing something. The AA parser doesn't treat overrides and conflicts the way I'd expected, so we can't put our own changes into local/system_tor.

Changing to Pix in apparmor.d/abstractions/tor (as intrigeri suggests) works; I guess we'll have to do that.

dma, Jan 15 '18 07:01

Wait, what version of the tor package are you shipping? This bug was fixed in 0.3.1.5-alpha-2. Assuming SGOS is still on Stretch: stretch-backports includes 0.3.1.9-1~bpo9+1 and Tails 3.4 has 0.3.1.9-1~d90.stretch+1 from deb.torproject.org. Perhaps upgrading to one of those would be the easiest way forward?

intrigeri, Jan 15 '18 07:01

We're shipping old stretch tor: 0.2.9.14-1.

Upgrading to a fixed tor would indeed be preferable. Here's the fix; I should have seen this:

https://gitweb.torproject.org/debian/tor.git/tree/debian/tor.apparmor-profile.abstraction

Thanks for pointing this out, I think we'll proceed this way.

dma, Jan 15 '18 08:01

> Thanks for pointing this out, I think we'll proceed this way.

:)

intrigeri, Jan 15 '18 08:01