subgraph / subgraph-os-issues

Subgraph OS issues repository

tor hardening prevents execution of /usr/bin/obfs4proxy #256

Open dma opened 7 years ago

dma commented 7 years ago

Configuring an obfs3/4 bridge results in this error when Tor attempts to use the bridge:

Jun 29 15:02:24.000 [warn] Could not launch managed proxy executable at '/usr/bin/obfs4proxy' ('Operation not permitted').

No AppArmor violations in audit log.

Workaround: Can be fixed by disabling all hardening in /lib/systemd/system/tor@default.service

Do not yet know precisely which hardening setting is responsible for this.

HexicPyth commented 7 years ago

Hi, it's 'user___' from IRC :) So after playing around a bit, and looking at a bunch of bug reports on Launchpad, I found a much safer workaround/fix for getting bridges to work properly. The issue lies in the system_tor AppArmor abstraction file, /etc/apparmor.d/abstractions/tor

Simply change line 27 from /usr/bin/obfs4proxy, PUx, to /usr/bin/obfs4proxy, ix, and reboot. (note the commas)

Here is a full dump of the corrected /etc/apparmor.d/abstractions/tor:

```apparmor
# vim:syntax=apparmor

  #include <abstractions/base>
  #include <abstractions/nameservice>

  network tcp,
  network udp,

  capability chown,
  capability dac_override,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,

  /usr/bin/tor r,
  /usr/sbin/tor r,

  /proc/sys/kernel/random/uuid r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,

  /etc/tor/* r,
  /usr/share/tor/** r,

  /usr/bin/obfsproxy PUx,
  # changed from PUx: inherit the tor profile instead of falling back to unconfined
  /usr/bin/obfs4proxy ix,
```

Credits to Ali Mirjamali (alimirjamali) from (https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1568435) (comment number six) for the solution.

A quick note on security: according to AppArmor's QuickProfileLanguage specification, 'PUx' means "Execute under a specific profile (scrub the environment) but fallback to executing unconfined if the target profile is not found," while 'ix' means "Execute and inherit the current profile".

I'll probably make a pull request tomorrow.

intrigeri commented 6 years ago

https://bugs.debian.org/867342 might help.

dma commented 6 years ago

https://support.subgraph.com/downloads/system_tor as a candidate to go into /etc/apparmor.d/local

dma commented 6 years ago

I wanted to fix this without touching the AA policies shipped with the Debian Tor package, but it seems we can't, unless I'm missing something. The AA parser doesn't treat overrides and conflicts the way I'd expected, so we can't put our own changes into local/system_tor.

Changing to Pix in apparmor.d/abstractions/tor (as intrigeri suggests) works; I guess we'll have to do that.

intrigeri commented 6 years ago

Wait, what version of the tor package are you shipping? This bug was fixed in 0.3.1.5-alpha-2. Assuming SGOS is still on Stretch: stretch-backports includes 0.3.1.9-1~bpo9+1 and Tails 3.4 has 0.3.1.9-1~d90.stretch+1 from deb.torproject.org. Perhaps upgrading to one of those would be the easiest way forward?

dma commented 6 years ago

We're shipping old stretch tor: 0.2.9.14-1.

Upgrading to a fixed tor would indeed be preferable. Here's the fix, I should have seen this:

https://gitweb.torproject.org/debian/tor.git/tree/debian/tor.apparmor-profile.abstraction

Thanks for pointing this out, I think we'll proceed this way.

intrigeri commented 6 years ago

> Thanks for pointing this out, I think we'll proceed this way.

:)
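The mode change this thread converges on (PUx to ix, or Pix as in the Debian fix) can be checked mechanically. The following is an added example, not code from the thread, Subgraph or the Tor package: it parses an AppArmor abstraction and flags file rules whose exec mode can end up running the child unconfined, suggesting the inherit-fallback variant instead. The sample rules are constructed from the abstraction posted above, as it stood before the fix.

```python
import re

# Exec-mode suffixes of the AppArmor profile language, mapped to what happens
# when the named target profile is not loaded (the "fallback").
EXEC_MODES = {
    "PUx": "unconfined", "pux": "unconfined", "CUx": "unconfined", "cux": "unconfined",
    "Ux": "unconfined", "ux": "unconfined",      # unconfined outright, no profile at all
    "Pix": "inherit", "pix": "inherit", "Cix": "inherit", "cix": "inherit",
    "ix": "inherit",                             # inherit the caller's profile
    "Px": "deny", "px": "deny", "Cx": "deny", "cx": "deny",
}

# Matches a file rule such as "/usr/bin/obfs4proxy PUx," or "/etc/tor/* r,".
FILE_RULE = re.compile(r"^(?P<path>/\S+)\s+(?P<perms>[A-Za-z]+),$")


def exec_mode(perms):
    """Return the exec-mode suffix of a permission string, or None (e.g. for 'r')."""
    for mode in sorted(EXEC_MODES, key=len, reverse=True):  # "Pix" before "ix"
        if perms.endswith(mode):
            return mode
    return None


def audit(profile_text):
    """List (path, mode, suggested_mode) for rules that may run the child unconfined."""
    findings = []
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drops comments and #include lines
        match = FILE_RULE.match(line)
        if not match:
            continue
        mode = exec_mode(match["perms"])
        if mode and EXEC_MODES[mode] == "unconfined":
            # PUx -> Pix, CUx -> Cix (keep the profile, fall back to inherit); Ux -> ix
            suggested = "ix" if mode in ("Ux", "ux") else mode[0] + "ix"
            findings.append((match["path"], mode, suggested))
    return findings


# Constructed sample: the relevant rules of the abstraction before the fix.
SAMPLE_ABSTRACTION = """\
  #include <abstractions/base>
  /usr/bin/tor r,
  /etc/tor/* r,
  /usr/bin/obfsproxy PUx,
  /usr/bin/obfs4proxy PUx,
"""

if __name__ == "__main__":
    for path, mode, fix in audit(SAMPLE_ABSTRACTION):
        print(f"{path}: {mode} may fall back to unconfined; consider {fix}")
```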