- Confirmed your conclusion that TBB 6.5a4-hardened works with new environment variables without changing apparmor.
- Added explicit deny rules to apparmor profile.
deny /var/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock rw,
deny /var/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock rw,
TBB continues to work without issue.
Background info from: http://man7.org/linux/man-pages/man7/unix.7.html
On Linux, connecting to a stream socket object requires write permission on that socket; sending a datagram to a datagram socket likewise requires write permission on that socket. POSIX does not make any statement about the effect of the permissions on a socket file, and on some systems (e.g., older BSDs), the socket permissions are ignored. Portable programs should not rely on this feature for security.
Relevant bug report? https://bugs.launchpad.net/apparmor/+bug/1208988
- AppArmor removed unix domain socket mediation as part of the 2.4 (karmic) rewrite to the security_path hooks so that it could be upstreamed into the main kernel. The result being apparmor no longer mediates access to AF_UNIX socket files. Or more specifically, it does not mediate connections between sockets; creation of a socket within the filesystem is mediated.
- Confined applications can currently read from and write to any AF_UNIX socket files
- Existing AppArmor profiles that contain file rules granting write access to AF_UNIX socket files are effectively being ignored
So IIUC apparmor can control socket creation and destruction but not read/write to existing sockets. It says “Fix Released”. Is that to upstream AppArmor? Where is the corresponding Debian report?
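Added example (not part of this thread or of Whonix/TBB code): "TBB continues to work" only shows the deny rules did not break the browser, not that they block the sockets. The probe below attempts a connect to a Unix socket path and classifies the outcome, so running it inside the confined profile (e.g. `aa-exec -p <profile-name> -- python3 probe.py`, profile name being a placeholder) reveals whether connect is actually denied (EACCES/EPERM), merely refused because nothing listens, or simply succeeds despite the rule. The target socket paths are the two from the deny rules above; the self-check builds throwaway sockets in a temp directory (constructed data) so the script runs anywhere.

```python
import errno
import os
import socket
import stat
import tempfile

# The two socket files from the AppArmor deny rules in the comment above.
TARGET_SOCKETS = [
    "/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock",
    "/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock",
]


def probe_unix_socket(path, timeout=1.0):
    """Try to connect to a Unix stream socket and classify the result.

    Returns "connected", "missing" (ENOENT), "denied" (EACCES/EPERM: the
    socket file mode or a MAC layer such as AppArmor blocked the connect),
    "refused" (ECONNREFUSED: file exists but nobody listens behind it),
    or "error:<errno name>" for anything else.
    """
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(path)
        return "connected"
    except OSError as e:
        if e.errno == errno.ENOENT:
            return "missing"
        if e.errno in (errno.EACCES, errno.EPERM):
            return "denied"
        if e.errno == errno.ECONNREFUSED:
            return "refused"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def describe_socket_file(path):
    """Owner uid, permission bits and socket-ness of the file, or None if absent.

    The unix(7) excerpt says connect needs write permission on the socket file,
    so the mode bits are the first thing to compare against the probe result.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return {
        "uid": st.st_uid,
        "mode": oct(st.st_mode & 0o777),
        "is_socket": stat.S_ISSOCK(st.st_mode),
    }


def self_check():
    """Exercise the classifier against constructed sockets in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "live.sock")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(live)
        srv.listen(1)
        os.chmod(live, 0o600)  # owner-only, as a well-behaved daemon would set
        results["listening"] = probe_unix_socket(live)   # "connected"
        srv.close()  # close() leaves the socket file behind, now stale
        results["stale"] = probe_unix_socket(live)       # "refused"
        results["missing"] = probe_unix_socket(os.path.join(d, "nope.sock"))
    return results


if __name__ == "__main__":
    print("self-check:", self_check())
    for p in TARGET_SOCKETS:
        print(p, describe_socket_file(p), probe_unix_socket(p))
```

Compare the output from an unconfined shell with the output from inside the profile: a rule that really mediates the socket turns "connected" (or "refused") into "denied" only under confinement, while identical results in both runs mean the deny rule is being ignored, which is what the Launchpad report describes.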