From 60e1bfd0a652156d05cfce289a9ca748bb864cfc Mon Sep 17 00:00:00 2001
From: Peter Palfrader <peter@palfrader.org>
Date: Tue, 26 Jun 2012 13:50:59 +0200
Subject: [PATCH] enable apparmor policy, but only for the daemon started from
 the init script

---
 debian/control                                  |  4 ++--
 debian/rules                                    |  4 ++++
 debian/tor.apparmor-profile                     | 17 +++++++++++++++++
 ...-policy => tor.apparmor-profile.abstraction} | 16 ++--------------
 debian/tor.default                              |  8 ++++++++
 debian/tor.dirs                                 |  1 +
 debian/tor.docs                                 |  1 -
 debian/tor.init                                 | 15 ++++++++++++++-
 8 files changed, 48 insertions(+), 18 deletions(-)
 create mode 100644 debian/tor.apparmor-profile
 rename debian/{examples/apparmor-policy => tor.apparmor-profile.abstraction} (52%)

diff --git a/debian/control b/debian/control
index 93175775e6..76cce8efc2 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: tor
 Section: net
 Priority: optional
 Maintainer: Peter Palfrader <weasel@debian.org>
-Build-Depends: debhelper (>= 5), libssl-dev, dpatch, zlib1g-dev, libevent-dev (>= 1.1), binutils (>= 2.14.90.0.7), hardening-includes, asciidoc (>= 8.2), docbook-xml, docbook-xsl, xmlto
+Build-Depends: debhelper (>= 5), libssl-dev, dpatch, zlib1g-dev, libevent-dev (>= 1.1), binutils (>= 2.14.90.0.7), hardening-includes, asciidoc (>= 8.2), docbook-xml, docbook-xsl, xmlto, dh-apparmor
 Standards-Version: 3.8.1
 Homepage: https://www.torproject.org/
 Vcs-Git: git://git.torproject.org/debian/tor.git
@@ -13,7 +13,7 @@ Architecture: any
 Depends: ${shlibs:Depends}, adduser, ${misc:Depends}, lsb-base
 Conflicts: libssl0.9.8 (<< 0.9.8g-9)
 Recommends: logrotate, tor-geoipdb, torsocks
-Suggests: mixmaster, xul-ext-torbutton, socat, tor-arm, polipo (>= 1) | privoxy
+Suggests: mixmaster, xul-ext-torbutton, socat, tor-arm, polipo (>= 1) | privoxy, apparmor-utils
 Description: anonymizing overlay network for TCP
  Tor is a connection-based low-latency anonymous communication system which
  addresses many flaws in the original onion routing design.
diff --git a/debian/rules b/debian/rules
index b8cf5c01fc..dd6f5aa9f2 100755
--- a/debian/rules
+++ b/debian/rules
@@ -151,6 +151,10 @@ install: build
 	install -m 644 contrib/tor-tsocks.conf $(CURDIR)/debian/tor/etc/tor
 	install -m 644 debian/tor-service-defaults-torrc $(CURDIR)/debian/tor/usr/share/tor
 
+	install -m 644 debian/tor.apparmor-profile $(CURDIR)/debian/tor/etc/apparmor.d/system_tor
+	install -m 644 debian/tor.apparmor-profile.abstraction $(CURDIR)/debian/tor/etc/apparmor.d/abstractions/system_tor
+	dh_apparmor --profile-name=system_tor -ptor
+
 	dh_link usr/share/man/man8/tor.8 usr/share/man/man5/torrc.5
 
 	rm -f $(CURDIR)/debian/tor/usr/bin/tor-control.py
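Review bot: The abstraction is installed as `etc/apparmor.d/abstractions/system_tor`, but the new profile in debian/tor.apparmor-profile pulls it in with `#include <abstractions/tor>`, so the two names do not match. Unless another package ships `abstractions/tor`, the parser will presumably fail to load `system_tor`, and the init script's `aa-exec --profile=system_tor` would have no profile to switch to. One fix is to change the second install line to `install -m 644 debian/tor.apparmor-profile.abstraction $(CURDIR)/debian/tor/etc/apparmor.d/abstractions/tor`; the other is to change the include to `<abstractions/system_tor>`. The `install` target's recipe starts and continues outside this hunk.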
diff --git a/debian/tor.apparmor-profile b/debian/tor.apparmor-profile
new file mode 100644
index 0000000000..1c5f539d23
--- /dev/null
+++ b/debian/tor.apparmor-profile
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+#include <tunables/global>
+
+profile system_tor {
+  #include <abstractions/tor>
+
+  owner /var/lib/tor/** rwk,
+  owner /var/log/tor/* w,
+
+  /{,var/}run/tor/control w,
+  /{,var/}run/tor/tor.pid w,
+  /{,var/}run/tor/control.authcookie w,
+  /{,var/}run/tor/control.authcookie.tmp rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/system_tor>
+}
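Review bot: The profile has no comment saying that `system_tor` is deliberately unattached. `profile system_tor {` names no executable path, so the profile is not applied automatically and a tor started outside the init script runs unconfined. A short comment above the `profile` line would make that explicit to administrators, for example `# Named profile without attachment: only applied when tor is started through aa-exec --profile=system_tor (see the init script).`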
diff --git a/debian/examples/apparmor-policy b/debian/tor.apparmor-profile.abstraction
similarity index 52%
rename from debian/examples/apparmor-policy
rename to debian/tor.apparmor-profile.abstraction
index 004a6ac9de..4399437bb6 100644
--- a/debian/examples/apparmor-policy
+++ b/debian/tor.apparmor-profile.abstraction
@@ -1,7 +1,5 @@
 # vim:syntax=apparmor
-#include <tunables/global>
 
-/usr/sbin/tor {
   #include <abstractions/base>
   #include <abstractions/nameservice>
 
@@ -15,21 +13,11 @@
   capability setgid,
   capability setuid,
 
+  /usr/sbin/tor r,
+
   /proc/sys/kernel/random/uuid r,
   /sys/devices/system/cpu/ r,
   /sys/devices/system/cpu/** r,
 
   /etc/tor/* r,
   /usr/share/tor/** r,
-
-  owner /var/lib/tor/** rwk,
-  owner /var/log/tor/* w,
-
-  /{,var/}run/tor/control w,
-  /{,var/}run/tor/tor.pid w,
-  /{,var/}run/tor/control.authcookie w,
-  /{,var/}run/tor/control.authcookie.tmp rw,
-
-  # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.sbin.tor>
-}
diff --git a/debian/tor.default b/debian/tor.default
index 19260b91db..68c063437b 100644
--- a/debian/tor.default
+++ b/debian/tor.default
@@ -53,6 +53,14 @@ RUN_DAEMON="yes"
 #
 CLEANUP_OLD_COREFILES=y
 
+#
+# By default the tor init script will launch Tor using apparmor iff
+# /usr/sbin/aa-status exists and is executable and calling it with --enabled
+# returns true, /usr/sbin/aa-exec is executable, there is a
+# /etc/apparmor.d/system_tor policy, and USE_AA_EXEC is set to 'yes'.
+#
+# USE_AA_EXEC="yes"  # default
+# USE_AA_EXEC="no"
 
 # Let the vidalia package override some of our settings.
 # People who have vidalia installed might not want to run Tor as a system
diff --git a/debian/tor.dirs b/debian/tor.dirs
index 3c28695739..72f1860ba9 100644
--- a/debian/tor.dirs
+++ b/debian/tor.dirs
@@ -1,3 +1,4 @@
+etc/apparmor.d/abstractions
 etc/tor
 var/lib/tor
 var/log/tor
diff --git a/debian/tor.docs b/debian/tor.docs
index 7f930b735e..42fd7b28b3 100644
--- a/debian/tor.docs
+++ b/debian/tor.docs
@@ -2,4 +2,3 @@ debian/README.Debian
 debian/README.polipo
 debian/README.privoxy
 contrib/tor-exit-notice.html
-debian/examples/apparmor-policy
diff --git a/debian/tor.init b/debian/tor.init
index 977539afaf..98e0a0002d 100644
--- a/debian/tor.init
+++ b/debian/tor.init
@@ -30,6 +30,7 @@ DEFAULTSFILE=/etc/default/$NAME
 WAITFORDAEMON=60
 DEFAULT_ARGS="--defaults-torrc /usr/share/tor/tor-service-defaults-torrc"
 VERIFY_ARGS="--verify-config $DEFAULT_ARGS"
+USE_AA_EXEC="yes"
 ARGS=""
 if [ "${VERBOSE:-}" != "yes" ]; then
 	ARGS="$ARGS --hush"
@@ -140,10 +141,22 @@ case "$1" in
 	if start-stop-daemon --stop --signal 0 --quiet --pidfile $TORPID --exec $DAEMON; then
 		log_action_end_msg 0 "already running"
 	else
+		if [ "$USE_AA_EXEC" = "yes" ] &&
+		   [ -x /usr/sbin/aa-status ] && \
+		   [ -x /usr/sbin/aa-exec ] && \
+		   [ -e /etc/apparmor.d/system_tor ] && \
+		   /usr/sbin/aa-status --enabled ; then
+			AA_EXEC="--startas /usr/sbin/aa-exec"
+			AA_EXEC_ARGS="--profile=system_tor -- $DAEMON"
+		else
+			AA_EXEC=""
+			AA_EXEC_ARGS=""
+		fi
 		if start-stop-daemon --start --quiet \
 			--pidfile $TORPID \
 			$NICE \
-			--exec $DAEMON -- $DEFAULT_ARGS $ARGS
+			$AA_EXEC \
+			--exec $DAEMON -- $AA_EXEC_ARGS $DEFAULT_ARGS $ARGS
 		then
 			log_action_end_msg 0
 		else
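Review bot: The `else` branch that sets `AA_EXEC=""` starts tor unconfined without any message, even when `USE_AA_EXEC` is `yes` and the administrator expects confinement. A missing `aa-exec`, a missing policy file or a disabled AppArmor all take that path silently. Logging the downgrade would make it visible, e.g. `[ "$USE_AA_EXEC" != "yes" ] || log_warning_msg "AppArmor not available; starting tor unconfined"` inside that `else`. Also, `[ -e /etc/apparmor.d/system_tor ]` only shows that the policy file is on disk, not that the profile is loaded, so a profile that failed to parse would presumably make `aa-exec` fail and tor not start. The enclosing `case` branch begins and ends outside this hunk.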
-- 
GitLab