reopen 800385
thanks
On 04/01/17 at 08:15, Peter Palfrader wrote:
> Thanks for your help!
>
> On Wed, 04 Jan 2017, Laurent Bigonville wrote:
>> I just tried with the following hardening features, and the daemon is
>> starting (I kept the old values in comments):
>>
>> # Hardening
>> AppArmorProfile=system_tor
>> NoNewPrivileges=yes
>> PrivateTmp=yes
>> PrivateDevices=yes
>> ProtectHome=yes
>> ProtectControlGroups=yes #added
>> ProtectKernelTunables=yes #added
>
> Maybe.
>
>> #ProtectSystem=full
>> ProtectSystem=strict
>
> Maybe. That's new in sid/testing.
>
>> #ReadOnlyDirectories=/

I understand better now why you chose ReadOnlyDirectories=/ instead of
ProtectSystem=strict.

>> #ReadWriteDirectories=-/proc
>
> Maybe.
>
>> ReadWriteDirectories=-/var/lib/tor
>> ReadWriteDirectories=-/var/log/tor
>> #ReadWriteDirectories=-/var/run
>> ReadWriteDirectories=-/var/run/tor
>
> Can we still create the directory if it isn't there yet?

Yes, it's working; if I comment it out completely, the daemon fails.
I think it only applies to the main process and not the Pre one (maybe?).

>> #CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE
>> CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
>
> No, that breaks hidden services. See https://bugs.debian.org/847598

I see. Do you know what the owner/group of /var/lib/tor/hidden_service/
were in that bug?

>> torify wget http://www.perdu.com returns the expected content
>
> I think other useful tests would be
> - can Tor start when a hidden service is configured?
> - can Hidden services read/write to backend sockets in
>   /var/lib/tor-onion-sockets/?
> - does transparent proxying still work (TransPort)?
> - can we log to syslog?

I'll try to see when I can test that. Don't expect a reply tomorrow though.

For the syslog part, I see stuff being logged in journald, so it's OK, I
guess.
Laurent Bigonville
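As an added example (not code from the bug report, from Peter's unit file or from the Debian tor package): a small POSIX shell lint that encodes the checks discussed in the thread above. It accepts either ProtectSystem=strict or ReadOnlyDirectories=/ as a read-only root, requires a ReadWriteDirectories entry for each of /var/lib/tor, /var/log/tor and /var/run/tor, and flags a CapabilityBoundingSet that drops CAP_DAC_OVERRIDE when the torrc configures a HiddenServiceDir, the combination that broke hidden services in #847598. The helper names (unit_get, check_tor_unit), the temporary directory, and the sample unit files and torrc are constructed for the demonstration and are assumptions, not files from the report.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Debian tor package.
# Lints a tor systemd unit for the sandboxing directives discussed in
# #800385. Assumptions: a single [Service] section, systemd's
# "last assignment wins" rule for single-valued keys, and a torrc whose
# HiddenServiceDir lines mean CAP_DAC_OVERRIDE is still needed (#847598).

# Effective value of a single-valued directive: the last uncommented
# assignment (a leading "#" keeps the old value as a comment, as in the thread).
unit_get() { # unitfile key
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# check_tor_unit UNITFILE TORRC: prints one line per finding and returns
# the number of findings (0 means the unit passes every check).
check_tor_unit() {
    u=$1; t=$2; n=0
    for k in NoNewPrivileges PrivateTmp PrivateDevices ProtectHome \
             ProtectControlGroups ProtectKernelTunables; do
        [ "$(unit_get "$u" "$k")" = "yes" ] || { echo "missing $k=yes"; n=$((n + 1)); }
    done
    # Either setting gives a read-only root; the thread chose ReadOnlyDirectories=/.
    if [ "$(unit_get "$u" ProtectSystem)" != "strict" ] &&
       [ "$(unit_get "$u" ReadOnlyDirectories)" != "/" ]; then
        echo "root filesystem not read-only (want ProtectSystem=strict or ReadOnlyDirectories=/)"
        n=$((n + 1))
    fi
    # With a read-only root, tor still needs its state, log and runtime dirs.
    for d in /var/lib/tor /var/log/tor /var/run/tor; do
        grep -qE "^[[:space:]]*ReadWriteDirectories=-?$d\$" "$u" ||
            { echo "no ReadWriteDirectories entry for $d"; n=$((n + 1)); }
    done
    # Dropping CAP_DAC_OVERRIDE broke hidden services in #847598.
    caps=" $(unit_get "$u" CapabilityBoundingSet) "
    if grep -qE '^[[:space:]]*HiddenServiceDir[[:space:]]' "$t" &&
       ! printf '%s' "$caps" | grep -q ' CAP_DAC_OVERRIDE '; then
        echo "hidden service configured but CAP_DAC_OVERRIDE is not in CapabilityBoundingSet"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample inputs for the demonstration (not real files).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/weak.service" <<'EOF'
[Service]
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ReadWriteDirectories=-/var/lib/tor
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
EOF

cat > "$TMP/hardened.service" <<'EOF'
[Service]
AppArmorProfile=system_tor
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
#ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
ReadWriteDirectories=-/var/run/tor
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE
EOF

cat > "$TMP/torrc" <<'EOF'
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
EOF

check_tor_unit "$TMP/weak.service" "$TMP/torrc" || echo "weak unit: $? finding(s)"
check_tor_unit "$TMP/hardened.service" "$TMP/torrc" && echo "hardened unit: no findings"
```

The lint only reads files, so it can be pointed at the installed unit file and torrc on a real host; it does not replace the runtime tests Peter lists (hidden-service start, the onion backend sockets, TransPort, syslog), which need a running daemon.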