author intrigeri <intrigeri@boum.org> 2015-11-10 10:56:37 +0000
committer intrigeri <intrigeri@boum.org> 2015-11-10 10:58:32 +0000
commit fa5e9988d3ea1a99fa1671567b49fb71abe9704c
tree e33414e8cb85c803fbdc6fca7aae2193334d872a /config/chroot_local-patches
parent 79a11e23f17f2e2ff5bebf46713956e77a456a2f
Restore AppArmor confinement of Tor by renaming the AppArmor profile.
Jessie's systemd has no AppArmor support, so Tor 0.2.7.x backport for Jessie's systemd unit files don't load the profile. We've ensured that on Stretch everything will work just as we need, but for Jessie we need this kludge: simply rename the system_tor profile so that it's used automatically, without having to explicitly assign it to the service.
Closes: #10528
Diffstat (limited to 'config/chroot_local-patches')
-rw-r--r-- config/chroot_local-patches/apparmor-adjust-tor-profile.diff 14
1 files changed, 11 insertions, 3 deletions
diff --git a/config/chroot_local-patches/apparmor-adjust-tor-profile.diff b/config/chroot_local-patches/apparmor-adjust-tor-profile.diff
index a22c22d..4fec762 100644
--- a/config/chroot_local-patches/apparmor-adjust-tor-profile.diff
+++ b/config/chroot_local-patches/apparmor-adjust-tor-profile.diff
@@ -1,7 +1,16 @@
+XXX: renaming the profile should not be needed on Stretch anymore,
+since tor@default.service loads the profile correctly itself there
+(and actually, renaming the profile as this patch does may prevent
+the service from starting at all).
+
--- a/etc/apparmor.d/system_tor 2015-06-04 12:28:12.243020484 +0000
+++ b/etc/apparmor.d/system_tor 2015-06-04 12:29:32.580249731 +0000
-@@ -4,6 +4,9 @@
- profile system_tor {
+@@ -1,9 +1,12 @@
+ # vim:syntax=apparmor
+ #include <tunables/global>
+
+-profile system_tor {
++/usr/bin/tor flags=(attach_disconnected) {
#include <abstractions/tor>
+ link /etc/tor/.wh.torrc -> /.wh..wh.aufs,
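Review bot: the new header line `/usr/bin/tor flags=(attach_disconnected) {` does more than the rename the commit message describes. It also adds `flags=(attach_disconnected)`, which the removed `profile system_tor {` line did not carry, and neither the commit message nor the XXX header explains why the flag is needed. Please state the reason in the patch header, since the flag changes how disconnected paths are mediated and a later reader cannot tell whether it is part of the Jessie kludge or meant to stay. Two smaller points on the same hunk: the profile now attaches by path to every execution of /usr/bin/tor rather than only to the service, while the file is still named etc/apparmor.d/system_tor, so the file name no longer matches the profile name and that is worth a line in the header too; and the XXX note should cite the ticket (#10528) so the rename is actually dropped on Stretch, where by its own wording it "may prevent the service from starting at all".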
@@ -10,4 +19,3 @@
owner /var/lib/tor/** rwk,
owner /var/log/tor/* w,
-