-rw-r--r--config/chroot_local-patches/apparmor-aliases.diff41
-rw-r--r--wiki/src/contribute/design/application_isolation.mdwn15
2 files changed, 55 insertions, 1 deletions
diff --git a/config/chroot_local-patches/apparmor-aliases.diff b/config/chroot_local-patches/apparmor-aliases.diff
new file mode 100644
index 0000000..e606c61
--- /dev/null
+++ b/config/chroot_local-patches/apparmor-aliases.diff
@@ -0,0 +1,41 @@
+--- a/etc/apparmor.d.orig/abstractions/base 2013-07-10 22:05:57.000000000 +0000
++++ b/etc/apparmor.d/abstractions/base 2015-06-03 18:11:08.402380000 +0000
+@@ -53,10 +53,11 @@
+ /opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,
+
+ # we might as well allow everything to use common libraries
+- /lib{,32,64}/** r,
++ /lib{32,64}/** r,
++ /lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}** r,
+ /lib{,32,64}/lib*.so* mr,
+ /lib{,32,64}/**/lib*.so* mr,
+- /lib/@{multiarch}/** r,
++ /lib/@{multiarch}/{[^l],l[^i],li[^v],liv[^e],live[^/]}** r,
+ /lib/@{multiarch}/lib*.so* mr,
+ /lib/@{multiarch}/**/lib*.so* mr,
+ /usr/lib{,32,64}/** r,
+diff -Naur '--exclude=cache' /etc/apparmor.d.orig/abstractions/ubuntu-helpers /etc/apparmor.d/abstractions/ubuntu-helpers
+--- a/etc/apparmor.d.orig/abstractions/ubuntu-helpers 2013-07-10 22:05:57.000000000 +0000
++++ b/etc/apparmor.d/abstractions/ubuntu-helpers 2015-06-03 18:16:42.022380000 +0000
+@@ -66,7 +66,8 @@
+ # Full access
+ / r,
+ /** rwkl,
+- /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
++ /{,usr/,usr/local/}lib{32,64}/{,**/}*.so{,.*} m,
++ /{,usr/,usr/local/}lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}{,**/}*.so{,.*} m,
+
+ # Dangerous files
+ audit deny owner /**/* m, # compiled libraries
+diff -Naur '--exclude=cache' /etc/apparmor.d.orig/tunables/alias /etc/apparmor.d/tunables/alias
+--- a/etc/apparmor.d.orig/tunables/alias 2013-07-10 22:05:57.000000000 +0000
++++ b/etc/apparmor.d/tunables/alias 2015-06-03 18:12:46.426380000 +0000
+@@ -14,3 +14,7 @@
+ #
+ # Or if mysql databases are stored in /home:
+ # alias /var/lib/mysql/ -> /home/mysql/,
++
++alias / -> /lib/live/mount/overlay/,
++alias / -> /lib/live/mount/rootfs/filesystem.squashfs/,
++
+
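Review bot: The new `{[^l],l[^i],li[^v],liv[^e],live[^/]}**` glob in the `abstractions/base` hunk keeps the two `r` rules off `/lib/live/`, but the unchanged `/lib{,32,64}/**/lib*.so* mr,` line directly below it still matches `/lib/live/mount/overlay/**/lib*.so*` and `/lib/live/mount/rootfs/filesystem.squashfs/**/lib*.so*`, so the broadest `m` rule in this abstraction still overlaps with every aliased rule, which the accompanying `application_isolation.mdwn` change cites as the reason for the split. If that overlap is unwanted, split it the same way, `/lib{32,64}/**/lib*.so* mr,` plus `/lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}**/lib*.so* mr,`, on the assumption that `**` may match the empty string here as the rewritten `r` rule already relies on. The two `alias` lines added to `tunables/alias` leave no explanation in the resulting file; a comment such as `# Tails: rules written for / must also cover the Debian Live overlay and squashfs mount points` would spare the next reader a trip to the design page. The first inner section (`abstractions/base`) has no `diff` header, while the other two carry absolute `/etc/...` paths that do not match the `a/`/`b/` prefixes on their `---`/`+++` lines; whether the patch tooling tolerates this is not visible here.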
diff --git a/wiki/src/contribute/design/application_isolation.mdwn b/wiki/src/contribute/design/application_isolation.mdwn
index d8331de..fffe0c5 100644
--- a/wiki/src/contribute/design/application_isolation.mdwn
+++ b/wiki/src/contribute/design/application_isolation.mdwn
@@ -58,7 +58,20 @@ between an access to the upper layer, and an access to the loop-backed
underlying layer.
So, we have to adjust profiles a bit to make them support the paths
-that are actually seen by AppArmor in the context of Tails:
+that are actually seen by AppArmor in the context of Tails.
+
+First, we are using a couple of
+[aliases](http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Alias_and_rewrite_rules)
+so that rules applying to "normal" paths (e.g.
+`/home/amnesia/.gnupg/`) also apply to Debian Live -specific paths,
+such as `/lib/live/mount/overlay/home/amnesia/.gnupg/`. And, to avoid
+subsequent problems with overlapping rules, and to mitigate the
+increased policy compilation time (see details below), we also patch
+some some very broad rules to make them _not_ apply to `/lib/live/*`.
+All these changes live in
+[[!tails_gitweb config/chroot_local-patches/apparmor-aliases.diff]].
+
+Second, few more targeted adjustments are also applied:
* [[!tails_gitweb config/chroot_local-includes/etc/apparmor.d/tunables/home.d/tails]]
* [[!tails_gitweb config/chroot_local-patches/apparmor-adjust-pidgin-profile.diff]]