Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Confine securedrop-proxy with apparmor #1889

Closed
legoktm opened this issue Mar 4, 2024 · 2 comments · Fixed by #2039
Closed

Confine securedrop-proxy with apparmor #1889

legoktm opened this issue Mar 4, 2024 · 2 comments · Fixed by #2039
Assignees
@legoktm
Labels
proxy v2

Comments

@legoktm
Copy link
Member

legoktm commented Mar 4, 2024

In the proxy v2 architecture, it should be relatively straightforward for us to confine the proxy under apparmor, as it needs no file access and should only be making outbound requests on port 80/443.
@legoktm legoktm mentioned this issue May 2, 2024
Merged
16 tasks
@legoktm legoktm moved this to Ready to go in SecureDrop dev cycle May 21, 2024
@legoktm
Copy link
Member Author

legoktm commented May 22, 2024

I tried to do this today but aa-genprof didn't really work, it generated all the log events but processed them for the profile. Will spend a bit more time poking at it before trying something else.

@legoktm
Copy link
Member Author

legoktm commented May 28, 2024

I had much more success writing the profile by hand by following https://gitlab.com/apparmor/apparmor/-/wikis/Profiling_by_hand - not fully tested PR incoming.

legoktm added a commit that referenced this issue May 28, 2024
@legoktm
WIP: Add AppArmor profile for securedrop-proxy
601f813 
Because this is a static Rust binary, it ends up being super simple, we
just need to import the abstractions for DNS, OpenSSL and TLS certs.

Fixes #1889.
@legoktm legoktm mentioned this issue May 28, 2024
Merged
8 tasks
@legoktm legoktm self-assigned this May 28, 2024
@legoktm legoktm moved this from Ready to go to In Progress in SecureDrop dev cycle May 28, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in SecureDrop dev cycle Jun 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@legoktm legoktm

Labels
proxy v2
Projects
SecureDrop dev cycle
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add AppArmor profile for securedrop-proxy freedomofpress/securedrop-client
1 participant
@legoktm