On Fri, 16 Dec 2016 12:30:28 +0000 Peter Palfrader <wea...@debian.org>
wrote:
> On Sun, 04 Oct 2015, Peter Palfrader wrote:
>
> > On Mon, 28 Sep 2015, Laurent Bigonville wrote:
> > > -CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
> > > +CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER
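Review bot: the three capabilities added on the `+` line (CAP_DAC_OVERRIDE, CAP_CHOWN, CAP_FOWNER) come with no comment saying which tor operation needs each one, and the discussion that follows shows the justification is disputed: CAP_CHOWN and CAP_FOWNER were later dropped again, and CAP_DAC_OVERRIDE is only needed because tor touches /var/lib/tor and /var/log/tor as root before chowning to debian-tor. Suggest a one-line comment above `CapabilityBoundingSet=` naming the reason for each capability kept, so the next person widening or narrowing the set can see what it was for, and considering whether giving root (or the root group) access to those two directories, as proposed below, would let CAP_DAC_OVERRIDE go as well, since it bypasses file permission checks for everything the unit can reach, not just those two paths.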
> > >
> > > The dac_override one could at least be dropped if root also had access
> > > to the /var/log/tor /var/lib/tor directories (giving access to the root
> > > group?). Not too sure about the other ones.
> >
> > But root doesn't. And I think we need chown since we start as root and
> > then create sockets and give that to the target user. Do you disagree?
>
> We dropped CAP_CHOWN CAP_FOWNER with 0.2.9.7-rc and 0.2.8.11. We still
> need CAP_DAC_OVERRIDE as tor accesses directories as root before
> chowning to debian-tor.
I just tried with the following hardening features, and the daemon is
starting (I kept the old values commented out):
# Hardening
AppArmorProfile=system_tor
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
# added
ProtectControlGroups=yes
# added
ProtectKernelTunables=yes
#ProtectSystem=full
ProtectSystem=strict
#ReadOnlyDirectories=/
#ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
#ReadWriteDirectories=-/var/run
ReadWriteDirectories=-/var/run/tor
#CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
torify wget http://www.perdu.com returns the expected content
Not sure why you set /proc as R/W (this is also controlled by
ProtectKernelTunables=yes/no if I understood the manpage correctly)
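The check a practitioner would want after an edit like the one above is whether the narrowed CapabilityBoundingSet= actually reached the running tor process, and whether every line in the fragment was parsed at all: systemd only treats lines that begin with # or ; as comments, so a trailing annotation such as `ProtectControlGroups=yes #added` becomes part of the value, fails to parse as a boolean and is ignored with a warning. The script below is an added example, not code from this thread or from the Debian tor package. It reads the unit's requested bounding set, decodes the CapBnd/CapEff masks from /proc/<pid>/status and reports any capability the process still has beyond what the unit asks for. The unit text and status lines embedded in it are constructed samples (the mask 0x4c2 is SETUID, SETGID, NET_BIND_SERVICE plus a lingering DAC_OVERRIDE); on a real system you would feed it /etc/systemd/system/tor.service.d/*.conf and /proc/$(systemctl show -p MainPID --value tor@default)/status instead.

```python
"""Compare a unit's CapabilityBoundingSet= with the live process's CapBnd."""
import re

# Linux capability numbers (linux/capability.h); list index == capability number.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Constructed sample unit fragment, mirroring the one posted in the thread
# (including the two lines with trailing annotations that systemd cannot parse).
SAMPLE_UNIT = """\
[Service]
# Hardening (constructed sample)
ProtectControlGroups=yes #added
ProtectKernelTunables=yes #added
ProtectSystem=strict
ReadWriteDirectories=-/var/lib/tor
#CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
"""

# Constructed /proc/<pid>/status excerpt: privileges already dropped (CapEff
# empty) but the bounding set still carries CAP_DAC_OVERRIDE (bit 1).
SAMPLE_STATUS = """\
Name:\ttor
Uid:\t106\t106\t106\t106
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000000004c2
CapAmb:\t0000000000000000
"""


def decode_mask(hex_mask):
    """Turn a Cap* hex mask from /proc/<pid>/status into a set of capability names."""
    value = int(hex_mask, 16)
    return {CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit
            for bit in range(value.bit_length()) if value >> bit & 1}


def inline_comment_lines(unit_text):
    """1-based line numbers whose value carries a '#': only lines *starting* with
    '#' or ';' are comments to systemd, so these settings will be rejected."""
    return [n for n, raw in enumerate(unit_text.splitlines(), 1)
            if not raw.lstrip().startswith(("#", ";"))
            and "#" in raw.partition("=")[2]]


def unit_bounding_set(unit_text):
    """Capabilities the unit asks for. Repeated positive lines are merged, an
    empty assignment resets the set; None means the unit does not restrict it.
    The inverted '~CAP_X ...' form is not handled in this example."""
    wanted = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "CapabilityBoundingSet":
            names = value.split()
            if not names:
                wanted = set()
            elif names[0].startswith("~"):
                raise ValueError("inverted (~) bounding sets not handled here")
            else:
                wanted = (wanted or set()) | set(names)
    return wanted


def audit(unit_text, status_text):
    """Report capabilities the process keeps beyond the unit's request."""
    requested = unit_bounding_set(unit_text)
    if requested is None:
        requested = set(CAP_NAMES)
    masks = {m.group(1): decode_mask(m.group(2))
             for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)", status_text, re.M)}
    return {
        "extra": sorted(masks["CapBnd"] - requested),
        "missing": sorted(requested - masks["CapBnd"]),
        "effective": sorted(masks["CapEff"]),
        "unparsed_lines": inline_comment_lines(unit_text),
    }


if __name__ == "__main__":
    for key, val in audit(SAMPLE_UNIT, SAMPLE_STATUS).items():
        print("%-15s %s" % (key, val))
```

An "extra" entry means the bounding set in the unit never took effect (stale unit, a drop-in that lost to another file, or the setting itself being ignored), which is exactly the case a start-up test like `torify wget` will not catch, since tor runs fine either way. The "unparsed_lines" entry points at settings that will show up as "Failed to parse boolean value, ignoring" in the journal.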