Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set capability dac_override for Apache AppArmor #2108

Merged
merged 1 commit into from
Aug 14, 2017
Merged

Set capability dac_override for Apache AppArmor #2108

merged 1 commit into from
Aug 14, 2017

Conversation

conorsch
Copy link
Contributor

@conorsch conorsch commented Aug 14, 2017
edited
Loading

Status

Ready for review.

Description of Changes

We were previously relying on the tor apparmor abstractions to provide capability dac_override. When the tor package removed the capability in favor of dac_read_search, the apache service started
failing due to overconfinement. Editing the AppArmor profile for Apache such that the dac_override capability is now explicitly, rather than implicitly, included.

Fixes #2105.

Testing

Confirm both clean installs on staging and upgrades from 0.4.1 restore functionality for the web applications (both Source and Journalist Interfaces).

Deployment

Hotfix release to handle breaking changes from upstream tor package. Discussion of reducing exposure to this form of breakage is in #2106.

Checklist

If you made changes to the app code:

  • Unit and functional tests pass on the development VM

If you made changes to the system configuration:

If you made changes to documentation:

  • Doc linting passed locally

@ghost
Copy link

ghost commented Aug 14, 2017 

E           OSError: [Errno 39] Directory not empty: '/tmp/securedrop'

looks like tests racing against each other ?

@conorsch
Copy link
Contributor Author

Yes, that's an easy toggle to kick off the Travis suite again, but I see that my omission of updated config tests is going to cause Circle CI to fail too. Patching commit...

Set capability dac_override for Apache AppArmor
5dcb4f1 
We were previously relying on the tor apparmor abstractions to provide
`capability dac_override`. When the tor package removed the
capability in favor of `dac_read_search`, the apache service started
failing due to overconfinement. Editing the AppArmor profile for Apache
such that the dac_override capability is now explicitly, rather than
implicitly, included.
@conorsch conorsch force-pushed the explicitly-include-dac-override-in-apache-apparmor-profile branch from 5ec6800 to 5dcb4f1 Compare August 14, 2017 22:14
@conorsch
Copy link
Contributor Author

All CI is passing. Running through the QA checklist described in #2107 prior to merging.

@conorsch
Copy link
Contributor Author

Confirmed upgrade resolves issue on hardware. Merging and continuing with pre-release QA process in #2107.

@conorsch conorsch merged commit 3ee4850 into release/0.4.2 Aug 14, 2017
@conorsch conorsch modified the milestone: 0.4.2 Aug 14, 2017
@redshiftzero redshiftzero mentioned this pull request Aug 15, 2017
Closed
@redshiftzero redshiftzero deleted the explicitly-include-dac-override-in-apache-apparmor-profile branch August 16, 2017 18:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.4.2
Development

Successfully merging this pull request may close these issues.
1 participant
@conorsch