[x86] correct apparmor.d/system_tor (#2876)

2024-11-19 01:40:16 +01:00 · 2022-01-10 18:02:29 +00:00 · 2022-01-10 18:02:29 +00:00 · a72fad3607
commit a72fad3607
parent 17524cfb10
2 changed files with 44 additions and 12 deletions
--- a/alternative.platforms/amd64/packer/scripts/init.sh
+++ b/alternative.platforms/amd64/packer/scripts/init.sh
@ -22,9 +22,3 @@ wget --no-check-certificate \
     -O /home/vagrant/.ssh/authorized_keys
 chmod 0600 /home/vagrant/.ssh/authorized_keys
 chown -R vagrant /home/vagrant/.ssh
-
-# disable apparmor - tor will not work with raspiblitz customization
-mkdir -p /etc/default/grub.d
-echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \
-    | tee /etc/default/grub.d/apparmor.cfg
-update-grub
--- a/home.admin/config.scripts/tor.install.sh
+++ b/home.admin/config.scripts/tor.install.sh
@ -209,16 +209,54 @@ if [ "${action}" = "enable" ]; then
  sudo sed -i "s/^NoNewPrivileges=yes/NoNewPrivileges=no/g" /lib/systemd/system/tor@.service
  sudo mkdir -p /etc/systemd/system/tor@default.service.d
  echo "# DO NOT EDIT! This file is generated by raspiblitz and will be overwritten
-    [Service]
-    ReadWriteDirectories=-${tor_data_dir}
-    [Unit]
-    After=network.target nss-lookup.target mnt-hdd.mount
-    " | sudo tee /etc/systemd/system/tor@default.service.d/raspiblitz.conf
+[Service]
+ReadWriteDirectories=-${tor_data_dir}
+[Unit]
+After=network.target nss-lookup.target mnt-hdd.mount
+" | sudo tee /etc/systemd/system/tor@default.service.d/raspiblitz.conf
+
+  # fix apparmor - https://github.com/rootzoll/raspiblitz/issues/2531
+  if [ $(systemctl --type=service | grep -c apparmor) -gt 0 ]; then
+    echo "- add custom directories to apparmor"
+    echo "\
+    # vim:syntax=apparmor
+#include <tunables/global>
+
+profile system_tor flags=(attach_disconnected) {
+  #include <abstractions/tor>
+
+  owner /var/lib/tor/** rwk,
+  owner /var/lib/tor/ r,
+  owner /var/log/tor/* w,
+
+  owner ${tor_data_dir}/** rwk,
+  owner ${tor_data_dir}/ r,
+  owner ${tor_conf_dir}/** rwk,
+
+  # During startup, tor (as root) tries to open various things such as
+  # directories via check_private_dir().  Let it.
+  /var/lib/tor/** r,
+  ${tor_data_dir}/** r,
+  ${tor_conf_dir}/** r,
+
+  /{,var/}run/tor/ r,
+  /{,var/}run/tor/control w,
+  /{,var/}run/tor/socks w,
+  /{,var/}run/tor/tor.pid w,
+  /{,var/}run/tor/control.authcookie w,
+  /{,var/}run/tor/control.authcookie.tmp rw,
+  /{,var/}run/systemd/notify w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/system_tor>
+}"  | sudo tee /etc/apparmor.d/system_tor
+    sudo systemctl restart apparmor
+  fi

  # enable tor services
  sudo systemctl unmask tor@default
  sudo systemctl daemon-reload
-  sudo systemctl enable --now tor@ tor@service
+  sudo systemctl enable --now tor@service
  sudo systemctl restart tor@default

  echo