Merge pull request #673 from freedomofpress/234-apparmor

Add AppArmor profile for client and bump to securedrop-client 0.0.11
freedomofpress · Dec 19, 2019 · 4d71556 · 4d71556
2 parents f391abe + ab82720
commit 4d71556
Show file tree

Hide file tree

Showing 6 changed files with 116 additions and 2 deletions.
diff --git a/MANIFEST.in b/MANIFEST.in
@@ -11,6 +11,7 @@ include files/open-in-dvm.desktop
 include files/securedrop-client
 include files/securedrop-client.desktop
 include files/sd-svs-qubes-gpg-domain.sh
+include files/usr.bin.securedrop-client
 
 recursive-include alembic *
 recursive-include securedrop_client *

diff --git a/README.md b/README.md
@@ -82,6 +82,36 @@ If you want to persist data across restarts, you will need to run the client wit
 ./run.sh --sdc-home /path/to/my/dir/
 ```
 
+## AppArmor support
+
+An AppArmor profile is available for mandatory access control. When installing securedrop-client from a .deb package, the AppArmor profile will automatically be copied and enforced. Below are instructions to use the profile in non-production scenarios.
+
+### Requirements
+
+1. The entrypoint for the application must be through `/usr/bin/securedrop-client` with application code in `/opt/venvs/securedrop-client`.
+
+2. The kernel must support AppArmor (running `sudo aa-status` will return zero if AppArmor is supported).
+
+3. The `apparmor-utils` package is installed (`sudo apt install apparmor-utils` in Debian).
+
+### Enabling AppArmor
+
+1. Copy `files/usr.bin.securedrop-client` to `/etc/apparmor.d/`.
+
+2. `sudo aa-enforce /etc/apparmor.d/usr.bin.securedrop-client/`.
+
+3. `sudo aa-status` and observe securedrop-client profile is being enforced.
+
+### Testing and updating the AppArmor profile
+
+1. Update the profile in `/etc/apparmor.d/usr.bin.securedrop-client`.
+
+2. `sudo aa-teardown`.
+
+3. `sudo service apparmor restart`.
+
+4. Once you've made all the changes necessary (e.g.: no apparmor errors in `/var/log/syslog`) you can copy `/etc/apparmor.d/usr.bin.securedrop-client` into `files/usr.bin.securedrop-client` in this repository and commit the changes.
+
 ## Debugging
 
 To use `pdb`, add these lines:

diff --git a/changelog.md b/changelog.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.0.11
+
+  * Add apparmor profile (#673)
+  * Add failure message for replies (#664)
+  * Move metadata sync to api queue (#640)
+  * Add print integration (#631)
+  * Populate source list immediately upon login (#626)
+
 ## 0.0.10
 
   * Add Python 3.7/buster support (#568, #609)

diff --git a/files/usr.bin.securedrop-client b/files/usr.bin.securedrop-client
@@ -0,0 +1,75 @@
+# Last Modified: Tue Dec 10 11:57:59 2019
+#include <tunables/global>
+
+/usr/bin/securedrop-client {
+  #include <abstractions/base>
+  #include <abstractions/fonts>
+  #include <abstractions/python>
+  #include <abstractions/user-tmp>
+
+  deny /usr/bin/sudo x,
+
+  /dev/tty rw,
+  /dev/xen/evtchn rw,
+  /dev/xen/gntalloc rw,
+  /dev/xen/privcmd rw,
+  /dev/xen/xenbus rw,
+  /etc/group r,
+  /etc/machine-id r,
+  /etc/nsswitch.conf r,
+  /etc/passwd r,
+  /opt/venvs/securedrop-client/** r,
+  /opt/venvs/securedrop-client/bin/alembic mrix,
+  /opt/venvs/securedrop-client/bin/python3 ix,
+  /opt/venvs/securedrop-client/bin/sd-client mrix,
+  /opt/venvs/securedrop-client/lib/python3.7/site-packages/markupsafe/_speedups.cpython-37m-x86_64-linux-gnu.so mr,
+  /opt/venvs/securedrop-client/lib/python3.7/site-packages/sqlalchemy/cprocessors.cpython-37m-x86_64-linux-gnu.so mr,
+  /opt/venvs/securedrop-client/lib/python3.7/site-packages/sqlalchemy/cresultproxy.cpython-37m-x86_64-linux-gnu.so mr,
+  /opt/venvs/securedrop-client/lib/python3.7/site-packages/sqlalchemy/cutils.cpython-37m-x86_64-linux-gnu.so mr,
+  /proc/cpuinfo r,
+  /proc/filesystems r,
+  /sys/devices/system/cpu/online r,
+  /usr/bin/bash ix,
+  /usr/bin/cat mrix,
+  /usr/bin/chmod mrix,
+  /usr/bin/dash ix,
+  /usr/bin/mkdir mrix,
+  /usr/bin/qrexec-client-vm mrix,
+  /usr/bin/qubes-gpg-client mrix,
+  /usr/bin/qubes-gpg-import-key mrix,
+  /usr/bin/qvm-open-in-vm mrix,
+  /usr/bin/securedrop-client r,
+  /usr/bin/uname mrix,
+  /usr/bin/zenity mrix,
+  /usr/lib/qubes-gpg-split/pipe-cat mrix,
+  /usr/lib/qubes/qopen-in-vm mrix,
+  /usr/share/drirc.d/ r,
+  /usr/share/drirc.d/* r,
+  /usr/share/icons/** r,
+  /usr/share/mime/image/png.xml r,
+  /usr/share/mime/mime.cache r,
+  /usr/share/mime/types r,
+  /usr/share/securedrop-client/ r,
+  /usr/share/securedrop-client/** r,
+  /usr/share/zenity/* r,
+  owner /dev/pts/2 rw,
+  owner /home/*/.securedrop_client/sync_flag rw,
+  owner /home/user/.cache/** rwl,
+  owner /home/user/.securedrop_client/ rw,
+  owner /home/user/.securedrop_client/config.json r,
+  owner /home/user/.securedrop_client/data/ w,
+  owner /home/user/.securedrop_client/data/* rwl,
+  owner /home/user/.securedrop_client/gpg/ rw,
+  owner /home/user/.securedrop_client/gpg/* rwl,
+  owner /home/user/.securedrop_client/logs/ rw,
+  owner /home/user/.securedrop_client/logs/* rw,
+  owner /home/user/.securedrop_client/svs.sqlite rwk,
+  owner /home/user/.securedrop_client/svs.sqlite-journal rw,
+  owner /home/user/QubesIncoming/sd-proxy/* rw,
+  owner /opt/venvs/securedrop-client/lib/python3.7/**/__pycache__/* rw,
+  owner /opt/venvs/securedrop-client/lib/python3.7/__pycache__/* rw,
+  owner /proc/*/cmdline r,
+  owner /proc/*/fd/ r,
+  owner /usr/share/securedrop-client/** rw,
+
+}
diff --git a/securedrop_client/__init__.py b/securedrop_client/__init__.py
@@ -1 +1 @@
-__version__ = '0.0.10'
+__version__ = '0.0.11'
diff --git a/setup.py b/setup.py
@@ -14,7 +14,7 @@
 
 setuptools.setup(
     name="securedrop-client",
-    version="0.0.10",
+    version="0.0.11",
     author="Freedom of the Press Foundation",
     author_email="securedrop@freedom.press",
     description="SecureDrop Workstation client application",