Apparmor and kernel 4.14.18-1 creates tons of kern.log pop ups.

AppArmor
1

Using Qubes 3.2 and Whonix 13 (wasn’t sure to put this in AppArmor or Qubes-Whonix section) with AppArmor enabled. Updated dom0 and received a new vm kernel: kernel-qubes-vm.x86_64 1000:4.14.18-1.pvops.qubes. When this kernel is used on a Whonix 13 AppVM (workstation or gateway) with AppArmor enabled it produces pop up spam from the kern.log. Here is the entry:

Feb  9 16:44:31 host kernel: [   28.421099] audit: type=1400 audit(1518194671.669:36): apparmor="DENIED" operation="signal" profile="/usr/bin/whonixcheck" pid=1002 comm="whonixcheck" requested_mask="send" denied_mask="send" signal=rtmin+-93 peer="unconfined"

Temporary fix is to select kernel 4.14.13-1 for my Whonix VMs.

2

Is AppArmor actually working with the 4.14.18 kernel though? i.e. does the appamor module load? (doesn’t load in 4.14.13 as the open Qubes issue points out)

3

Seems to be.

user@host:~$ uname -a
Linux host 4.14.18-1.pvops.qubes.x86_64 #1 SMP Thu Feb 8 19:37:36 UTC 2018 x86_64 GNU/Linux
user@host:~$ sudo systemctl status apparmor.service 
● apparmor.service - LSB: AppArmor initialization
   Loaded: loaded (/etc/init.d/apparmor)
   Active: active (exited) since Sat 2018-02-10 05:43:40 UTC; 2min 17s ago
  Process: 606 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)

Feb 10 05:43:40 host apparmor[606]: Starting AppArmor profiles:.
Feb 10 05:43:40 host systemd[1]: Started LSB: AppArmor initialization.
user@host:~$ sudo aa-status
apparmor module is loaded.
11 profiles are loaded.
11 profiles are in enforce mode.
   /usr/bin/whonixcheck                                                                       
   /usr/lib/cups/backend/cups-pdf                                                             
   /usr/lib/sdwdate/url_to_unixtime                                                           
   /usr/sbin/cupsd                                                                            
   /usr/sbin/cupsd//third_party                                                               
   system_tor                                                                                 
   thunderbird                                                                                
   thunderbird//browser_java
   thunderbird//browser_openjdk
   thunderbird//gpg
   thunderbird//sanitized_helper
0 profiles are in complain mode.
6 processes have profiles defined.
6 processes are in enforce mode.
   /usr/bin/whonixcheck (830) 
   /usr/bin/whonixcheck (1714) 
   /usr/lib/sdwdate/url_to_unixtime (1174) 
   /usr/lib/sdwdate/url_to_unixtime (1432) 
   /usr/lib/sdwdate/url_to_unixtime (1449) 
   /usr/sbin/cupsd (1385) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
1 Like
4

I can confirm.

Upgrading Qubes and VM kernels to 4.14.18-1 gets AppArmor back for Whonix-WS and Whonix-GW (yah!), but now the anon-whonix and sys-whonix VMs go crazy via apparmor-notify with:

Profile: /usr/bin/whonixcheck
Operation: signal
Denied: send
Logfile: /var/log/kern.log

With the logs showing over and over (some redactions):

audit:type=1400 audit (XXXXXXXXXXXXXXX.XXX:XXX): apparmor=DENIED operation=“signal” profile=“/usr/bin/whonixcheck” pid=XXX com=“whonixcheck” requested_mask=“send” denied_mask=“send” signal=rtmin±XX peer=“unconfined”

It’s really annoying. If you try to purge or remove apparmor-notify from the templateVM it wants to remove a shitload of essential Whonix stuff, so not possible.

Edit: Interim solution to keep using 4.14.18-1 and all other apparmor profiles is of course:

sudo aa-disable /etc/apparmor.d/usr.bin.whonixcheck

in both sys-whonix and anon-whonix

1 Like
5

Crude, but should work…

sudo rm /etc/xdg/autostart/apparmor-notify.desktop
1 Like
6

I did not get this message, but hopefully it’s fixed in

2 Likes
7

Also merged! :slight_smile:

8

Thanks troubadour for tracking this down.

1 Like
9

Whonix-Gateway 13 with the updated profile still shows a ton of these warnings.

Feb 14 10:36:18 host kernel: [ 646.476206] audit: type=1400 audit(1518604578.361:642): apparmor="DENIED" operation="signal" profile="/usr/bin/whonixcheck" pid=955 comm="whonixcheck" requested_mask="send" denied_mask="send" signal=rtmin+-93 peer="unconfined"

10

Yep - that’s the problem one. I never saw the ptrace one you referenced earlier.

1 Like
11

Less crude.

sudo killall aa-noitfy

To undo:

sudo apt-get install --reinstall apparmor-notify

And reboot.

12

In VirtualBox Whonix-Gateway 13 (I have no Qubes Whonix 13), with or without the profile update, cannot see a single denied message.

On my side, I never saw the signal denied message.

1 Like
13

Since we are having an AppArmor party (and everybody is invited :slight_smile: ), apart from the whonixcheck error, I note that in Qubes-Whonix (R3.2) Whonix-WS-AppVM the following AppArmor errors for the torbrowser profile:

1.Open operation

[XX.XXXXXXX] audit: type=XXXX audit(XXXXXXXXXX.XXXX:XX): apparmor=“DENIED” operation=“open” profile=“/home/**/tor-browser*/Browser/firefox” name=“/dev/” pid=XXXX comm=“firefox” requested_mask=“r” denied_mask=“r” fsuid=XXXX ouid=X

2. Signal operation

v1 (Timer)

[XX.XXXXXXX] audit: type=XXXX audit(XXXXXXXXXX.XXX:XX): apparmor=“DENIED” operation=“signal” profile=“/home//tor-browser*/Browser/firefox" pid=XXXX comm=“Timer” requested_mask=“send” denied_mask=“send” signal=vtalrm peer="/home//tor-browser*/Browser/firefox”

v2 (ProcessHanMoni)

[XX.XXXXXXX] audit: type=XXXX audit(XXXXXXXXXX.XXX:XX): apparmor=“DENIED” operation=“signal” profile=“/home//tor-browser*/Browser/firefox" pid=XXXX comm=“ProcessHangMoni” requested_mask=“send” denied_mask=“send” signal=vtalrm peer="/home//tor-browser*/Browser/firefox”

3. Ptrace one

[XX.XXXXXXX] audit: type=XXXX audit(XXXXXXXX.XXX:XX): apparmor=“DENIED” operation=“ptrace” profile=“/home//tor-browser*/Browser/firefox" pid=XXXX comm=XXXXXXXXXXXXXX requested_mask=“trace” denied_mask=“trace” peer="/home//tor-browser*/Browser/firefox”

So I went and updated the torbrowser profile from github and the result is the same as above.

2 Likes
14

Thanks. Noted in wiki.

1 Like
15

sudo killall aa-notify is not a persistent change. Will be undone on reboot. It only kills the process showing the notification but doesn’t prevent starting it at next boot. Made a small change in the wiki.

1 Like
16

I’m advancing blinldy on those.

The torbrowser and whonixcheck profiles are updated with an opening for the ptrace and signal operations.

Could you please confirm that the whonixcheck profile works in Qubes 4 / Whonix 14 ?

2 Likes
17

Merged.

Still getting

Feb 18 14:13:45 host kernel: [   78.177928] audit: type=1400 audit(1518963225.652:84): apparmor="DENIED" operation="signal" profile="/usr/bin/whonixcheck" pid=956 comm="whonixcheck" requested_mask="send" denied_mask="send" signal=rtmin+-93 peer="unconfined"
18

Can you try

1 Like
19

BTW, I tried whonixcheck and Tor Browser in Qubes 3.2 Whonix 13. Did not get any denied message, including with TB 8.0a1.

So a fresh install seems clean apparmor-wise. In your and torjunkie’s configurations, there must be some extra software generating the messages. Does not mean we don’t have to try and fix them.

Edit:
SteadySupplies

 apparmor messages repeatedly popping up from gateway after a 
 clean install of the Whonix 13 (Stable Proposed Updates),
 about whonixcheck

Reconsidering my above statement.

1 Like
20

Merged. Testing. Keep getting this.

Feb 18 22:23:01 host kernel: audit: type=1400 audit(1518992581.365:43): apparmor="DENIED" operation="signal" profile="/usr/bin/whonixcheck" pid=1425 comm="whonixcheck" requested_mask="send" denied_mask="send" signal=rtmin+-93 peer="unconfined"