AppArmor and Whonix

[html]

AppArmor (“Application Armor”) for better security.

Current status of AppArmor and Whonix:

– Non-Qubes-Whonix: We have enabled AppArmor by default for a while now. (https://github.com/Whonix/grub-enable-apparmor)

– Qubes-Whonix: requires some extra instructions to enable AppArmor, see: https://www.whonix.org/wiki/Qubes/AppArmor

– Therefore, The Tor Project’s AppArmor profile for Tor is in use on Whonix-Gateway.

– We tweak that one a bit to make it work with Whonix and obfsproxy. (https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/etc/apparmor.d/local/system_tor.anondist)

– We don’t install any apparmor profiles by default as of Whonix 11.

– We no longer install the profiles from Debian (packages apparmor-profiles, apparmor-profiles-extra) since Whonix 10, because of the noise they generate in the forums.

– We do not plan on installing AppArmor profiles by default for packages that are not developed under the Whonix umbrella, such as Tor Browser, Pidgin, XChat, etc. (list: https://github.com/Whonix?utf8=%E2%9C%93&query=apparmor). Package upgrades by upstream that we don’t control could make it impossible to start the application, or lead to eventual fingerprinting issues; therefore installation of such AppArmor profiles is manual, for testers and advanced users.

– Upstreaming such profiles is a very time-consuming and slow process (it requires a new stable Debian release). Help welcome.

– For AppArmor profiles developed under the Whonix umbrella, such as sdwdate and whonixcheck, we plan for Whonix 13 or so to deprecate the separate AppArmor profile packages and install those profiles by default. That is doable because we control package upgrades.

The Whonix profiles can be installed with:

sudo apt-get install apparmor-profiles-whonix

AppArmor Whonix Wiki Page:

AppArmor

AppArmor Whonix Forum:

https://www.whonix.org/forum/index.php/board,18.0.html

Apparmor Whonix Phabricator TODO List:

https://phabricator.whonix.org/maniphest/?statuses=open%2Creview&allProjects=PHID-PROJ-q6t3ulhtja6xyqgs7l5z#R

Comments / Forum Discussion:

https://www.whonix.org/forum/index.php/topic,1237.0.html


[/html]

When updating Tor Browser to 5.5.5, AppArmor denied ‘w’ permission to /var/cache/fontconfig. Not sure if that’s significant or not (probably best to just reinstall TBB). But it makes me nervous that AppArmor may block a critical security update. Didn’t anticipate this.

Just now, read:

To clarify, with Whonix 13, TB (and others) profile will not be included in apparmor-profiles-whonix?

Apparmor page might need a warning regarding updates & fingerprinting issues. Perhaps profiles should be disabled (manually) before updating?

entr0py:

To clarify, with Whonix 13, TB (and others) profile will not be included in apparmor-profiles-whonix?

Incorrect.

In Whonix 13, profiles for sdwdate (etc., Whonix umbrella …) will be installed by default. apparmor-profiles-whonix will not be installed by default. apparmor-profiles-whonix is just a meta package that installs all AppArmor profiles developed by Whonix.

Apparmor page might need a warning regarding updates & fingerprinting issues.

Ok.

Perhaps profiles should be disabled when updating?

That doesn’t make sense for anything other than development purposes. Bad for security. The premise here is that Tor Browser may be compromised and AppArmor contains it. Then the compromise would spread once you disable the AppArmor profile and start Tor Browser to update it.

1 Like

@Patrick Just discovered after many hours of tinkering that it was all imagined and I wasn’t actually doing anything :confused:

libapparmor does not correctly parse /var/log/files, so aa-genprof and aa-logprof don’t do anything. A simple workaround is to install auditd and its libauparse0 dependency.

Debian bug report: Bug#793545: Apparmor aa-genprof not working in jessie

Ubuntu: Bug #1399027 “logparser doesn't understand /var/log/messages for...” : Bugs : AppArmor

Fixes supposedly coming to Jessie as 2.9.3 (as of 7/2015). Currently on 2.9.0.

1 Like
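Two points in this thread call for the same tool: the denied ‘w’ on /var/cache/fontconfig seen during the Tor Browser update, and the fact that aa-logprof on Jessie silently did nothing because libapparmor could not parse the log. The following is an added example, not Whonix project code and not part of any post above: a small Python parser for AppArmor audit records (the `apparmor="DENIED" operation=… profile=… name=… denied_mask=…` format the kernel writes to dmesg/syslog/auditd) that groups denials per profile and prints the candidate file rules one would consider for that profile’s /etc/apparmor.d/local/ override. The log lines, the Tor Browser profile name and the fontconfig cache filename are all constructed for illustration; the mask translation (create/delete reported as ‘c’/‘d’ become ‘w’ in a file rule) mirrors what aa-logprof does, and exec denials are deliberately not turned into rules.

```python
"""Parse AppArmor DENIED audit lines and suggest local override rules.

Added example, not Whonix code.  Assumes the standard AppArmor audit record
format (type=1400) as written by the kernel.  All sample data is constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines (profile path and cache filename are invented).
SAMPLE_LOG = """\
Apr 14 10:02:11 host kernel: [ 1234.567890] audit: type=1400 audit(1460628131.123:42): apparmor="DENIED" operation="open" profile="/home/user/tor-browser_en-US/Browser/firefox" name="/var/cache/fontconfig/0123456789abcdef0123456789abcdef-le64.cache-4" pid=3021 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Apr 14 10:02:11 host kernel: [ 1234.567901] audit: type=1400 audit(1460628131.124:43): apparmor="DENIED" operation="mkdir" profile="/home/user/tor-browser_en-US/Browser/firefox" name="/var/cache/fontconfig/" pid=3021 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=0
Apr 14 10:02:11 host kernel: [ 1234.567950] audit: type=1400 audit(1460628131.125:44): apparmor="DENIED" operation="open" profile="/home/user/tor-browser_en-US/Browser/firefox" name="/var/cache/fontconfig/0123456789abcdef0123456789abcdef-le64.cache-4" pid=3021 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 14 10:02:12 host kernel: [ 1234.570000] audit: type=1400 audit(1460628132.000:45): apparmor="ALLOWED" operation="open" profile="/usr/bin/sdwdate" name="/etc/sdwdate.d/30_default.conf" pid=900 comm="sdwdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 14 10:02:13 host kernel: [ 1234.580000] usb 1-1: new high-speed USB device number 4
"""

# key="quoted value" or key=bareword, as emitted by the kernel audit code.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Output order for permission letters; the AppArmor parser accepts any order,
# this only keeps the generated rules stable.
_MASK_ORDER = "rwamklx"


def parse_apparmor_line(line):
    """Return the key/value fields of an AppArmor audit record, or None when
    the line is not an AppArmor record (e.g. an unrelated kernel message)."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}


def normalize_mask(mask):
    """Map a denied_mask to file-rule permission letters as a set.  The kernel
    reports create ('c') and delete ('d') separately, but a file rule grants
    both through 'w', which is the same translation aa-logprof applies."""
    return set(mask.replace("c", "w").replace("d", "w"))


def format_mask(letters):
    """Render a set of permission letters as rule text; 'w' subsumes 'a'."""
    if "w" in letters:
        letters = letters - {"a"}
    return "".join(ch for ch in _MASK_ORDER if ch in letters)


def collect_denials(log_text):
    """Group DENIED file accesses as {profile: {path: set(letters)}}, merging
    repeated denials of one path (e.g. a 'w' and a later 'r')."""
    denials = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_apparmor_line(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue  # skips non-AppArmor lines and complain-mode ALLOWED records
        if "name" not in rec:
            continue  # capability/network/signal denials need other rule types
        denials[rec["profile"]][rec["name"]] |= normalize_mask(rec.get("denied_mask", ""))
    return denials


def suggest_rules(denials):
    """Produce candidate file rules per profile in the syntax used inside an
    /etc/apparmor.d/local/ override.  Exec ('x') denials are only reported:
    the exec mode (ix/Px/Cx/Ux) is a security decision, not a log artefact."""
    suggestions = {}
    for profile, paths in denials.items():
        rules = []
        for path in sorted(paths):
            letters = paths[path]
            if "x" in letters:
                rules.append(f"# REVIEW: exec denied for {path}; pick an exec mode by hand")
                letters = letters - {"x"}
            mask = format_mask(letters)
            if mask:
                rules.append(f"{path} {mask},")
        suggestions[profile] = rules
    return suggestions


if __name__ == "__main__":
    for profile, rules in suggest_rules(collect_denials(SAMPLE_LOG)).items():
        print(f"# denials under profile {profile}")
        for rule in rules:
            print("  " + rule)
```

Feed it `dmesg` or /var/log/audit/audit.log output instead of SAMPLE_LOG to use it on a real system. The output is a starting point for reading, not for pasting: the fsuid/ouid fields in the record are worth checking before adding any rule (in the constructed sample, uid 1000 is writing into a root-owned directory, which plain DAC would refuse even without AppArmor), and a profile that blocks an updater is, as Patrick says above, doing its job rather than misbehaving.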