AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy

All merged.

audit deny /*System.map rw,

Can’t have a file System.map in /home/user/System.map?

Not great.

Non-great solution…
For now, I’d suggest

  • add the exact same systemd unit file to apparmor-profile-everything (same path, same name, same contents)
  • (could add file extension .dist because I have to move the file otherwise)
  • add whatever changes to the systemd unit file in another commit (for purpose of making diff visible)
  • check if sdwdate is even installed in that systemd unit file ConditionFileExists or something
  • I would then add a config-package-dev displace

In effect, apparmor-profile-everything would take over the sdwdate.service systemd unit file.

A super complex drop-in also maybe wouldn’t be a great solution.

config-package-dev hide
Example: https://gitlab.com/whonix/debug-misc/-/blob/master/debian/debug-misc.hide

No. Since there are so many places for the kernel images/System.map to be, it needs to be blunt to prevent any info leaks.

That could use a comment.

Merged. This is now in Whonix testers repository. Untested. Please test. I don’t recall config-package-dev displacing a systemd unit file or config-package-dev hiding an apparmor profile. Good chance it will work, also possible this needs further work.

It works but there’s an error upon installation:

Failed to preset unit: Unit file sdwdate.service.dist.service does not exist.
/usr/bin/deb-systemd-helper: error: systemctl preset failed on sdwdate.service.dist: No such file or directory
Failed to get unit file state for sdwdate.service.dist.service: No such file or directory
sdwdate.service.dist is a disabled or a static unit, not starting it.

It doesn’t seem to actually affect anything though and everything works fine.

I think the 2 main issues now are:

  • Splitting everything up more so everything gets its own profile. All system services should have their own profile and the entire user session should be in its own profile too. Apps will then transition to sandbox-app-launcher which brings up issue 2.

  • sandbox-app-launcher compatibility. This might be difficult since the script that starts the sandbox needs a lot of permissions and we need to ensure that the app transitions into the right profile. Initial testing of this broke though.

I think a nice infographic would be good for Kicksecure - Secure by Default Operating System

Something like:

But probably by someone far better at graphic design than me.

I see. Please:

config-package-dev hide sdwdate.service. Not displace.
And add (rename sdwdate.service.dist to) sdwdate-aae.service or so instead.
I speculate Debian maintainer scripts don’t like any files in the systemd folder ending with anything other than the .service file extension.

madaidan via Whonix Forum:

Add rsyslogd profile by madaidan · Pull Request #62 · Kicksecure/apparmor-profile-everything · GitHub

Merged.

Though, I don’t see a need to install rsyslog by default (it wasn’t suggested either), but it might still be lingering on upgraded systems or otherwise installed by users or even pulled in by dependencies.

This is now in testers repository.

https://unix.stackexchange.com/questions/600038/config-file-etc-apparmor-parser-conf-not-found

Not sure you would want to support Debian?

Should we add to debian/control (which readme is based on) “developers only” or “testers only” and mention that the suggested way to get support is this forum thread only for now?

What other projects do you work on besides Whonix?

Could you fix these ones please?

AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/usr/bin/date" pid=13252 comm="whonix-gateway-" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/whonix-firewall/**//null-/usr/bin/date"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/date" name="/usr/bin/date" pid=13252 comm="date" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/date" name="/usr/lib/x86_64-linux-gnu/ld-2.28.so" pid=13252 comm="date" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/date" name="/etc/ld.so.cache" pid=13252 comm="date" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/date" name="/usr/lib/x86_64-linux-gnu/libc-2.28.so" pid=13252 comm="date" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/date" name="/usr/lib/x86_64-linux-gnu/libc-2.28.so" pid=13252 comm="date" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/date" name="/usr/lib/locale/locale-archive" pid=13252 comm="date" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

To reproduce in Whonix-Gateway:

sudo systemctl restart whonix-firewall

Probably because they kept the profiles after uninstalling the package.

Yes.

This should fix it.

We should also go around all the Whonix source code and change any /bin/... or /usr/bin/... to /{,usr/}bin/...

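As an added example (not code from this thread or from apparmor-profile-everything), the Python script below parses AVC lines of the shape posted above, attributes the `//null-` child-profile events back to the confining profile, rewrites paths to the `/{,usr/}bin/...` alternation proposed in this post (generalised here to sbin and lib* as well), and produces candidate file rules for review. The sample lines are constructed from the post, and choosing `ix` as the exec mode is an assumption.

```python
import re

# Constructed sample: four AVC lines of the shape posted in this thread (pid and paths copied from the post).
SAMPLE_AVC = """\
AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/usr/bin/date" pid=13252 comm="whonix-gateway-" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/whonix-firewall/**//null-/usr/bin/date"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/date" name="/usr/bin/date" pid=13252 comm="date" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/date" name="/etc/ld.so.cache" pid=13252 comm="date" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/date" name="/usr/lib/x86_64-linux-gnu/libc-2.28.so" pid=13252 comm="date" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
USRMERGE_RE = re.compile(r'^(?:/usr)?/(bin|sbin|lib|lib32|lib64|libx32)(/.*)$')
EXEC_MODE = 'ix'  # assumption: keep the child confined by the parent profile

def parse_avc(line):
    """Return the key=value fields of one AVC line as a dict (empty for non-AVC lines)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}

def usrmerge(path):
    """Rewrite /bin, /sbin, /lib* (with or without /usr) to the /{,usr/}... alternation."""
    m = USRMERGE_RE.match(path)
    return f'/{{,usr/}}{m.group(1)}{m.group(2)}' if m else path

def suggest_rules(log_text):
    """Return profile -> path -> set of permission letters implied by the log."""
    needed = {}
    for line in log_text.splitlines():
        ev = parse_avc(line)
        if ev.get('apparmor') not in ('ALLOWED', 'DENIED'):
            continue
        # "//null-<path>" is the child of a profile lacking an exec rule; charge it to the parent.
        profile = ev['profile'].split('//null-')[0]
        path = usrmerge(ev['name'])
        mask = ev.get('denied_mask') or ev.get('requested_mask', '')
        perms = needed.setdefault(profile, {}).setdefault(path, set())
        perms.update(c for c in mask if c in 'mrwlkx')
    return needed

def render(needed):
    """Turn permission sets into AppArmor file rules, one sorted list per profile."""
    out = {}
    for profile, paths in needed.items():
        rules = []
        for path, p in sorted(paths.items()):
            perms = ''.join(c for c in 'mrwlk' if c in p) + (EXEC_MODE if 'x' in p else '')
            rules.append(f'{path} {perms},')
        out[profile] = rules
    return out
```

Call `render(suggest_rules(SAMPLE_AVC))` to get the candidate rules per profile; treat them as a starting point to review against the profile's intent, not as rules to paste in unread.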
Yeah. That shouldn’t be supported?
Package should only be removed using sudo apt purge apparmor-profile-everything?
Package should not be removed using sudo apt remove apparmor-profile-everything?
Not sure we can enforce that. However, on package remove the Debian prerm maintainer script of apparmor-profile-everything could look at /var/lib/dpkg/info/apparmor-profile-everything.conffiles and delete all “conffiles” (/etc/apparmor.d/…)?

Done.
