AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy

No. Since there are so many places for the kernel images/System.map to be, it needs to be blunt to prevent any info leaks.

1 Like
1 Like

That could use a comment.

1 Like

Merged. This is now in Whonix testers repository. Untested. Please test. I don’t recall config-package-dev displaceing a systemd unit file or config-package-dev hideing an apparmor profile. Good chance it will work, also possible this needs further work.

1 Like

It works but there’s an error upon installation:

Failed to preset unit: Unit file sdwdate.service.dist.service does not exist.
/usr/bin/deb-systemd-helper: error: systemctl preset failed on sdwdate.service.dist: No such file or directory
Failed to get unit file state for sdwdate.service.dist.service: No such file or directory
sdwdate.service.dist is a disabled or a static unit, not starting it.

It doesn’t seem to actually affect anything though and everything works fine.

I think the 2 main issues now are:

  • Splitting everything up more so everything get its own profile. All system services should have their own profile and the entire user session should be in its own profile too. Apps will then transition to sandbox-app-launcher which brings up issue 2.

  • sandbox-app-launcher compatibility. This might be difficult since the script that starts the sandbox needs a lot of permissions and we need to ensure that the app transitions into the right profile. Initial testing of this broke though.

I think a nice infographic would be good for Kicksecure - Secure by Default Operating System

1 Like

Something like:

But probably by someone far better at graphic design than me.

1 Like
1 Like

I see. Please:

config-package-dev hide sdwdate.service. Not displace.
And add (rename sdwdate.service.dist to) sdwdate-aae.service or so instead.
I speculate Debian maintainer scripts don’t like any files in the systemd folder ending with anything other than the .service file extension.

1 Like

madaidan via Whonix Forum:

Add rsyslogd profile by madaidan · Pull Request #62 · Kicksecure/apparmor-profile-everything · GitHub

Merged.

Though, I don’t see need to install rsyslog by default (wasn’t suggested
either) but it might still be lingering on upgraded systems or otherwise
installed by users or even pulled by dependencies.

1 Like
1 Like

This is now in testers repository.

1 Like
1 Like

https://unix.stackexchange.com/questions/600038/config-file-etc-apparmor-parser-conf-not-found

Not sure you would want to support Debian?

Should we add to debian/control (which readme is based on) “developers only” or “testers only” and mention that the suggested way to get support is this forum thread only for now?

What other projects do you work on besides Whonix?

Could you fix these ones please?

AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/usr/bin/date" pid=13252 comm="whonix-gateway-" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/whonix-firewall/**//null-/usr/bin/date"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/date" name="/usr/bin/date" pid=13252 comm="date" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/date" name="/usr/lib/x86_64-linux-gnu/ld-2.28.so" pid=13252 comm="date" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/date" name="/etc/ld.so.cache" pid=13252 comm="date" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/date" name="/usr/lib/x86_64-linux-gnu/libc-2.28.so" pid=13252 comm="date" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/date" name="/usr/lib/x86_64-linux-gnu/libc-2.28.so" pid=13252 comm="date" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/date" name="/usr/lib/locale/locale-archive" pid=13252 comm="date" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

To reproduce in Whonix-Gateway:

sudo systemctl restart whonix-firewall

Probably because they kept the profiles after uninstalling the package.

Yes.

1 Like

This should fix it.

https://github.com/Whonix/whonix-firewall/pull/6

We should also go around all the Whonix source code and change any /bin/... or /usr/bin/... to /{,usr/}bin/...

1 Like

Yeah. That shouldn’t be supported?
Package should only be removed using sudo apt purge apparmor-profile-everything?
Package should not be removed using sudo apt remove apparmor-profile-everything?
Not sure we can enforce that. However, on package remove the Debian prerm maintainer script of apparmor-profile-everything could look at /var/lib/dpkg/info/apparmor-profile-everything.conffiles and delete all “conffiles” (/etc/apparmor.d/…)?

Done.

1 Like

No it shouldn’t, it will likely break a lot of things.

1 Like