madaidan
September 29, 2020, 11:55am
436
Installing apparmor-profile-everything breaks with this error:
dpkg-divert: error: 'diversion of /lib/systemd/system/sdwdate.service to /usr/share/apparmor-profile-everything/lib++systemd++system++sdwdate.service by apparmor-profile-everything' clashes with 'diversion of /lib/systemd/system/sdwdate.service to /lib/systemd/system/sdwdate.service.dist-orig by apparmor-profile-everything'
####################################################################
## BEGIN ERROR in /var/lib/dpkg/info/apparmor-profile-everything.postinst detected!
##
## ERROR LOG:
## See above.
##
## BASH_COMMAND: dpkg-divert --divert "$theirfile" --rename --package "$package" --add "$file"
## EXIT_CODE: 2
##
## END ERROR in /var/lib/dpkg/info/apparmor-profile-everything.postinst detected!
## Please report this bug!
####################################################################
I don’t know much about Debian packaging. Can you fix this?
Patrick
September 29, 2020, 12:35pm
437
Merged.
Confirmed.
Fixed for new installations.
committed 12:25PM - 29 Sep 20 UTC
since we already config-package-dev hide it
To unbreak existing broken APT (won’t be required for new users), the following command would probably do:
sudo dpkg-divert --rename --remove /lib/systemd/system/sdwdate.service
Patrick
September 29, 2020, 12:37pm
438
That fix was uploaded just now to all repositories.
I think this is ready for a call for testers. Can you post it?
Patrick
October 5, 2020, 10:21am
441
Draft needed.
Could you write something similar as Using apparmor-profile-everything on Debian Buster ? (Can be shorter - can be longer - but need some text to post.)
Patrick
Split this topic
October 6, 2020, 12:14pm
442
Patrick
October 8, 2020, 9:23am
443
The call for testers news went live.
apparmor-profile-everything is an experimental AppArmor policy which confines all user space processes on the system. It is still currently in development and requires testing.
Install it by executing:
sudo apt-get install apparmor-profile-everything
Then reboot.
apparmor-profile-everything supports different boot modes: aadebug and superroot. aadebug allows certain permissions necessary for advanced debugging and superroot relaxes the policy substantially, even making bypasses possible. It …
Patrick
October 9, 2020, 11:57am
444
Could you fix these please?
Oct 08 17:56:29 host audit[1907]: AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/usr/bin/whonix_firewall" pid=1907 comm="enable-firewall" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall"
Oct 08 17:56:29 host audit[1907]: AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/bin/bash" pid=1907 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 08 17:56:29 host audit[1924]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-workstation-firewall//null-/usr/bin/id" name="/lib/x86_64-linux-gnu/libnss_files-2.28.so" pid=1924 comm="id" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 08 17:56:29 host audit[1924]: AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-workstation-firewall//null-/usr/bin/id" name="/lib/x86_64-linux-gnu/libnss_files-2.28.so" pid=1924 comm="id" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
A telegram user reported broken shared folders. Perhaps access should be very permissive to this directory?
What directory? Shared folders can be set at arbitrary directories. It's impossible to support all configurations at once. Unless you're referring to ~/shared? That's already allowed. You just can't execute from it.
madaidan:
What directory?
Yeah, I was referring to /mnt/shared in the VM.
Patrick
December 15, 2020, 10:34am
452
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/proc/cmdline" pid=2712 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/proc/cmdline" pid=2713 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/usr/bin/whonix_firewall" pid=2717 comm="enable-firewall" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/bin/bash" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/ld-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/etc/ld.so.cache" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libtinfo.so.6.1" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libtinfo.so.6.1" pid=2717 comm="whonix_firewall" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libdl-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libdl-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libc-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libc-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/dev/tty" pid=2717 comm="whonix_firewall" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/locale/locale-archive" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/etc/nsswitch.conf" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/etc/ld.so.cache" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libnss_files-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libnss_files-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/etc/passwd" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/bin/whonix_firewall" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/bin/whonix-gateway-firewall" pid=2718 comm="whonix_firewall" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-gateway-firewall"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-gateway-firewall" name="/usr/bin/bash" pid=2718 comm="whonix-gateway-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-gateway-firewall" name="/usr/lib/x86_64-linux-gnu/ld-2.28.so" pid=2718 comm="whonix-gateway-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-gateway-firewall" name="/etc/ld.so.cache" pid=2718 comm="whonix-gateway-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
All of these are already allowed.
Patrick
December 15, 2020, 8:54pm
454
Similar to AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy - #444 by Patrick
Aren’t these just ALLOWED because the profile is still in complain mode and not yet in enforce mode? If the profile was in enforce mode, I guess these would become DENIED?
Why would the log mention ALLOWED? If apparmor profiles would log everything every time something was allowed, that would overwhelm logs. So even if allowed, that log message should be made gone somehow?
I’m not sure why this is happening but the denials you’re facing are certainly already allowed, many of them in the base abstraction.
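Two AppArmor behaviours are worth keeping in mind when reading the logs quoted in posts #444 and #452. In complain mode the kernel emits apparmor="ALLOWED" only for accesses the profile has no rule for (the same events would be apparmor="DENIED" in enforce mode); accesses the profile permits are not logged at all. And when a confined process executes a binary for which the profile has no exec rule, the child runs under a learning profile named parent//null-/path/to/child, which has no rules of its own, so every file the child touches is logged against that learning profile even if the parent profile would permit it. The script below is an added example, not code from the thread or from the apparmor-profile-everything project: it parses AVC lines like the ones above, collapses the //null- chain back to the root profile, merges the requested masks per path, and checks the result against an allow-list. The sample log lines are constructed here (modelled on the ones quoted in the thread), the EXISTING_RULES list is a constructed stand-in for what a base abstraction might contain and not the real abstractions/base, and the glob translator handles only the *, **, ?, and {a,b} forms.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the complain-mode lines quoted in the thread.
# The last line is a constructed enforce-mode denial to show both states are handled.
SAMPLE_LOG = """\
Oct 08 17:56:29 host audit[1907]: AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/usr/bin/whonix_firewall" pid=1907 comm="enable-firewall" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall"
Oct 08 17:56:29 host audit[1907]: AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/bin/bash" pid=1907 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 08 17:56:29 host audit[1924]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/id" name="/lib/x86_64-linux-gnu/libnss_files-2.28.so" pid=1924 comm="id" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 08 17:56:29 host audit[1924]: AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/id" name="/lib/x86_64-linux-gnu/libnss_files-2.28.so" pid=1924 comm="id" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
Oct 08 17:56:30 host audit[1930]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/foo" name="/etc/shadow" pid=1930 comm="foo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Constructed stand-in for rules an abstraction might already grant (hypothetical, not abstractions/base).
EXISTING_RULES = [
    ("/{usr/,}lib{,32,64}/**", "r"),
    ("/{usr/,}lib{,32,64}/**.so*", "mr"),
    ("/etc/ld.so.cache", "r"),
    ("/{usr/,}bin/bash", "mr"),
]

# key="quoted value" or key=bareword, as audit(8)/AppArmor print them
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the key/value fields of one AVC line, or None if it is not an AppArmor AVC line."""
    if " AVC " not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields if "apparmor" in fields else None


def root_profile(profile):
    """Strip the '//null-/child' learning-profile chain so events are grouped under the real profile."""
    return profile.split("//null-")[0]


def aa_glob_to_regex(pattern):
    """Translate the AppArmor glob subset used here (*, **, ?, {a,b}) into an anchored regex."""
    out, depth, i = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")            # ** crosses directory boundaries
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")         # * stops at '/'
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def summarize(log_text):
    """Map root profile -> path -> merged permission mask, from ALLOWED (complain) and DENIED (enforce) events."""
    merged = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        ev = parse_avc(line)
        if ev is None or ev.get("apparmor") not in ("ALLOWED", "DENIED") or not ev.get("name"):
            continue
        mask = ev.get("denied_mask") or ev.get("requested_mask") or ""
        merged[root_profile(ev["profile"])][ev["name"]].update(mask)
    return {p: {path: "".join(sorted(perms)) for path, perms in paths.items()} for p, paths in merged.items()}


def suggest_rules(summary, existing_rules):
    """Return (profile, path, perms, already_covered) tuples; a bare exec is suggested as 'ix' (keeps confinement)."""
    compiled = [(aa_glob_to_regex(pat), set(perms)) for pat, perms in existing_rules]
    rows = []
    for profile, paths in sorted(summary.items()):
        for path, perms in sorted(paths.items()):
            covered = any(rx.match(path) and set(perms) <= allowed for rx, allowed in compiled)
            rows.append((profile, path, "ix" if perms == "x" else perms, covered))
    return rows


if __name__ == "__main__":
    for profile, path, perms, covered in suggest_rules(summarize(SAMPLE_LOG), EXISTING_RULES):
        print(f"{'already allowed' if covered else 'NEW            '}  {profile}: {path} {perms},")
```

Rows flagged "already allowed" are the ones that only show up because the child ran under a //null- learning profile; the "NEW" rows (here the exec of /usr/bin/whonix_firewall, which has no exec rule in the constructed list) are what actually needs a rule before the profile can go to enforce mode.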