AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy

That fix was uploaded just now to all repositories.

I think this is ready for a call for testers. Can you post it?

Was merged just now.

Draft needed.

Could you write something similar to Using apparmor-profile-everything on Debian Buster? (Can be shorter - can be longer - but need some text to post.)

A post was split to a new topic: Full System AppArmor Policy - Testers Wanted!

The call for testers news went live.

Could you fix these please?

Oct 08 17:56:29 host audit[1907]: AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/usr/bin/whonix_firewall" pid=1907 comm="enable-firewall" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall"

Oct 08 17:56:29 host audit[1907]: AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/bin/bash" pid=1907 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Oct 08 17:56:29 host audit[1924]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-workstation-firewall//null-/usr/bin/id" name="/lib/x86_64-linux-gnu/libnss_files-2.28.so" pid=1924 comm="id" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Oct 08 17:56:29 host audit[1924]: AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-workstation-firewall//null-/usr/bin/id" name="/lib/x86_64-linux-gnu/libnss_files-2.28.so" pid=1924 comm="id" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0

https://github.com/Whonix/whonix-firewall/pull/8

Merged.

A telegram user reported broken shared folders. Perhaps access should be very permissive to this directory?

What directory? Shared folders can be set at arbitrary directories. It’s impossible to support all configurations at once. Unless you’re referring to ~/shared? That’s already allowed. You just can’t execute from it.

Yeah I was referring to /mnt/shared in the VM.

AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/proc/cmdline" pid=2712 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/proc/cmdline" pid=2713 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/usr/bin/whonix_firewall" pid=2717 comm="enable-firewall" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/bin/bash" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/ld-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/etc/ld.so.cache" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libtinfo.so.6.1" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libtinfo.so.6.1" pid=2717 comm="whonix_firewall" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libdl-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libdl-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libc-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libc-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/dev/tty" pid=2717 comm="whonix_firewall" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/locale/locale-archive" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/etc/nsswitch.conf" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/etc/ld.so.cache" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libnss_files-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libnss_files-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/etc/passwd" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/bin/whonix_firewall" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/bin/whonix-gateway-firewall" pid=2718 comm="whonix_firewall" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-gateway-firewall"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-gateway-firewall" name="/usr/bin/bash" pid=2718 comm="whonix-gateway-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-gateway-firewall" name="/usr/lib/x86_64-linux-gnu/ld-2.28.so" pid=2718 comm="whonix-gateway-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-gateway-firewall" name="/etc/ld.so.cache" pid=2718 comm="whonix-gateway-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

All of these are already allowed.

Similar to AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy - #444 by Patrick

Aren't these just ALLOWED because the profile is still in complain mode and not yet in enforce mode? If the profile were in enforce mode, I guess these would become DENIED?

Why would the log mention ALLOWED? If AppArmor profiles logged everything every time something was allowed, that would overwhelm the logs. So even if it is allowed, that log message should be made to go away somehow?

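The questions above about ALLOWED records are easier to answer with the log in structured form. The script below is an added example written for this page; it is not code from the Whonix whonix-firewall or apparmor-profile-everything projects. It assumes the standard AppArmor AVC record format: apparmor="ALLOWED" is emitted only by a complain-mode profile for an access that enforce mode would refuse (so ALLOWED and DENIED both mean "add a rule or expect a denial"), and a "//null-<path>" component in a profile name marks a child that executed without a matching exec rule and was put under a temporary learning profile, so its accesses have to be granted in the parent. The first three sample lines are copied from this thread; the fourth line, the "/usr/bin/example" profile and the rule suggestions are constructed for illustration and are hand-rolled, not aa-logprof output.

```python
import re
from dataclasses import dataclass

# Sample log: the first three records are copied from the thread above; the
# fourth is a constructed enforce-mode denial, included only for contrast.
SAMPLE_LOG = """\
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/proc/cmdline" pid=2712 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/usr/bin/whonix_firewall" pid=2717 comm="enable-firewall" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/bin/bash" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=3001 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword
TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MASK_ORDER = "rwmxlk"


@dataclass
class Finding:
    base_profile: str   # profile whose rules decide the access
    via_null: bool      # process was already under a learning "null-" child profile
    operation: str
    name: str
    mask: str           # normalised denied_mask
    would_deny: bool    # True if enforce mode refuses the same access


def parse_avc(line):
    """Split one AVC audit record (journal or audit.log form) into a dict; None otherwise."""
    if "AVC apparmor=" not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in TOKEN_RE.finditer(line)}


def profile_chain(profile):
    """Stacked profile components. A complain-mode exec with no matching exec rule
    puts the child under a temporary learning profile, logged as '<parent>//null-<path>'."""
    return profile.split("//")


def classify(fields):
    chain = profile_chain(fields["profile"])
    raw = set(fields.get("denied_mask", ""))
    mask = "".join(sorted(raw, key=lambda c: MASK_ORDER.find(c) if c in MASK_ORDER else 99))
    return Finding(
        base_profile=chain[0],
        via_null=any(part.startswith("null-") for part in chain[1:]),
        operation=fields["operation"],
        name=fields.get("name", ""),
        mask=mask,
        # ALLOWED is only logged for accesses a complain-mode profile would
        # otherwise refuse, so it and DENIED both mean "blocked under enforce".
        would_deny=fields["apparmor"] in ("ALLOWED", "DENIED"),
    )


def analyze(log_text):
    """All findings from a block of journal/audit text, in log order."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_avc(line)
        if fields and "profile" in fields:
            findings.append(classify(fields))
    return findings


def suggest_rule(finding):
    """Illustrative rule covering the access (hand-rolled; not aa-logprof output)."""
    if finding.operation == "exec":
        return f"{finding.name} ix,"      # inherit: keep the child under the parent's profile
    return f"{finding.name} {finding.mask},"


def rules_by_profile(findings):
    """Suggested rules grouped by the profile they belong in; null- children fold into the parent."""
    grouped = {}
    for f in findings:
        if f.would_deny:
            grouped.setdefault(f.base_profile, set()).add(suggest_rule(f))
    return {profile: sorted(rules) for profile, rules in grouped.items()}


if __name__ == "__main__":
    for profile, rules in rules_by_profile(analyze(SAMPLE_LOG)).items():
        print(f"profile {profile} {{")
        for rule in rules:
            print("  " + rule)
        print("}")
```

Pipe `journalctl -b -k` (or the audit log) into `analyze()` to get the same grouping for a live system; the point of folding "//null-" children onto the parent is that the rule the log is asking for belongs in the parent profile, not in a profile for the child binary.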
I’m not sure why this is happening but the denials you’re facing are certainly already allowed, many of them in the base abstraction.

Merged.

Cannot reproduce anymore. Perhaps I missed journalctl -b or --boot.
