AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy

madaidan · December 16, 2020, 7:12pm

I’m not sure why this is happening but the denials you’re facing are certainly already allowed, many of them in the base abstraction.

madaidan · December 17, 2020, 7:04pm

Patrick · December 18, 2020, 9:02am

Merged.

Cannot reproduce anymore. Perhaps I missed journalctl -b or --boot.

Patrick · December 25, 2020, 12:30pm

apparmor-profile-everything profile comment:

TODO: Create auditd(/journald?) profile and remove audit_*.

Therefore no longer required or lower priority since Whonix will be no longer installing auditd by default?

madaidan · December 26, 2020, 11:27pm

Are you sure uninstalling auditd is a good idea? It’s pretty useful for debugging and uninstalling it would break e.g. apparmor-info unless I’m missing something?

Patrick · December 27, 2020, 9:25am

The audit lines in systemd journal are independent. auditd wasn’t installed on Whonix-Workstation. Only on Whonix-Gateway. Was only a Depends: in anon-gw-anonymizer-config. No other mentions of it in Whonix source code anywhere. Was only installed to debug ⚓ T537 monitor what changes /var/lib/tor/lock access rights. Since that issue doesn’t happen anymore. rip out that debugging code since causing issues (A start job is running for security auditing service - #3 by Patrick). I am confident we won’t notice a difference.

Patrick · February 3, 2021, 12:04pm

Suggestion: "Tor Control Panel" on Gateway without root reminds me of upgrade-nonroot. Would it be better for security if we got rid of that for sake of apparmor-profile-everything?

Also interesting in context of:

madaidan · March 12, 2021, 6:30pm

How would it be better? It doesn’t seem like a risk to me.

Patrick · March 14, 2021, 1:12pm

github.com/Kicksecure/apparmor-profile-everything

Reboot failure on Debian 10 due to systemd confinement

opened 10:05PM - 13 Mar 21 UTC

flawedworld

When applying the package from the Whonix repo onto a fresh installation of Debi…an 10 (on both an AWS EC2 and a local VMWare Workstation VM) I lose the ability to reboot. I originally found this when using the 5.10 kernel from buster-backports and I tested also on the stock 4.19 kernel and it is reproducible there also. If I issue the `reboot` command the OS gets stuck on a blinking cursor and does not reboot. When setting systemd to complain using `aa-complain systemd` this issue goes away. Unable to see any logging in auditd relating to this.

madaidan · March 17, 2021, 11:59pm

Patrick · March 31, 2021, 8:43pm

madaidan · June 7, 2021, 6:52pm

Patrick · June 8, 2021, 6:13am

Thank you! Merged.

Could you please fix the whonix-firewall ALLOWED apparmor messages?

madaidan · June 8, 2021, 8:05pm

https://github.com/Whonix/whonix-firewall/pull/9

Is the sdwdate profile mature enough yet to be enforced?

Patrick · June 9, 2021, 2:44pm

It already is.

Patrick · June 9, 2021, 3:28pm

Merged.

Patrick · June 10, 2021, 2:10pm

This caused confusion:

Why a drop-in cannot be used? Is there an upstream bug report for this?

madaidan · June 11, 2021, 6:44pm

I’m not sure. It unexplainably broke when testing.

Which upstream?

The root issue is with the no_new_privs bit. It prevents a process from gaining further privileges. AppArmor respects this and prevents a process from transitioning to another AppArmor profile that grants increased permissions: linux/security/apparmor/domain.c at 3cee6079f62f4d3a37d9dda2e0851677e08028ff · torvalds/linux · GitHub

Since a lot of sandboxing options force this enabled (e.g. seccomp), we have to disable a lot of things for this to work. Theoretically, one could transition AppArmor profile and then set no_new_privs, but I don’t know how to do this. Will update Systemd sandboxing fails when using a full system apparmor policy · Issue #14277 · systemd/systemd · GitHub

Patrick · June 12, 2021, 6:51am

systemd about not honoring the drop-in disabling no new privs.

madaidan · June 13, 2021, 5:54pm

I’m not sure if it’s actually an issue within systemd. I’ll investigate more.