AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy

Merged.

Cannot reproduce anymore. Perhaps I missed journalctl -b or --boot.

1 Like

apparmor-profile-everything profile comment:

TODO: Create auditd(/journald?) profile and remove audit_*.

Therefore no longer required, or lower priority, since Whonix will no longer be installing auditd by default?

1 Like

Are you sure uninstalling auditd is a good idea? It’s pretty useful for debugging and uninstalling it would break e.g. apparmor-info unless I’m missing something?

1 Like

The audit lines in the systemd journal are independent. auditd wasn’t installed on Whonix-Workstation, only on Whonix-Gateway. It was only a Depends: in anon-gw-anonymizer-config. No other mentions of it in the Whonix source code anywhere. It was only installed to debug ⚓ T537 (monitor what changes /var/lib/tor/lock access rights). Since that issue doesn’t happen anymore, rip out that debugging code, since it is causing issues (A start job is running for security auditing service - #3 by Patrick). I am confident we won’t notice a difference.

1 Like

Suggestion: "Tor Control Panel" on Gateway without root reminds me of upgrade-nonroot. Would it be better for security if we got rid of that for sake of apparmor-profile-everything?

Also interesting in context of:

1 Like

How would it be better? It doesn’t seem like a risk to me.

1 Like

Thank you! Merged.

Could you please fix the whonix-firewall ALLOWED apparmor messages?

1 Like

https://github.com/Whonix/whonix-firewall/pull/9

Is the sdwdate profile mature enough yet to be enforced?

1 Like

It already is.

1 Like

Merged. :slight_smile:

1 Like

This caused confusion:

Why a drop-in cannot be used? Is there an upstream bug report for this?

1 Like

I’m not sure. It inexplicably broke when testing.

Which upstream?

The root issue is with the no_new_privs bit. It prevents a process from gaining further privileges. AppArmor respects this and prevents a process from transitioning to another AppArmor profile that grants increased permissions: linux/security/apparmor/domain.c at 3cee6079f62f4d3a37d9dda2e0851677e08028ff · torvalds/linux · GitHub

Since a lot of sandboxing options force this enabled (e.g. seccomp), we have to disable a lot of things for this to work. Theoretically, one could transition AppArmor profile and then set no_new_privs, but I don’t know how to do this. Will update Systemd sandboxing fails when using a full system apparmor policy · Issue #14277 · systemd/systemd · GitHub

1 Like
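The ordering the post above hints at ("transition AppArmor profile and then set no_new_privs"), as an added example that is not code from the thread or from apparmor-profile-everything. It shows, in a throwaway child, that no_new_privs is one-way and inherited by children, and it provides a helper that confines first and sets the bit second. `change_profile` writes the same string aa_change_profile(3) writes, without libapparmor; it assumes a kernel with AppArmor and a loaded profile of the given name, and raises otherwise. The prctl numbers are the ones from <linux/prctl.h>.

```python
"""Added example (not from the thread or the project): why the order
'confine, then no_new_privs, then exec' matters.

Once no_new_privs (NNP) is set, AppArmor refuses a confined process a
transition to a profile that is not a subset of its current one, so a
sandbox that sets NNP before the profile change breaks.  NNP itself
cannot be cleared and is inherited across fork and exec.
"""
import ctypes
import errno
import os

PR_SET_NO_NEW_PRIVS = 38   # <linux/prctl.h>
PR_GET_NO_NEW_PRIVS = 39

_libc = ctypes.CDLL(None, use_errno=True)
_libc.prctl.restype = ctypes.c_int
_libc.prctl.argtypes = [ctypes.c_int] + [ctypes.c_ulong] * 4


def nnp_is_set():
    r = _libc.prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0)
    if r < 0:
        raise OSError(ctypes.get_errno(), "PR_GET_NO_NEW_PRIVS failed")
    return r == 1


def set_nnp():
    if _libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_NO_NEW_PRIVS failed")


def try_clear_nnp():
    """0 if the kernel cleared NNP, else errno.  The kernel only accepts
    arg2 == 1, so this always returns EINVAL (22): NNP cannot be undone."""
    if _libc.prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0:
        return 0
    return ctypes.get_errno()


def _in_child(fn):
    """Run fn() in a forked child and return its exit code (0-255)."""
    pid = os.fork()
    if pid == 0:
        code = 255
        try:
            code = int(fn()) & 0xFF
        finally:
            os._exit(code)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status)


def nnp_experiment():
    """Set NNP in a throwaway child and report what the kernel does, so the
    calling process keeps its own ability to change profile afterwards."""
    def child():
        set_nnp()
        bits = 0
        bits |= 1 if nnp_is_set() else 0
        bits |= 2 if try_clear_nnp() == errno.EINVAL else 0
        bits |= 4 if _in_child(lambda: 1 if nnp_is_set() else 0) == 1 else 0
        return bits
    bits = _in_child(child)
    return {
        "set_after_prctl": bool(bits & 1),
        "clear_rejected_einval": bool(bits & 2),
        "inherited_by_fork": bool(bits & 4),
    }


def change_profile(profile):
    """Same as aa_change_profile(3): a single write of 'changeprofile <name>'
    to the AppArmor attr file (its path differs between kernel versions).
    Assumes an AppArmor kernel and a loaded profile with that name."""
    last = None
    for path in ("/proc/self/attr/apparmor/current", "/proc/self/attr/current"):
        try:
            fd = os.open(path, os.O_WRONLY)
        except OSError as e:
            last = e
            continue
        try:
            os.write(fd, b"changeprofile " + profile.encode())
            return
        except OSError as e:
            last = e
        finally:
            os.close(fd)
    raise last


def enter_profile_then_nnp(profile, argv):
    """Confine first, lock privileges second, exec third.  With the steps
    reversed, a confined process is refused the profile change once NNP is set."""
    change_profile(profile)
    set_nnp()
    os.execvp(argv[0], argv)
```

`nnp_experiment()` is safe to call from an interactive session because the bit is only ever set in a forked child; `enter_profile_then_nnp("hypothetical-profile", ["/bin/true"])` would confine the current process and never return.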

systemd, about not honoring the drop-in disabling no_new_privs.

1 Like

I’m not sure if it’s actually an issue within systemd. I’ll investigate more.

1 Like

Made some changes, including Ux (unconfined open). Needs to be improved. Yet a lot of fixes are still required. (After the bullseye release upgrade in Qubes-Whonix.)

I am still wondering if there is some shortcut to run some trusted things such as this unconfined, since sorting out all of this might be unachievable in the time available?

AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/run/updatesproxycheck/" comm="inotifywait" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/proc/cmdline" comm="systemctl" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/usr/bin/qubesdb-cmd" comm="whonix-workstat" requested_mask="x" denied_mask="x"
AVC apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/dev/null" comm="qubesdb-read" requested_mask="w" denied_mask="w"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/bin/qubesdb-cmd" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/lib/x86_64-linux-gnu/ld-2.28.so" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/etc/ld.so.preload" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/etc/ld.so.cache" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/lib/libqubesdb.so" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/lib/libqubesdb.so" comm="qubesdb-read" requested_mask="rm" denied_mask="rm"
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/lib/x86_64-linux-gnu/libc-2.28.so" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/lib/x86_64-linux-gnu/libc-2.28.so" comm="qubesdb-read" requested_mask="rm" denied_mask="rm"
user@host:~$ sudo apparmor-info -b
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**" name="/run/updatesproxycheck/" comm="inotifywait" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="exec" profile="/usr/libexec/whonix-firewall/**" name="/usr/bin/getent" comm="whonix-gateway-" requested_mask="x" denied_mask="x"
AVC apparmor="ALLOWED" operation="file_inherit" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/dev/null" comm="getent" requested_mask="w" denied_mask="w"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/bin/getent" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/ld-2.31.so" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/ld.so.preload" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/ld.so.cache" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libc-2.31.so" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libc-2.31.so" comm="getent" requested_mask="rm" denied_mask="rm"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/locale/locale-archive" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/nsswitch.conf" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libnss_files-2.31.so" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libnss_files-2.31.so" comm="getent" requested_mask="rm" denied_mask="rm"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/passwd" comm="getent" requested_mask="r" denied_mask="r"
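A way to turn ALLOWED lines like the ones above into a first draft of the missing rules, as an added example that is not code from the thread or from apparmor-profile-everything. The sample input is a subset of the lines quoted in the post; the mapping from operations to rules is a simplification of what aa-logprof does, not its code. Accesses attributed to a `//null-<path>` child (a complain-mode exec the parent profile had no rule for) are folded back into the parent when the exec rule is `ix`, since the parent's profile is then the one that has to cover them; with `Ux`, the "trusted thing runs unconfined" shortcut asked about above, only the exec rule is emitted.

```python
"""Added example (not from the thread or the project): draft AppArmor rules
from AVC apparmor="ALLOWED"/"DENIED" records, folding //null- children into
their parent profile."""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines quoted in the post above.
SAMPLE_AVC = [
    'AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**" name="/run/updatesproxycheck/" comm="inotifywait" requested_mask="r" denied_mask="r"',
    'AVC apparmor="ALLOWED" operation="exec" profile="/usr/libexec/whonix-firewall/**" name="/usr/bin/getent" comm="whonix-gateway-" requested_mask="x" denied_mask="x"',
    'AVC apparmor="ALLOWED" operation="file_inherit" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/dev/null" comm="getent" requested_mask="w" denied_mask="w"',
    'AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/bin/getent" comm="getent" requested_mask="r" denied_mask="r"',
    'AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libc-2.31.so" comm="getent" requested_mask="r" denied_mask="r"',
    'AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libc-2.31.so" comm="getent" requested_mask="rm" denied_mask="rm"',
    'AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/nsswitch.conf" comm="getent" requested_mask="r" denied_mask="r"',
    'AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/passwd" comm="getent" requested_mask="r" denied_mask="r"',
]

_KV = re.compile(r'(\w+)="([^"]*)"')
_PERM_ORDER = "mrwakl"   # the order aa-logprof prints file permission letters in


def parse_avc(line):
    """key=value pairs of one AVC record, or None if the line is not one."""
    if 'apparmor="' not in line:
        return None
    return dict(_KV.findall(line))


def split_null_profile(profile):
    """'/a/**//null-/usr/bin/getent' -> ('/a/**', '/usr/bin/getent');
    a profile without a null child -> (profile, None)."""
    parent, sep, child = profile.partition("//null-")
    return parent, (child if sep else None)


def rules_from_avc(lines, exec_mode="ix"):
    """{parent profile: sorted rule strings}.  With 'ix' the null child's
    accesses become the parent's rules; with 'Px' or 'Ux' only the exec rule
    is emitted, because the child runs under its own profile or unconfined."""
    fold = exec_mode.endswith("ix")
    files = defaultdict(lambda: defaultdict(set))   # profile -> path -> letters
    execs = defaultdict(set)                         # profile -> exec'd paths
    for line in lines:
        ev = parse_avc(line)
        if not ev or ev.get("apparmor") not in ("ALLOWED", "DENIED") or "profile" not in ev:
            continue
        prof, null_child = split_null_profile(ev["profile"])
        if null_child:
            execs[prof].add(null_child)     # the parent exec'd it without a rule
            if not fold:
                continue
        if ev.get("operation") == "exec":
            execs[prof].add(ev["name"])
            continue
        if "name" in ev:
            mask = ev.get("denied_mask") or ev.get("requested_mask", "")
            files[prof][ev["name"]].update(c for c in mask if c in _PERM_ORDER)
    out = {}
    for prof in set(files) | set(execs):
        rules = []
        for path in set(files[prof]) | execs[prof]:
            perms = "".join(c for c in _PERM_ORDER if c in files[prof][path])
            if path in execs[prof]:
                perms += exec_mode      # e.g. 'rix' for a binary that is exec'd and mmap'd
            rules.append(f"{path} {perms},")
        out[prof] = sorted(rules)
    return out


def render_profile_body(rules):
    """Indented rule lines ready to paste into a profile body."""
    return "\n".join(f"  {r}" for r in rules)


if __name__ == "__main__":
    for prof, rules in rules_from_avc(SAMPLE_AVC).items():
        print(f"{prof} {{")
        print(render_profile_body(rules))
        print("}")
```

Feed it `journalctl -b -k` or `apparmor-info -b` output instead of the sample and read the result critically: a drafted `/etc/passwd r,` for a firewall helper is correct, a drafted `w` on something under /etc usually means the profile is too wide, not that the rule is needed.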