AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy

Thank you! Merged.

Could you please fix the whonix-firewall ALLOWED apparmor messages?

https://github.com/Whonix/whonix-firewall/pull/9

Is the sdwdate profile mature enough yet to be enforced?

It already is.

Merged. :slight_smile:

This caused confusion:

Why can a drop-in not be used? Is there an upstream bug report for this?

I’m not sure. It inexplicably broke when testing.

Which upstream?

The root issue is with the no_new_privs bit. It prevents a process from gaining further privileges. AppArmor respects this and prevents a process from transitioning to another AppArmor profile that grants increased permissions: linux/security/apparmor/domain.c at 3cee6079f62f4d3a37d9dda2e0851677e08028ff · torvalds/linux · GitHub

Since a lot of sandboxing options force this enabled (e.g. seccomp), we have to disable a lot of things for this to work. Theoretically, one could transition AppArmor profile and then set no_new_privs, but I don’t know how to do this. Will update Systemd sandboxing fails when using a full system apparmor policy · Issue #14277 · systemd/systemd · GitHub

systemd about not honoring the drop-in disabling no new privs.

I’m not sure if it’s actually an issue within systemd. I’ll investigate more.

Made some changes, including Ux (unconfined open). Needs to be improved. Yet, still a lot of fixes required. (After bullseye release upgrade in Qubes-Whonix.)

I am still wondering if there is some shortcut to run some trusted things such as this unconfined since sorting out all of this might be unachievable in the time available?

```text
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/run/updatesproxycheck/" comm="inotifywait" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/proc/cmdline" comm="systemctl" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/usr/bin/qubesdb-cmd" comm="whonix-workstat" requested_mask="x" denied_mask="x"
AVC apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/dev/null" comm="qubesdb-read" requested_mask="w" denied_mask="w"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/bin/qubesdb-cmd" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/lib/x86_64-linux-gnu/ld-2.28.so" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/etc/ld.so.preload" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/etc/ld.so.cache" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/lib/libqubesdb.so" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/lib/libqubesdb.so" comm="qubesdb-read" requested_mask="rm" denied_mask="rm"
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/lib/x86_64-linux-gnu/libc-2.28.so" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/lib/x86_64-linux-gnu/libc-2.28.so" comm="qubesdb-read" requested_mask="rm" denied_mask="rm"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**" name="/run/updatesproxycheck/" comm="inotifywait" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="exec" profile="/usr/libexec/whonix-firewall/**" name="/usr/bin/getent" comm="whonix-gateway-" requested_mask="x" denied_mask="x"
AVC apparmor="ALLOWED" operation="file_inherit" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/dev/null" comm="getent" requested_mask="w" denied_mask="w"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/bin/getent" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/ld-2.31.so" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/ld.so.preload" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/ld.so.cache" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libc-2.31.so" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libc-2.31.so" comm="getent" requested_mask="rm" denied_mask="rm"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/locale/locale-archive" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/nsswitch.conf" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libnss_files-2.31.so" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libnss_files-2.31.so" comm="getent" requested_mask="rm" denied_mask="rm"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/passwd" comm="getent" requested_mask="r" denied_mask="r"
```
```text
user@host:~$ sudo apparmor-info -b
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**" name="/run/updatesproxycheck/" comm="inotifywait" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="exec" profile="/usr/libexec/whonix-firewall/**" name="/usr/bin/getent" comm="whonix-gateway-" requested_mask="x" denied_mask="x"
AVC apparmor="ALLOWED" operation="file_inherit" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/dev/null" comm="getent" requested_mask="w" denied_mask="w"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/bin/getent" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/ld-2.31.so" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/ld.so.preload" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/ld.so.cache" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libc-2.31.so" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libc-2.31.so" comm="getent" requested_mask="rm" denied_mask="rm"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/locale/locale-archive" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/nsswitch.conf" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libnss_files-2.31.so" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libnss_files-2.31.so" comm="getent" requested_mask="rm" denied_mask="rm"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/passwd" comm="getent" requested_mask="r" denied_mask="r"
```

Just used it to fix these long-standing whonix-firewall AppArmor issues. Not perfect, but certainly better than keeping on spamming the journal with it.
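The `ALLOWED` lines above are complain-mode audit events: the profile is named with the `/usr/libexec/whonix-firewall/**` glob, the `//null-/usr/bin/getent` suffix marks a helper that was exec'd without any rule for it and so ran under a transient null profile, and `denied_mask` is what an enforce-mode profile would actually block. The script below is an added example (not part of this thread or of whonix-firewall) that turns such lines into candidate rules: one `Cx -> <basename>` rule for each exec plus a child profile collecting what was logged under the null profile. The sample log is copied from the lines posted above; `Cx` (rather than `ix` or `Px`) and the child-profile names are my choices, not the project's.

```python
import re

# Audit lines copied from the thread above. The first two were logged under the
# parent profile; the rest were logged under the transient "//null-" child.
SAMPLE_LOG = """\
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**" name="/run/updatesproxycheck/" comm="inotifywait" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="exec" profile="/usr/libexec/whonix-firewall/**" name="/usr/bin/getent" comm="whonix-gateway-" requested_mask="x" denied_mask="x"
AVC apparmor="ALLOWED" operation="file_inherit" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/dev/null" comm="getent" requested_mask="w" denied_mask="w"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/bin/getent" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libc-2.31.so" comm="getent" requested_mask="rm" denied_mask="rm"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/passwd" comm="getent" requested_mask="r" denied_mask="r"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
PERM_ORDER = "mrwalk"  # order in which AppArmor tools conventionally print file perms


def parse_avc(line):
    """Return the key/value fields of one AVC line, or None for non-AppArmor lines."""
    if 'apparmor="' not in line:
        return None
    return dict(FIELD_RE.findall(line))


def split_profile(profile):
    """'/p//null-/usr/bin/getent' -> ('/p', '/usr/bin/getent'); otherwise (profile, None)."""
    parent, sep, child = profile.partition("//null-")
    return parent, (child if sep else None)


def child_profile_name(exe):
    return exe.rsplit("/", 1)[-1]


def suggest_rules(log_text):
    """Group ALLOWED/DENIED file events into candidate rules keyed by parent profile.

    Each value is {"rules": set of parent rules, "children": {exe: set of child rules}}.
    An exec of X becomes 'X Cx -> <basename>,' and everything logged under //null-X
    is collected for a child profile of that name.
    """
    out = {}
    for line in log_text.splitlines():
        ev = parse_avc(line)
        if not ev or ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        path = ev.get("name")
        if not path:
            continue  # non-file events (signal, capability, ...) are out of scope here
        parent, child = split_profile(ev["profile"])
        entry = out.setdefault(parent, {"rules": set(), "children": {}})
        if ev.get("operation") == "exec":
            entry["rules"].add(f"{path} Cx -> {child_profile_name(path)},")
            entry["children"].setdefault(path, set())
            continue
        perms = "".join(p for p in PERM_ORDER if p in ev.get("denied_mask", ""))
        if not perms:
            continue
        if child:
            entry["children"].setdefault(child, set()).add(f"{path} {perms},")
        else:
            entry["rules"].add(f"{path} {perms},")
    return out


def render(suggestions):
    """Print the candidates as profile fragments for manual review, not for blind pasting."""
    lines = []
    for parent, entry in suggestions.items():
        lines.append(f"# candidate additions for profile {parent}")
        lines.extend("  " + r for r in sorted(entry["rules"]))
        for exe, rules in sorted(entry["children"].items()):
            lines.append(f"  profile {child_profile_name(exe)} {{")
            lines.append("    # base abstraction already covers ld.so, libc, /dev/null, locale")
            lines.append("    #include <abstractions/base>")
            lines.extend("    " + r for r in sorted(rules))
            lines.append("  }")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(suggest_rules(SAMPLE_LOG)))
```

Review the output rather than pasting it: `file_mmap` events with `rm` become `mr` rules, the loader and libc lines are normally redundant once `abstractions/base` is included, and `Cx` is only one of the options (`ix` keeps the helper inside the parent profile, `Px` needs a standalone profile for it), which is the same decision `aa-logprof` asks you to make interactively.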

Has anyone investigated stacking AppArmor profiles as a workaround for no-new-privs?
I can’t post a link here, so just look up AppArmorStacking in the AppArmor wiki.
A transition to a profile stacked with the current profile works with no-new-privs. It’s a bit tricky to get it to work; I’ve used it in Debian testing (bookworm) with bwrap to get no-new-privs. Support depends on the recency of the AppArmor version.
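The two posts above describe the same kernel rule from both sides: once `no_new_privs` is set, AppArmor refuses an exec or `change_profile` transition to a label that is not a subset of the label the task had when it entered `no_new_privs`, so a plain switch to another profile fails, while a stacked label (`current//&new`) is by construction a subset and is allowed. The launcher below is an added example, not code from this thread, systemd or the AppArmor project; it shows the two orderings that work: perform the full transition first and only then set the bit, or stack on exec, which works in either order. It drives the kernel directly through `/proc/self/attr/apparmor/{current,exec}` (the same writes libapparmor's `aa_change_profile`, `aa_stack_profile` and `aa_stack_onexec` perform), and the profile name `example-profile` is a placeholder that must exist on your system.

```python
import ctypes
import os
import subprocess
import sys

PR_SET_NO_NEW_PRIVS = 38  # from <linux/prctl.h>
PR_GET_NO_NEW_PRIVS = 39
_libc = ctypes.CDLL(None, use_errno=True)


def set_no_new_privs():
    """Set no_new_privs on the caller. Irreversible, inherited across fork and execve."""
    if _libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))


def no_new_privs_flag():
    """1 if the bit is set on the caller, 0 otherwise."""
    return _libc.prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0)


def child_inherits_nnp():
    """Spawn a child interpreter and report whether it inherited the bit from us."""
    probe = "import ctypes; print(ctypes.CDLL(None).prctl(39, 0, 0, 0, 0))"
    out = subprocess.check_output([sys.executable, "-c", probe])
    return out.strip() == b"1"


def _procattr(name):
    # Newer kernels expose the LSM-specific directory; fall back to the legacy one.
    for d in ("/proc/self/attr/apparmor", "/proc/self/attr"):
        p = os.path.join(d, name)
        if os.path.exists(p):
            return p
    raise FileNotFoundError("AppArmor procattr interface not available")


def apparmor_request(attr, verb, profile):
    """Write one procattr command. libapparmor equivalents:
       ('current', 'changeprofile', P)  aa_change_profile(P)   immediate full switch
       ('current', 'stack', P)          aa_stack_profile(P)    immediate stack
       ('exec', 'exec', P)              aa_change_onexec(P)    full switch at next execve
       ('exec', 'stack', P)             aa_stack_onexec(P)     stack at next execve
    """
    with open(_procattr(attr), "w") as f:
        f.write(f"{verb} {profile}")


def launch_confined(argv, profile, stack=False):
    """Run argv under `profile` with no_new_privs, in an order the kernel accepts.

    Full switch: caller must be unconfined or hold a matching change_profile rule,
    and the switch must happen before NNP; afterwards the kernel refuses it.
    Stack: allowed even with NNP already set, because the stacked label is a
    subset of the current one.
    """
    def in_child():
        if stack:
            apparmor_request("exec", "stack", profile)
        else:
            apparmor_request("current", "changeprofile", profile)
        set_no_new_privs()  # safe now: the transition is done (or queued as a stack)

    return subprocess.call(argv, preexec_fn=in_child)


if __name__ == "__main__":
    # "example-profile" is a hypothetical name; replace it with a loaded profile.
    sys.exit(launch_confined(["/bin/true"], "example-profile",
                             stack="--stack" in sys.argv))
```

The exec that follows still has to be permitted by the new label with `no_new_privs` set, so the target profile needs an `ix`-style rule for `argv[0]` rather than a `Px` transition to yet another profile. `child_inherits_nnp()` exists to make the inheritance visible: once the launcher itself has set the bit, every descendant, including the systemd-style service it spawns, is locked into subset-only transitions.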

License change of apparmor-profile-everything to GPLv(2|3)(+) being considered:

That is already what Whonix is attempting to do. It already comes with a set of preinstalled applications covering everything from crypto wallets to chat clients, but it doesn’t come with properly enforced AppArmor profiles covering everything as of yet, and thus it is only compromises.

If we are talking about security and we should only force certain applications down the throats of our users, then that user might as well use Windows, as it contains far superior application sandboxing. This is documented on @madaidan’s blog.

This is not the way it should be, freedom always over security.

Done.

As discussed in Once again, AppArmor for Everything · Issue #78 · Kicksecure/apparmor-profile-everything · GitHub, apparmor-profile-everything will be retired from Kicksecure (and Whonix) as there are no contributors in a long time but hopefully it gets picked up upstream which would be much better.

That is really unfortunate. I wouldn’t mind helping test this pretty often if you ever change your mind.

Testing wasn’t the lacking resource. Development is.

apparmor-profile-everything is deprecated!

It might become replaced by apparmor.d, see