AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy

Quote AppArmor/HowToUse - Debian Wiki

  • Profiles in complain mode will send ALLOWED lines in the logs for entries that would normally be DENIED in enforce mode. You can use this to tweak configs before turning them on in enforce mode.

Could you fix the following please?

sudo journalctl -b -o cat | grep denied

AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/bin/systemctl" pid=1874 comm="firewall-restar" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/whonix-firewall/**//null-/bin/systemctl"
AVC apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/tmp/tmp.zs8SEbAZQf" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1577880763.053:19): apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/bin/systemctl" pid=1874 comm="firewall-restar" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/whonix-firewall/**//null-/bin/systemctl"
audit: type=1400 audit(1577880763.053:20): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/tmp/tmp.zs8SEbAZQf" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1577880763.053:21): apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/bin/systemctl" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/bin/systemctl" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/ld-2.28.so" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/etc/ld.so.cache" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libc-2.28.so" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libc-2.28.so" pid=1874 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libselinux.so.1" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1577880763.053:22): apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/ld-2.28.so" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1577880763.053:23): apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/etc/ld.so.cache" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1577880763.053:24): apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libc-2.28.so" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1577880763.053:25): apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libc-2.28.so" pid=1874 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
audit: type=1400 audit(1577880763.053:26): apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libselinux.so.1" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1577880763.053:27): apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libselinux.so.1" pid=1874 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libselinux.so.1" pid=1874 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/liblzma.so.5.2.4" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/liblzma.so.5.2.4" pid=1874 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/usr/lib/x86_64-linux-gnu/liblz4.so.1.8.3" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/usr/lib/x86_64-linux-gnu/liblz4.so.1.8.3" pid=1874 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libgcrypt.so.20.2.4" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libgcrypt.so.20.2.4" pid=1874 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libblkid.so.1.1.0" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libblkid.so.1.1.0" pid=1874 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libpthread-2.28.so" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libpthread-2.28.so" pid=1874 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libpcre.so.3.13.3" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libpcre.so.3.13.3" pid=1874 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
audit: type=1400 audit(1577880763.053:28): apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/liblzma.so.5.2.4" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libdl-2.28.so" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libdl-2.28.so" pid=1874 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libgpg-error.so.0.26.1" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libgpg-error.so.0.26.1" pid=1874 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libuuid.so.1.3.0" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libuuid.so.1.3.0" pid=1874 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/proc/filesystems" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/usr/lib/locale/locale-archive" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/proc/1874/stat" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/proc/1/environ" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/proc/1/sched" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/proc/cmdline" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/usr/share/zoneinfo/UCT" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/run/log/journal/" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/etc/machine-id" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/run/log/journal/b08dfa6083e7567a1921a715000001fb/" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/run/log/journal/b08dfa6083e7567a1921a715000001fb/system.journal" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/run/log/journal/b08dfa6083e7567a1921a715000001fb/system@e059de1a43f24dd48f17f28ccce65000-0000000000000001-00059b12fd2ef886.journal" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/proc/sys/kernel/random/boot_id" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/bin/systemctl" pid=1878 comm="firewall-restar" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/whonix-firewall/**//null-/bin/systemctl"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/bin/systemctl" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/ld-2.28.so" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/etc/ld.so.cache" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libc-2.28.so" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libc-2.28.so" pid=1878 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libselinux.so.1" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libselinux.so.1" pid=1878 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/liblzma.so.5.2.4" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/liblzma.so.5.2.4" pid=1878 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/usr/lib/x86_64-linux-gnu/liblz4.so.1.8.3" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/usr/lib/x86_64-linux-gnu/liblz4.so.1.8.3" pid=1878 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libgcrypt.so.20.2.4" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libgcrypt.so.20.2.4" pid=1878 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libblkid.so.1.1.0" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libblkid.so.1.1.0" pid=1878 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libpthread-2.28.so" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libpthread-2.28.so" pid=1878 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libpcre.so.3.13.3" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libpcre.so.3.13.3" pid=1878 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libdl-2.28.so" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libdl-2.28.so" pid=1878 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libgpg-error.so.0.26.1" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libgpg-error.so.0.26.1" pid=1878 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libuuid.so.1.3.0" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libuuid.so.1.3.0" pid=1878 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/proc/filesystems" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/usr/lib/locale/locale-archive" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/proc/1878/stat" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/proc/1/environ" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/proc/1/sched" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/proc/cmdline" pid=1878 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="chown" profile="/usr/lib/whonix-firewall/**" name="/run/sdwdate/success" pid=1889 comm="chown" requested_mask="w" denied_mask="w" fsuid=0 ouid=109
AVC apparmor="ALLOWED" operation="chown" profile="/usr/lib/whonix-firewall/**" name="/run/sdwdate/first_success" pid=1889 comm="chown" requested_mask="w" denied_mask="w" fsuid=0 ouid=109
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/etc/sudoers.d/" pid=1891 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/etc/sudoers.d/" pid=1896 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/etc/gai.conf" pid=1939 comm="iptables" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/etc/gai.conf" pid=1940 comm="iptables" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
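As an added example (not code from this thread, from Whonix or from Kicksecure), a small Python tool that does what the posts in this thread do by hand: it parses AVC records like the ones above and in the later posts (file accesses, the exec into a `//null-` child profile, chown, ptrace, capable), folds accesses made under an auto-generated `//null-` profile back into the parent profile that needs the exec rule, and prints candidate rules per profile. The function names and the sample records are my own constructions; the exec mode it emits (`ix`) is only a placeholder, since the thread itself weighs `Ux` and `rpx` style rules.

```python
"""Turn AppArmor AVC records into candidate profile rules.

Added example for this thread, not code from Whonix or Kicksecure; the
function names are mine and SAMPLE_LOG is constructed from the thread's records.
"""
import re

# key=value fields; the value is either "quoted" or a bare token
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# canonical order of file-permission letters; x last so it can take an exec mode
_PERM_ORDER = "mrwlkx"


def parse_avc(line):
    """Return the key/value fields of one AVC record, or None for other lines."""
    if "apparmor=" not in line:
        return None
    return {key: (bare if bare else quoted)
            for key, quoted, bare in _FIELD.findall(line)}


def _merge(old, new):
    """Union of two permission strings, in canonical order."""
    return "".join(c for c in _PERM_ORDER if c in old or c in new)


def suggest_rules(lines):
    """Map each profile to the rules that would cover its ALLOWED/DENIED records."""
    wanted = {}  # profile -> {rule key: merged permissions}
    for line in lines:
        f = parse_avc(line)
        if f is None or f.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        profile = f.get("profile", "")
        # "parent//null-/path": /path was exec'd with no exec rule and ran in an
        # auto-generated null profile, so its accesses belong to the parent
        if "//null-" in profile:
            profile = profile.split("//null-", 1)[0]
        rules = wanted.setdefault(profile, {})
        op = f.get("operation")
        if op == "capable":
            rules[("capability", f["capname"])] = ""
        elif op == "ptrace":
            rules[("ptrace", f.get("denied_mask", ""), f.get("peer", ""))] = ""
        elif "name" in f:  # open, file_mmap, file_inherit, exec, chown, ...
            key = ("file", f["name"])
            rules[key] = _merge(rules.get(key, ""), f.get("denied_mask", ""))

    out = {}
    for profile, rules in wanted.items():
        rendered = []
        for key, perms in rules.items():
            if key[0] == "capability":
                rendered.append(f"capability {key[1]},")
            elif key[0] == "ptrace":
                peer = f" peer={key[2]}" if key[2] else ""
                rendered.append(f"ptrace ({key[1]}){peer},")
            else:
                # a bare x is not valid in a profile: an exec mode is required.
                # ix is only a placeholder; px/Px/ux/Ux must be weighed by hand.
                rendered.append(f"{key[1]} {perms.replace('x', 'ix')},")
        out[profile] = rendered
    return out


# Constructed sample modelled on this thread's records; not a real capture.
SAMPLE_LOG = """\
AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/bin/systemctl" pid=1874 comm="firewall-restar" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/whonix-firewall/**//null-/bin/systemctl"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/bin/systemctl" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libc-2.28.so" pid=1874 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/bin/systemctl" name="/lib/x86_64-linux-gnu/libc-2.28.so" pid=1874 comm="systemctl" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="chown" profile="/usr/lib/whonix-firewall/**" name="/run/sdwdate/success" pid=1889 comm="chown" requested_mask="w" denied_mask="w" fsuid=0 ouid=109
Jan 13 17:17:56 host audit[1876]: AVC apparmor="ALLOWED" operation="ptrace" profile="/usr/lib/whonix-firewall/**" pid=1876 comm="systemctl" requested_mask="read" denied_mask="read" peer="unconfined"
Jan 01 13:45:16 host sudo[8484]: pam_exec(sudo:account): execve(/usr/lib/security-misc/pam_only_if_login,...) failed: Permission denied
AVC apparmor="DENIED" operation="open" profile="/usr/bin/whonixcheck" name="/etc/security/access-security-misc.conf" pid=8483 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="DENIED" operation="capable" profile="init-systemd" pid=1715 comm="Xorg" capability=17  capname="sys_rawio"
"""

if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG.splitlines()).items():
        print(f"# candidate rules for profile {profile}")
        print("\n".join("  " + rule for rule in rules))
```

The output is a starting point for review, not a profile to paste: each candidate still needs the least-privilege judgement the thread applies (exec mode, whether a base abstraction already grants it, whether a capability should be granted at all).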

Untested. Not sure yet this makes sense.

Happening without apparmor-profile-everything.

Jan 01 13:45:16 host audit[8484]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/pam_only_if_login" pid=8484 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jan 01 13:45:16 host sudo[8484]: pam_exec(sudo:account): execve(/usr/lib/security-misc/pam_only_if_login,…) failed: Permission denied
Jan 01 13:45:16 host sudo[8483]: pam_exec(sudo:account): /usr/lib/security-misc/pam_only_if_login failed: exit code 13
Jan 01 13:45:16 host sudo[8483]: pam_access(sudo:account): failed to open accessfile=[/etc/security/access-security-misc.conf]: Permission denied
Jan 01 13:45:16 host sudo[8483]: pam_access(sudo:account): failed to parse the module arguments
Jan 01 13:45:16 host sudo[8483]: user : PAM account management error: Critical error - immediate abort ; TTY=unknown ; PWD=/ ; USER=whonixcheck ; COMMAND=/usr/lib/whonixcheck/whonixcheck --daemon --gui --cli
Jan 01 13:45:16 host audit[8483]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/whonixcheck" name="/etc/security/access-security-misc.conf" pid=8483 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 01 13:45:16 host kernel: audit: type=1400 audit(1577886316.624:289): apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/pam_only_if_login" pid=8484 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jan 01 13:45:16 host kernel: audit: type=1400 audit(1577886316.624:290): apparmor="DENIED" operation="open" profile="/usr/bin/whonixcheck" name="/etc/security/access-security-misc.conf" pid=8483 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Had to revert this. And even add more Ux rules. Things have to stay functional without apparmor-profile-everything installed. At minimum until apparmor-profile-everything is ready for production (not functional in Qubes yet, boot modes not done/tested).

I wonder how things could be made to play well once apparmor-profile-everything gets installed, i.e. with the above rules removed.

A bunch of other permissions like the ones in /lib/ are already granted by the base abstraction.

What’s the point of this?

madaidan via Whonix Forum:

What’s the point of this?

Same as other security-misc pam apparmor profiles.

The other profiles are there because they needed permissions not in the main init-systemd profile. pam_only_if_login and pam-abort-on-locked-password don’t seem to need to access anything not already permitted.

Oh, never mind. I see. We need the rpx rule in the base abstraction, so it needs a profile.

Reverted and reverted the revert. :slight_smile:

A better way would be to create our own app launcher that uses aa-exec to run the app in a confined_app profile although that might be too much work having to decide which apps run in confined_app by default and make it usable.

If we do decide to do this though, we can also do things like run each app as their own user in their own bubblewrap sandbox for better confinement.

Similar to Android, which has Zygote.

With developers repository.

Jan 13 17:17:56 host audit[1876]: AVC apparmor="ALLOWED" operation="ptrace" profile="/usr/lib/whonix-firewall/**" pid=1876 comm="systemctl" requested_mask="read" denied_mask="read" peer="unconfined"
Jan 13 17:17:56 host audit[1876]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/proc/cmdline" pid=1876 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 13 17:17:56 host audit[1876]: AVC apparmor="ALLOWED" operation="ptrace" profile="/usr/lib/whonix-firewall/**" pid=1876 comm="systemctl" requested_mask="read" denied_mask="read" peer="unconfined"
Jan 13 17:17:56 host kernel: audit: type=1400 audit(1578935876.449:19): apparmor="ALLOWED" operation="ptrace" profile="/usr/lib/whonix-firewall/**" pid=1876 comm="systemctl" requested_mask="read" denied_mask="read" peer="unconfined"
Jan 13 17:17:56 host kernel: audit: type=1400 audit(1578935876.449:20): apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/proc/cmdline" pid=1876 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 13 17:17:56 host kernel: audit: type=1400 audit(1578935876.449:21): apparmor="ALLOWED" operation="ptrace" profile="/usr/lib/whonix-firewall/**" pid=1876 comm="systemctl" requested_mask="read" denied_mask="read" peer="unconfined"
Jan 13 17:17:56 host audit[1880]: AVC apparmor="ALLOWED" operation="ptrace" profile="/usr/lib/whonix-firewall/**" pid=1880 comm="systemctl" requested_mask="read" denied_mask="read" peer="unconfined"
Jan 13 17:17:56 host audit[1880]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/proc/cmdline" pid=1880 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 13 17:17:56 host kernel: audit: type=1400 audit(1578935876.457:22): apparmor="ALLOWED" operation="ptrace" profile="/usr/lib/whonix-firewall/**" pid=1880 comm="systemctl" requested_mask="read" denied_mask="read" peer="unconfined"
Jan 13 17:17:56 host kernel: audit: type=1400 audit(1578935876.457:23): apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/proc/cmdline" pid=1880 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 13 17:17:56 host kernel: audit: type=1400 audit(1578935876.457:24): apparmor="ALLOWED" operation="ptrace" profile="/usr/lib/whonix-firewall/**" pid=1880 comm="systemctl" requested_mask="read" denied_mask="read" peer="unconfined"
Jan 13 17:17:56 host audit[1880]: AVC apparmor="ALLOWED" operation="ptrace" profile="/usr/lib/whonix-firewall/**" pid=1880 comm="systemctl" requested_mask="read" denied_mask="read" peer="unconfined"

Could you fix please?

https://github.com/Whonix/whonix-firewall/pull/5

Merged.

I figured out the problem. Denying write access to /**/systemd/ causes this.

That and a few other things are fixed in Fixes by madaidan · Pull Request #32 · Kicksecure/apparmor-profile-everything · GitHub

Merged.

  ## Deny access to /boot and /usr/src to hide them from the logs.
  audit deny /boot/ rw,
  audit deny /boot/** rw,
  audit deny /usr/src/ rw,
  audit deny /usr/src/** rw,

What is hiding from the logs useful for here?

By “logs”, I mean apparmor logs. I noticed that something would try to access /boot and /usr/src which would then give unwanted errors in the logs.

madaidan via Whonix Forum:

By “logs”, I mean apparmor logs.

I know.

I noticed that something would try to access /boot and /usr/src which would then give unwanted errors in the logs.

What accesses /boot and /usr/src? That would be good to know so that it can be documented. Anything trying to access these folders and failing might be OK but it might also break some functionality. Therefore better to initially log this and disable logging later after we at least know the major, default installed things which try to access these folders.

For some reason, remove-system.map wasn’t being confined under kicksecure-shell-script for me so it was giving those errors. I replaced the profiles with the ones in git and the errors stopped.

I removed the deny rules and added more System.map locations in Fix remove-system.map by madaidan · Pull Request #33 · Kicksecure/apparmor-profile-everything · GitHub

I’m getting this error now due to our sysctl restrictions:

AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/proc/sys/kernel/core_pattern" pid=1 comm="systemd-shutdow" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

We’ll need to create a systemd-shutdown profile for this although I don’t know why it needs access to that anyway.

We should also create a profile for Xorg since it’s a large amount of code, has a history of vulnerabilities and to get rid of this error:

AVC apparmor="DENIED" operation="capable" profile="init-systemd" pid=1715 comm="Xorg" capability=17  capname="sys_rawio"

Granting CAP_SYS_RAWIO in the main profile is not ok as it opens up so many ways to escalate to kernel privileges such as iopl().

Even if we do make an X profile, I don’t know if I’m comfortable with exposing CAP_SYS_RAWIO to a program with such huge attack surface.

https://github.com/Whonix/apparmor-profile-everything/pull/34

Now at 23 capabilities.

Will Remove CAP_NET_ADMIN capability by madaidan · Pull Request #25 · Kicksecure/apparmor-profile-everything · GitHub get merged?