The call for testes news went live.
Could you fix these please?
Oct 08 17:56:29 host audit[1907]: AVC apparmor=“ALLOWED” operation=“exec” profile=“/usr/lib/whonix-firewall/" name=“/usr/bin/whonix_firewall” pid=1907 comm=“enable-firewall” requested_mask=“x” denied_mask=“x” fsuid=0 ouid=0 target="/usr/lib/whonix-firewall///null-/usr/bin/whonix_firewall”
Oct 08 17:56:29 host audit[1907]: AVC apparmor=“ALLOWED” operation=“file_mmap” profile=“/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall” name=“/bin/bash” pid=1907 comm=“whonix_firewall” requested_mask=“r” denied_mask=“r” fsuid=0 ouid=0
Oct 08 17:56:29 host audit[1924]: AVC apparmor=“ALLOWED” operation=“open” profile=“/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-workstation-firewall//null-/usr/bin/id” name=“/lib/x86_64-linux-gnu/libnss_files-2.28.so” pid=1924 comm=“id” requested_mask=“r” denied_mask=“r” fsuid=0 ouid=0
Oct 08 17:56:29 host audit[1924]: AVC apparmor=“ALLOWED” operation=“file_mmap” profile=“/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-workstation-firewall//null-/usr/bin/id” name=“/lib/x86_64-linux-gnu/libnss_files-2.28.so” pid=1924 comm=“id” requested_mask=“rm” denied_mask=“rm” fsuid=0 ouid=0
1 Like
Merged.
1 Like
A telegram user reported broken shared folders. Perhaps access should be very permissive to this directory?
2 Likes
What directory? Shared folders can be set at arbitrary directories. It’s impossible to support all configurations at once. Unless you’re referring to ~/shared? That’s already allowed. You just can’t execute from it.
2 Likes
Yeah I was referring to /mnt/shared in the VM.
2 Likes
2 Likes
1 Like
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/proc/cmdline" pid=2712 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/proc/cmdline" pid=2713 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/usr/bin/whonix_firewall" pid=2717 comm="enable-firewall" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/bin/bash" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/ld-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/etc/ld.so.cache" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libtinfo.so.6.1" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libtinfo.so.6.1" pid=2717 comm="whonix_firewall" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libdl-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libdl-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libc-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libc-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/dev/tty" pid=2717 comm="whonix_firewall" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/locale/locale-archive" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/etc/nsswitch.conf" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/etc/ld.so.cache" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libnss_files-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/lib/x86_64-linux-gnu/libnss_files-2.28.so" pid=2717 comm="whonix_firewall" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/etc/passwd" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/bin/whonix_firewall" pid=2717 comm="whonix_firewall" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall" name="/usr/bin/whonix-gateway-firewall" pid=2718 comm="whonix_firewall" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-gateway-firewall"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-gateway-firewall" name="/usr/bin/bash" pid=2718 comm="whonix-gateway-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-gateway-firewall" name="/usr/lib/x86_64-linux-gnu/ld-2.28.so" pid=2718 comm="whonix-gateway-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/whonix_firewall//null-/usr/bin/whonix-gateway-firewall" name="/etc/ld.so.cache" pid=2718 comm="whonix-gateway-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0All of these are already allowed.
1 Like
Aren’t these just ALLOWED because the profile is still in complain mode and not yet in enforce mode? If the profile was in enforce mode, I guess these would become DENIED?
Why would the log mention ALLOWED? If apparmor profiles would log everything every time something was allowed, that would overwhelm logs. So even if allowed, that log message should be made gone somehow?
1 Like
I’m not sure why this is happening but the denials you’re facing are certainly already allowed, many of them in the base abstraction.
1 Like
Merged.
Cannot reproduce anymore. Perhaps I missed journalctl -b or --boot.
1 Like
apparmor-profile-everything profile comment:
TODO: Create auditd(/journald?) profile and remove audit_*.
Therefore no longer required or lower priority since Whonix will be no longer installing auditd by default?
1 Like
Are you sure uninstalling auditd is a good idea? It’s pretty useful for debugging and uninstalling it would break e.g. apparmor-info unless I’m missing something?
1 Like
The audit lines in systemd journal are independent. auditd wasn’t installed on Whonix-Workstation. Only on Whonix-Gateway. Was only a Depends: in anon-gw-anonymizer-config. No other mentions of it in Whonix source code anywhere. Was only installed to debug ⚓ T537 monitor what changes /var/lib/tor/lock access rights. Since that issue doesn’t happen anymore. rip out that debugging code since causing issues (A start job is running for security auditing service - #3 by Patrick). I am confident we won’t notice a difference.
1 Like
Suggestion: "Tor Control Panel" on Gateway without root reminds me of upgrade-nonroot. Would it be better for security if we got rid of that for sake of apparmor-profile-everything?
Also interesting in context of:
1 Like
How would it be better? It doesn’t seem like a risk to me.
1 Like