AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy

Patrick · March 14, 2021, 1:12pm

github.com/Kicksecure/apparmor-profile-everything

Reboot failure on Debian 10 due to systemd confinement

opened 10:05PM - 13 Mar 21 UTC

When applying the package from the Whonix repo onto a fresh installation of Debi…an 10 (on both an AWS EC2 and a local VMWare Workstation VM) I lose the ability to reboot. I originally found this when using the 5.10 kernel from buster-backports and I tested also on the stock 4.19 kernel and it is reproducible there also. If I issue the `reboot` command the OS gets stuck on a blinking cursor and does not reboot. When setting systemd to complain using `aa-complain systemd` this issue goes away. Unable to see any logging in auditd relating to this.

madaidan · March 17, 2021, 11:59pm

Patrick · March 31, 2021, 8:43pm

madaidan · June 7, 2021, 6:52pm

Patrick · June 8, 2021, 6:13am

Thank you! Merged.

Could you please fix the whonix-firewall ALLOWED apparmor messages?

madaidan · June 8, 2021, 8:05pm

https://github.com/Whonix/whonix-firewall/pull/9

Is the sdwdate profile mature enough yet to be enforced?

Patrick · June 9, 2021, 2:44pm

It already is.

Patrick · June 9, 2021, 3:28pm

Merged.

Patrick · June 10, 2021, 2:10pm

This caused confusion:

Why a drop-in cannot be used? Is there an upstream bug report for this?

madaidan · June 11, 2021, 6:44pm

I’m not sure. It unexplainably broke when testing.

Which upstream?

The root issue is with the no_new_privs bit. It prevents a process from gaining further privileges. AppArmor respects this and prevents a process from transitioning to another AppArmor profile that grants increased permissions: linux/security/apparmor/domain.c at 3cee6079f62f4d3a37d9dda2e0851677e08028ff · torvalds/linux · GitHub

Since a lot of sandboxing options force this enabled (e.g. seccomp), we have to disable a lot of things for this to work. Theoretically, one could transition AppArmor profile and then set no_new_privs, but I don’t know how to do this. Will update Systemd sandboxing fails when using a full system apparmor policy · Issue #14277 · systemd/systemd · GitHub

Patrick · June 12, 2021, 6:51am

systemd about not honoring the drop-in disabling no new privs.

madaidan · June 13, 2021, 5:54pm

I’m not sure if it’s actually an issue within systemd. I’ll investigate more.

Patrick · August 22, 2021, 10:18pm

Made some changes. Including Ux (unconfined open). Needs to be improved. Yet, still a lot fixes required. (After bullseye release upgrade in Qubes-Whonix.)

I am still wondering if there is some shortcut to run some trusted things such as this unconfined since sorting out all of this might be unachievable in the time available?

AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/run/updatesproxycheck/" comm="inotifywait" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/proc/cmdline" comm="systemctl" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/usr/bin/qubesdb-cmd" comm="whonix-workstat" requested_mask="x" denied_mask="x"
AVC apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/dev/null" comm="qubesdb-read" requested_mask="w" denied_mask="w"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/bin/qubesdb-cmd" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/lib/x86_64-linux-gnu/ld-2.28.so" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/etc/ld.so.preload" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/etc/ld.so.cache" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/lib/libqubesdb.so" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/lib/libqubesdb.so" comm="qubesdb-read" requested_mask="rm" denied_mask="rm"
AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/lib/x86_64-linux-gnu/libc-2.28.so" comm="qubesdb-read" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/whonix-firewall/**//null-/usr/bin/qubesdb-cmd" name="/usr/lib/x86_64-linux-gnu/libc-2.28.so" comm="qubesdb-read" requested_mask="rm" denied_mask="rm"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**" name="/run/updatesproxycheck/" comm="inotifywait" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="exec" profile="/usr/libexec/whonix-firewall/**" name="/usr/bin/getent" comm="whonix-gateway-" requested_mask="x" denied_mask="x"
AVC apparmor="ALLOWED" operation="file_inherit" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/dev/null" comm="getent" requested_mask="w" denied_mask="w"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/bin/getent" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/ld-2.31.so" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/ld.so.preload" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/ld.so.cache" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libc-2.31.so" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libc-2.31.so" comm="getent" requested_mask="rm" denied_mask="rm"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/locale/locale-archive" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/nsswitch.conf" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libnss_files-2.31.so" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libnss_files-2.31.so" comm="getent" requested_mask="rm" denied_mask="rm"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/passwd" comm="getent" requested_mask="r" denied_mask="r"
user@host:~$ sudo apparmor-info -b
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**" name="/run/updatesproxycheck/" comm="inotifywait" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="exec" profile="/usr/libexec/whonix-firewall/**" name="/usr/bin/getent" comm="whonix-gateway-" requested_mask="x" denied_mask="x"
AVC apparmor="ALLOWED" operation="file_inherit" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/dev/null" comm="getent" requested_mask="w" denied_mask="w"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/bin/getent" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/ld-2.31.so" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/ld.so.preload" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/ld.so.cache" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libc-2.31.so" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libc-2.31.so" comm="getent" requested_mask="rm" denied_mask="rm"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/locale/locale-archive" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/nsswitch.conf" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libnss_files-2.31.so" comm="getent" requested_mask="r" denied_mask="r"
AVC apparmor="ALLOWED" operation="file_mmap" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/usr/lib/x86_64-linux-gnu/libnss_files-2.31.so" comm="getent" requested_mask="rm" denied_mask="rm"
AVC apparmor="ALLOWED" operation="open" profile="/usr/libexec/whonix-firewall/**//null-/usr/bin/getent" name="/etc/passwd" comm="getent" requested_mask="r" denied_mask="r"

Patrick · September 28, 2021, 3:21pm

Just used it to fix these long standing whonix-firewall apparmor issues. Not perfect but certainly better than keeping spamming journal with it.

ike · March 11, 2023, 3:21pm

Has anyone investigated stacking apparmor profiles as a workaround for no-new-privs?:
I can’t post a link here, so just look up AppArmorStacking in the apparmor wiki.
A transition to a profile stacked with the current profile works with no-new-privs. It’s a bit tricky to get it to work - I’ve used it in debian testing (bookworm) with bwrap to get no-new-privs. Support depends on recency of apparmor version.

Patrick · October 30, 2023, 7:41pm

License change of apparmor-profile-everything to GPLv(2|3)(+) being considered:

github.com/Kicksecure/apparmor-profile-everything

Once again, AppArmor for Everything

opened 08:48PM - 29 Oct 23 UTC

monsieuremre

Hi. It is that time of the year. I wrote a [full system AppArmor policy](https:/…/github.com/monsieuremre/full-apparmor-policy) for Debian, since this does not seem to work anymore. I restricted it a lot (I guess). Combining with other profiles I ported from another project, it now functions. And by functions, I mean without breaking stuff. The [base policy](https://github.com/monsieuremre/full-apparmor-policy/blob/main/apparmor.d/profiles/full-policy) is relatively strict, and most sensitive root processes are covered in their respective profiles. I normally wanted to use this repo as a base but turns out licenses are not compatible with the other project. Anyway, I would like to merge the projects to bring this one back to life. This is important because there being a big name like Whonix behind a project makes all the difference for popularity and user trust. Else my project will just be some random abandonware in some years (or maybe not, but chances). Maybe the two can be rebased, license changed, or in some other way merged together. I am willing to do anything to help, if the maintainers are interested. If not, you can just close the issue.

neo0xff · November 2, 2023, 2:21am

That is already what Whonix is attempting to do. It already comes with a set of preinstalled applications covering everything crypto wallets to chat clients, but it don’t come with properly enforced apparmor profiles covering everything as of yet and thus, it is only compromises.

If we are talking about security and we should only force certain applications up the throats of our users then that user might as well use Windows as it contains far superior application sandboxing. This is documented on @madaidan blog.

This is not the way it should be, freedom always over security.

Patrick · November 2, 2023, 4:53pm

Done.

Patrick · November 2, 2023, 4:54pm

As discussed in Once again, AppArmor for Everything · Issue #78 · Kicksecure/apparmor-profile-everything · GitHub, apparmor-profile-everything will be retired from Kicksecure (and Whonix) as there are no contributors in a long time but hopefully it gets picked up upstream which would be much better.

neo0xff · November 3, 2023, 4:13am

That is really unfortunate. I wouldn’t mind helping test this pretty often if you ever change your mind.