Thank you! Merged.
Could you please fix the whonix-firewall ALLOWED apparmor messages?
Is the sdwdate profile mature enough yet to be enforced?
It already is.
This caused confusion:
Why can't a drop-in be used? Is there an upstream bug report for this?
I’m not sure. It unexplainably broke when testing.
The root issue is with the no_new_privs bit. It prevents a process from gaining further privileges. AppArmor respects this and prevents a process from transitioning to another AppArmor profile that grants increased permissions: linux/domain.c at 3cee6079f62f4d3a37d9dda2e0851677e08028ff · torvalds/linux · GitHub
Since a lot of sandboxing options force this enabled (e.g. seccomp), we have to disable a lot of things for this to work. Theoretically, one could transition AppArmor profile and then set no_new_privs, but I don’t know how to do this. Will update Systemd sandboxing fails when using a full system apparmor policy · Issue #14277 · systemd/systemd · GitHub
systemd about not honoring the drop-in disabling no new privs.
I’m not sure if it’s actually an issue within systemd. I’ll investigate more.
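The kernel semantics of the no_new_privs bit discussed in this thread, as an added example that is not part of the original posts and is not Whonix, systemd or AppArmor code: once set, the bit cannot be cleared and is inherited by children, which is why the order of "transition profile, then set no_new_privs" matters. The function name nnp_probe and the NNP_* flag names are made up for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Flag names are hypothetical, defined only for this example. */
enum { NNP_SET_OK = 1, NNP_CLEAR_REFUSED = 2, NNP_INHERITED = 4 };

/* Probe no_new_privs in a forked child so the caller's own bit is untouched.
 * Returns a mask of the flags above, or -1 if the probe could not run. */
int nnp_probe(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int flags = 0;
        /* Setting the bit needs no privilege; arg2 must be exactly 1. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&
            prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1)
            flags |= NNP_SET_OK;
        /* There is no way back: an attempt to clear it fails with EINVAL. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 && errno == EINVAL)
            flags |= NNP_CLEAR_REFUSED;
        /* A child created after the bit is set starts with it set. */
        pid_t gc = fork();
        if (gc == 0)
            _exit(prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 0 : 1);
        if (gc > 0 && waitpid(gc, &status, 0) == gc &&
            WIFEXITED(status) && WEXITSTATUS(status) == 0)
            flags |= NNP_INHERITED;
        _exit(flags);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = nnp_probe();
    printf("set=%d clear_refused=%d inherited=%d\n", r >= 0 && (r & NNP_SET_OK),
           r >= 0 && (r & NNP_CLEAR_REFUSED), r >= 0 && (r & NNP_INHERITED));
    return r < 0;
}
```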