apparmor-profiles / apparmor-profiles-extra vs broken sudo aa-enforce /etc/apparmor.d/*

Hope everyone is having a great weekend. With that big update that came through the other day I felt it was a good time to do my routine fresh install just to keep things clean. When I applied the “hardened-debian” apparmor profiles I am getting these profiles in complain mode on the workstation:

16 profiles are in complain mode.
/usr/bin/irssi
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
avahi-daemon
identd
klogd
mdnsd
nmbd
nscd
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute

Is this a safety issue? Thanks

If inside the VM then there is a technical small loss of protection as these profiles are no longer enforced.

If on the host then your Libvirt’s DHCP daemon is no longer confined but that’s of little consequence because we don’t really use it.


This recent documentation change by anonymous is likely the source of confusion:

Also it may not be clear if that page is addressing users of

  • Debian
  • Kicksecure
  • Whonix

either one or multiple of them?

dpkg -S /etc/apparmor.d/usr.bin.irssi

apparmor-profiles-extra: /etc/apparmor.d/usr.bin.irssi

Is it worth installing

?

We could add to documentation: set them all to enforce mode. Yeah, but how?

sudo aa-enforce /etc/apparmor.d/*

Right?

No. Running into a known bug.

ERROR: Values added to a non-existing variable @{HOMEDIRS}: /rw/home/ in tunables/home.d/live-mode

A bug that was already reported in Whonix forums and upstream, see:

https://forums.whonix.org/t/error-values-added-to-a-non-existing-variable-homedirs-rw-home-in-tunables-home-d-live-mode/8065

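As an added example (not code from this thread or from the AppArmor project), a small POSIX sh script that runs aa-enforce once per profile file instead of on the `/etc/apparmor.d/*` glob, skipping the subdirectories the glob also matches and reporting each failure next to the file being processed. It assumes the standard Debian layout (profiles as regular files at the top level; abstractions, tunables, local, disable and force-complain as subdirectories) and does not by itself resolve the @{HOMEDIRS} error quoted above; it only lets one failure not stop the rest.

```shell
#!/bin/sh
# Added example, not from the thread or the AppArmor project.
# Enforce profiles one file at a time instead of "sudo aa-enforce /etc/apparmor.d/*",
# so one failing file does not stop the rest and every failure is printed
# together with the file that was being processed.
# Assumed layout (standard Debian): profiles are regular files at the top
# level; subdirectories (abstractions, tunables, local, disable, force-complain)
# hold includes and markers, not profiles.

# is_profile_file PATH: true for a top-level regular file that is not an
# editor backup or a package-manager conffile leftover (those are not profiles).
is_profile_file() {
    [ -f "$1" ] || return 1              # subdirectories fail this test
    case "$1" in
        *~|*.bak|*.orig|*.dpkg-*|*.ucf-*) return 1 ;;
    esac
    return 0
}

# list_profile_files DIR: print the profile files in DIR, one per line.
list_profile_files() {
    for f in "$1"/*; do
        is_profile_file "$f" && printf '%s\n' "$f"
    done
}

# enforce_each DIR [CMD...]: run CMD (default: aa-enforce) on each profile
# file in DIR, continue past failures, print a summary and return the number
# of files whose command failed (0 means everything was enforced).
enforce_each() {
    dir=$1; shift
    [ $# -gt 0 ] || set -- aa-enforce
    ok=0; failed=0
    for f in "$dir"/*; do
        is_profile_file "$f" || continue
        # Capture stderr so the error is printed next to the file it belongs to
        if err=$("$@" "$f" 2>&1 >/dev/null); then
            ok=$((ok + 1))
        else
            failed=$((failed + 1))
            printf 'FAILED %s\n%s\n' "$f" "$err" >&2
        fi
    done
    printf '%d enforced, %d failed\n' "$ok" "$failed"
    return "$failed"
}

# Real run (needs root): sudo sh enforce-each.sh --run
if [ "${1-}" = "--run" ]; then enforce_each /etc/apparmor.d; fi
```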

I did originally use the new command of “sudo apt-get install apparmor-profiles apparmor-profiles-extra apparmor-profiles-hardened-debian”. I tried it again this afternoon, just to make sure. I did a new install of 15.0.0.3.3 followed by that new large update. I then did the “hardened-debian” command with the same result of those 16 profiles in complain mode.

Expected.

Open documentation / development issue. As per my above post.


Sorry, my mistake. Thanks!

These profiles are not mature enough to be shipped in enforce mode by default on Debian. They are shipped in complain mode so that users can test them, choose which are desired, and help improve them upstream if needed.
