apparmor-profiles Enforce

According to the document in the Whonix wiki, I have installed the maximum AppArmor profiles in both GATEWAY and WORKSTATION:

sudo apt-get install apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure

and then, as per the documentation's recommendation, I have enforced all profiles in /etc/apparmor.d/:

sudo aa-enforce /etc/apparmor.d/*

Now, upon checking the denied logs, I have seen some denied entries from the Whonix firewall …

Is it safe?

The Whonix firewall profile isn’t meant to be enforced yet.

Run:

sudo aa-complain /etc/apparmor.d/whonix-firewall
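For anyone triaging the same situation, the following is an added example (not from the original thread, the Whonix project, or its documentation) of the check that would tell you which profiles actually produced the denials after `aa-enforce /etc/apparmor.d/*`. It extracts the `profile=` field from `apparmor="DENIED"` audit lines and counts denials per profile; the log lines it runs on are constructed for the example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Whonix forum thread or project.
# Given AppArmor audit lines (from dmesg, journalctl -k or
# /var/log/audit/audit.log), list the profiles that produced DENIED
# entries and how many each produced. Complain-mode profiles log
# apparmor="ALLOWED" instead, so they do not show up here.

# Constructed sample log lines for this example (not a real capture).
SAMPLE_LOG='type=AVC msg=audit(1600000000.001:101): apparmor="DENIED" operation="open" profile="/usr/lib/whonix-firewall/**" name="/run/whonix_firewall" pid=781 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1600000000.002:102): apparmor="ALLOWED" operation="open" profile="/usr/bin/sdwdate" name="/etc/sdwdate.d/" pid=889 comm="python3.7" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1600000000.003:103): apparmor="DENIED" operation="exec" profile="/usr/lib/whonix-firewall/**" name="/usr/sbin/iptables" pid=796 comm="bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1600000000.004:104): apparmor="DENIED" operation="open" profile="/usr/bin/man" name="/etc/manpath.config" pid=1200 comm="man" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# Print each profile name that has at least one DENIED entry, once, sorted.
# Reads log lines on stdin.
denied_profiles() {
    grep 'apparmor="DENIED"' \
        | sed -n 's/.*profile="\([^"]*\)".*/\1/p' \
        | sort -u
}

# Print "<count> <profile>" for every profile with DENIED entries,
# most denials first. Reads log lines on stdin.
denied_counts() {
    grep 'apparmor="DENIED"' \
        | sed -n 's/.*profile="\([^"]*\)".*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Run against the constructed sample. On a live system, replace the
# printf with:  dmesg | denied_counts   or   journalctl -k | denied_counts
printf '%s\n' "$SAMPLE_LOG" | denied_counts
```

The name printed is the profile name, not the file under /etc/apparmor.d/ (for example `/usr/lib/whonix-firewall/**` lives in the file `whonix-firewall`), so grep for it in /etc/apparmor.d/ to find the file to pass to `aa-complain`. A profile that appears in this output while enforced is breaking something; whether to relax it or fix the profile is a decision per profile, not one to take for all of them at once.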

Thank you so much for your kind reply.
Here is my aa-status:

user@host:~$ sudo aa-status
[sudo] password for user:
apparmor module is loaded.
45 profiles are loaded.
45 profiles are in enforce mode.
//*-browser/Browser/firefox
/usr/bin/gwenview
/usr/bin/hexchat
/usr/bin/irssi
/usr/bin/man
/usr/bin/okular
/usr/bin/onioncircuits
/usr/bin/pidgin
/usr/bin/pidgin//sanitized_helper
/usr/bin/sdwdate
/usr/bin/totem
/usr/bin/totem-audio-preview
/usr/bin/totem-video-thumbnailer
/usr/bin/totem//sanitized_helper
/usr/bin/whonix_firewall
/usr/bin/whonixcheck
/usr/bin/xchat
/usr/lib/onion-grater
/usr/lib/sdwdate/url_to_unixtime
/usr/lib/whonix-firewall/**
/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session
/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session//chromium
/usr/sbin/apt-cacher-ng
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
/usr/sbin/haveged
avahi-daemon
bootclockrandomization
identd
klogd
man_filter
man_groff
mdnsd
nmbd
nscd
nvidia_modprobe
nvidia_modprobe//kmod
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
system_tor
traceroute
0 profiles are in complain mode.
9 processes have profiles defined.
9 processes are in enforce mode.
/usr/bin/python3.7 (889) /usr/bin/sdwdate
/bin/dash (2136) /usr/bin/sdwdate
/bin/sleep (2137) /usr/bin/sdwdate
/usr/bin/python3.7 (2308) /usr/lib/onion-grater
/bin/bash (781) /usr/lib/whonix-firewall/**
/bin/bash (796) /usr/lib/whonix-firewall/**
/usr/bin/inotifywait (797) /usr/lib/whonix-firewall/**
/usr/sbin/haveged (414)
/usr/bin/tor (884) system_tor
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Kindly help me with which profiles I have to set in complain mode.

Noted about the Whonix firewall.

Regards

That should be fine.


I’ve fixed and otherwise improved documentation just now:
AppArmor: Difference between revisions - Whonix

See:


Thank you so much, Patrick, for your kind time.

It might not be advisable or useful to enable all available AppArmor profiles.

Now I will disable the profiles which I enabled before.

Thanks again