I’m interested in installing the keystroke anonymization tool Kloak in Dom0 of Qubes OS. @Patrick mentioned that the upstream is dead, so how will that affect Whonix and Qubes using it? Will plans to include it be scrapped?
Please help testing kloak v0.2, see:
Kloak as a service fails on Qubes-Whonix. It looks for a keyboard at /dev/input/event4, but it needs to use /dev/input/event0.
Change /lib/systemd/system/kloak.service from "ExecStart=/usr/sbin/kloak" to "ExecStart=/usr/sbin/kloak -r /dev/input/event0 -w /dev/uinput" and it will work.
That won’t work. /dev/input/event0 is not a keyboard device.
ls -la /dev/input/event0
crw-rw---- 1 root input 13, 64 May 6 08:25 /dev/input/event0
ls -la /dev/input/by-path/platform-pcspkr-event-spkr
lrwxrwxrwx 1 root root 9 May 6 08:25 /dev/input/by-path/platform-pcspkr-event-spkr -> ../event0
That kloak is not working in Qubes, with links to the Qubes issue tracker, is mentioned here:
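Added example, not part of the thread and not kloak's own code: a way to check which event node is actually a keyboard before writing it into kloak.service, using the device name and key capability bitmap in sysfs. The "low 32 key bits all set" test is a heuristic assumed here, the function names are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: find which /dev/input/eventN is a keyboard via sysfs.
# Heuristic (assumption): a real keyboard advertises ESC, digits and Q..D,
# i.e. the low 32 bits of capabilities/key are all set except bit 0.

# Print "<node> TAB <keyboard|other> TAB <name>" for each evdev node.
classify_inputs() {
    sysroot=${1:-/sys/class/input}
    for dev in "$sysroot"/event*; do
        [ -r "$dev/device/name" ] || continue
        name=$(cat "$dev/device/name")
        keys=$(cat "$dev/device/capabilities/key" 2>/dev/null) || keys=
        case ${keys##* } in                 # last word = lowest key bits
            *fffffff[ef]) kind=keyboard ;;
            *)            kind=other ;;
        esac
        printf '/dev/input/%s\t%s\t%s\n' "${dev##*/}" "$kind" "$name"
    done
}

# First node classified as a keyboard, empty if none.
keyboard_node() {
    classify_inputs "$1" | awk -F '\t' '$2 == "keyboard" { print $1; exit }'
}

# ExecStart line for kloak.service using the -r/-w options from the thread.
execstart_line() {
    node=$(keyboard_node "$1")
    [ -n "$node" ] || return 1
    printf 'ExecStart=/usr/sbin/kloak -r %s -w /dev/uinput\n' "$node"
}

# Constructed sysfs tree: event0 is the PC speaker, event4 an AT keyboard.
make_sample_tree() {
    mkdir -p "$1/event0/device/capabilities" "$1/event4/device/capabilities"
    echo 'PC Speaker' > "$1/event0/device/name"
    echo '0' > "$1/event0/device/capabilities/key"
    echo 'AT Translated Set 2 keyboard' > "$1/event4/device/name"
    echo '402000000 3803078f800d001 feffffdfffefffff fffffffffffffffe' \
        > "$1/event4/device/capabilities/key"
}

classify_inputs /sys/class/input   # on a live system: inspect the real nodes
```

Event numbers can change between boots, so a /dev/input/by-path or by-id symlink is a more stable value for -r where one exists.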
In the logs, I’m now getting errors about kloak’s AppArmor. The profile needs these lines:
signal receive set=cont peer=unconfined,
signal receive set=exists peer=unconfined,
signal receive set=kill peer=unconfined,
signal receive set=term peer=unconfined,
Although, it’s weird. I think this is because systemd sends those signals to kloak to kill it but then why wouldn’t we need these for other AppArmor profiles?
No idea. Reported upstream.
I wonder if it would make sense to enable compile time hardening flags for kloak. I don’t know very much about these so I’m not sure.
All already enabled.
This could be reviewed for example by using:
hardening-check
and
checksec --file
They don’t seem to be for me on Arch Linux.
hardening-check
gives me
kloak:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: no, not found!
Read-only relocations: yes
Immediate binding: no, not found!
checksec
gives me
RELRO          STACK CANARY  NX          PIE          RPATH     RUNPATH     Symbols      FORTIFY  Fortified  Fortifiable  FILE
Partial RELRO  Canary found  NX enabled  PIE enabled  No RPATH  No RUNPATH  140 Symbols  Yes      0          6            kloak
They are all fully enabled on Whonix though. It may be a difference in Debian and Arch’s default toolchain. It would probably be helpful to hard code the hardening flags in so it doesn’t rely on the OS’s toolchain having them by default.
The default compiler for kloak (GCC) also doesn’t seem to support things like control flow integrity or safestack which those scripts don’t check for either.
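Added example, not part of the thread and not kloak's build files: GCC flags that address the gaps reported above ("Fortify Source", "Immediate binding", "Partial RELRO"), plus a check that reads `readelf` output instead of relying on distribution defaults. The variable and function names are hypothetical and the readelf excerpts are constructed.

```shell
#!/bin/sh
# Added example: pin hardening flags in the build and verify the result.
# Assumption: the build passes these to gcc; how kloak's Makefile consumes
# CFLAGS/LDFLAGS is not shown in the thread.
# _FORTIFY_SOURCE only takes effect when optimization is enabled.
HARDEN_CFLAGS='-O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fPIE'
HARDEN_LDFLAGS='-pie -Wl,-z,relro -Wl,-z,now'

# Classify RELRO from `readelf -lW -dW <binary>` output read on stdin.
# partial = GNU_RELRO segment only; full = GNU_RELRO plus immediate binding.
relro_level() {
    awk '
    $1 == "GNU_RELRO"          { relro = 1 }
    /\(FLAGS\)/ && /BIND_NOW/  { now = 1 }
    /\(FLAGS_1\)/ && / NOW/    { now = 1 }
    /\(BIND_NOW\)/             { now = 1 }
    END { print (relro ? (now ? "full" : "partial") : "none") }'
}

check_binary() { readelf -lW -dW "$1" | relro_level; }

# Constructed excerpt: linked with -z relro but without -z now.
sample_partial() {
    cat <<'EOF'
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1
 0x000000006ffffffb (FLAGS_1)            Flags: PIE
EOF
}

# Constructed excerpt: linked with -z relro -z now.
sample_full() {
    cat <<'EOF'
  GNU_RELRO      0x002d90 0x0000000000003d90 0x0000000000003d90 0x000270 0x000270 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
EOF
}

# With a path argument, check a real binary: sh this-script /usr/sbin/kloak
if [ $# -gt 0 ]; then check_binary "$1"; fi
```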
sudo journalctl -b -o cat | grep DENIED | grep kloak
AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:99): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:100): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:101): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:102): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:103): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:104): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:105): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:106): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:107): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Still.
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:25): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:26): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:27): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:28): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:29): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:30): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:31): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:32): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:33): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
I wonder how kloak and whonixcheck are connected. Any idea how to fix?
Add
deny ptrace,
to the kloak profile. Kloak shouldn’t need to ptrace whonixcheck. Dunno why it’s giving errors.
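Added example, not part of the thread: a filter that collapses a flood of identical AppArmor denials like the ones above into one line per unique tuple with a hit count, which makes it easier to see what a profile change has to cover. A `readby` denial is logged against the profile of the process being inspected, so here `fuser` running under the whonixcheck profile is reading kloak's process information. Function names are hypothetical; three sample lines are copied from the thread and one is constructed.

```shell
#!/bin/sh
# Added example: collapse repeated AppArmor denials into one line per unique
# profile/operation/mask/comm/peer tuple, prefixed with a hit count.

summarize_denials() {            # reads journal or audit lines on stdin
    awk '
    function field(key,    m) {  # value of key="value", or "-" if absent
        if (!match($0, " " key "=\"[^\"]*\"")) return "-"
        m = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
        return m
    }
    /apparmor="DENIED"/ {
        k = field("profile") " " field("operation") " " field("denied_mask")
        k = k " comm=" field("comm") " peer=" field("peer")
        if (!(k in n)) order[++cnt] = k   # remember first-seen order
        n[k]++
    }
    END { for (i = 1; i <= cnt; i++) printf "%d %s\n", n[order[i]], order[i] }'
}

sample_log() {                   # three lines from the thread, one constructed
    cat <<'EOF'
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:25): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:26): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:21 host systemd[1]: Started kloak (constructed non-AppArmor line).
EOF
}

# Live use: sudo journalctl -b -o cat | summarize_denials
sample_log | summarize_denials
```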