Current State of Kloak?

2 Likes

I wonder if it would make sense to enable compile time hardening flags for kloak. I don’t know very much about these so I’m not sure.

1 Like

All already enabled.

2 Likes

This could be reviewed for example by using:

hardening-check

and

checksec --file

1 Like

They don’t seem to be for me on Arch Linux.

hardening-check gives me

kloak:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, not found!
 Read-only relocations: yes
 Immediate binding: no, not found!

checksec gives me

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	Symbols		FORTIFY	Fortified	Fortifiable  FILE
Partial RELRO   Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   140 Symbols     Yes	0		6	kloak

They are all fully enabled on Whonix though. It may be a difference in Debian and Arch’s default toolchain. It would probably be helpful to hard code the hardening flags in so it doesn’t rely on the OS’s toolchain having them by default.

The default compiler for kloak (GCC) also doesn’t seem to support things like control flow integrity or safestack which those scripts don’t check for either.

1 Like
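
Added example, not part of any post in this thread and not kloak's own build code: one way to pin the hardening flags and to check the two properties that the Arch build above reports as missing (immediate binding, which is what separates Partial from Full RELRO, and fortified functions). The function name, the sample `readelf` excerpts and `prog.c` are constructed for illustration.

```sh
#!/bin/sh
# Flags pinned in the build instead of inherited from the distro toolchain.
# _FORTIFY_SOURCE only has an effect when optimisation (-O1 or higher) is on.
# e.g. cc $HARDEN_CFLAGS -o prog prog.c $HARDEN_LDFLAGS   (prog.c: placeholder)
HARDEN_CFLAGS='-O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fPIE'
HARDEN_LDFLAGS='-pie -Wl,-z,relro -Wl,-z,now'

# Reads `readelf -W -l -d --dyn-syms BINARY` output on stdin and reports:
#   relro=full     GNU_RELRO segment plus BIND_NOW (immediate binding)
#   relro=partial  GNU_RELRO segment only
#   relro=none     no GNU_RELRO segment
#   fortified=N    imported __*_chk functions (0: no fortified calls linked)
elf_hardening() {
    awk '
        /GNU_RELRO/                                   { relro = 1 }
        /\(BIND_NOW\)/                                { now = 1 }
        /\(FLAGS\)/ && /BIND_NOW/                     { now = 1 }
        /\(FLAGS_1\)/ && /NOW/                        { now = 1 }
        /FUNC/ && ($0 " ") ~ /__[a-z0-9_]+_chk[@ ]/   { chk++ }
        END {
            level = relro ? (now ? "full" : "partial") : "none"
            printf "relro=%s fortified=%d\n", level, chk
        }'
}

# Constructed readelf excerpts (not taken from a real kloak binary).
PARTIAL_SAMPLE='  GNU_RELRO      0x002db0 0x0000000000003db0 0x0000000000003db0 0x000250 0x000250 R   0x1
 0x000000006ffffffb (FLAGS_1)            Flags: PIE
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (4)'
FULL_SAMPLE='  GNU_RELRO      0x002d70 0x0000000000003d70 0x0000000000003d70 0x000290 0x000290 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (5)
     6: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (5)'

# Usage: sh this-script.sh /path/to/binary
if [ "$#" -gt 0 ] && [ -f "$1" ]; then
    readelf -W -l -d --dyn-syms "$1" | elf_hardening
fi
```

`__stack_chk_fail` is the stack protector's symbol, not a fortified function, so it is deliberately not counted.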

sudo journalctl -b -o cat | grep DENIED | grep kloak

AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:99): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:100): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:101): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:102): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:103): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:104): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:105): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:106): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:107): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"

1 Like
1 Like

Still.

Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:25): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:26): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:27): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:28): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:29): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:30): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:31): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:32): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:33): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"

I wonder how kloak and whonixcheck are connected. Any idea how to fix?

1 Like

Add

deny ptrace,

to the kloak profile. Kloak shouldn’t need to ptrace whonixcheck. Dunno why it’s giving errors.

This does not happen directly after boot. Only when manually running whonixcheck from terminal after boot.

kloak already has capability sys_ptrace. Therefore it should be allowed already?

We need to understand why this happens. If it has a strange interaction with whonixcheck it might have a strange interaction with other applications too.

In the worst case this could crash kloak or render it ineffective.

1 Like

This fixed it:

https://github.com/Whonix/kloak/commit/081fa02799e60f8e33e39c858fe13853e01c2b5f

1 Like

No, the capability and apparmor ptrace rules are different.

That should be changed to ptrace readby,. Giving it all ptrace permissions is dangerous. It only needs readby.

1 Like
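
Added example, not part of any post in this thread and not Whonix's or kloak's code: a filter that reduces denial records like the ones quoted earlier to the narrowest ptrace rule that covers them, using only the `denied_mask` and `peer` fields the kernel logged. Scoping the rule with `peer=` goes one step further than the `ptrace readby,` proposed above; the function name and the sample log lines (timestamps, pids, the `/etc/example.conf` record) are constructed.

```sh
#!/bin/sh
# Reads journal/audit text on stdin and prints, per confined profile, the
# narrowest ptrace rule that covers each distinct AppArmor ptrace denial.
# Typical use: sudo journalctl -b -o cat | suggest_ptrace_rules
suggest_ptrace_rules() {
    # Forum software often turns the log's straight quotes into curly ones.
    sed -e 's/“/"/g' -e 's/”/"/g' |
    awk '
        # Return the value of key="value" on the current line ("" if absent).
        function field(name,    re) {
            re = name "=\"[^\"]*\""
            if (!match($0, re)) return ""
            return substr($0, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
        }
        /apparmor="DENIED"/ && field("operation") == "ptrace" {
            # denied_mask is the permission that was missing; peer is the
            # profile label on the other side of the ptrace relationship.
            rule = "ptrace (" field("denied_mask") ") peer=" field("peer") ","
            seen["profile " field("profile") ": " rule] = 1
        }
        END { for (line in seen) print line }' |
    sort
}

# Constructed sample: the same event in both journal formats seen in this
# thread (one with curly quotes), plus an unrelated file denial to be ignored.
SAMPLE_LOG='Jan 01 00:00:00 host kernel: audit: type=1400 audit(1500000000.000:10): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=1234 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 01 00:00:00 host audit[1234]: AVC apparmor=“DENIED” operation=“ptrace” profile=“/usr/sbin/kloak” pid=1234 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer=“/usr/bin/whonixcheck”
Jan 01 00:00:01 host kernel: audit: type=1400 audit(1500000001.000:11): apparmor="DENIED" operation="open" profile="/usr/sbin/kloak" name="/etc/example.conf" pid=1235 comm="kloak" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
```

For the sample input the function prints a single line, `profile /usr/sbin/kloak: ptrace (readby) peer=/usr/bin/whonixcheck,`, because repeated and double-logged records collapse into one rule.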

Using that now.

https://github.com/Whonix/kloak/commit/84fca49dc259c68b9d1caa61f4d7cddb78fb6ba9

1 Like

https://github.com/vmonaco/kloak/pull/26

1 Like
1 Like

Package build on the ARM hardware platform might be fixed in Debian bullseye and above:
arm support · Issue #25 · vmonaco/kloak · GitHub

Might try again on Debian bullseye.


1 Like