I wonder if it would make sense to enable compile time hardening flags for kloak. I don’t know very much about these so I’m not sure.
All already enabled.
This could be reviewed, for example, by using: hardening-check and checksec --file
They don’t seem to be for me on Arch Linux.
hardening-check gives me:
kloak:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: no, not found!
Read-only relocations: yes
Immediate binding: no, not found!
checksec gives me:
RELRO          STACK CANARY  NX          PIE          RPATH     RUNPATH     Symbols      FORTIFY  Fortified  Fortifiable  FILE
Partial RELRO  Canary found  NX enabled  PIE enabled  No RPATH  No RUNPATH  140 Symbols  Yes      0          6            kloak
They are all fully enabled on Whonix though. It may be a difference in Debian and Arch’s default toolchain. It would probably be helpful to hard code the hardening flags in so it doesn’t rely on the OS’s toolchain having them by default.
The default compiler for kloak (GCC) also doesn’t seem to support things like control flow integrity or safestack which those scripts don’t check for either.
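One way to do what this post suggests, as an added example that is not from the thread or from kloak's own build files: pin the flags in the compile command and confirm the result with readelf instead of relying on distribution defaults. The flags are standard GCC and GNU ld options (-Wl,-z,now is what turns "Immediate binding" on and Partial RELRO into full RELRO; fortification needs optimisation enabled); the function names and file arguments are assumptions for the illustration.

```shell
#!/bin/sh
# Added example: hard-code the hardening flags, then verify the ELF output.
# Source and output paths are placeholders, not kloak's real build layout.

HARDEN_CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fPIE"
HARDEN_LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"   # relro + now = full RELRO

# hardened_build SRC OUT: compile one C file with the pinned flags.
hardened_build() {
    # Unquoted on purpose: the flag lists must split into separate words.
    "${CC:-gcc}" $HARDEN_CFLAGS "$1" -o "$2" $HARDEN_LDFLAGS
}

# _yn NAME TEXT REGEX: print NAME=yes if TEXT matches REGEX, else NAME=no.
_yn() {
    if printf '%s\n' "$2" | grep -Eq "$3"; then echo "$1=yes"; else echo "$1=no"; fi
}

# elf_hardening BIN: report the properties hardening-check and checksec list,
# read directly from the ELF headers and symbol tables with readelf.
elf_hardening() {
    hdr=$(readelf -h "$1")
    seg=$(readelf -lW "$1")
    dyn=$(readelf -d "$1")
    sym=$(readelf -sW "$1")
    _yn pie      "$hdr" 'Type:[[:space:]]+DYN'
    _yn relro    "$seg" 'GNU_RELRO'
    _yn bind_now "$dyn" 'BIND_NOW|FLAGS_1.*NOW'
    _yn canary   "$sym" '__stack_chk_fail'
    # Fortified libc calls end in _chk (e.g. __memcpy_chk); the trailing
    # anchor keeps __stack_chk_fail from matching.
    _yn fortify  "$sym" '__[a-z0-9]+_chk(@|[[:space:]]|$)'
}
```

A relro=yes with bind_now=no corresponds to the "Partial RELRO" result shown above.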
sudo journalctl -b -o cat | grep DENIED | grep kloak
AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:99): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:100): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:101): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:102): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:103): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:104): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:105): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:106): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:107): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Still.
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:25): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:26): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:27): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:28): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:29): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:30): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:31): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:32): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:33): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
I wonder how kloak and whonixcheck are connected. Any idea how to fix?
Add
deny ptrace,
to the kloak profile. Kloak shouldn’t need to ptrace whonixcheck. Dunno why it’s giving errors.
This does not happen directly after boot. Only when manually running whonixcheck from a terminal after boot.
kloak has already capability sys_ptrace,
Therefore should be allowed already?
We need to understand why this happens. If it has a strange interaction with whonixcheck it might have a strange interaction with other applications too.
In worst case this could crash kloak or render it ineffective.
No, the capability and apparmor ptrace rules are different.
That should be changed to
ptrace readby,
Giving it all ptrace permissions is dangerous. It only needs readby.
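To see what a profile actually has to allow, the repeated journal records posted above can be collapsed into one line per distinct denial. This is an added example, not part of the thread: the function names are assumptions, and the sample input is made of records copied from the posts above plus one constructed, hypothetical record to show a second rule type.

```shell
#!/bin/sh
# Added example: collapse repeated AppArmor denials into unique entries.

# sample_journal: kernel "audit:" and "AVC" records copied from the thread,
# plus one constructed file-access denial (hypothetical profile and path).
sample_journal() {
cat <<'EOF'
AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:99): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:100): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=3211 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:25): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
AVC apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=4100 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# summarize_denials: read journal lines on stdin and print
# "COUNT profile operation requested_mask comm=... peer=..." per unique denial.
# pid, timestamp and audit serial are ignored so repeats fold together.
summarize_denials() {
    awk '
    /apparmor="DENIED"/ {
        split("", f)                       # reset fields for this record
        s = $0
        while (match(s, /[a-z_]+="[^"]*"/)) {
            kv = substr(s, RSTART, RLENGTH)
            eq = index(kv, "=")
            f[substr(kv, 1, eq - 1)] = substr(kv, eq + 2, length(kv) - eq - 2)
            s = substr(s, RSTART + RLENGTH)
        }
        # profile = the confined side that was denied; for readby, comm is
        # the process doing the reading and peer is the profile it runs under.
        key = f["profile"] " " f["operation"] " " f["requested_mask"] \
              " comm=" f["comm"] " peer=" f["peer"]
        n[key]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}
```

On a live system the input would come from journalctl -b -o cat, as in the command used earlier in the thread.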
Package build on the ARM hardware platform might be fixed in Debian bullseye and above:
arm support · Issue #25 · vmonaco/kloak · GitHub
Might try again on Debian bullseye.