[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Current State of Kloak?

I’m interested in installing the keystroke anonymization tool Kloak in Dom0 of Qubes OS. @Patrick mentioned that the upstream is dead, so how will that affect Whonix and Qubes using it? Will plans to include it be scrapped?

http://phabricator.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/T596

1 Like

https://github.com/vmonaco/kloak/releases/tag/v0.2

Please help testing kloak v0.2, see:

Kloak as a service fails on Qubes-Whonix. It looks for a keyboard at /dev/input/event4, but it needs to use /dev/input/event0.

Change /lib/systemd/system/kloak.service. from “ExecStart=/usr/sbin/kloak” to “ExecStart=/usr/sbin/kloak -r /dev/input/event0 -w /dev/uinput” and it will work.

That won’t work. /dev/input/event0 is not a keyboard device.

ls -la /dev/input/event0
crw-rw---- 1 root input 13, 64 May  6 08:25 /dev/input/event0

ls -la /dev/input/by-path/platform-pcspkr-event-spkr 
lrwxrwxrwx 1 root root 9 May  6 08:25 /dev/input/by-path/platform-pcspkr-event-spkr -> ../event0

That kloak is not working in Qubes and links to Qubes issue tracker is mentioned here:

1 Like
1 Like
2 Likes

In the logs, I’m now getting errors about kloak’s AppArmor. The profile needs these lines

signal receive set=cont peer=unconfined,
signal receive set=exists peer=unconfined,
signal receive set=kill peer=unconfined,
signal receive set=term peer=unconfined,

Although, it’s weird. I think this is because systemd sends those signals to kloak to kill it but then why wouldn’t we need these for other AppArmor profiles?

1 Like

No idea. Reported upstream.

1 Like
2 Likes

I wonder if it would make sense to enable compile time hardening flags for kloak. I don’t know very much about these so I’m not sure.

1 Like

All already enabled.

2 Likes

This could be reviewed for example by using:

hardening-check

and

checksec --file
1 Like

They don’t seem to be for me on Arch Linux.

hardening-check gives me

kloak:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, not found!
 Read-only relocations: yes
 Immediate binding: no, not found!

checksec gives me

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	Symbols		FORTIFY	Fortified	Fortifiable  FILE
Partial RELRO   Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   140 Symbols     Yes	0		6	kloak

They are all fully enabled on Whonix though. It may be a difference in Debian and Arch’s default toolchain. It would probably be helpful to hard code the hardening flags in so it doesn’t rely on the OS’s toolchain having them by default.

The default compiler for kloak (GCC) also doesn’t seem to support things like control flow integrity or safestack which those scripts don’t check for either.

1 Like
sudo journalctl -b -o cat | grep DENIED | grep kloak

AVC apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"
AVC apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"
AVC apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"
AVC apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:99): apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:100): apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:101): apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:102): apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:103): apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"
AVC apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"
AVC apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"
AVC apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"
AVC apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"
AVC apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:104): apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:105): apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:106): apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"
audit: type=1400 audit(1577878831.488:107): apparmor=“DENIED” operation=“ptrace” profile="/usr/sbin/kloak" pid=3211 comm=“fuser” requested_mask=“readby” denied_mask=“readby” peer="/usr/bin/whonixcheck"

1 Like
1 Like

Still.

Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:25): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:26): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:27): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:28): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:29): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:30): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:31): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:32): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host kernel: audit: type=1400 audit(1578935540.625:33): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"
Jan 13 17:12:20 host audit[4001]: AVC apparmor="DENIED" operation="ptrace" profile="/usr/sbin/kloak" pid=4001 comm="fuser" requested_mask="readby" denied_mask="readby" peer="/usr/bin/whonixcheck"

I wonder how kloak and whonixcheck are connected. Any idea how to fix?

1 Like

Add

deny ptrace,

to the kloak profile. Kloak shouldn’t need to ptrace whonixcheck. Dunno why it’s giving errors.

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]