
Full System AppArmor Policy - Testers Wanted!

apparmor-profile-everything is an experimental AppArmor policy which confines all user space processes on the system. It is still currently in development and requires testing.

Install it by executing:

sudo apt-get install apparmor-profile-everything

Then reboot.

apparmor-profile-everything supports different boot modes: aadebug and superroot. aadebug allows certain permissions necessary for advanced debugging and superroot relaxes the policy substantially, even making bypasses possible. It is highly recommended to stick to the default boot mode.

It also contains a wrapper to restrict apt as apt requires permissions that may be abused to circumvent the policy. When updating or installing applications, you must use the rapt command.

Please report any issues you face while using this so they can be resolved.

See also:

1 Like

Quick question. Is this intended to be installable in KickSecure as well? Because it doesn’t seem to work for me.

Just checking before I post more debugging info, etc.

Yes, please post any errors you get.

1 Like

Is it normal that after installing apparmor-profile-everything whonix will only boot in live mode?

No. But more likely it is not actually live mode; just the live mode indicator in the systray is broken.

Do live mode functionality test:

https://www.whonix.org/wiki/VM_Live_Mode#Functionality_Test

Please run the following command and post the output here.

bash -x /usr/share/livecheck/livecheck.sh

Can the following command be run? @madaidan

sudo --non-interactive /bin/lsblk --noheadings --all --raw --output RO

(This is what /usr/share/livecheck/livecheck.sh does.)


https://github.com/Whonix/whonix-xfce-desktop-config/blob/master/usr/share/livecheck/livecheck.sh

1 Like
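The detection rule behind the lsblk command above (live mode only if every block device reports read-only) as a small shell script. This is an added example, not the Whonix livecheck.sh script itself; the function names and the sample lsblk output are constructed for illustration.

```bash
#!/bin/sh
# Added example, not the Whonix livecheck script itself. It applies the rule
# described in the thread: live mode only if every block device is read-only.
# lsblk prints the RO flag (0 or 1) for each device, one per line, when run as
#   sudo --non-interactive /bin/lsblk --noheadings --all --raw --output RO

# Reads RO flags from stdin.
# Exit status: 0 = live mode (all devices read-only)
#              1 = not live mode (at least one read-write device)
#              2 = undetermined (no output, or a line that is not 0/1),
#                  which is what an AppArmor denial of lsblk reading
#                  /sys/block/ produces: no devices are listed at all.
live_mode_from_ro() {
    saw_device=0
    while IFS= read -r ro; do
        case "$ro" in
            1) saw_device=1 ;;
            0) return 1 ;;
            *) return 2 ;;
        esac
    done
    [ "$saw_device" -eq 1 ] || return 2
    return 0
}

# The real check (needs root to see every device). Kept in a function so
# that nothing privileged runs when this file is merely sourced.
check_live_mode() {
    sudo --non-interactive /bin/lsblk --noheadings --all --raw --output RO \
        | live_mode_from_ro
}

# Human-readable wrapper around the exit status.
describe_live_mode() {
    rc=0
    live_mode_from_ro || rc=$?
    case "$rc" in
        0) echo "live mode" ;;
        1) echo "persistent mode" ;;
        *) echo "undetermined (is lsblk being denied by AppArmor?)" ;;
    esac
}

# Demo on constructed lsblk output (not captured from a real VM).
printf '1\n1\n1\n' | describe_live_mode     # live mode
printf '1\n0\n1\n' | describe_live_mode     # persistent mode
printf ''          | describe_live_mode     # undetermined
```

The third case is the one relevant to this thread: when the confining profile denies lsblk read access to /sys/block/, lsblk lists nothing, and a naive "all lines are 1" test would wrongly report live mode. Treating empty output as undetermined rather than as live is what keeps the indicator honest.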

You are right, it’s just the indicator.
I can’t use a pastebin link to post the output.

Both kloak and vboxadd-service units fail after installing apparmor-profile-everything.
Is it enough to post only journalctl log?
I am sorry for the noob question but I know nothing.

Upgraded your account just now. You can add links now.

See also (written just now):
https://www.whonix.org/wiki/Forum_Best_Practices#Pasting_Logs_for_Support

Probably not. Perhaps:

then in another terminal tab or window, restart these services.

sudo systemctl restart kloak

sudo systemctl restart vboxadd-service

While doing that, the relevant issue might show up in the systemd journal log.

Also please paste logs for specific daemons.

sudo journalctl -b --no-pager -u kloak

sudo journalctl -b --no-pager -u vboxadd-service

Kloak

Vboxadd-service

Apt-daily

Apt-daily-upgrade

And this is sudo journalctl -b -f output


(there are strange links here, is it ok?)
2 Likes

That helps a lot.

Extracted from the last log.

Nov 14 16:24:58 host audit[14305]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/block/" pid=14305 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Nov 14 16:25:09 host audit[1]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/PNP0C0A:00/power_supply/BAT0/" pid=1 comm="systemd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Nov 14 16:25:09 host audit[14337]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/var/lib/apt/daily_lock" pid=14337 comm="apt.systemd.dai" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0

Nov 14 16:25:21 host audit[1]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/PNP0C0A:00/power_supply/BAT0/" pid=1 comm="systemd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Nov 14 16:25:21 host audit[14347]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/var/lib/apt/daily_lock" pid=14347 comm="apt.systemd.dai" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0

Nov 14 16:25:32 host audit[14353]: AVC apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="init-systemd" name="/usr/sbin/kloak" pid=14353 comm="(kloak)" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/kloak"

Nov 14 16:25:46 host audit[14482]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/proc/modules" pid=14482 comm="lsmod" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Let’s wait for @madaidan to fix these.

1 Like

No, this requires read access to the hard drive which is explicitly denied: https://github.com/Whonix/apparmor-profile-everything/blob/master/etc/apparmor.d/abstractions/dangerous-files#L104

We could slightly relax the restrictions to allow reading /sys/devices/pci**/block/{s,v}da/dev however, this could potentially allow an attacker to bypass some restrictions and read sensitive files e.g. System.map which can aid further exploitation. Is there another way to implement this check?

Seems to be the same issue as we had with sdwdate, haveged and onion-grater. Might need to subtract some systemd hardening.

This is only allowed in aadebug mode: https://github.com/Whonix/apparmor-profile-everything/blob/master/etc/apparmor.d/abstractions/aadebug#L5

1 Like

Not that I know. The live mode check needs some way to know if the kernel thinks there are any devices mounted as read-write.

(It only detects live mode if all devices are mounted read-only.)

Happy for suggestions for alternatives.

Currently using this:

sudo --non-interactive /bin/lsblk --noheadings --all --raw --output RO

Would it help if instead that was /path/to/some/wrapper and sudo --non-interactive /path/to/some/wrapper? Happy to implement that too. Even such a wrapper being allowed to run wouldn’t be good enough?

(That wrapper would then run /bin/lsblk --noheadings --all --raw --output RO.)

1 Like

We could just create a profile directly for /bin/lsblk since it doesn’t appear to include any functionality that is especially dangerous (if it does, we can create a rapt-like wrapper). This would also allow using lsblk for other purposes.

1 Like

Should be fixed with this

1 Like

This is conflicting with https://github.com/Whonix/apparmor-profile-everything/blob/master/etc/apparmor.d/abstractions/dangerous-files#L25

Will need to also create a profile for /usr/lib/apt/apt.systemd.daily.

1 Like

Should now be fixed by

1 Like

Sounds great!
I doubt lsblk has dangerous functionality. Since its name begins with ls, it’s only an informational tool, not a manipulation tool.

1 Like

All merged and now available in testers repository.

1 Like