Full System AppArmor Policy - Testers Wanted!

News
21

Yes madiadan, here is the log for journalctl with apparmor-profile-everything enabled and grub settings apparmor set to 1. Using your custom kernel with kprobes enabled for LKRG.

https://pastebin.com/DCjSXDCp

There is another issue prior to booting in which async io failed to start, used sync io instead. This is when I enter my passphrase for the encrypted LUKS.

I appreciate all your support!
sudobash

2 Likes
22

Extracted errors:

audit[1164]: AVC apparmor="DENIED" operation="exec" profile="networking-aae" name="/etc/wpa_supplicant/ifupdown.sh" pid=1164 comm="run-parts" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit[1165]: AVC apparmor="DENIED" operation="open" profile="rsyslogd" name="/etc/resolv.conf" pid=1165 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1165]: AVC apparmor="DENIED" operation="open" profile="rsyslogd" name="/etc/hosts" pid=1165 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1258]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/devices/virtual/dmi/id/product_uuid" pid=1258 comm="systemd-hostnam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1258]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/devices/virtual/dmi/id/chassis_type" pid=1258 comm="systemd-hostnam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1258]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/firmware/acpi/pm_profile" pid=1258 comm="systemd-hostnam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1279]: AVC apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:02.0/0000:03:00.0/drm/" pid=1279 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1279]: AVC apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:02.0/0000:03:00.0/" pid=1279 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1279]: AVC apparmor="DENIED" operation="capable" profile="Xorg" pid=1279 comm="Xorg" capability=23  capname="sys_nice"
audit[1279]: AVC apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:02.0/0000:03:00.1/sound/card1/id" pid=1279 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1279]: AVC apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:1b.0/sound/card0/id" pid=1279 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1178]: AVC apparmor="DENIED" operation="file_receive" profile="dbus-daemon" name="/run/systemd/inhibit/2.ref" pid=1178 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=104 ouid=0
audit[1279]: AVC apparmor="DENIED" operation="signal" profile="Xorg" pid=1279 comm="Xorg" requested_mask="send" denied_mask="send" signal=usr1 peer="unconfined"
audit[1475]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/dev/tty1" pid=1475 comm="systemd-logind" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=1000

Please edit the specified files in /etc/apparmor.d/ and enter the required rules as follows. Make sure to enter the rules within the profile section, below the line “{” but above the “}”.

sbin.networking-aae:

/etc/wpa_supplicant/ifupdown.sh mrix,

usr.sbin.rsyslogd:

/etc/resolv.conf r,
/etc/hosts r,

abstractions/init-systemd:

/sys/devices/virtual/dmi/id/{product_uuid,chassis_type} r,
/sys/firmware/acpi/pm_profile r,
/dev/tty[0-9]* rw,

usr.lib.xorg.Xorg:

/sys/devices/pci[0-9]**/{,drm/} r,
/sys/devices/pci[0-9]**/sound/card[0-9]*/id r,
capability sys_nice,
signal send set=usr1 peer=unconfined,

Report back if this fixes anything. If not, send the logs in again.

@Patrick:

We need a good way of formatting the logs so it’s easier for us to parse. I’ve been experimenting with:

journalctl | grep "DENIED" | awk '{sub(/([^ ]+ +){4}/,"")}1' | grep -v "kernel: audit: type=" | sed -e 's/audit\[.*\]: //g' | sed -e 's/pid=.* comm/comm/g' | awk '!x[$0]++'

It seems to work well.

  • Removes the date and time.
  • Excludes the kernel: lines which are just duplicates of audit’s.
  • Removes the audit: and pid= parts since they are never really needed.
  • Removes duplicates.

We should also implement abstractions for certain weird files. E.g. /dev/tty* and those pci directories in /sys:

@{sysfs_pci}=/sys/devices/pci[0-9][0-9][0-9][0-9]:[0-9][0-9]/[0-9][0-9][0-9][0-9]:[0-9][0-9]:*.*/{,[0-9][0-9][0-9][0-9]:[0-9][0-9]:*.*/}
@{dev_tty}=/dev/tty[0-9]{,[0-9])
2 Likes
23

Would be good addition for package helper-scripts. Much better to tell users to run that command than logs with tons of duplicates. /usr/sbin/apparmor-info? Tool could later add further output. Anything needed for analysis.

Perhaps even an /etc/sudoers.d exception so users could run this from user user to ease gathering logs? That is, if this is safe. Maybe not? Could an application exfiltrate information using this? Inter process communication of confined compromised applications?

Maybe this helps with wrapper development. Systemd journal, since current boot only (better drop -b and eat duplicates later?), kernel messages only, output format without timestamps.

sudo journalctl -b -k --output cat | grep DENIED

or

sudo dmesg | grep DENIED

I guess journalctl output is an easier to parse starting point.

EDIT

Even better:

sudo journalctl _TRANSPORT=audit --output cat

Wrapper could be

sudo journalctl _TRANSPORT=audit --output cat "$@" | grep DENIED [...]

The "$@" to allow adding extra journalctl parameters such as -b.

2 Likes
26

Thank you for the support! I was able to boot into XFCE via LightDM no problem. However, sdwdate/gui is broken. The notification icon keeps looping and when trying to access the terminal log, it’s blank. sdwdate being broken disables Tor Browser due to time not syncing.

System Monitor upon opening the app Resources works fine, however, Processes and File Systems tab are disabled. Perhaps due to hardened kernel as well as AppArmor?

Here are the current denieds in AppArmor:

sudo journalctl | grep “DENIED” | awk ‘{sub(/([^ ]+ +){4}/,"")}1’ | grep -v “kernel: audit: type=” | sed -e ‘s/audit[.]: //g’ | sed -e 's/pid=. comm/comm/g’ | awk ‘!x[$0]++’
[sudo] password for user:
Dec 18 15:15:46 os AVC apparmor=“DENIED” operation=“open” profile=“networking-aae” name="/etc/wpa_supplicant/functions.sh" comm=“wpasupplicant” requested_mask=“r” denied_mask=“r” fsuid=0 ouid=0
Dec 18 15:13:39 os AVC apparmor=“DENIED” operation=“open” profile=“Xorg” name="/dev/dri/renderD128" comm=“Xorg” requested_mask=“wr” denied_mask=“wr” fsuid=0 ouid=0
Dec 18 15:13:40 os AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/usr/share/defaults/at-spi2/accessibility.conf" comm=“dbus-daemon” requested_mask=“r” denied_mask=“r” fsuid=108 ouid=0
Dec 18 15:13:47 os AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/usr/share/desktop-base/profiles/xdg-config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml" comm=“xfconfd” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Dec 18 15:13:47 os AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/usr/share/defaults/at-spi2/accessibility.conf" comm=“dbus-daemon” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Dec 18 15:13:47 os AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/usr/share/desktop-base/profiles/xdg-config/xfce4/xfconf/xfce-perchannel-xml/xfce4-desktop.xml" comm=“xfconfd” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Dec 18 15:13:48 os AVC apparmor=“DENIED” operation=“open” profile=“Xorg” name="/dev/dri/renderD128" comm=“Xorg” requested_mask=“wr” denied_mask=“wr” fsuid=0 ouid=0
Dec 18 15:13:53 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/at-spi2-core/at-spi-bus-launcher" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=109 ouid=0
Dec 18 15:14:22 os AVC apparmor=“DENIED” operation=“open” profile=“Xorg” name="/dev/dri/renderD128" comm=“Xorg” requested_mask=“wr” denied_mask=“wr” fsuid=0 ouid=0
Dec 18 15:14:57 os AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/usr/share/defaults/at-spi2/accessibility.conf" comm=“dbus-daemon” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Dec 18 15:14:58 os AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/usr/share/defaults/at-spi2/accessibility.conf" comm=“dbus-daemon” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Dec 18 15:19:43 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/at-spi2-core/at-spi-bus-launcher" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=109 ouid=0
Dec 18 15:20:40 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/at-spi2-core/at-spi-bus-launcher" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=109 ouid=0
Dec 18 15:21:51 os AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/usr/share/defaults/at-spi2/accessibility.conf" comm=“dbus-daemon” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Dec 18 15:21:51 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:21:52 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:21:54 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:21:56 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:21:58 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:22:00 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:47:52 os AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/usr/share/defaults/at-spi2/accessibility.conf" comm=“dbus-daemon” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Dec 18 15:48:36 os AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/usr/share/defaults/at-spi2/accessibility.conf" comm=“dbus-daemon” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Dec 18 15:48:36 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:48:43 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/bin/gnome-keyring-daemon" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:49:00 os AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/usr/share/defaults/at-spi2/accessibility.conf" comm=“dbus-daemon” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Dec 18 15:49:21 os AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/usr/share/defaults/at-spi2/accessibility.conf" comm=“dbus-daemon” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Dec 18 15:49:22 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:49:23 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:49:24 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:49:28 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:49:35 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:49:36 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:49:37 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:49:38 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:49:42 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:52:47 os AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/usr/share/defaults/at-spi2/accessibility.conf" comm=“dbus-daemon” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Dec 18 15:52:52 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:52:53 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:52:54 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:53:03 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/dconf/dconf-service" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:54:03 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
Dec 18 15:55:36 os AVC apparmor=“DENIED” operation=“open” profile=“Xorg” name="/dev/dri/renderD128" comm=“Xorg” requested_mask=“wr” denied_mask=“wr” fsuid=0 ouid=0
Dec 18 15:55:38 os AVC apparmor=“DENIED” operation=“open” profile="/**/*-browser/Browser/firefox" name="/proc/5285/cgroup" comm=“firefox.real” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Dec 18 15:56:30 os AVC apparmor=“DENIED” operation=“open” profile=“Xorg” name="/dev/dri/renderD128" comm=“Xorg” requested_mask=“wr” denied_mask=“wr” fsuid=0 ouid=0
Dec 18 15:56:34 os AVC apparmor=“DENIED” operation=“open” profile=“Xorg” name="/dev/dri/renderD128" comm=“Xorg” requested_mask=“wr” denied_mask=“wr” fsuid=0 ouid=0
Dec 18 16:06:11 os AVC apparmor=“DENIED” operation=“open” profile=“Xorg” name="/dev/dri/renderD128" comm=“Xorg” requested_mask=“wr” denied_mask=“wr” fsuid=0 ouid=0
Dec 18 16:07:01 os AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/at-spi2-core/at-spi-bus-launcher" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x” fsuid=109 ouid=0
Dec 18 16:08:01 os AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/usr/share/defaults/at-spi2/accessibility.conf" comm=“dbus-daemon” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Dec 18 16:08:02 os AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/usr/share/defaults/at-spi2/accessibility.conf" comm=“dbus-daemon” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0

Should I enable all of these?

Thank you,
sudobash

2 Likes
27

I think it should be restricted to root to be safe.

Add the following rules and see if it fixes anything:

sbin.networking-aae:

/etc/wpa_supplicant/*.sh mrix,

usr.lib.xorg.Xorg:

/dev/dri/renderD[0-9]* rw,

usr.bin.dbus-daemon:

/usr/share/defaults/at-spi2/accessibility.conf r,
/usr/share/desktop-base/profiles/xdg-config/xfce4/xfconf/xfce-perchannel-xml/*.xml{,.new} r,
/usr/lib/at-spi2-core/at-spi-bus-launcher mrix,
/usr/lib/dconf/dconf-service mrix,
/usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd mrix,
/usr/bin/gnome-keyring-daemon mrix,
2 Likes
28
2 Likes
29

Merged. This will be very handy. Added few minor commits on top.
Removed sudo from script. I am not sure we should have any interactive sudo uses hardcoded in any scripts. Reasons:

  • major: shouldn’t train users to enter their sudo password at random applications. Using sudo should be a conscious action.
  • medium: not introducing an unnecessary dependency. sudo is not required for users already logged in as root / using capablities. Perhaps one day we can go SUID free, which includes sudo free.
  • minor: sudo removed environment variables (for whatever use case that would be good here)
2 Likes
30

Man page.

NAME
apparmor-info - Shows AppArmor DENIED Log Messages

SYNOPSIS
apparmor-info

DESCRIPTION
Shows AppArmor DENIED log messages.

If there are no DENIED log messages, outputs nothing.

RETURN VALUES
○ 0 No DENIED messages found, OK.

○ 1 DENIED messages found.

EXAMPLE
sudo apparmor-info ; echo $?

0

No output from apparmor-info with exit code 0. Meaning, no DENIED messages found, OK.

2 Likes
31

We are getting closer to a working OS, however sdwdate is broken still on boot. The sdwdate-gui is looping. When you go to status in the gui it displays - Time fetching in progress. When you try to stop or restart sdwdate-gui, it does not work and when you open the log, a terminal shows up but is blank.

sudo apt dist-upgrade && sudo apt update && sudo apt upgrade
Reading package lists… Done
Building dependency tree
Reading state information… Done
Calculating upgrade… Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Hit:1 tor+https://deb.debian.org/debian-security buster/updates InRelease
Hit:2 tor+https://deb.debian.org/debian buster-updates InRelease
Hit:3 tor+http://sgvtcaew4bxjd7ln.onion buster/updates InRelease
Hit:4 tor+http://vwakviie2ienjx6t.onion/debian buster-updates InRelease
Hit:5 tor+https://deb.debian.org/debian buster InRelease
Hit:6 tor+https://deb.Whonix.org buster InRelease
Hit:7 tor+http://vwakviie2ienjx6t.onion/debian buster InRelease
Reading package lists… Done
E: Release file for tor+https://deb.debian.org/debian/dists/buster-updates/InRelease is not valid yet (invalid for another 4h 26min 21s). Updates for this repository will not be applied.
E: Release file for tor+http://vwakviie2ienjx6t.onion/debian/dists/buster-updates/InRelease is not valid yet (invalid for another 4h 26min 20s). Updates for this repository will not be applied.

However, when I run sudo sdwdate

2020-12-20 03:38:08 - sdwdate - INFO - sdwdate started. PID: 2955
2020-12-20 03:38:08 - sdwdate - INFO - create temp_dir: /tmp/tmp.ZnnDVEdjIk
2020-12-20 03:38:08 - sdwdate - INFO - Tor socks host: 127.0.0.1 Tor socks port: 9050
2020-12-20 03:38:08 - sdwdate - INFO - Running sdwdate main loop. iteration: 1 / 10000
2020-12-20 03:38:09 - sdwdate - INFO - Prerequisite check: The clock is sane.
Within build timestamp Sat 12 Dec 2020 05:44:06 AM UTC and expiration timestamp Tue 17 May 2033 10:00:00 AM UTC.
2020-12-20 03:38:09 - sdwdate - INFO - Prerequisite check: The clock might be too slow. Clock is slower than consensus/valid-after 2020-12-20 10:00:00.

Possible causes:

  • The host clock is wrong → shut down the VM, fix the clock in the host and restart the VM.

  • The VM clock is wrong → manually fix the clock. Restart Tor if necessary. Then restart sdwdate.

  • A host clock attack succeeded.

  • A hardware issue (for example bios clock issues).

Tor fully bootstrapped.
2020-12-20 03:38:09 - sdwdate - INFO - Start fetching remote times.
2020-12-20 03:38:09 - sdwdate - INFO - Initial time fetching in progress…
2020-12-20 03:38:09 - sdwdate - INFO - Running sdwdate fetch loop. iteration: 1
2020-12-20 03:38:09 - sdwdate - INFO - Requested urls [‘mprt35sjunnxfa76.onion’, ‘o2jdk5mdsijm2b7l.onion’, ‘privacyintyqcroe.onion’]
2020-12-20 03:38:59 - sdwdate - INFO - Returned urls “[‘mprt35sjunnxfa76.onion’, ‘o2jdk5mdsijm2b7l.onion’, ‘privacyintyqcroe.onion’]”
2020-12-20 03:38:59 - sdwdate - INFO - remote 0: mprt35sjunnxfa76.onion
2020-12-20 03:38:59 - sdwdate - INFO - * comment: https://informant.taz.de https://web.archive.org/web/20170329061908/https://informant.taz.de
2020-12-20 03:38:59 - sdwdate - INFO - * remote_unixtime: 1608460283
2020-12-20 03:38:59 - sdwdate - INFO - * consensus/valid-after: 2020-12-20 10:00:00
2020-12-20 03:38:59 - sdwdate - INFO - * remote_time : 2020-12-20 10:31:23
2020-12-20 03:38:59 - sdwdate - INFO - * consensus/valid-until: 2020-12-20 13:00:00
2020-12-20 03:38:59 - sdwdate - INFO - * time_diff: 24744 second(s)
2020-12-20 03:38:59 - sdwdate - INFO - * timesanitycheck: sane
2020-12-20 03:38:59 - sdwdate - INFO - * time_consensus_sanity_check: sane
2020-12-20 03:38:59 - sdwdate - INFO - * remote_status: True
2020-12-20 03:38:59 - sdwdate - INFO - remote 1: o2jdk5mdsijm2b7l.onion
2020-12-20 03:38:59 - sdwdate - INFO - * comment: https://search.gibberfish.orghttps://gibberfish.org/community-resources/ Community Resources - Gibberfish, Inc
2020-12-20 03:38:59 - sdwdate - INFO - * status: False
2020-12-20 03:38:59 - sdwdate - INFO - * value: Timeout
2020-12-20 03:38:59 - sdwdate - INFO - remote 2: privacyintyqcroe.onion
2020-12-20 03:38:59 - sdwdate - INFO - * comment: https://www.privacyinternational.org https://twitter.com/privacyint/status/762656779272593408 https://web.archive.org/web/20170421233214/https:/twitter.com/privacyint/status/762656779272593408
2020-12-20 03:38:59 - sdwdate - INFO - * remote_unixtime: 1608460282
2020-12-20 03:38:59 - sdwdate - INFO - * consensus/valid-after: 2020-12-20 10:00:00
2020-12-20 03:38:59 - sdwdate - INFO - * remote_time : 2020-12-20 10:31:22
2020-12-20 03:38:59 - sdwdate - INFO - * consensus/valid-until: 2020-12-20 13:00:00
2020-12-20 03:38:59 - sdwdate - INFO - * time_diff: 24743 second(s)
2020-12-20 03:38:59 - sdwdate - INFO - * timesanitycheck: sane
2020-12-20 03:38:59 - sdwdate - INFO - * time_consensus_sanity_check: sane
2020-12-20 03:38:59 - sdwdate - INFO - * remote_status: True
2020-12-20 03:38:59 - sdwdate - INFO - Pool 1: mprt35sjunnxfa76.onion, web unixtime: 1608460283, web time: Sun Dec 20 10:31:23 UTC 2020, diff: 24744 seconds
2020-12-20 03:38:59 - sdwdate - INFO - Pool 3: privacyintyqcroe.onion, web unixtime: 1608460282, web time: Sun Dec 20 10:31:22 UTC 2020, diff: 24743 seconds
2020-12-20 03:38:59 - sdwdate - INFO - Running sdwdate fetch loop. iteration: 2
2020-12-20 03:38:59 - sdwdate - INFO - Requested urls [‘nxhhwbbxc4khvvlw.onion’]
2020-12-20 03:39:03 - sdwdate - INFO - Returned urls “[‘nxhhwbbxc4khvvlw.onion’]”
2020-12-20 03:39:03 - sdwdate - INFO - remote 0: nxhhwbbxc4khvvlw.onion
2020-12-20 03:39:03 - sdwdate - INFO - * comment: https://searx.gotrust.de https://web.archive.org/web/20170519171857/https://github.com/asciimoo/searx/wiki/Searx-instances
2020-12-20 03:39:03 - sdwdate - INFO - * remote_unixtime: 1608460920
2020-12-20 03:39:03 - sdwdate - INFO - * consensus/valid-after: 2020-12-20 10:00:00
2020-12-20 03:39:03 - sdwdate - INFO - * remote_time : 2020-12-20 10:42:00
2020-12-20 03:39:03 - sdwdate - INFO - * consensus/valid-until: 2020-12-20 13:00:00
2020-12-20 03:39:03 - sdwdate - INFO - * time_diff: 25377 second(s)
2020-12-20 03:39:03 - sdwdate - INFO - * timesanitycheck: sane
2020-12-20 03:39:03 - sdwdate - INFO - * time_consensus_sanity_check: sane
2020-12-20 03:39:03 - sdwdate - INFO - * remote_status: True
2020-12-20 03:39:03 - sdwdate - INFO - Pool 2: nxhhwbbxc4khvvlw.onion, web unixtime: 1608460920, web time: Sun Dec 20 10:42:00 UTC 2020, diff: 25377 seconds
2020-12-20 03:39:03 - sdwdate - INFO - End fetching remote times.
2020-12-20 03:39:03 - sdwdate - INFO - Pool differences, sorted: [24743, 24744, 25377]
2020-12-20 03:39:03 - sdwdate - INFO - Median time difference: +24744.000000000
2020-12-20 03:39:03 - sdwdate - INFO - randomize : +0.052989251
2020-12-20 03:39:03 - sdwdate - INFO - New time difference : +24744.052989251
2020-12-20 03:39:03 - sdwdate - INFO - Old unixttime: 1608435543.369919062
2020-12-20 03:39:03 - sdwdate - INFO - New unixtime : 1608460287.422908306
2020-12-20 03:39:03 - sdwdate - INFO - Instantly setting the time by using command: /bin/date --set “@1608460287.422908306
2020-12-20 10:31:27 - sdwdate - INFO - /bin/date output: Sun 20 Dec 2020 10:31:27 AM UTC

2020-12-20 10:31:27 - sdwdate - INFO - Success. Sleeping for 66.08333333333333 minutes.
2020-12-20 10:31:27 - sdwdate - INFO - Running command: sleep 3965.178781784
^Z
[1]+ Stopped sudo sdwdate

The icon for the sdwdate-gui does display the working icon but then loops between the X and inactive icon and keeps looping.

TOR Browser works and I’m able to update:

sudo apt dist-upgrade && sudo apt update && sudo apt upgrade
[sudo] password for user:
Reading package lists… Done
Building dependency tree
Reading state information… Done
Calculating upgrade… Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Hit:1 tor+https://deb.debian.org/debian-security buster/updates InRelease
Hit:2 tor+https://deb.debian.org/debian buster-updates InRelease
Hit:3 tor+http://vwakviie2ienjx6t.onion/debian buster-updates InRelease
Hit:4 tor+https://deb.debian.org/debian buster InRelease
Hit:5 tor+https://deb.Whonix.org buster InRelease
Hit:6 tor+http://sgvtcaew4bxjd7ln.onion buster/updates InRelease
Hit:7 tor+http://vwakviie2ienjx6t.onion/debian buster InRelease
Reading package lists… Done
Building dependency tree
Reading state information… Done
All packages are up to date.
Reading package lists… Done
Building dependency tree
Reading state information… Done
Calculating upgrade… Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

But for some reason, I cannot acquire the merged packages such as apparmor-info and hardened-kernel.

I run sudo apt reinstall helper-scripts and sudo apparmor-info
sudo: apparmor-info: command not found

I switched to the older kernel for these test - uname -r
4.19.0-13-amd64 so that it wouldn’t be a hardened kernel issue

I also tested sudo sdwdate-gui
[sudo] password for user:
access control disabled, clients can connect from any host
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to ‘/tmp/runtime-sdwdate-gui’
tor_status_changed unexpected error: <class ‘NameError’>
^Z
[2]+ Stopped sudo sdwdate-gui

And lastly, I ran this just now:

sudo journalctl _TRANSPORT=audit --output cat “${@}” | grep “DENIED” | sed -e ‘s/pid=.* comm/comm/g’ | sed -e 's/ fsuid.//g’ | awk ‘!x[$0]++’
AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name=“/usr/lib/at-spi2-core/at-spi2-registryd” comm=“dbus-daemon” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“apt.systemd.daily” name=“/usr/bin/dirname” comm=“savelog” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“apt.systemd.daily” name=“/usr/bin/rm” comm=“savelog” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“apt.systemd.daily” name=“/usr/bin/mv” comm=“savelog” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“apt.systemd.daily” name=“/usr/bin/gzip” comm=“savelog” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“apt.systemd.daily” name=“/usr/bin/apt-get” comm=“apt.systemd.dai” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“open” profile="/**/-browser/Browser/firefox" name=“/proc/5064/cgroup” comm=“firefox.real” requested_mask=“r” denied_mask=“r”

System Monitor does briefly show the 2 tabs that were not showing up but then disables access to it. I ran it just now and did another journalctl:

sudo journalctl _TRANSPORT=audit --output cat “${@}” | grep “DENIED” | sed -e ‘s/pid=.* comm/comm/g’ | sed -e 's/ fsuid.//g’ | awk ‘!x[$0]++’
AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name=“/usr/lib/at-spi2-core/at-spi2-registryd” comm=“dbus-daemon” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“apt.systemd.daily” name=“/usr/bin/dirname” comm=“savelog” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“apt.systemd.daily” name=“/usr/bin/rm” comm=“savelog” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“apt.systemd.daily” name=“/usr/bin/mv” comm=“savelog” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“apt.systemd.daily” name=“/usr/bin/gzip” comm=“savelog” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“apt.systemd.daily” name=“/usr/bin/apt-get” comm=“apt.systemd.dai” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“open” profile="/**/-browser/Browser/firefox" name=“/proc/5064/cgroup” comm=“firefox.real” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name=“/proc/cmdline” comm=“dconf-service” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.N4ZIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.VVZIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.77ZIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.U9ZIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.R9XIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.7LYIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.U2YIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.MJZIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.JBEDV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.WVEDV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.S7SHV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.SPTHV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.BDNFV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.0OKFV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.HIOOV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.G0OOV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.I14EV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.6T4EV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.G1PPV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.NCQPV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.GT5GV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.7A6GV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.B5KXV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.QUKXV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.090UV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.TR1UV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.S7JQV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.UOKQV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.1ADKV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.0RDKV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.5UIIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.1CJIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.6EVDV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.3WVDV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.VAEWV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.FXEWV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.DKQRV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.S9PRV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.BUPPV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.5BQPV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.FF8JV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.Z47JV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.84OEV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.YMPEV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.HLCYV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.1Y9XV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.7ETSV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.5QQSV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.9DWQV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.0VWQV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.H8VLV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.UQWLV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.W4VJV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.7TVJV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.S1VEV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.ZQVEV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.OH4WV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.KA4WV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.AA1MV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.KT1MV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.UF2QV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.VSZQV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.R1ZQV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.OI0QV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”

I also noticed this in boot log:

Warning from stdin (line 1): config file ‘/etc/apparmor/parser.conf’ not found
Warning from stdin (line 1): config file ‘/etc/apparmor/parser.conf’ not found
Warning from stdin (line 1): config file ‘/etc/apparmor/parser.conf’ not found
Warning from stdin (line 1): config file ‘/etc/apparmor/parser.conf’ not found

Failed to start Load AppArmor profiles.
See ‘systemctl status apparmor.service’ for details.

When checking out systemctl status apparmor.service within the OS, the result is:

● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Drop-In: /usr/lib/systemd/system/apparmor.service.d
└─30_live_mode.conf
Active: failed (Result: exit-code) since Sun 2020-12-20 05:57:21 UTC; 7h ago
Docs: man:apparmor(7)
Home · Wiki · AppArmor / apparmor · GitLab
Process: 783 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
Main PID: 783 (code=exited, status=1/FAILURE)

Dec 20 05:57:20 os systemd[1]: Starting Load AppArmor profiles…
Dec 20 05:57:20 os apparmor.systemd[783]: Restarting AppArmor
Dec 20 05:57:20 os apparmor.systemd[783]: Reloading AppArmor profiles
Dec 20 05:57:20 os apparmor.systemd[783]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/abstractions/init-systemd at line 252: Found unexpected character: ‘2’
Dec 20 05:57:20 os apparmor.systemd[783]: AppArmor parser error for /etc/apparmor.d/init-systemd in /etc/apparmor.d/abstractions/init-systemd at line 252: Found unexpected character: ‘2’
Dec 20 05:57:21 os apparmor.systemd[783]: Error: At least one profile failed to load
Dec 20 05:57:21 os systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Dec 20 05:57:21 os systemd[1]: apparmor.service: Failed with result ‘exit-code’.
Dec 20 05:57:21 os systemd[1]: Failed to start Load AppArmor profiles.
~

Thanks,
sudobash

1 Like
32

They haven’t been uploaded to the repositories yet. Download https://raw.githubusercontent.com/Whonix/helper-scripts/master/usr/sbin/apparmor-info and then execute it.

Edit the policies as follows:

usr.bin.dbus-daemon:

/usr/lib/at-spi2-core/at-spi2-registryd mrix,
/proc/cmdline r,
/home/user/.config/dconf/user.* rw,

apt.systemd.daily:

/{,usr/}bin/dirname mrix,
/{,usr/}bin/rm mrix,
/{,usr/}bin/mv mrix,
/{,usr/}bin/gzip mrix,
/{,usr/}bin/apt-get mrix,
1 Like
33

I applied the edits stated above and sdwdate is still broken with the loop issue within sdwdate-gui. Also, System Monitor seems to have the same bug with the tabs not working.

Here is my AppArmor Info:

sudo bash ‘/home/user/Downloads/apparmor-info.bash’
AVC apparmor=“DENIED” operation=“rename_dest” profile=“dbus-daemon” name="/home/user/.config/dconf/user" comm=“dconf-service” requested_mask=“wc” denied_mask=“wc”
AVC apparmor=“DENIED” operation=“open” profile=“apt.systemd.daily” name="/var/backups/" comm=“gzip” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“mknod” profile=“apt.systemd.daily” name="/var/lib/dpkg/lock-frontend" comm=“apt-get” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“open” profile=“apt.systemd.daily” name="/var/lib/dpkg/lock-frontend" comm=“apt-get” requested_mask=“wrc” denied_mask=“wrc”

2 Likes
34

Much easier now with apparmor-info. Edit the policies:

usr.bin.dbus-daemon:

/home/user/.config/dconf/user rw,

apt.systemd.daily:

/var/backups/ r,
/var/lib/dpkg/lock-frontend rw,

However, none of these seem to be sdwdate / system monitor related. Are you absolutely sure that it’s apparmor-profile-everything causing this?

1 Like
35

Yes, it happens after apparmor-profile-everything is installed. I also confirmed this with a KVM version of Whonix-Gateway in which the same thing happens when apparmor-profile-everything is installed within the VM.

I’m positive if you install a new KVM gateway, update it, then install apparmor-profile-everything, this will surely happen. I also closed sdwdate-gui and reopened it, clicked status then log, then restart and stop, then closed it and reopened once more so that maybe I could get another denied operation pertaining to sdwdate-gui. This was the result:

sudo bash ‘/home/user/Downloads/apparmor-info.bash’
AVC apparmor=“DENIED” operation=“mknod” profile=“apt.systemd.daily” name="/var/lib/dpkg/lock-frontend" comm=“apt-get” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“open” profile=“apt.systemd.daily” name="/var/lib/dpkg/lock-frontend" comm=“apt-get” requested_mask=“wrc” denied_mask=“wrc”
AVC apparmor=“DENIED” operation=“open” profile="/**/*-browser/Browser/firefox" name="/proc/5363/cgroup" comm=“firefox.real” requested_mask=“r” denied_mask=“r”

Firefox is TorBrowser posting to this forum.

Also, how may I get a browser installed such as Tor Browser working in Whonix-Gateway so that I can download the apparmor-info and send my logs from that VM?

I also did set the new rules you posted above and will reboot just for measure.

Update after Reboot:

I ran this just now while TOR is open with your edits applied.

sudo sdwdate-gui
[sudo] password for user:
access control disabled, clients can connect from any host
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to ‘/tmp/runtime-sdwdate-gui’
tor_status_changed unexpected error: <class ‘NameError’>
^Z
[1]+ Stopped sudo sdwdate-gui

sudo bash ‘/home/user/Downloads/apparmor-info.bash’
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/etc/xdg/tumbler/tumbler.rc" comm=“tumblerd” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/home/user/.cache/gstreamer-1.0/registry.x86_64.bin" comm=“tumblerd” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/proc/2641/fd/" comm=“tumblerd” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner" comm=“tumblerd” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/sys/devices/system/node/" comm=“tumblerd” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/dev/" comm=“tumblerd” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name="/home/user/.cache/gstreamer-1.0/registry.x86_64.bin.tmpSZH8V0" comm=“tumblerd” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name="/home/user/.cache/gstreamer-1.0/registry.x86_64.bin.tmpT4H8V0" comm=“tumblerd” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/usr/share/thumbnailers/" comm=“tumblerd” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“open” profile="/**/*-browser/Browser/firefox" name="/proc/2704/cgroup" comm=“firefox.real” requested_mask=“r” denied_mask=“r”

All the new denieds are Firefox related (TB) as it was output 0 prior to opening TOR Browser.

Edit - Testing Whonix-Gateway in KVM using hardened-kernel VM version with -lkrg support. Apparmor-profile-everything is the only profile installed other than the pre-installed profiles pertaining to Whonix-Gateway.

Screenshot_Whonix-Gateway-Debug_2020-12-23_12:38:54
Screenshot_Whonix-Gateway-Debug_2020-12-23_12:38:541024×768 180 KB

To the left, the terminal shows the sdwdate-gui log when clicking on it. You can see the log is blank besides the firewall notices.

To the right is trying to install the app-armor profile so that’s another issue which I think was addressed with the Kicksecure edits. You also see the kernel version I’m using. How do I install a browser so I can send my logs to the forum on KVM Whonix-Gateway? Or should I setup a shared folder so I can send logs to the host machine then upload to the forum?

This is running sdwdate-gui in KVM Whonix-Gateway

Screenshot_Whonix-Gateway-Debug_2020-12-23_12:38:54
Screenshot_Whonix-Gateway-Debug_2020-12-23_12:38:541024×768 187 KB

How can I download apparmor-info via terminal or get a browser installed like TOR to download within Whonix-Gateway?

Thanks,
sudobash

36

The screenshot shows that you’re using apt to install programs — you are meant to be using the rapt wrapper.

You don’t need a browser. You can enable clipboard sharing and copy/paste across the VMs.

Whonix ™ for KVM

You can download apparmor-info from the terminal with:

scurl-download https://raw.githubusercontent.com/Whonix/helper-scripts/master/usr/sbin/apparmor-info

You should learn how to parse the AppArmor logs yourself so you can quickly apply the necessary rules and then you can post the end result here so that I can upload them to git. Will save a lot of time instead of having to go back and forth on the forums.

37

Relationship between sdwdate-gui and APT does currently not exist. sdwdate-gui can restart sdwdate. Story could stop there.

sdwdate runs prerequisite_check which then runs /usr/lib/helper-scripts/te_pe_tb_check. I am not sure what the acronym meant but what it does is:

  • Time Sanity Check
  • Tor enabled check
  • Tor circuit established

It used to check if there is currently a package manager running using /usr/lib/helper-scripts/pkg_manager_running_check but that is disabled for a long time.

Not supposed to run as root. For proper reproduction, if manually started:

  • make sure all existing related processes have been terminated (duplicates might cause issues, generally, probably not the case here).
  • application has to be run the same way it is being run by the system.

/etc/xdg/autostart/sdwdate-gui.desktop runs

/usr/lib/sdwdate-gui/start-maybe

which then in Qubes-Whonix runs

sdwdate-gui

This should be avoided. Better use a browser on the host or even better in another VM. Use shared folder or copy/paste/chmod +x file-name. scurl-download method is also better.

Running a browser inside Whonix-Gateway may be possible but I am not sure that’s currently documented.

1 Like
38

I booted into Kicksecure with the profile changes all mentioned above and ran:

sudo bash ‘/home/user/Downloads/apparmor-info.bash’

This came up with zero results and yet the sdwdate-gui is still having the looping bug. I can confirm it also has the bug within KVM Whonix-Gateway using the same apparmor profile edits that Kicksecure shares.

I next ran:

/usr/lib/sdwdate-gui/start-maybe
access control disabled, clients can connect from any host
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to ‘/tmp/runtime-sdwdate-gui’
tor_status_changed unexpected error: <class ‘NameError’>
^Z
[3]+ Stopped /usr/lib/sdwdate-gui/start-maybe

/etc/xdg/autostart/sdwdate-gui.desktop runs
bash: /etc/xdg/autostart/sdwdate-gui.desktop: Permission denied

Only thing that comes up:

sudo bash ‘/home/user/Downloads/apparmor-info.bash’
AVC apparmor=“DENIED” operation=“file_lock” profile=“apt.systemd.daily” name="/var/lib/dpkg/lock-frontend" comm=“apt-get” requested_mask=“k” denied_mask=“k”
AVC apparmor=“DENIED” operation=“open” profile="/**/*-browser/Browser/firefox" name="/proc/2650/cgroup" comm=“firefox.real” requested_mask=“r” denied_mask=“r”

It’s safe to say that both denieds above have nothing to do with sdwdate. Good news though is everything else works in Kicksecure that I’ve tested from KVM to System Monitor and all is running normally.

My next goal is to install apparmor-profile-everything within KVM Whonix-Workstation with the VM hardened kernel with -lkrg. I will apply the same edits stated in this forum. I’ll test the basics like NGINX, PHP, MySQL, etc.

The looping bug can be bypassed by running sdwdate in the terminal and syncs properly.

1 Like
39
2 Likes
40

Merged.

41

I forgot what I updated via the testers repo for Kicksecure but it broke some things.

sudo apt-get-update-plus dist-upgrade
Hit:1 tor+https://deb.debian.org/debian-security buster/updates InRelease
Hit:2 tor+https://deb.debian.org/debian buster-updates InRelease
Hit:3 tor+https://deb.debian.org/debian buster InRelease
Get:4 tor+https://deb.whonix.org buster-testers InRelease [37.5 kB]
Get:5 tor+https://deb.whonix.org buster-testers/non-free amd64 Packages [1,542 B]
Get:6 tor+https://deb.whonix.org buster-testers/main amd64 Packages [58.3 kB]
Get:7 tor+https://deb.whonix.org buster-testers/contrib amd64 Packages [1,390 B]
Fetched 98.7 kB in 7s (13.3 kB/s)
Reading package lists…
Reading package lists… Done
Building dependency tree
Reading state information… Done
Calculating upgrade… Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Here is my apparmor status:

sudo aa-status
apparmor module is loaded.
66 profiles are loaded.
49 profiles are in enforce mode.
/**/*-browser/Browser/firefox
/usr/bin/gwenview
/usr/bin/hexchat
/usr/bin/man
/usr/bin/okular
/usr/bin/pidgin
/usr/bin/pidgin//sanitized_helper
/usr/bin/totem
/usr/bin/totem-audio-preview
/usr/bin/totem-video-thumbnailer
/usr/bin/totem//sanitized_helper
/usr/bin/xchat
/usr/lib/helper-scripts/first-boot-skel
/usr/lib/sdwdate/url_to_unixtime
/usr/lib/security-misc/pam-abort-on-locked-password
/usr/lib/security-misc/pam_only_if_login
/usr/lib/security-misc/pam_tally2-info
/usr/lib/security-misc/panic-on-oops
/usr/lib/security-misc/permission-lockdown
/usr/lib/security-misc/remove-system.map
/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session
/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session//chromium
/usr/sbin/apt-cacher-ng
/usr/sbin/haveged
/usr/sbin/kloak
/usr/sbin/libvirtd
/usr/sbin/libvirtd//qemu_bridge_helper
Xorg
apt.systemd.daily
bootclockrandomization
dbus-daemon
init-systemd
init-systemd-debug
init-systemd-superroot
lsblk
man_filter
man_groff
networking-aae
nvidia_modprobe
nvidia_modprobe//kmod
rapt
rsyslogd
spice-vdagent
spice-vdagentd
system_tor
systemd-modules-load
systemd-shutdown
systemd-sysctl
virt-aa-helper
17 profiles are in complain mode.
/usr/bin/irssi
/usr/bin/sdwdate
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
avahi-daemon
identd
klogd
mdnsd
nmbd
nscd
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
27 processes have profiles defined.
16 processes are in enforce mode.
/usr/sbin/haveged (843)
/usr/sbin/kloak (847)
/usr/sbin/libvirtd (989)
/usr/lib/xorg/Xorg (1002) Xorg
/usr/bin/dbus-daemon (862) dbus-daemon
/usr/bin/dbus-daemon (1321) dbus-daemon
/usr/lib/at-spi2-core/at-spi-bus-launcher (1328) dbus-daemon
/usr/bin/dbus-daemon (1582) dbus-daemon
/usr/bin/dbus-daemon (1610) dbus-daemon
/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (1632) dbus-daemon
/usr/lib/at-spi2-core/at-spi-bus-launcher (1679) dbus-daemon
/usr/bin/dbus-daemon (1749) dbus-daemon
/usr/lib/systemd/systemd (1452) init-systemd
/usr/lib/systemd/systemd (1651) init-systemd
/usr/sbin/rsyslogd (869) rsyslogd
/usr/bin/tor (1027) system_tor
11 processes are in complain mode.
/usr/bin/python3.7 (2210) /usr/bin/sdwdate
/usr/bin/dash (2297) /usr/bin/sdwdate
/usr/bin/sleep (2298) /usr/bin/sdwdate
/usr/bin/python3.7 (2706) /usr/bin/sdwdate
/usr/bin/python3.7 (2736) /usr/bin/sdwdate
/usr/sbin/dnsmasq (985)
/usr/sbin/dnsmasq (1185)
/usr/sbin/dnsmasq (1325)
/usr/sbin/dnsmasq (1327)
/usr/sbin/avahi-daemon (871) avahi-daemon
/usr/sbin/avahi-daemon (936) avahi-daemon
0 processes are unconfined but have a profile defined.

Apparmor-info gives these new denied(s):

sudo bash ‘/home/user/Downloads/apparmor-info.bash’
AVC apparmor=“DENIED” operation=“file_receive” profile=“dbus-daemon” name="/run/systemd/inhibit/2.ref" comm=“dbus-daemon” requested_mask=“w” denied_mask=“w”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/var/lib/lightdm/.Xauthority" comm=“at-spi-bus-laun” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name="/var/lib/lightdm/.cache/dconf/user" comm=“at-spi-bus-laun” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/var/lib/lightdm/.cache/dconf/user" comm=“at-spi-bus-laun” requested_mask=“wrc” denied_mask=“wrc”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/var/lib/lightdm/.cache/dconf/user" comm=64636F6E6620776F726B6572 requested_mask=“wrc” denied_mask=“wrc”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/proc/1348/fd/" comm=“at-spi-bus-laun” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/bin/dbus-daemon" comm=“at-spi-bus-laun” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/gvfs/gvfsd" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name="/home/user/.cache/dconf/user" comm=“at-spi-bus-laun” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/home/user/.cache/dconf/user" comm=“at-spi-bus-laun” requested_mask=“wrc” denied_mask=“wrc”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/home/user/.cache/dconf/user" comm=64636F6E6620776F726B6572 requested_mask=“wrc” denied_mask=“wrc”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/proc/1698/fd/" comm=“at-spi-bus-laun” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“open” profile=“init-systemd” name="/sys/class/" comm=“systemd-logind” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/gvfs/gvfs-udisks2-volume-monitor" comm=“dbus-daemon” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/etc/xdg/tumbler/tumbler.rc" comm=“tumblerd” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/home/user/.cache/gstreamer-1.0/registry.x86_64.bin" comm=“tumblerd” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/proc/2850/fd/" comm=“tumblerd” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name="/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner" comm=“tumblerd” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/sys/devices/system/node/" comm=“tumblerd” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/dev/" comm=“tumblerd” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name="/home/user/.cache/gstreamer-1.0/registry.x86_64.bin.tmpKW3EW0" comm=“tumblerd” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name="/home/user/.cache/gstreamer-1.0/registry.x86_64.bin.tmpYZ3EW0" comm=“tumblerd” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/usr/share/thumbnailers/" comm=“tumblerd” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/usr/share/gvfs/remote-volume-monitors/" comm=“tumblerd” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/proc/2847/mountinfo" comm=“gmain” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/etc/fstab" comm=“tumblerd” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/proc/2847/mountinfo" comm=“tumblerd” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“mkdir” profile=“dbus-daemon” name="/run/sdwdate-gui/.cache/dconf/" comm=“at-spi-bus-laun” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mkdir” profile=“dbus-daemon” name="/run/sdwdate-gui/.cache/dconf/" comm=64636F6E6620776F726B6572 requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name="/proc/4337/fd/" comm=“at-spi-bus-laun” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“open” profile="/**/*-browser/Browser/firefox" name="/proc/4389/cgroup" comm=“firefox.real” requested_mask=“r” denied_mask=“r”

sdwdate-gui is still looping after downloading testing repo update as of this post. I noticed there is some sdwdate items in complain mode. I would try to diagnose this myself but I’m still learning app-armor and its functionality.

Looks like whatever update I did it broke DEVICES within File Manager where my USB drives nor my additional sata drives do NOT show up as an available drive to mount.

What is displayed now is File System, File System root, boot, and cdrom0 whereas I had a couple sata drives show up as well as USB drives such as a flash drive and an WD external drive.

I have tested Whonix-Gateway and Whonix-Workstation with apparmor-profile-everything but we won’t get ahead of ourselves.

Thanks,
sudobash

1 Like
42

One thing about that is confusing:

  • now for those enabled persistent systemd journal log and
  • Qubes users (shows systemd journal messages from previous boot in TemplateVM)
  • in future in Debian bullseye and above when Debian enables persistent systemd journal log by default

are shows DENIED messages from any previous boot. (As far back as systemd journal log goes.)

Should we add parameter --boot to journalctl in apparmor-info by default? Or should we have two different wrappers? One with --boot and one without?

  • apparmor-info-all-boots (not using --boot)
  • apparmor-info-current-boot (using --boot)

Meanwhile one can manually run

sudo apparmor-info --boot

which results in showing apparmor messages cor current boot only.

References:

For now apparmor-info shows only DENIED messages. Objections against adding ALLOWED messages too? We need to see these too so these profiles can be fixed too.
(These aren’t operations which where actually allowed. That would be too many. In apparmor profile enforce mode, these are DENIED while in complain mode these are ALLOWED. )
(Apparmor should have probably named these COMPLAIN in logs instead of ALLOWED. Would be less confusing.)

2 Likes