I was only able to get past lightdm with this added to /etc/apparmor.d/tunables/:
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
@{sys_pci_numbers}=[0-9,a-z][0-9,a-z][0-9,a-z][0-9,a-z]:[0-9,a-z][0-9,a-z]
@{sys_pci}=/sys/devices/***
@{dev_ttys}=/dev/tty{,S}[0-9]{,[0-9]}
I tried the 3 dots, no go; the asterisk seems to work, which brought up other denieds, so I added this to /etc/apparmor.d/local/usr.bin.dbus-daemon:
/run/systemd/sessions/*.ref w,
/run/systemd/inhibit/*.ref w,
I added these to /etc/apparmor.d/local/init-systemd for more denieds:
/sys/power/state r,
/dev/tty1 rw,
/sys/class/ r,
I did a reboot and checked dmesg, new denieds came:
[ 48.113020] audit: type=1400 audit(1623060317.967:50): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1082 comm="systemd" requested_mask="receive" denied_mask="receive" signal=term peer="init-systemd"
[ 48.113281] audit: type=1400 audit(1623060317.971:51): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1082 comm="systemd" requested_mask="receive" denied_mask="receive" signal=kill peer="init-systemd"
[ 48.113431] audit: type=1400 audit(1623060317.971:52): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1082 comm="systemd" requested_mask="receive" denied_mask="receive" signal=term peer="init-systemd"
[ 48.113623] audit: type=1400 audit(1623060317.971:53): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1082 comm="systemd" requested_mask="receive" denied_mask="receive" signal=kill peer="init-systemd"
[ 60.348617] audit: type=1400 audit(1623060330.203:54): apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/1486/cgroup" pid=1486 comm="firefox.real" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
I added this to /etc/apparmor.d/local/usr.bin.dbus-daemon for the new denieds:
signal receive set=term,
signal receive set=kill,
sdwdate does not work when running sdwdate in a terminal:
2021-06-07 10:14:34 - sdwdate - INFO - sdwdate started. PID: 1896
Traceback (most recent call last):
  File "/usr/bin/sdwdate", line 10, in <module>
    sdwdate.main()
  File "/usr/lib/python3/dist-packages/sdwdate/sdwdate.py", line 1022, in main
    global_files()
  File "/usr/lib/python3/dist-packages/sdwdate/sdwdate.py", line 974, in global_files
    Path(sdwdate_status_files_folder).mkdir(parents=True, exist_ok=True)
  File "/usr/lib/python3.7/pathlib.py", line 1251, in mkdir
    self._accessor.mkdir(self, mode)
PermissionError: [Errno 13] Permission denied: '/home/user/sdwdate'
Also, sdwdate-gui throws up an error; I realized sdwdate-gui isn’t in the sdwdate apparmor profile.
access control disabled, clients can connect from any host
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-sdwdate-gui'
tor_status_changed unexpected error: <class 'NameError'>
I do have a better understanding of apparmor now due to this thread so I appreciate everyone’s help on this forum especially madaidan!
On reboot, another denied:
[ 59.175475] audit: type=1400 audit(1623061641.571:50): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1068 comm="systemd" requested_mask="receive" denied_mask="receive" signal=cont peer="init-systemd"
So I added to /etc/apparmor.d/local/usr.bin.dbus-daemon:
signal receive set=cont,
Reboot and no denieds, just some unconfineds:
[ 26.120617] audit: type=1400 audit(1623062030.560:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="rapt" pid=684 comm="apparmor_parser"
[ 26.123554] audit: type=1400 audit(1623062030.564:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="apt.systemd.daily" pid=685 comm="apparmor_parser"
[ 26.126195] audit: type=1400 audit(1623062030.568:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagent" pid=678 comm="apparmor_parser"
[ 26.126207] audit: type=1400 audit(1623062030.568:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagentd" pid=678 comm="apparmor_parser"
[ 26.126519] audit: type=1400 audit(1623062030.568:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/tor-circuit-established-check" pid=682 comm="apparmor_parser"
[ 26.133117] audit: type=1400 audit(1623062030.572:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/timesanitycheck" pid=681 comm="apparmor_parser"
[ 26.137211] audit: type=1400 audit(1623062030.576:12): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/libvirtd" pid=683 comm="apparmor_parser"
[ 26.137222] audit: type=1400 audit(1623062030.576:13): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/libvirtd//qemu_bridge_helper" pid=683 comm="apparmor_parser"
I’m looking into the sdwdate issue so I can get it to work. I believe it’s an important feature of Kicksecure. I don’t see any denieds for sdwdate, so I’m curious as to why it’s not working; perhaps a rule that denies the app from running within the apparmor profile?
Thanks,
sudobash
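
The post turns dmesg denials into local profile rules by hand, one reboot at a time. As an added example (not part of the original post, and not Kicksecure's own tooling), this script parses such audit lines and proposes deduplicated rules per profile, scoping signal rules to the logged peer. The sample log is constructed from lines quoted above; `@{PROC}` and `@{pid}` are the stock AppArmor tunables, and the `owner` prefix is an assumption applied when fsuid equals ouid.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the dmesg lines quoted in the post above.
SAMPLE = '''\
[ 48.113020] audit: type=1400 audit(1623060317.967:50): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1082 comm="systemd" requested_mask="receive" denied_mask="receive" signal=term peer="init-systemd"
[ 48.113281] audit: type=1400 audit(1623060317.971:51): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1082 comm="systemd" requested_mask="receive" denied_mask="receive" signal=kill peer="init-systemd"
[ 59.175475] audit: type=1400 audit(1623061641.571:50): apparmor=“DENIED” operation=“signal” profile=“dbus-daemon” pid=1068 comm=“systemd” requested_mask=“receive” denied_mask=“receive” signal=cont peer=“init-systemd”
[ 60.348617] audit: type=1400 audit(1623060330.203:54): apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/1486/cgroup" pid=1486 comm="firefox.real" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 26.120617] audit: type=1400 audit(1623062030.560:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="rapt" pid=684 comm="apparmor_parser"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    line = line.replace("\u201c", '"').replace("\u201d", '"')  # undo forum smart quotes
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def suggest_rules(log):
    """Map each profile to candidate rules covering its DENIED events."""
    signals = defaultdict(set)  # (profile, mask, peer) -> signal names
    rules = defaultdict(set)    # profile -> rule strings
    for line in log.splitlines():
        f = parse(line)
        if f.get("apparmor") != "DENIED":
            continue  # skip STATUS records such as profile_load
        if f.get("operation") == "signal":
            signals[(f["profile"], f["denied_mask"], f.get("peer"))].add(f["signal"])
        elif "name" in f:
            # Generalise the per-process path; the pid differs on every boot.
            path = re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", f["name"])
            owner = "owner " if "ouid" in f and f.get("fsuid") == f["ouid"] else ""
            rules[f["profile"]].add(f"{owner}{path} {f['denied_mask']},")
    for (profile, mask, peer), names in signals.items():
        scope = f" peer={peer}" if peer else ""
        rules[profile].add(f"signal ({mask}) set=({', '.join(sorted(names))}){scope},")
    return {profile: sorted(r) for profile, r in rules.items()}

if __name__ == "__main__":
    for profile, found in suggest_rules(SAMPLE).items():
        print(f"# profile {profile}")
        print("\n".join(f"  {rule}" for rule in found))
```

Feeding it the whole `dmesg` output after one boot gives every missing rule at once instead of one per reboot. A rule scoped with `peer=` only admits signals from that profile, which is narrower than a bare `signal receive set=term,` line.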