That allows blanket access to all of /sys/devices, which is far too permissive. We need to enforce fine-grained restrictions. Did you try what I mentioned above?
Looks similar to: Reboot failure on Debian 10 due to systemd confinement · Issue #72 · Kicksecure/apparmor-profile-everything · GitHub
You are not supposed to run sdwdate from the terminal. It’s not a supported use case; it’s meant to be used via the systemd service. Doing otherwise will flood the logs with bogus denial errors.
Oh no! I misread your last suggestion and fixed it:
sudo mousepad /etc/apparmor.d/tunables/init-systemd
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
#include <tunables/global>
@{sys_pci_numbers}=[0-9,a-z][0-9,a-z][0-9,a-z][0-9,a-z]:[0-9,a-z][0-9,a-z]
@{sys_pci}=@{sys}/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/{,@{sys_pci_numbers}:*.*/}
@{dev_ttys}=/dev/tty{,S}[0-9]{,[0-9]}
I had to add the [a-z] as I noticed some pci entries had letters in them.
On reboot, apparmor throws an error:
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Drop-In: /usr/lib/systemd/system/apparmor.service.d
└─30_live_mode.conf
Active: failed (Result: exit-code) since Tue 2021-06-08 10:43:52 UTC; 3min 21s ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Process: 665 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
Main PID: 665 (code=exited, status=1/FAILURE)
Jun 08 10:43:52 grid apparmor.systemd[665]: 'HOME' is already defined
Jun 08 10:43:52 grid apparmor.systemd[665]: AppArmor parser error for /etc/apparmor.d/bin.lsblk in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously declared
Jun 08 10:43:52 grid apparmor.systemd[665]: 'HOME' is already defined
Jun 08 10:43:52 grid apparmor.systemd[665]: AppArmor parser error for /etc/apparmor.d/init-systemd in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously declared
Jun 08 10:43:52 grid apparmor.systemd[665]: 'HOME' is already defined
Jun 08 10:43:52 grid apparmor.systemd[665]: AppArmor parser error for /etc/apparmor.d/usr.lib.xorg.Xorg in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously declared
Jun 08 10:43:52 grid apparmor.systemd[665]: Error: At least one profile failed to load
Jun 08 10:43:52 grid systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Jun 08 10:43:52 grid systemd[1]: apparmor.service: Failed with result 'exit-code'.
Jun 08 10:43:52 grid systemd[1]: Failed to start Load AppArmor profiles.
However, I am able to boot into the window manager.
I tried sudo -u sdwdate sdwdate in the terminal:
sudo -u sdwdate sdwdate
2021-06-08 10:57:20 - sdwdate - INFO - sdwdate started. PID: 2120
2021-06-08 10:57:20 - sdwdate - INFO - Tor socks host: 127.0.0.1 Tor socks port: 9050
2021-06-08 10:57:20 - sdwdate - INFO - Running sdwdate main loop. iteration: 1 / 10000
2021-06-08 10:57:20 - sdwdate - INFO - PREPARATION:
2021-06-08 10:57:20 - sdwdate - INFO - /usr/lib/helper-scripts/onion-time-pre-script: Start.
Static Time Sanity Check: Within minimum time 'Sun Jan 17 00:00:00 UTC 2021' and expiration timestamp 'Tue May 17 10:00:00 UTC 2033', ok.
Tor reports: NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"
Tor circuit: established.
Tor Consensus Time Sanity Check: Clock within consensus parameters consensus/valid-after 2021-06-08 09:00:00 and consensus/valid-until 2021-06-08 12:00:00.
Tor already reports circuit established.
/usr/lib/helper-scripts/onion-time-pre-script: END: Exiting with exit_code '0' indicating 'success'.
2021-06-08 10:57:20 - sdwdate - INFO - PREPARATION RESULT: SUCCESS.
2021-06-08 10:57:20 - sdwdate - INFO -
2021-06-08 10:57:20 - sdwdate - INFO - Initial time fetching in progress...
2021-06-08 10:57:20 - sdwdate - INFO - Running sdwdate fetch loop. iteration: 1
2021-06-08 10:57:20 - sdwdate - INFO - pool 0: pool_size: 15 url_index: 2 already_picked_number: 1 already_picked_index: [2]
2021-06-08 10:57:20 - sdwdate - INFO - pool 1: pool_size: 15 url_index: 14 already_picked_number: 1 already_picked_index: [14]
2021-06-08 10:57:20 - sdwdate - INFO - pool 2: pool_size: 15 url_index: 4 already_picked_number: 1 already_picked_index: [4]
2021-06-08 10:57:20 - sdwdate - INFO - requested urls ['http://33y6fjyhs3phzfjj.onion', 'https://www.dwnewsvdyyiamwnp.onion', 'http://rvy6qmlqfstv6rlz.onion']
remote_times.py: url_to_unixtime_command (s):
url_to_unixtime 127.0.0.1 9050 http://33y6fjyhs3phzfjj.onion 80 true
url_to_unixtime 127.0.0.1 9050 https://www.dwnewsvdyyiamwnp.onion 80 true
url_to_unixtime 127.0.0.1 9050 http://rvy6qmlqfstv6rlz.onion 80 true
remote_times.py: i: 0 | done
remote_times.py: i: 2 | done
remote_times.py: i: 1 | done
remote 0: http://33y6fjyhs3phzfjj.onion
* comment: The Guardian https://www.theguardian.com/securedrop https://web.archive.org/web/20201231075421/https://www.theguardian.com/securedrop
* took_time : 2.03 second(s)
* half_took_time: 1.01 second(s)
* replay_protection_unixtime: 1623053612
* remote_unixtime : 1623149680
* consensus/valid-after : 2021-06-08 09:00:00
* replay_protection_time : 2021-06-07 08:15:12
* remote_time : 2021-06-08 10:54:40
* consensus/valid-until : 2021-06-08 12:00:00
* time_diff_raw : -162 second(s)
* time_diff_lag_cleaned: -163.01 second(s)
* Time Replay Protection : sane
* Tor Consensus Time Sanity Check: sane
* remote_status: True
remote 1: https://www.dwnewsvdyyiamwnp.onion
* comment: https://www.dw.com https://web.archive.org/web/20210126144517/https://securityheaders.com/?q=dw.com&followRedirects=on
* took_time : 15.92 second(s)
* half_took_time: 7.96 second(s)
* replay_protection_unixtime: 1623053612
* remote_unixtime : 1623149694
* consensus/valid-after : 2021-06-08 09:00:00
* replay_protection_time : 2021-06-07 08:15:12
* remote_time : 2021-06-08 10:54:54
* consensus/valid-until : 2021-06-08 12:00:00
* time_diff_raw : -162 second(s)
* time_diff_lag_cleaned: -169.96 second(s)
* Time Replay Protection : sane
* Tor Consensus Time Sanity Check: sane
* remote_status: True
remote 2: http://rvy6qmlqfstv6rlz.onion
* comment: https://www.c3d2.de/news/20160106-c3d2-as-onionservice.html https://web.archive.org/web/20160807015616/https://www.c3d2.de/news/20160106-c3d2-as-onionservice.html
* took_time : 14.51 second(s)
* half_took_time: 7.25 second(s)
* replay_protection_unixtime: 1623053612
* remote_unixtime : 1623149692
* consensus/valid-after : 2021-06-08 09:00:00
* replay_protection_time : 2021-06-07 08:15:12
* remote_time : 2021-06-08 10:54:52
* consensus/valid-until : 2021-06-08 12:00:00
* time_diff_raw : -163 second(s)
* time_diff_lag_cleaned: -170.25 second(s)
* Time Replay Protection : sane
* Tor Consensus Time Sanity Check: sane
* remote_status: True
remote_times.py: urls_list:
['http://33y6fjyhs3phzfjj.onion', 'https://www.dwnewsvdyyiamwnp.onion', 'http://rvy6qmlqfstv6rlz.onion']
remote_times.py: status_list:
['ok', 'ok', 'ok']
remote_times.py: took_time_list:
[2.03, 15.92, 14.51]
remote_times.py: half_took_time_list:
[1.01, 7.96, 7.25]
remote_times.py: remote_unixtime_list:
[1623149680, 1623149694, 1623149692]
remote_times.py: time_diff_raw_int_list:
[-162, -162, -163]
remote_times.py: time_diff_lag_cleaned_float_list:
[-163.01, -169.96, -170.25]
2021-06-08 10:57:36 - sdwdate - INFO - returned urls "['http://33y6fjyhs3phzfjj.onion', 'https://www.dwnewsvdyyiamwnp.onion', 'http://rvy6qmlqfstv6rlz.onion']"
2021-06-08 10:57:36 - sdwdate - INFO -
2021-06-08 10:57:36 - sdwdate - INFO - failed_urls: 0 allowed_failures: 5
2021-06-08 10:57:36 - sdwdate - INFO - pool 0: http://33y6fjyhs3phzfjj.onion, web_time: 2021-06-08 10:54:40, took_time: 2.03 seconds, time_diff_raw: -162 seconds, time_diff_lag_cleaned: -163 seconds
2021-06-08 10:57:36 - sdwdate - INFO - pool 1: https://www.dwnewsvdyyiamwnp.onion, web_time: 2021-06-08 10:54:54, took_time: 15.92 seconds, time_diff_raw: -162 seconds, time_diff_lag_cleaned: -170 seconds
2021-06-08 10:57:36 - sdwdate - INFO - pool 2: http://rvy6qmlqfstv6rlz.onion, web_time: 2021-06-08 10:54:52, took_time: 14.51 seconds, time_diff_raw: -163 seconds, time_diff_lag_cleaned: -170 seconds
2021-06-08 10:57:36 - sdwdate - INFO - End fetching remote times.
2021-06-08 10:57:36 - sdwdate - INFO -
2021-06-08 10:57:36 - sdwdate - INFO - Success.
2021-06-08 10:57:36 - sdwdate - INFO - request_took_times, sorted: [2.03, 14.51, 15.92]
2021-06-08 10:57:36 - sdwdate - INFO - request_half_took_times, sorted: [1.01, 7.25, 7.96]
2021-06-08 10:57:36 - sdwdate - INFO - time_diff_raw, sorted: [-163, -162, -162]
2021-06-08 10:57:36 - sdwdate - INFO - diffs_lag_cleaned, sorted: [-170, -170, -163]
2021-06-08 10:57:36 - sdwdate - INFO - median request_took_times: +14.51
2021-06-08 10:57:36 - sdwdate - INFO - median half_request_took_times: +7.25
2021-06-08 10:57:36 - sdwdate - INFO - median raw time difference: -162.00
2021-06-08 10:57:36 - sdwdate - INFO - median lag_cleaned time difference: -170.00
2021-06-08 10:57:36 - sdwdate - INFO - Not randomizing nanoseconds.
2021-06-08 10:57:36 - sdwdate - INFO - new time difference : -162.000000000
2021-06-08 10:57:36 - sdwdate - INFO - replay_protection_unixtime: 1623053612
2021-06-08 10:57:36 - sdwdate - INFO - old_unixtime : 1623149856.979118586
2021-06-08 10:57:36 - sdwdate - INFO - new_unixtime : 1623149694.979118586
2021-06-08 10:57:36 - sdwdate - INFO - replay_protection_time : 2021-06-07 08:15:12
2021-06-08 10:57:36 - sdwdate - INFO - old_unixtime_human_readable : 2021-06-08 10:57:37
2021-06-08 10:57:36 - sdwdate - INFO - new_unixtime_human_readable : 2021-06-08 10:54:55
2021-06-08 10:57:37 - sdwdate - INFO - Instantly setting the time by using command: /bin/date --utc "+%Y-%m-%d %H:%M:%S" --set "@1623149694.979118586"
2021-06-08 10:57:37 - sdwdate - INFO - /bin/date output: 2021-06-08 10:54:54
/bin/date: cannot set date: Operation not permitted
2021-06-08 10:57:37 - sdwdate - ERROR - /bin/date returncode: 1
2021-06-08 10:57:37 - sdwdate - INFO - Exiting with exit_code '1' because or reason 'bin_date_status non-zero exit code'.
2021-06-08 10:57:37 - sdwdate - INFO - sdwdate stopped by user or system.
2021-06-08 10:57:37 - sdwdate - INFO - sclockadj process not running, ok.
2021-06-08 10:57:37 - sdwdate - INFO - sleep process not running, ok.
2021-06-08 10:57:37 - sdwdate - INFO - End.
The sdwdate-gui shows a lock with an X icon. Within the AppArmor sdwdate profile, /bin/date is defined as /{,usr/}bin/date mrix, so shouldn't that allow /bin/date to work?
Running dmesg now:
[ 72.990211] audit: type=1400 audit(1623149031.430:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="apt.systemd.daily" pid=682 comm="apparmor_parser"
[ 72.992791] audit: type=1400 audit(1623149031.434:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagent" pid=675 comm="apparmor_parser"
[ 72.992803] audit: type=1400 audit(1623149031.434:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagentd" pid=675 comm="apparmor_parser"
[ 72.992858] audit: type=1400 audit(1623149031.434:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/tor-circuit-established-check" pid=679 comm="apparmor_parser"
[ 72.993954] audit: type=1400 audit(1623149031.434:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/timesanitycheck" pid=678 comm="apparmor_parser"
[ 72.996106] audit: type=1400 audit(1623149031.438:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/libvirtd" pid=680 comm="apparmor_parser"
We’re getting closer!
Also, I don’t see sdwdate as a service:
sudo service --status-all
[sudo] password for user:
[ - ] apparmor
[ - ] console-setup.sh
[ + ] cron
[ - ] cryptdisks
[ - ] cryptdisks-early
[ + ] dbus
[ + ] dnsmasq
[ - ] gdomap
[ + ] haveged
[ - ] hwclock.sh
[ + ] jitterentropy-rngd
[ - ] keyboard-setup.sh
[ + ] kmod
[ + ] libvirt-guests
[ + ] libvirtd
[ + ] lightdm
[ - ] lvm2
[ - ] lvm2-lvmpolld
[ + ] networking
[ + ] openvpn
[ + ] procps
[ + ] rsyslog
[ - ] sudo
[ + ] sysfsutils
[ + ] tor
[ + ] udev
[ - ] virtlogd
[ - ] x11-common
When I look in the /etc/systemd/system/multi-user.target.wants/ folder, I see that sdwdate.service is a broken link.
Kind: broken link
Link Target: /lib/systemd/system/sdwdate.service
Location: /etc/systemd/system/multi-user.target.wants
I wonder if this is the issue?
I tried to reinstall sdwdate:
sudo rapt reinstall sdwdate
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/114 kB of archives.
After this operation, 0 B of additional disk space will be used.
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 111637 files and directories currently installed.)
Preparing to unpack .../sdwdate_3%3a14.7-1_all.deb ...
Unpacking sdwdate (3:14.7-1) over (3:14.7-1) ...
Setting up sdwdate (3:14.7-1) ...
usermod: no changes
The user `sdwdate' is already a member of `debian-tor'.
The user `sdwdate' is already a member of `systemd-journal'.
/usr/bin/deb-systemd-helper: error: unable to read sdwdate.service
Failed to get unit file state for sdwdate.service: No such file or directory
sdwdate.service is a disabled or a static unit not running, not starting it.
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for rsyslog (8.1901.0-1) ...
+ shopt -s nullglob
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub
+ source /etc/default/grub
++ GRUB_DEFAULT=0
++ GRUB_TIMEOUT=5
+++ lsb_release -i -s
++ GRUB_DISTRIBUTOR=Debian
++ GRUB_CMDLINE_LINUX_DEFAULT=quiet
++ GRUB_CMDLINE_LINUX=
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/30_kicksecure.cfg
+ source /etc/default/grub.d/30_kicksecure.cfg
++ GRUB_DISTRIBUTOR=Kicksecure
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/30_screen_resolution.cfg
+ source /etc/default/grub.d/30_screen_resolution.cfg
++ command -v qubesdb-read
++ GRUB_GFXPAYLOAD_LINUX=1024x768
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_cpu_mitigations.cfg
+ source /etc/default/grub.d/40_cpu_mitigations.cfg
++ GRUB_CMDLINE_LINUX=' spectre_v2=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_distrust_cpu.cfg
+ source /etc/default/grub.d/40_distrust_cpu.cfg
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_enable_iommu.cfg
+ source /etc/default/grub.d/40_enable_iommu.cfg
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_kernel_hardening.cfg
+ source /etc/default/grub.d/40_kernel_hardening.cfg
+++ dpkg --print-architecture
++ kpkg=linux-image-amd64
+++ dpkg-query --show '--showformat=${Version}' linux-image-amd64
dpkg-query: no packages found matching linux-image-amd64
++ kver=
++ true
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge'
++ dpkg --compare-versions '' ge 5.3
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP'
++ command -v qubesdb-read
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none'
++ dpkg --compare-versions '' ge 5.2
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy'
+++ echo quiet
+++ str_replace quiet ''
++ GRUB_CMDLINE_LINUX_DEFAULT=
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy quiet loglevel=0'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy quiet loglevel=0 debugfs=off'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/init-select.cfg
+ source /etc/default/grub.d/init-select.cfg
+ for file_name in /boot/vmlinuz-*
+ base_name=vmlinuz-4.19.122
+ search=vmlinuz-
+ replace=
++ echo vmlinuz-4.19.122
++ str_replace vmlinuz- ''
+ version=4.19.122
+ unset search
+ unset replace
+ break
+ '[' 4.19.122 = '' ']'
+ real_grub_cfg=/boot/grub/grub.cfg
+ file_replace=/boot/grub/grub.cfg.temp
+ test -w /boot/grub/grub.cfg
+ cp /boot/grub/grub.cfg /boot/grub/grub.cfg.temp
+ test -w /boot/grub/grub.cfg.temp
+ search=' GNU/Linux'
+ replace=
+ str_replace ' GNU/Linux' '' /boot/grub/grub.cfg.temp
+ search=', with Linux 4.19.122'
+ replace=
+ str_replace ', with Linux 4.19.122' '' /boot/grub/grub.cfg.temp
+ search='menuentry '\''Kicksecure'\'''
+ replace='menuentry '\''PERSISTENT mode USER (For daily activities.)'\'''
+ str_replace 'menuentry '\''Kicksecure'\''' 'menuentry '\''PERSISTENT mode USER (For daily activities.)'\''' /boot/grub/grub.cfg.temp
+ search='menuentry '\''Kicksecure (recovery mode)'\'''
+ replace='menuentry '\''Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)'\'''
+ str_replace 'menuentry '\''Kicksecure (recovery mode)'\''' 'menuentry '\''Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)'\''' /boot/grub/grub.cfg.temp
+ test -x /usr/bin/grub-script-check
+ /usr/bin/grub-script-check /boot/grub/grub.cfg.temp
+ cp /boot/grub/grub.cfg.temp /boot/grub/grub.cfg
+ exit 0
I noticed this error:
/usr/bin/deb-systemd-helper: error: unable to read sdwdate.service
Failed to get unit file state for sdwdate.service: No such file or directory
sdwdate.service is a disabled or a static unit not running, not starting it.
I tried to reinstall the service using sudo rapt reinstall --no-install-recommends kicksecure-xfce, but it doesn't reinstall it; I had removed the broken file and attempted to restore it.
I copied and pasted sdwdate.service from GitHub, chowned it to root:root with a chmod 775, and attempted to reinstall sdwdate again:
sudo rapt reinstall sdwdate
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/114 kB of archives.
After this operation, 0 B of additional disk space will be used.
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 111637 files and directories currently installed.)
Preparing to unpack .../sdwdate_3%3a14.7-1_all.deb ...
Unpacking sdwdate (3:14.7-1) over (3:14.7-1) ...
Setting up sdwdate (3:14.7-1) ...
usermod: no changes
The user `sdwdate' is already a member of `debian-tor'.
The user `sdwdate' is already a member of `systemd-journal'.
/usr/bin/deb-systemd-helper: error: unable to read sdwdate.service
Failed to get unit file state for sdwdate.service: No such file or directory
sdwdate.service is a disabled or a static unit not running, not starting it.
I wonder if AppArmor is hindering it from working?
user@grid:~$ sudo systemctl stop sdwdate
Failed to stop sdwdate.service: Unit sdwdate.service not loaded.
user@grid:~$ sudo systemctl start sdwdate
Failed to start sdwdate.service: Unit sdwdate.service not found.
Where? There are none.
Can you try the first suggestion?
Do not run sdwdate from the terminal.
It’s not that it can’t execute it; it doesn’t have the CAP_SYS_TIME capability granted by the systemd service because you ran it from the terminal.
You’re running it from the terminal and not as a service.
Disable AppArmor and completely reinstall it. Make no modifications to it and do not run it from the terminal.
I disabled AppArmor with apparmor=0 in GRUB and reinstalled sdwdate:
sudo apt-get reinstall sdwdate
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/114 kB of archives.
After this operation, 0 B of additional disk space will be used.
(Reading database ... 111637 files and directories currently installed.)
Preparing to unpack .../sdwdate_3%3a14.7-1_all.deb ...
Unpacking sdwdate (3:14.7-1) over (3:14.7-1) ...
Setting up sdwdate (3:14.7-1) ...
usermod: no changes
The user `sdwdate' is already a member of `debian-tor'.
The user `sdwdate' is already a member of `systemd-journal'.
/usr/bin/deb-systemd-helper: error: unable to read sdwdate.service
Failed to get unit file state for sdwdate.service: No such file or directory
sdwdate.service is a disabled or a static unit not running, not starting it.
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for rsyslog (8.1901.0-1) ...
+ shopt -s nullglob
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub
+ source /etc/default/grub
++ GRUB_DEFAULT=0
++ GRUB_TIMEOUT=5
+++ lsb_release -i -s
++ GRUB_DISTRIBUTOR=Debian
++ GRUB_CMDLINE_LINUX_DEFAULT=quiet
++ GRUB_CMDLINE_LINUX=
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/30_kicksecure.cfg
+ source /etc/default/grub.d/30_kicksecure.cfg
++ GRUB_DISTRIBUTOR=Kicksecure
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/30_screen_resolution.cfg
+ source /etc/default/grub.d/30_screen_resolution.cfg
++ command -v qubesdb-read
++ GRUB_GFXPAYLOAD_LINUX=1024x768
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_cpu_mitigations.cfg
+ source /etc/default/grub.d/40_cpu_mitigations.cfg
++ GRUB_CMDLINE_LINUX=' spectre_v2=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_distrust_cpu.cfg
+ source /etc/default/grub.d/40_distrust_cpu.cfg
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_enable_iommu.cfg
+ source /etc/default/grub.d/40_enable_iommu.cfg
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_kernel_hardening.cfg
+ source /etc/default/grub.d/40_kernel_hardening.cfg
+++ dpkg --print-architecture
++ kpkg=linux-image-amd64
+++ dpkg-query --show '--showformat=${Version}' linux-image-amd64
dpkg-query: no packages found matching linux-image-amd64
++ kver=
++ true
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge'
++ dpkg --compare-versions '' ge 5.3
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP'
++ command -v qubesdb-read
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none'
++ dpkg --compare-versions '' ge 5.2
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy'
+++ echo quiet
+++ str_replace quiet ''
++ GRUB_CMDLINE_LINUX_DEFAULT=
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy quiet loglevel=0'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy quiet loglevel=0 debugfs=off'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/init-select.cfg
+ source /etc/default/grub.d/init-select.cfg
+ for file_name in /boot/vmlinuz-*
+ base_name=vmlinuz-4.19.122
+ search=vmlinuz-
+ replace=
++ echo vmlinuz-4.19.122
++ str_replace vmlinuz- ''
+ version=4.19.122
+ unset search
+ unset replace
+ break
+ '[' 4.19.122 = '' ']'
+ real_grub_cfg=/boot/grub/grub.cfg
+ file_replace=/boot/grub/grub.cfg.temp
+ test -w /boot/grub/grub.cfg
+ cp /boot/grub/grub.cfg /boot/grub/grub.cfg.temp
+ test -w /boot/grub/grub.cfg.temp
+ search=' GNU/Linux'
+ replace=
+ str_replace ' GNU/Linux' '' /boot/grub/grub.cfg.temp
+ search=', with Linux 4.19.122'
+ replace=
+ str_replace ', with Linux 4.19.122' '' /boot/grub/grub.cfg.temp
+ search='menuentry '\''Kicksecure'\'''
+ replace='menuentry '\''PERSISTENT mode USER (For daily activities.)'\'''
+ str_replace 'menuentry '\''Kicksecure'\''' 'menuentry '\''PERSISTENT mode USER (For daily activities.)'\''' /boot/grub/grub.cfg.temp
+ search='menuentry '\''Kicksecure (recovery mode)'\'''
+ replace='menuentry '\''Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)'\'''
+ str_replace 'menuentry '\''Kicksecure (recovery mode)'\''' 'menuentry '\''Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)'\''' /boot/grub/grub.cfg.temp
+ test -x /usr/bin/grub-script-check
+ /usr/bin/grub-script-check /boot/grub/grub.cfg.temp
+ cp /boot/grub/grub.cfg.temp /boot/grub/grub.cfg
+ exit 0
Same deal, it does not install itself as a service. I tested this with a new Kicksecure install with everything but apparmor-profile-everything installed.
Let me try your first suggestion regarding the tunables:
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
##include <tunables/global>
@{sys_pci_numbers}=[0-9,a-z][0-9,a-z][0-9,a-z][0-9,a-z]:[0-9,a-z][0-9,a-z]
##@{sys_pci}=@{sys}/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/{,@{sys_pci_numbers}:*.*/}
@{sys_pci}=/sys/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/{,@{sys_pci_numbers}:*.*/}
@{dev_ttys}=/dev/tty{,S}[0-9]{,[0-9]}
With reboot, the results are:
[ 22.192068] audit: type=1400 audit(1623220184.629:47): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="init-systemd" pid=744 comm="apparmor_parser"
[ 22.193898] audit: type=1400 audit(1623220184.633:48): apparmor="STATUS" operation="profile_load" profile="unconfined" name="init-systemd-debug" pid=744 comm="apparmor_parser"
[ 22.194998] audit: type=1400 audit(1623220184.633:49): apparmor="STATUS" operation="profile_load" profile="unconfined" name="init-systemd-superroot" pid=744 comm="apparmor_parser"
[ 23.494920] audit: type=1400 audit(1623220224.737:50): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:00.0/vendor" pid=901 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 23.494942] audit: type=1400 audit(1623220224.737:51): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:00.0/config" pid=901 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 23.495231] audit: type=1400 audit(1623220224.737:52): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:00.0/vendor" pid=901 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 23.495252] audit: type=1400 audit(1623220224.737:53): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:00.0/config" pid=901 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 24.141489] audit: type=1400 audit(1623220225.381:54): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:00.0/vendor" pid=938 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 24.141502] audit: type=1400 audit(1623220225.381:55): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:00.0/config" pid=938 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 24.141640] audit: type=1400 audit(1623220225.381:56): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:00.0/vendor" pid=938 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
So, no go. I put it back to your second suggestion and it works:
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
#include <tunables/global>
@{sys_pci_numbers}=[0-9,a-z][0-9,a-z][0-9,a-z][0-9,a-z]:[0-9,a-z][0-9,a-z]
@{sys_pci}=@{sys}/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/{,@{sys_pci_numbers}:*.*/}
##@{sys_pci}=/sys/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/{,@{sys_pci_numbers}:*.*/}
@{dev_ttys}=/dev/tty{,S}[0-9]{,[0-9]}
[ 20.760800] audit: type=1400 audit(1623220562.203:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagent" pid=718 comm="apparmor_parser"
[ 20.760810] audit: type=1400 audit(1623220562.203:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagentd" pid=718 comm="apparmor_parser"
[ 20.760818] audit: type=1400 audit(1623220562.203:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/timesanitycheck" pid=721 comm="apparmor_parser"
[ 20.763758] audit: type=1400 audit(1623220562.207:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="apt.systemd.daily" pid=725 comm="apparmor_parser"
[ 20.766261] audit: type=1400 audit(1623220562.211:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/tor-circuit-established-check" pid=722 comm="apparmor_parser"
[ 20.776303] audit: type=1400 audit(1623220562.219:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/helper-scripts/first-boot-skel" pid=720 comm="apparmor_parser"
[ 20.776314] audit: type=1400 audit(1623220562.219:12): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/security-misc/pam-abort-on-locked-password" pid=720 comm="apparmor_parser"
[ 20.776322] audit: type=1400 audit(1623220562.219:13): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/security-misc/pam_only_if_login" pid=720 comm="apparmor_parser"
[ 20.776330] audit: type=1400 audit(1623220562.219:14): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/security-misc/pam_tally2-info" pid=720 comm="apparmor_parser"
[ 20.776338] audit: type=1400 audit(1623220562.219:15): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/security-misc/panic-on-oops" pid=720 comm="apparmor_parser"
With your second option via the tunables it does boot and lightdm works but throws up an error:
sudo systemctl status apparmor
[sudo] password for user:
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Drop-In: /usr/lib/systemd/system/apparmor.service.d
└─30_live_mode.conf
Active: failed (Result: exit-code) since Wed 2021-06-09 06:36:02 UTC; 27min ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Process: 704 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
Main PID: 704 (code=exited, status=1/FAILURE)
Jun 09 06:36:02 tron apparmor.systemd[704]: 'HOME' is already defined
Jun 09 06:36:02 tron apparmor.systemd[704]: AppArmor parser error for /etc/apparmor.d/bin.lsblk in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously declared
Jun 09 06:36:02 tron apparmor.systemd[704]: 'HOME' is already defined
Jun 09 06:36:02 tron apparmor.systemd[704]: AppArmor parser error for /etc/apparmor.d/init-systemd in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously declare
Jun 09 06:36:02 tron apparmor.systemd[704]: 'HOME' is already defined
Jun 09 06:36:02 tron apparmor.systemd[704]: AppArmor parser error for /etc/apparmor.d/usr.lib.xorg.Xorg in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously de
Jun 09 06:36:02 tron apparmor.systemd[704]: Error: At least one profile failed to load
Jun 09 06:36:02 tron systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Jun 09 06:36:02 tron systemd[1]: apparmor.service: Failed with result 'exit-code'.
Jun 09 06:36:02 tron systemd[1]: Failed to start Load AppArmor profiles.
sdwdate is also not defined as a service:
sudo systemctl status sdwdate
Unit sdwdate.service could not be found.
sudo systemctl restart sdwdate
Failed to restart sdwdate.service: Unit sdwdate.service not found.
I’ll do some more research and experiment.
I also can’t run sudo aa-enforce init-systemd:
ERROR: Profile for /{,usr/}lib/systemd/** exists in /etc/apparmor.d/init-systemd and /etc/apparmor.d/init-systemd
Also, same error with aa-logprof
sudo aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
ERROR: Profile for /{,usr/}lib/systemd/** exists in /etc/apparmor.d/init-systemd and /etc/apparmor.d/init-systemd
This is my aa-status:
sudo aa-status
apparmor module is loaded.
64 profiles are loaded.
45 profiles are in enforce mode.
/**/*-browser/Browser/firefox
/usr/bin/hexchat
/usr/bin/man
/usr/bin/pidgin
/usr/bin/pidgin//sanitized_helper
/usr/bin/sdwdate
/usr/bin/timesanitycheck
/usr/bin/tor-circuit-established-check
/usr/bin/totem
/usr/bin/totem-audio-preview
/usr/bin/totem-video-thumbnailer
/usr/bin/totem//sanitized_helper
/usr/bin/url_to_unixtime
/usr/bin/xchat
/usr/lib/helper-scripts/first-boot-skel
/usr/lib/security-misc/pam-abort-on-locked-password
/usr/lib/security-misc/pam_only_if_login
/usr/lib/security-misc/pam_tally2-info
/usr/lib/security-misc/panic-on-oops
/usr/lib/security-misc/permission-lockdown
/usr/lib/security-misc/remove-system.map
/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session
/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session//chromium
/usr/sbin/apt-cacher-ng
/usr/sbin/haveged
/usr/sbin/libvirtd
/usr/sbin/libvirtd//qemu_bridge_helper
apt.systemd.daily
bootclockrandomization
dbus-daemon
man_filter
man_groff
networking-aae
nvidia_modprobe
nvidia_modprobe//kmod
rsyslogd
sandbox-app-launcher
sandbox-app-launcher-wx
spice-vdagent
spice-vdagentd
system_tor
systemd-modules-load
systemd-shutdown
systemd-sysctl
virt-aa-helper
19 profiles are in complain mode.
/usr/bin/irssi
/usr/sbin/anondate-get
/usr/sbin/anondate-set
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
avahi-daemon
identd
init-systemd
klogd
mdnsd
nmbd
nscd
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
19 processes have profiles defined.
15 processes are in enforce mode.
/home/user/.tb/tor-browser/Browser/firefox.real (1752) /**/*-browser/Browser/firefox
/home/user/.tb/tor-browser/Browser/TorBrowser/Tor/tor (1796) /**/*-browser/Browser/firefox
/home/user/.tb/tor-browser/Browser/firefox.real (1823) /**/*-browser/Browser/firefox
/home/user/.tb/tor-browser/Browser/firefox.real (1862) /**/*-browser/Browser/firefox
/home/user/.tb/tor-browser/Browser/firefox.real (1937) /**/*-browser/Browser/firefox
/usr/bin/python3.7 (1191) /usr/bin/sdwdate
/usr/bin/sleep (1986) /usr/bin/sdwdate
/usr/sbin/haveged (995)
/usr/sbin/libvirtd (1107)
/usr/bin/dbus-daemon (1003) dbus-daemon
/usr/bin/dbus-daemon (1521) dbus-daemon
/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (1554) dbus-daemon
/usr/bin/dbus-daemon (1649) dbus-daemon
/usr/sbin/rsyslogd (999) rsyslogd
/usr/bin/tor (1149) system_tor
4 processes are in complain mode.
/usr/sbin/dnsmasq (1126)
/usr/sbin/dnsmasq (1284)
/usr/sbin/dnsmasq (1357)
/usr/sbin/dnsmasq (1358)
0 processes are unconfined but have a profile defined.
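To see what a candidate tunable actually matches without another reboot-and-read-dmesg cycle, here is an added example (not code from this thread or from apparmor-profile-everything): a small Python reimplementation of the AppArmor glob subset these tunables use (a single * does not cross /, [...] is a character class, {a,b} is alternation, @{var} is expanded), run over the @{sys_pci} and @{dev_ttys} definitions posted above and, for comparison, a constructed digits-only variant. The @{sys} value /sys/ is what the stock tunables/sys (pulled in by tunables/global) defines; collapsing the doubled slash that expansion produces is an assumption about how the parser treats it, and the 0000:0a:00.0 sample (a bus number above 9) is constructed rather than taken from this machine.

```python
"""Check which sysfs directories an AppArmor tunable covers (added example,
not code from this thread or from apparmor-profile-everything).

Implements the glob subset from apparmor.d(5) that these tunables use: '*'
matches a run of non-'/' characters, '**' also crosses '/', '[...]' is a
character class (',' inside it is a literal member), '{a,b}' is alternation
and @{name} expands a variable.  Assumption: doubled slashes produced by
expansion (@{sys} ends in '/') are collapsed, as the parser tolerates them.
"""
import re

# Tunables as posted in the thread; @{sys} is from the stock tunables/sys.
THREAD_TUNABLES = {
    "sys": "/sys/",
    "sys_pci_numbers": "[0-9,a-z][0-9,a-z][0-9,a-z][0-9,a-z]:[0-9,a-z][0-9,a-z]",
    "sys_pci": "@{sys}/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/"
               "{,@{sys_pci_numbers}:*.*/}",
    "dev_ttys": "/dev/tty{,S}[0-9]{,[0-9]}",
}

# Constructed comparison: digits-only class, no alternative for a bridge's children.
DIGITS_ONLY_TUNABLES = {
    "sys": "/sys/",
    "sys_pci_numbers": "[0-9][0-9][0-9][0-9]:[0-9][0-9]",
    "sys_pci": "@{sys}/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/",
}

_VAR = re.compile(r"@\{([A-Za-z0-9_]+)\}")

def expand(pattern, tunables):
    """Substitute @{name} references until none remain, then collapse '//'."""
    previous = None
    while previous != pattern:
        previous = pattern
        pattern = _VAR.sub(lambda m: tunables[m.group(1)], pattern)
    return re.sub(r"/{2,}", "/", pattern)

def _split_alternatives(body):
    """Split '{...}' contents on commas that are not inside a [...] class."""
    parts, current, in_class = [], [], False
    for ch in body:
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
            continue
        current.append(ch)
    parts.append("".join(current))
    return parts

def glob_to_regex(glob):
    """Translate an expanded AppArmor path glob into a Python regex."""
    out, i = [], 0
    while i < len(glob):
        ch = glob[i]
        if ch == "*":
            two = glob.startswith("**", i)
            out.append(".*" if two else "[^/]*")
            i += 2 if two else 1
        elif ch == "[":
            end = glob.index("]", i)
            out.append(glob[i:end + 1])   # character class copied verbatim
            i = end + 1
        elif ch == "{":
            end = glob.index("}", i)      # nested braces are not needed for these tunables
            alts = _split_alternatives(glob[i + 1:end])
            out.append("(?:" + "|".join(glob_to_regex(a) for a in alts) + ")")
            i = end + 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)

def covers(tunable, path, tunables):
    """True if the fully expanded tunable matches the whole path."""
    return re.fullmatch(glob_to_regex(expand("@{%s}" % tunable, tunables)), path) is not None

# Sample directories: the first is the directory of the denied Xorg paths in the
# thread; the others are constructed from address forms seen on this machine.
SAMPLE_DIRS = [
    "/sys/devices/pci0000:00/0000:00:00.0/",
    "/sys/devices/pci0000:00/0000:00:1a.0/",               # hex in the slot: '*' covers it
    "/sys/devices/pci0000:00/0000:0a:00.0/",               # constructed: hex in the bus number
    "/sys/devices/pci0000:00/0000:00:03.0/0000:04:00.1/",  # function behind a bridge
    "/sys/devices/pci0000:00/0000:00:1a.0/usb1/",          # a USB child, not a PCI function
]

def report(tunables):
    """Map each sample directory to whether @{sys_pci} covers it."""
    return {d: covers("sys_pci", d, tunables) for d in SAMPLE_DIRS}

if __name__ == "__main__":
    for label, tun in (("thread", THREAD_TUNABLES), ("digits-only", DIGITS_ONLY_TUNABLES)):
        print(label, expand("@{sys_pci}", tun))
        for d, ok in report(tun).items():
            print("   covers" if ok else "   MISSES", d)
```

What it shows: a letter in the slot number, as in 0000:00:1a.0, is covered by the * with either class, so [0-9,a-z] only makes a difference in the domain:bus part (0000:0a), and the {,...} alternative is what covers a function behind a bridge such as 0000:00:03.0/0000:04:00.1. The comma inside [0-9,a-z] is a literal member of the class, harmless but unnecessary.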
/usr/bin/deb-systemd-helper: error: unable to read sdwdate.service Failed to get unit file state for sdwdate.service: No such file or directory sdwdate.service is a disabled or a static unit not running, not starting it.
Therefore we need to look “inside” of /usr/bin/deb-systemd-helper.
Could you please help debug this sdwdate AAE issue? The following needs to be done without AAE (otherwise I suppose you don’t have permission to do that).
sudo mkdir -p /etc/sdwdate_maint.d
sudoedit /etc/sdwdate_maint.d/50_user.conf
Add.
set -x
DEBDEBUG=1
export _DEB_SYSTEMD_HELPER_DEBUG=1
Save.
Then during sdwdate re-installation we should get a lot of debug output.
Does file /lib/systemd/system/sdwdate.service exist?
Is file /lib/systemd/system/sdwdate.service readable?
cat /lib/systemd/system/sdwdate.service
ls -la /lib/systemd/system/sdwdate.service
Expected output:
-rw-r--r-- 1 root root 2794 Oct 20 2015 /lib/systemd/system/sdwdate.service
I started with a fresh Kicksecure install again and upgraded to where Secbrowser seems to be removed, which is fine. TorBrowser (AnonDist) is the only available Internet app, just to give context.
I installed apparmor-profile-everything and rebooted. I reinstalled sdwdate with the debug options on as stated above and here is the result:
sudo apt reinstall sdwdate
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 122 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion buster/main amd64 sdwdate all 3:15.6-1 [122 kB]
Fetched 122 kB in 5s (25.2 kB/s)
(Reading database ... 111602 files and directories currently installed.)
Preparing to unpack .../sdwdate_3%3a15.6-1_all.deb ...
Unpacking sdwdate (3:15.6-1) over (3:15.6-1) ...
+++ DEBDEBUG=1
+++ export _DEB_SYSTEMD_HELPER_DEBUG=1
+++ _DEB_SYSTEMD_HELPER_DEBUG=1
++ shopt -u nullglob
++ check_scripts_to_skip
++ local skip_script
+ set -e
+ rm --force /usr/lib/sdwdate/sclockadj
+ '[' upgrade = purge ']'
+ dpkg-maintscript-helper rm_conffile /etc/sdwdate.d/30_default -- upgrade 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/sdwdate.d/30_sdwdate_default -- upgrade 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/sdwdate.d/31_anon_dist_con_check_plugin -- upgrade 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/sdwdate.d/31_anon_dist_stream_isolation_plugin -- upgrade 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/apparmor.d/abstractions/sdwdate -- upgrade 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/apparmor.d/usr.lib.sdwdate.url_to_unixtime -- upgrade 3:15.6-1
+ '[' -d /run/systemd/system ']'
+ systemctl --system daemon-reload
+ '[' upgrade = remove ']'
+ '[' upgrade = purge ']'
+ '[' upgrade = purge ']'
+ '[' upgrade = purge ']'
Setting up sdwdate (3:15.6-1) ...
+++ DEBDEBUG=1
+++ export _DEB_SYSTEMD_HELPER_DEBUG=1
+++ _DEB_SYSTEMD_HELPER_DEBUG=1
++ shopt -u nullglob
++ check_scripts_to_skip
++ local skip_script
+ set -e
+ true '
#####################################################################
## INFO: BEGIN: sdwdate postinst configure' '3:15.6-1
#####################################################################
'
+ '[' -x /usr/lib/helper-scripts/torsocks-remove-ld-preload ']'
+ source /usr/lib/helper-scripts/torsocks-remove-ld-preload
++ : 1
++ : ''
++ '[' 1 = 1 ']'
++ set -x
++ '[' 1 = 1 ']'
++ true 'LD_PRELOAD: '
+++ echo ''
+++ sed 's/\/usr\/lib\/torsocks\/libtorsocks.so//g'
++ LD_PRELOAD=
++ '[' 1 = 1 ']'
++ true 'exit code: 0'
++ export LD_PRELOAD
++ '[' 1 = 1 ']'
++ true 'exit code: 0'
++ true 'LD_PRELOAD: '
+ case "$1" in
+ addgroup debian-tor
+ true
+ adduser --home /run/sdwdate --no-create-home --quiet --system --group sdwdate
++ getent passwd sdwdate
++ cut -d: -f6
+ sdwdate_home=/run/sdwdate
+ '[' /run/sdwdate = /nonexistent ']'
+ usermod -m -d /run/sdwdate sdwdate
usermod: no changes
+ mkdir -p /run/sdwdate
+ chown sdwdate:sdwdate /run/sdwdate
+ addgroup sdwdate debian-tor
The user `sdwdate' is already a member of `debian-tor'.
+ addgroup sdwdate systemd-journal
The user `sdwdate' is already a member of `systemd-journal'.
+ gcc /usr/lib/sdwdate/sclockadj.c -o /usr/lib/sdwdate/sclockadj -ldl -D_GNU_SOURCE -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wl,-z,relro -Wl,-z,now
+ timedatectl set-ntp false
+ rm --force /etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service
+ '[' -d /lib/systemd/system/sdwdate.service.d/ ']'
++ uname -m
+ arch=x86_64
+ syscall_comment='## This file has been auto-generated by: /var/lib/dpkg/info/sdwdate.postinst
## Changes will be lost when sdwdate is upgraded.
## See file /lib/systemd/system/sdwdate.service for comments.
## Architecture: x86_64
'
+ [[ x86_64 =~ arm ]]
+ [[ x86_64 =~ aarch ]]
+ [[ x86_64 =~ ppc ]]
+ [[ x86_64 =~ x86 ]]
+ syscall_whitelist='## Default. No changes required.'
+ echo '## This file has been auto-generated by: /var/lib/dpkg/info/sdwdate.postinst
## Changes will be lost when sdwdate is upgraded.
## See file /lib/systemd/system/sdwdate.service for comments.
## Architecture: x86_64
## Default. No changes required.'
+ tee /lib/systemd/system/sdwdate.service.d/20_arch_syscall_whitelist.conf
+ true 'INFO: debhelper beginning here.'
+ '[' configure = configure ']'
+ APP_PROFILE=/etc/apparmor.d/usr.bin.sdwdate
+ '[' -f /etc/apparmor.d/usr.bin.sdwdate ']'
+ LOCAL_APP_PROFILE=/etc/apparmor.d/local/usr.bin.sdwdate
+ test -e /etc/apparmor.d/local/usr.bin.sdwdate
+ aa-enabled --quiet
+ apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.sdwdate
+ '[' configure = configure ']'
+ APP_PROFILE=/etc/apparmor.d/usr.bin.url_to_unixtime
+ '[' -f /etc/apparmor.d/usr.bin.url_to_unixtime ']'
+ LOCAL_APP_PROFILE=/etc/apparmor.d/local/usr.bin.url_to_unixtime
+ test -e /etc/apparmor.d/local/usr.bin.url_to_unixtime
+ aa-enabled --quiet
+ apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.url_to_unixtime
+ which py3compile
+ py3compile -p sdwdate
+ which pypy3compile
+ '[' configure = configure ']'
+ '[' -d /run/systemd/system ']'
+ systemd-tmpfiles --create sdwdate.conf
+ dpkg-maintscript-helper rm_conffile /etc/sdwdate.d/30_default -- configure 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/sdwdate.d/30_sdwdate_default -- configure 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/sdwdate.d/31_anon_dist_con_check_plugin -- configure 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/sdwdate.d/31_anon_dist_stream_isolation_plugin -- configure 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/apparmor.d/abstractions/sdwdate -- configure 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/apparmor.d/usr.lib.sdwdate.url_to_unixtime -- configure 3:15.6-1
+ '[' configure = configure ']'
+ deb-systemd-helper unmask sdwdate-restart-tor-request-file-watcher.service
(deb-systemd-helper DEBUG) is purge = no
(deb-systemd-helper DEBUG) action = unmask, scriptname = sdwdate-restart-tor-request-file-watcher.service, service_path = /lib/systemd/system/sdwdate-restart-tor-request-file-watcher.service
(deb-systemd-helper DEBUG) rmdir_if_empty /var/lib/systemd/deb-systemd-helper-masked
(deb-systemd-helper DEBUG) rmdir(/var/lib/systemd/deb-systemd-helper-masked) failed (No such file or directory)
+ deb-systemd-helper --quiet was-enabled sdwdate-restart-tor-request-file-watcher.service
(deb-systemd-helper DEBUG) is purge = no
(deb-systemd-helper DEBUG) action = was-enabled, scriptname = sdwdate-restart-tor-request-file-watcher.service, service_path = /lib/systemd/system/sdwdate-restart-tor-request-file-watcher.service
(deb-systemd-helper DEBUG) Reading state file /var/lib/systemd/deb-systemd-helper-enabled/sdwdate-restart-tor-request-file-watcher.service.dsh-also
(deb-systemd-helper DEBUG) Contents: $VAR1 = [
'/etc/systemd/system/multi-user.target.wants/sdwdate-restart-tor-request-file-watcher.service'
];
(deb-systemd-helper DEBUG) All links present, considering sdwdate-restart-tor-request-file-watcher.service was-enabled.
+ deb-systemd-helper enable sdwdate-restart-tor-request-file-watcher.service
(deb-systemd-helper DEBUG) is purge = no
(deb-systemd-helper DEBUG) action = enable, scriptname = sdwdate-restart-tor-request-file-watcher.service, service_path = /lib/systemd/system/sdwdate-restart-tor-request-file-watcher.service
(deb-systemd-helper DEBUG) Renaming temp file /var/lib/systemd/deb-systemd-helper-enabled/.stateogZ6Q.tmp to state file /var/lib/systemd/deb-systemd-helper-enabled/sdwdate-restart-tor-request-file-watcher.service.dsh-also
+ '[' configure = configure ']'
+ deb-systemd-helper unmask sdwdate.service
(deb-systemd-helper DEBUG) is purge = no
(deb-systemd-helper DEBUG) action = unmask, scriptname = sdwdate.service, service_path = sdwdate.service
(deb-systemd-helper DEBUG) rmdir_if_empty /var/lib/systemd/deb-systemd-helper-masked
(deb-systemd-helper DEBUG) rmdir(/var/lib/systemd/deb-systemd-helper-masked) failed (No such file or directory)
+ deb-systemd-helper --quiet was-enabled sdwdate.service
(deb-systemd-helper DEBUG) is purge = no
(deb-systemd-helper DEBUG) action = was-enabled, scriptname = sdwdate.service, service_path = sdwdate.service
(deb-systemd-helper DEBUG) Reading state file /var/lib/systemd/deb-systemd-helper-enabled/sdwdate.service.dsh-also
(deb-systemd-helper DEBUG) Contents: $VAR1 = [
'/etc/systemd/system/multi-user.target.wants/sdwdate.service'
];
(deb-systemd-helper DEBUG) All links present, considering sdwdate.service was-enabled.
+ deb-systemd-helper enable sdwdate.service
(deb-systemd-helper DEBUG) is purge = no
(deb-systemd-helper DEBUG) action = enable, scriptname = sdwdate.service, service_path = sdwdate.service
/usr/bin/deb-systemd-helper: error: unable to read sdwdate.service
+ true
+ '[' configure = configure ']'
+ '[' -d /run/systemd/system ']'
+ systemctl --system daemon-reload
+ '[' -n 3:15.6-1 ']'
+ _dh_action=restart
+ deb-systemd-invoke restart sdwdate-restart-tor-request-file-watcher.service sdwdate.service
Failed to get unit file state for sdwdate.service: No such file or directory
sdwdate.service is a disabled or a static unit not running, not starting it.
+ true 'INFO: Done with debhelper.'
+ true '
#####################################################################
## INFO: END : sdwdate postinst configure' '3:15.6-1
#####################################################################
'
+ exit 0
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for rsyslog (8.1901.0-1) ...
+ shopt -s nullglob
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub
+ source /etc/default/grub
++ GRUB_DEFAULT=0
++ GRUB_TIMEOUT=5
+++ lsb_release -i -s
++ GRUB_DISTRIBUTOR=Debian
++ GRUB_CMDLINE_LINUX_DEFAULT=quiet
++ GRUB_CMDLINE_LINUX=
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/30_apparmor.cfg
+ source /etc/default/grub.d/30_apparmor.cfg
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/30_kicksecure.cfg
+ source /etc/default/grub.d/30_kicksecure.cfg
++ GRUB_DISTRIBUTOR=Kicksecure
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/30_screen_resolution.cfg
+ source /etc/default/grub.d/30_screen_resolution.cfg
++ command -v qubesdb-read
++ GRUB_GFXPAYLOAD_LINUX=1024x768
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_cpu_mitigations.cfg
+ source /etc/default/grub.d/40_cpu_mitigations.cfg
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_distrust_cpu.cfg
+ source /etc/default/grub.d/40_distrust_cpu.cfg
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_enable_iommu.cfg
+ source /etc/default/grub.d/40_enable_iommu.cfg
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_kernel_hardening.cfg
+ source /etc/default/grub.d/40_kernel_hardening.cfg
+++ dpkg --print-architecture
++ kpkg=linux-image-amd64
+++ dpkg-query --show '--showformat=${Version}' linux-image-amd64
dpkg-query: no packages found matching linux-image-amd64
++ kver=
++ true
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge'
++ dpkg --compare-versions '' ge 5.3
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP'
++ command -v qubesdb-read
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none'
++ dpkg --compare-versions '' ge 5.2
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy'
+++ echo quiet
+++ str_replace quiet ''
++ GRUB_CMDLINE_LINUX_DEFAULT=
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy quiet loglevel=0'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy quiet loglevel=0 debugfs=off'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/init-select.cfg
+ source /etc/default/grub.d/init-select.cfg
+ for file_name in /boot/vmlinuz-*
+ base_name=vmlinuz-4.19.122
+ search=vmlinuz-
+ replace=
++ echo vmlinuz-4.19.122
++ str_replace vmlinuz- ''
+ version=4.19.122
+ unset search
+ unset replace
+ break
+ '[' 4.19.122 = '' ']'
+ real_grub_cfg=/boot/grub/grub.cfg
+ file_replace=/boot/grub/grub.cfg.temp
+ test -w /boot/grub/grub.cfg
+ cp /boot/grub/grub.cfg /boot/grub/grub.cfg.temp
+ test -w /boot/grub/grub.cfg.temp
+ search=' GNU/Linux'
+ replace=
+ str_replace ' GNU/Linux' '' /boot/grub/grub.cfg.temp
+ search=', with Linux 4.19.122'
+ replace=
+ str_replace ', with Linux 4.19.122' '' /boot/grub/grub.cfg.temp
+ search='menuentry '\''Kicksecure'\'''
+ replace='menuentry '\''PERSISTENT mode USER (For daily activities.)'\'''
+ str_replace 'menuentry '\''Kicksecure'\''' 'menuentry '\''PERSISTENT mode USER (For daily activities.)'\''' /boot/grub/grub.cfg.temp
+ search='menuentry '\''Kicksecure (recovery mode)'\'''
+ replace='menuentry '\''Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)'\'''
+ str_replace 'menuentry '\''Kicksecure (recovery mode)'\''' 'menuentry '\''Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)'\''' /boot/grub/grub.cfg.temp
+ test -x /usr/bin/grub-script-check
+ /usr/bin/grub-script-check /boot/grub/grub.cfg.temp
+ cp /boot/grub/grub.cfg.temp /boot/grub/grub.cfg
+ exit 0
I did notice that I only had to edit sudoedit ‘/etc/apparmor.d/tunables/init-systemd’ to get LightDM to work:
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
#include <tunables/global>
@{sys_pci_numbers}=[0-9][0-9][0-9][0-9]:[0-9][0-9]
##@{sys_pci}=/sys/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/
@{sys_pci}=@{sys}/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/
@{dev_ttys}=/dev/tty{,S}[0-9]{,[0-9]}
This is what shows via dmesg:
[ 31.786159] audit: type=1400 audit(1623327095.227:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/libvirtd" pid=719 comm="apparmor_parser"
[ 31.786171] audit: type=1400 audit(1623327095.227:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/libvirtd//qemu_bridge_helper" pid=719 comm="apparmor_parser"
[ 31.787514] audit: type=1400 audit(1623327095.227:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="apt.systemd.daily" pid=721 comm="apparmor_parser"
[ 31.788844] audit: type=1400 audit(1623327095.227:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/tor-circuit-established-check" pid=718 comm="apparmor_parser"
[ 31.793385] audit: type=1400 audit(1623327095.231:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagent" pid=714 comm="apparmor_parser"
[ 31.793395] audit: type=1400 audit(1623327095.231:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagentd" pid=714 comm="apparmor_parser"
[ 31.800650] audit: type=1400 audit(1623327095.239:12): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/timesanitycheck" pid=717 comm="apparmor_parser"
[ 31.828487] audit: type=1400 audit(1623327095.267:13): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/helper-scripts/first-boot-skel" pid=716 comm="apparmor_parser"
[ 31.828502] audit: type=1400 audit(1623327095.267:14): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/security-misc/pam-abort-on-locked-password" pid=716 comm="apparmor_parser"
[ 31.828515] audit: type=1400 audit(1623327095.267:15): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/security-misc/pam_only_if_login" pid=716 comm="apparmor_parser"
Systemctl results:
sudo systemctl
UNIT LOAD ACTIVE SUB DESCRIPTION
sys-devices-pci0000:00-0000:00:03.0-0000:04:00.1-sound-card1.device loaded active plugged Cedar HDMI Audio [Radeon
sys-devices-pci0000:00-0000:00:11.0-0000:05:00.0-host10-port\x2d10:0-end_device\x2d10:0-target10:0:0-10:0:0:0-block-sr0.device loaded active plugged HL-DT-STDVD-RAM_GHA2N
sys-devices-pci0000:00-0000:00:16.3-tty-ttyS1.device loaded active plugged C600/X79 series chipset K
sys-devices-pci0000:00-0000:00:19.0-net-eno1.device loaded active plugged 82579LM Gigabit Network C
sys-devices-pci0000:00-0000:00:1a.0-usb1-1\x2d1-1\x2d1.2-1\x2d1.2:1.0-host1-target1:0:0-1:0:0:0-block-sdd.device loaded active plugged Compact_Flash
sys-devices-pci0000:00-0000:00:1a.0-usb1-1\x2d1-1\x2d1.2-1\x2d1.2:1.0-host1-target1:0:0-1:0:0:1-block-sde.device loaded active plugged SM_xD-Picture
sys-devices-pci0000:00-0000:00:1a.0-usb1-1\x2d1-1\x2d1.2-1\x2d1.2:1.0-host1-target1:0:0-1:0:0:2-block-sdf.device loaded active plugged SD_MMC
sys-devices-pci0000:00-0000:00:1a.0-usb1-1\x2d1-1\x2d1.2-1\x2d1.2:1.0-host1-target1:0:0-1:0:0:3-block-sdg.device loaded active plugged M.S._M.S.Pro_HG
sys-devices-pci0000:00-0000:00:1a.0-usb1-1\x2d1-1\x2d1.2-1\x2d1.2:1.0-host1-target1:0:0-1:0:0:4-block-sdh.device loaded active plugged SD_MMC_M.S.PRO
sys-devices-pci0000:00-0000:00:1a.0-usb1-1\x2d1-1\x2d1.4-1\x2d1.4:1.0-host0-target0:0:0-0:0:0:0-block-sda-sda1.device loaded active plugged SanDisk_3.2Gen1 1
sys-devices-pci0000:00-0000:00:1a.0-usb1-1\x2d1-1\x2d1.4-1\x2d1.4:1.0-host0-target0:0:0-0:0:0:0-block-sda-sda2.device loaded active plugged SanDisk_3.2Gen1 2
sys-devices-pci0000:00-0000:00:1a.0-usb1-1\x2d1-1\x2d1.4-1\x2d1.4:1.0-host0-target0:0:0-0:0:0:0-block-sda.device loaded active plugged SanDisk_3.2Gen1
sys-devices-pci0000:00-0000:00:1b.0-sound-card0.device loaded active plugged C600/X79 series chipset H
sys-devices-pci0000:00-0000:00:1f.2-ata3-host4-target4:0:0-4:0:0:0-block-sdb-sdb1.device loaded active plugged Samsung_SSD_870_EVO_250GB
sys-devices-pci0000:00-0000:00:1f.2-ata3-host4-target4:0:0-4:0:0:0-block-sdb-sdb2.device loaded active plugged Samsung_SSD_870_EVO_250GB
sys-devices-pci0000:00-0000:00:1f.2-ata3-host4-target4:0:0-4:0:0:0-block-sdb-sdb5.device loaded active plugged Samsung_SSD_870_EVO_250GB
sys-devices-pci0000:00-0000:00:1f.2-ata3-host4-target4:0:0-4:0:0:0-block-sdb.device loaded active plugged Samsung_SSD_870_EVO_250GB
sys-devices-pci0000:00-0000:00:1f.2-ata5-host6-target6:0:0-6:0:0:0-block-sdc.device loaded active plugged ST1000NM0008-2F2100
sys-devices-platform-serial8250-tty-ttyS2.device loaded active plugged /sys/devices/platform/ser
sys-devices-platform-serial8250-tty-ttyS3.device loaded active plugged /sys/devices/platform/ser
sys-devices-pnp0-00:03-tty-ttyS0.device loaded active plugged /sys/devices/pnp0/00:03/t
sys-devices-virtual-block-dm\x2d0.device loaded active plugged /sys/devices/virtual/bloc
sys-devices-virtual-net-virbr0.device loaded active plugged /sys/devices/virtual/net/
sys-devices-virtual-net-virbr0\x2dnic.device loaded active plugged /sys/devices/virtual/net/
sys-devices-virtual-net-virbr1.device loaded active plugged /sys/devices/virtual/net/
sys-devices-virtual-net-virbr1\x2dnic.device loaded active plugged /sys/devices/virtual/net/
sys-devices-virtual-net-virbr2.device loaded active plugged /sys/devices/virtual/net/
sys-devices-virtual-net-virbr2\x2dnic.device loaded active plugged /sys/devices/virtual/net/
sys-subsystem-net-devices-eno1.device loaded active plugged 82579LM Gigabit Network C
sys-subsystem-net-devices-virbr0.device loaded active plugged /sys/subsystem/net/device
sys-subsystem-net-devices-virbr0\x2dnic.device loaded active plugged /sys/subsystem/net/device
sys-subsystem-net-devices-virbr1.device loaded active plugged /sys/subsystem/net/device
sys-subsystem-net-devices-virbr1\x2dnic.device loaded active plugged /sys/subsystem/net/device
sys-subsystem-net-devices-virbr2.device loaded active plugged /sys/subsystem/net/device
sys-subsystem-net-devices-virbr2\x2dnic.device loaded active plugged /sys/subsystem/net/device
-.mount loaded active mounted /
boot.mount loaded active mounted /boot
dev-hugepages.mount loaded active mounted Huge Pages File System
dev-mqueue.mount loaded active mounted POSIX Message Queue File
run-msgcollector.mount loaded active mounted /run/msgcollector
run-user-1000.mount loaded active mounted /run/user/1000
sys-kernel-debug.mount loaded active mounted Kernel Debug File System
systemd-ask-password-console.path loaded active waiting Dispatch Password Request
systemd-ask-password-wall.path loaded active waiting Forward Password Requests
init.scope loaded active running System and Service Manage
session-2.scope loaded active running Session 2 of user user
● apparmor.service loaded failed failed Load AppArmor profiles
blk-availability.service loaded active exited Availability of block dev
bootclockrandomization.service loaded active exited Boot Clock Randomization
console-setup.service loaded active exited Set console font and keym
cron.service loaded active running Regular background progra
dbus.service loaded active running D-Bus System Message Bus
dist-skel-first-boot.service loaded active exited /home/user from /etc/skel
dnsmasq.service loaded active running dnsmasq - A lightweight D
getty@tty1.service loaded active running Getty on tty1
haveged.service loaded active running Entropy daemon using the
ifup@eno1.service loaded active exited ifup for eno1
ifupdown-pre.service loaded active exited Helper to synchronize boo
jitterentropy.service loaded active running Jitterentropy Gatherer Da
keyboard-setup.service loaded active exited Set the console keyboard
kmod-static-nodes.service loaded active exited Create list of required s
libvirt-guests.service loaded active exited Suspend/Resume Running li
libvirtd.service loaded active running Virtualization daemon
lightdm.service loaded active running Light Display Manager
lkrg-dkms.service loaded active exited Linux Kernel Runtime Guar
lvm2-monitor.service loaded active exited Monitoring of LVM2 mirror
msgcollector.service loaded active exited msgcollector
networking.service loaded active exited Raise network interfaces
openvpn.service loaded active exited OpenVPN service
polkit.service loaded active running Authorization Manager
remove-system-map.service loaded active exited Removes the System.map fi
rsyslog.service loaded active running System Logging Service
sdwdate-aae.service loaded active running Secure Distributed Web Da
sdwdate-gui-shutdown-notify.service loaded active exited Notify sdwdate-gui on gat
sdwdate-restart-tor-request-file-watcher.service loaded active running Secure Distributed Web Da
sdwdate systemctl status:
sdwdate-aae.service - Secure Distributed Web Date
Loaded: loaded (/lib/systemd/system/sdwdate-aae.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-06-10 12:53:47 UTC; 6s ago
Docs: https://www.whonix.org/wiki/sdwdate
Main PID: 19401 (sdwdate)
Status: "Running sdwdate main loop. iteration: 1 / 10000"
Tasks: 3 (limit: 4915)
Memory: 25.3M
CGroup: /system.slice/sdwdate-aae.service
├─19401 /usr/bin/python3 -u /usr/bin/sdwdate
└─19438 /usr/bin/python3 -u /usr/bin/url_to_unixtime 127.0.0.1 9050 https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion 80 true
Jun 10 12:53:48 tron sdwdate[19401]: 2021-06-10 12:53:48 - sdwdate - INFO - pool 0: pool_size: 20 url_index: 9 already_picked_number: 1 already_picked_index: [9]
Jun 10 12:53:48 tron sdwdate[19401]: 2021-06-10 12:53:48 - sdwdate - INFO - pool 1: pool_size: 19 url_index: 0 already_picked_number: 1 already_picked_index: [0]
Jun 10 12:53:48 tron sdwdate[19401]: 2021-06-10 12:53:48 - sdwdate - INFO - pool 2: pool_size: 24 url_index: 8 already_picked_number: 1 already_picked_index: [8]
Jun 10 12:53:48 tron sdwdate[19401]: 2021-06-10 12:53:48 - sdwdate - INFO - requested urls ['http://potatoynwcg34xyodol6p6hvi5e4xelxdeowsl5t2daxywepub32y7yd.onion', 'https://duckduckgogg42xj
Jun 10 12:53:48 tron sdwdate[19401]: remote_times.py: url_to_unixtime_command (s):
Jun 10 12:53:48 tron sdwdate[19401]: url_to_unixtime 127.0.0.1 9050 http://potatoynwcg34xyodol6p6hvi5e4xelxdeowsl5t2daxywepub32y7yd.onion 80 true
Jun 10 12:53:48 tron sdwdate[19401]: url_to_unixtime 127.0.0.1 9050 https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion 80 true
Jun 10 12:53:48 tron sdwdate[19401]: url_to_unixtime 127.0.0.1 9050 http://3gtoclri7h6xrtjjapfezcerj4dqf3fwfk3jmhrhz25i5pyprmz47gad.onion 80 true
Jun 10 12:53:49 tron sdwdate[19401]: remote_times.py: i: 0 | done
Jun 10 12:53:50 tron sdwdate[19401]: remote_times.py: i: 2 | done
Seems to be running; however, I have waited quite a bit to see if it completes, but it ends there at remote_times.py.
I do see sdwdate-gui going back and forth between the X and fetching icons, and the log is still blank. Is sdwdate-gui part of the sdwdate AppArmor profile, or does that need to be added as well? It could just be a permission issue.
I ran the commands stated by Patrick above:
cat /lib/systemd/system/sdwdate.service
cat: /lib/systemd/system/sdwdate.service: No such file or directory
ls -la /lib/systemd/system/sdwdate.service
ls: cannot access '/lib/systemd/system/sdwdate.service': No such file or directory
I added -aae to the commands:
ls -la /lib/systemd/system/sdwdate-aae.service
-rw-r--r-- 1 root root 1836 Oct 21 2015 /lib/systemd/system/sdwdate-aae.service
cat /lib/systemd/system/sdwdate-aae.service
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
[Unit]
Description=Secure Distributed Web Date
Documentation=https://www.whonix.org/wiki/sdwdate
ConditionPathExists=!/run/qubes/this-is-templatevm
ConditionPathExists=/usr/bin/sdwdate
## systemd-nspawn does not allow clock to be changed inside the container.
## Quote https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html
## The host’s network interfaces and the system clock may not be changed from within the container.
## https://forums.whonix.org/t/bootclockrandomization-always-moving-clock-plus-or-5-seconds/2200/10
ConditionVirtualization=!systemd-nspawn
After=network.target
Wants=network.target
After=rinetd.service
After=bootclockrandomization.service
After=tor.service
After=tor@default.service
Conflicts=systemd-timesyncd.service
[Service]
Type=notify
User=sdwdate
Group=sdwdate
ExecStart=/usr/bin/sdwdate
SuccessExitStatus=143
TimeoutSec=30
WatchdogSec=200m
Restart=always
# Hardening.
# no_new_privs blocks transitions to sdwdate's AppArmor profile.
#AmbientCapabilities=CAP_SYS_TIME
#CapabilityBoundingSet=CAP_SYS_TIME
ProtectSystem=strict
ReadWriteDirectories=/run/sdwdate/
ProtectHome=true
#ProtectKernelTunables=true
#ProtectKernelModules=true
ProtectControlGroups=true
PrivateTmp=true
PrivateMounts=true
#PrivateDevices=true
#MemoryDenyWriteExecute=true
#NoNewPrivileges=true
#RestrictRealtime=true
#SystemCallArchitectures=native
#RestrictNamespaces=true
#RestrictAddressFamilies=AF_UNIX AF_INET
# Broken. Need list of syscalls. Alternative below.
#SystemCallFilter=@clock @ipc @signal
# Blacklist certain syscalls. A whitelist would be stronger.
#SystemCallFilter=~@mount @cpu-emulation @debug @keyring @module @obsolete @raw-io
[Install]
WantedBy=multi-user.target
Ran sudo -u sdwdate sdwdate as recommended by Patrick:
2021-06-10 13:05:33 - sdwdate - INFO - sdwdate started. PID: 25860
2021-06-10 13:05:33 - sdwdate - INFO - Tor socks host: 127.0.0.1 Tor socks port: 9050
2021-06-10 13:05:33 - sdwdate - INFO - Running sdwdate main loop. iteration: 1 / 10000
2021-06-10 13:05:34 - sdwdate - INFO - PREPARATION:
2021-06-10 13:05:34 - sdwdate - INFO - /usr/lib/helper-scripts/onion-time-pre-script: Start.
Static Time Sanity Check: Within minimum time 'Sun Jan 17 00:00:00 UTC 2021' and expiration timestamp 'Tue May 17 10:00:00 UTC 2033', ok.
Tor reports: NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"
Tor circuit: established.
Tor Consensus Time Sanity Check: Clock within consensus parameters consensus/valid-after 2021-06-10 11:00:00 and consensus/valid-until 2021-06-10 14:00:00.
Tor already reports circuit established.
/usr/lib/helper-scripts/onion-time-pre-script: END: Exiting with exit_code '0' indicating 'success'.
2021-06-10 13:05:34 - sdwdate - INFO - PREPARATION RESULT: SUCCESS.
2021-06-10 13:05:34 - sdwdate - INFO -
2021-06-10 13:05:34 - sdwdate - INFO - Initial time fetching in progress...
2021-06-10 13:05:34 - sdwdate - INFO - Running sdwdate fetch loop. iteration: 1
2021-06-10 13:05:34 - sdwdate - INFO - pool 0: pool_size: 20 url_index: 8 already_picked_number: 1 already_picked_index: [8]
2021-06-10 13:05:34 - sdwdate - INFO - pool 1: pool_size: 19 url_index: 13 already_picked_number: 1 already_picked_index: [13]
2021-06-10 13:05:34 - sdwdate - INFO - pool 2: pool_size: 24 url_index: 16 already_picked_number: 1 already_picked_index: [16]
2021-06-10 13:05:34 - sdwdate - INFO - requested urls ['http://blkchairbknpn73cfjhevhla7rkp4ed5gg2knctvv7it4lioy22defid.onion', 'http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion', 'http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion']
remote_times.py: url_to_unixtime_command (s):
url_to_unixtime 127.0.0.1 9050 http://blkchairbknpn73cfjhevhla7rkp4ed5gg2knctvv7it4lioy22defid.onion 80 true
url_to_unixtime 127.0.0.1 9050 http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion 80 true
url_to_unixtime 127.0.0.1 9050 http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion 80 true
remote_times.py: i: 2 | done
remote_times.py: i: 1 | done
remote_times.py: i: 0 | done
remote 0: http://blkchairbknpn73cfjhevhla7rkp4ed5gg2knctvv7it4lioy22defid.onion
* comment: https://web.archive.org/web/20210604180615/https://blockchair.com/
* took_time : 1.83 second(s)
* half_took_time: 0.92 second(s)
* replay_protection_unixtime: 1623315644
* remote_unixtime : 1623330348
* consensus/valid-after : 2021-06-10 11:00:00
* replay_protection_time : 2021-06-10 09:02:24
* remote_time : 2021-06-10 13:05:48
* consensus/valid-until : 2021-06-10 14:00:00
* time_diff_raw : 12 second(s)
* time_diff_lag_cleaned: 11.08 second(s)
* Time Replay Protection : sane
* Tor Consensus Time Sanity Check: sane
* remote_status: True
remote 1: http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion
* comment: https://web.archive.org/web/20201231233846/https://theintercept.com/source/ https://theintercept.com/source/ The Intercept(securedrop)
* took_time : 1.28 second(s)
* half_took_time: 0.64 second(s)
* replay_protection_unixtime: 1623315644
* remote_unixtime : 1623330348
* consensus/valid-after : 2021-06-10 11:00:00
* replay_protection_time : 2021-06-10 09:02:24
* remote_time : 2021-06-10 13:05:48
* consensus/valid-until : 2021-06-10 14:00:00
* time_diff_raw : 13 second(s)
* time_diff_lag_cleaned: 12.36 second(s)
* Time Replay Protection : sane
* Tor Consensus Time Sanity Check: sane
* remote_status: True
remote 2: http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion
* comment: https://web.archive.org/web/20201231233846/https://theintercept.com/source/ https://theintercept.com/source/ The Intercept(securedrop)
* took_time : 0.97 second(s)
* half_took_time: 0.48 second(s)
* replay_protection_unixtime: 1623315644
* remote_unixtime : 1623330348
* consensus/valid-after : 2021-06-10 11:00:00
* replay_protection_time : 2021-06-10 09:02:24
* remote_time : 2021-06-10 13:05:48
* consensus/valid-until : 2021-06-10 14:00:00
* time_diff_raw : 13 second(s)
* time_diff_lag_cleaned: 12.52 second(s)
* Time Replay Protection : sane
* Tor Consensus Time Sanity Check: sane
* remote_status: True
remote_times.py: urls_list:
['http://blkchairbknpn73cfjhevhla7rkp4ed5gg2knctvv7it4lioy22defid.onion', 'http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion', 'http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion']
remote_times.py: status_list:
['ok', 'ok', 'ok']
remote_times.py: took_time_list:
[1.83, 1.28, 0.97]
remote_times.py: half_took_time_list:
[0.92, 0.64, 0.48]
remote_times.py: remote_unixtime_list:
[1623330348, 1623330348, 1623330348]
remote_times.py: time_diff_raw_int_list:
[12, 13, 13]
remote_times.py: time_diff_lag_cleaned_float_list:
[11.08, 12.36, 12.52]
2021-06-10 13:05:36 - sdwdate - INFO - returned urls "['http://blkchairbknpn73cfjhevhla7rkp4ed5gg2knctvv7it4lioy22defid.onion', 'http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion', 'http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion']"
2021-06-10 13:05:36 - sdwdate - INFO -
2021-06-10 13:05:36 - sdwdate - INFO - failed_urls: 0 allowed_failures: 7
2021-06-10 13:05:36 - sdwdate - INFO - pool 0: http://blkchairbknpn73cfjhevhla7rkp4ed5gg2knctvv7it4lioy22defid.onion, web_time: 2021-06-10 13:05:48, took_time: 1.83 seconds, time_diff_raw: 12 seconds, time_diff_lag_cleaned: 11 seconds
2021-06-10 13:05:36 - sdwdate - INFO - pool 1: http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion, web_time: 2021-06-10 13:05:48, took_time: 0.97 seconds, time_diff_raw: 13 seconds, time_diff_lag_cleaned: 13 seconds
2021-06-10 13:05:36 - sdwdate - INFO - pool 2: http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion, web_time: 2021-06-10 13:05:48, took_time: 0.97 seconds, time_diff_raw: 13 seconds, time_diff_lag_cleaned: 13 seconds
2021-06-10 13:05:36 - sdwdate - INFO - End fetching remote times.
2021-06-10 13:05:36 - sdwdate - INFO -
2021-06-10 13:05:36 - sdwdate - INFO - Success.
2021-06-10 13:05:36 - sdwdate - INFO - request_took_times, sorted: [0.97, 1.83]
2021-06-10 13:05:36 - sdwdate - INFO - request_half_took_times, sorted: [0.48, 0.92]
2021-06-10 13:05:36 - sdwdate - INFO - time_diff_raw, sorted: [12, 13, 13]
2021-06-10 13:05:36 - sdwdate - INFO - diffs_lag_cleaned, sorted: [11, 13, 13]
2021-06-10 13:05:36 - sdwdate - INFO - median request_took_times: +1.83
2021-06-10 13:05:36 - sdwdate - INFO - median half_request_took_times: +0.92
2021-06-10 13:05:36 - sdwdate - INFO - median raw time difference: +13.00
2021-06-10 13:05:36 - sdwdate - INFO - median lag_cleaned time difference: +13.00
2021-06-10 13:05:36 - sdwdate - INFO - Not randomizing nanoseconds.
2021-06-10 13:05:36 - sdwdate - INFO - new time difference : +13.000000000
2021-06-10 13:05:36 - sdwdate - INFO - replay_protection_unixtime: 1623315644
2021-06-10 13:05:36 - sdwdate - INFO - old_unixtime : 1623330336.384205580
2021-06-10 13:05:36 - sdwdate - INFO - new_unixtime : 1623330349.384205580
2021-06-10 13:05:36 - sdwdate - INFO - replay_protection_time : 2021-06-10 09:02:24
2021-06-10 13:05:36 - sdwdate - INFO - old_unixtime_human_readable : 2021-06-10 13:05:36
2021-06-10 13:05:36 - sdwdate - INFO - new_unixtime_human_readable : 2021-06-10 13:05:49
2021-06-10 13:05:36 - sdwdate - INFO - Instantly setting the time by using command: /bin/date --utc "+%Y-%m-%d %H:%M:%S" --set "@1623330349.384205580"
2021-06-10 13:05:36 - sdwdate - INFO - /bin/date output: 2021-06-10 13:05:49
/bin/date: cannot set date: Operation not permitted
2021-06-10 13:05:36 - sdwdate - ERROR - /bin/date returncode: 1
2021-06-10 13:05:36 - sdwdate - INFO - Exiting with exit_code '1' because or reason 'bin_date_status non-zero exit code'.
2021-06-10 13:05:36 - sdwdate - INFO - sdwdate stopped by user or system.
2021-06-10 13:05:36 - sdwdate - INFO - sclockadj process not running, ok.
2021-06-10 13:05:36 - sdwdate - INFO - sleep process not running, ok.
2021-06-10 13:05:36 - sdwdate - INFO - End.
Apparmor Systemctl Status:
sudo systemctl status apparmor
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Drop-In: /usr/lib/systemd/system/apparmor.service.d
└─30_live_mode.conf
Active: failed (Result: exit-code) since Thu 2021-06-10 12:11:35 UTC; 58min ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Process: 673 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
Main PID: 673 (code=exited, status=1/FAILURE)
Jun 10 12:11:35 tron apparmor.systemd[673]: 'HOME' is already defined
Jun 10 12:11:35 tron apparmor.systemd[673]: AppArmor parser error for /etc/apparmor.d/bin.lsblk in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously declared
Jun 10 12:11:35 tron apparmor.systemd[673]: 'HOME' is already defined
Jun 10 12:11:35 tron apparmor.systemd[673]: AppArmor parser error for /etc/apparmor.d/init-systemd in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously declared
Jun 10 12:11:35 tron apparmor.systemd[673]: 'HOME' is already defined
Jun 10 12:11:35 tron apparmor.systemd[673]: AppArmor parser error for /etc/apparmor.d/usr.lib.xorg.Xorg in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously declared
Jun 10 12:11:35 tron apparmor.systemd[673]: Error: At least one profile failed to load
Jun 10 12:11:35 tron systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Jun 10 12:11:35 tron systemd[1]: apparmor.service: Failed with result 'exit-code'.
Jun 10 12:11:35 tron systemd[1]: Failed to start Load AppArmor profiles.
(deb-systemd-helper DEBUG) action = enable, scriptname = sdwdate.service, service_path = sdwdate.service
/usr/bin/deb-systemd-helper: error: unable to read sdwdate.service
/lib/systemd/system/sdwdate.service
by sdwdate
vs
/lib/systemd/system/sdwdate-aae.service
by apparmor-profile-everything
That is the issue.
Known issue, if it can be called that. AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy - #419 by madaidan
But since it got forgotten and confused all of us, a better implementation is desirable.
Best to add any error messages as a comment in the source code so they can at least be remembered when grepping the source code.
Was introduced here: Disable sdwdate systemd sandboxing and onion-grater apparmor profile by madaidan · Pull Request #61 · Kicksecure/apparmor-profile-everything · GitHub
So I wanted to start fresh and get a working Kicksecure OS with apparmor-profile-everything installed. These are the denials I was getting that the current tunables file doesn’t cover:
[ 22.280856] audit: type=1400 audit(1623499968.580:50): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:03.0/0000:04:00.0/device" pid=907 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 22.280865] audit: type=1400 audit(1623499968.580:51): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:03.0/0000:04:00.0/config" pid=907 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 40.560695] audit: type=1400 audit(1623504580.364:54): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:1c.4/0000:07:00.0/vendor" pid=926 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 40.560705] audit: type=1400 audit(1623504580.364:55): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:1c.4/0000:07:00.0/config" pid=926 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 30.775452] audit: type=1400 audit(1623505210.815:50): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:ff/0000:ff:08.0/vendor" pid=924 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 30.775465] audit: type=1400 audit(1623505210.815:51): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:ff/0000:ff:08.0/config" pid=924 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
You’ll notice that some of the denials will come up with letters or will be shorter. What would the formatting be in the tunables file to cover all the denials above?
I just put this below to accept all devices while I experiment with a format that covers all the denials above:
@{sys_pci}=@{sys}/devices/***
I know we need to be more exact in profiling but I do not know the proper format to cover all denials above at the moment.
I received these denials after reboot with the tunables left open as stated above:
[ 40.000564] audit: type=1400 audit(1623508340.150:50): apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/power/state" pid=855 comm="systemd-logind" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 40.002620] audit: type=1400 audit(1623508340.150:51): apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/power/state" pid=855 comm="systemd-logind" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 40.004911] audit: type=1400 audit(1623508340.154:52): apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/power/state" pid=855 comm="systemd-logind" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 41.379437] audit: type=1400 audit(1623508341.526:53): apparmor="DENIED" operation="file_receive" profile="dbus-daemon" name="/run/systemd/sessions/c1.ref" pid=864 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=104 ouid=0
[ 47.146480] audit: type=1400 audit(1623508347.294:54): apparmor="DENIED" operation="file_receive" profile="dbus-daemon" name="/run/systemd/sessions/2.ref" pid=864 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=104 ouid=0
[ 51.904417] audit: type=1400 audit(1623508352.054:55): apparmor="DENIED" operation="file_receive" profile="dbus-daemon" name="/run/systemd/sessions/c1.ref" pid=864 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=104 ouid=0
[ 61.126246] audit: type=1400 audit(1623508361.274:56): apparmor="DENIED" operation="file_receive" profile="dbus-daemon" name="/run/systemd/sessions/4.ref" pid=864 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=104 ouid=0
[ 61.440903] audit: type=1400 audit(1623508361.590:57): apparmor="DENIED" operation="open" profile="init-systemd" name="/dev/tty1" pid=1597 comm="systemd-logind" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=1000
[ 61.441274] audit: type=1400 audit(1623508361.590:58): apparmor="DENIED" operation="open" profile="init-systemd" name="/dev/tty1" pid=1597 comm="systemd-logind" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=1000
I added the appropriate rules and rebooted, and received more denials:
[ 39.465316] audit: type=1400 audit(1623509004.387:50): apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/class/" pid=777 comm="systemd-logind" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 39.467232] audit: type=1400 audit(1623509004.387:51): apparmor="DENIED" operation="file_receive" profile="dbus-daemon" name="/run/systemd/inhibit/2.ref" pid=783 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=104 ouid=0
[ 40.071626] audit: type=1400 audit(1623509004.991:52): apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/class/" pid=1407 comm="systemd-logind" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Rebooted a few more times and received these denials:
[ 45.442349] audit: type=1400 audit(1623511909.736:50): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1117 comm="systemd" requested_mask="receive" denied_mask="receive" signal=term peer="init-systemd"
[ 45.442658] audit: type=1400 audit(1623511909.736:51): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1117 comm="systemd" requested_mask="receive" denied_mask="receive" signal=kill peer="init-systemd"
[ 45.442858] audit: type=1400 audit(1623511909.736:52): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1117 comm="systemd" requested_mask="receive" denied_mask="receive" signal=term peer="init-systemd"
[ 45.443116] audit: type=1400 audit(1623511909.736:53): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1117 comm="systemd" requested_mask="receive" denied_mask="receive" signal=kill peer="init-systemd"
[ 55.699934] audit: type=1400 audit(1623512307.187:50): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1155 comm="systemd" requested_mask="receive" denied_mask="receive" signal=cont peer="init-systemd"
So I added these rules via sudoedit /etc/apparmor.d/local/usr.bin.dbus-daemon:
signal receive set=term,
signal receive set=kill,
signal receive set=cont,
Rebooted again and no denials, just unconfined profile loads:
[ 17.633417] EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)
[ 17.673161] audit: type=1400 audit(1623512443.087:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="systemd-shutdown" pid=407 comm="apparmor_parser"
[ 17.679815] audit: type=1400 audit(1623512443.095:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="systemd-modules-load" pid=410 comm="apparmor_parser"
[ 17.686095] audit: type=1400 audit(1623512443.103:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="systemd-sysctl" pid=413 comm="apparmor_parser"
[ 17.696987] audit: type=1400 audit(1623512443.111:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="init-systemd" pid=418 comm="apparmor_parser"
[ 18.479313] systemd[1]: Inserted module 'autofs4'
[ 21.733464] audit: type=1400 audit(1623512447.147:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="rapt" pid=675 comm="apparmor_parser"
[ 21.736810] audit: type=1400 audit(1623512447.151:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="apt.systemd.daily" pid=676 comm="apparmor_parser"
[ 21.739125] audit: type=1400 audit(1623512447.155:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagent" pid=669 comm="apparmor_parser"
[ 21.739135] audit: type=1400 audit(1623512447.155:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagentd" pid=669 comm="apparmor_parser"
[ 21.741598] audit: type=1400 audit(1623512447.155:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/timesanitycheck" pid=672 comm="apparmor_parser"
[ 21.745149] audit: type=1400 audit(1623512447.159:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/tor-circuit-established-check" pid=673 comm="apparmor_parser"
As for sdwdate, I wanted to sudo aa-complain /usr/bin/sdwdate, however, I receive this error:
sudo aa-complain /usr/bin/sdwdate
ERROR: Profile for /{,usr/}lib/systemd/** exists in /etc/apparmor.d/init-systemd and /etc/apparmor.d/init-systemd
How do I fix this so I can aa-complain sdwdate for now while the profile is being fixed?
Also, there is a boot error after installing apparmor-profile-everything for the first time:
Warning from stdin (line 1): config file '/etc/apparmor/parser.conf not found
Also, there is a kernel denial that dmesg doesn’t log pertaining to sdwdate:
Jun 9 17:00:41 grid kernel: [ 113.311127] audit: type=1400 audit(1623258041.017:25): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/sdwdate" name="/usr/sbin/anondate-get" pid=1265 comm="onion-time-pre-" requested_mask="x" denied_mask="x" fsuid=107 ouid=0 target="unconfined"
Jun 9 17:00:43 grid kernel: [ 116.025624] audit: type=1400 audit(1623258043.729:26): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/sdwdate" name="/usr/sbin/anondate-get" pid=1314 comm="onion-time-pre-" requested_mask="x" denied_mask="x" fsuid=107 ouid=0 target="unconfined"
Jun 9 17:00:47 grid kernel: [ 119.742970] audit: type=1400 audit(1623258047.449:27): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/sdwdate" name="/usr/sbin/anondate-get" pid=1415 comm="onion-time-pre-" requested_mask="x" denied_mask="x" fsuid=107 ouid=0 target="unconfined"
Jun 9 17:00:52 grid kernel: [ 124.465162] audit: type=1400 audit(1623258052.169:28): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/sdwdate" name="/usr/sbin/anondate-get" pid=1541 comm="onion-time-pre-" requested_mask="x" denied_mask="x" fsuid=107 ouid=0 target="unconfined"
Jun 9 17:00:57 grid kernel: [ 130.178889] audit: type=1400 audit(1623258057.885:29): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/sdwdate" name="/usr/sbin/anondate-get" pid=1589 comm="onion-time-pre-" requested_mask="x" denied_mask="x" fsuid=107 ouid=0 target="unconfined"
I’m going to experiment some more, hopefully this helps! Also reboot hangs on a dash blinking, I believe this was addressed somewhere here.
Thanks,
sudobash
These are very different from the previous denials. Try:
@{sys_pci}=@{sys}/devices/pci*:*/*:*:*.*/{,*:*:*.*/}
Most of these should already be fixed by Fix various denial errors · Kicksecure/apparmor-profile-everything@ded4058 · GitHub
This is because there are 3 separate policies defined in /etc/apparmor.d/init-systemd which are selectively enabled, depending on the boot mode (normal, aadebug or superroot). You can simply edit that file and comment out the aadebug and superroot profiles for now.
This is the same issue with no_new_privs that the custom sdwdate-aae.service works around by disabling all the systemd sandboxing options that imply NoNewPrivileges=true.
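The "no new privs" denials above come from systemd, not from the profile: once a unit has any directive that makes systemd set PR_SET_NO_NEW_PRIVS on the service, the kernel refuses an exec that would move the task out of its current AppArmor confinement (here /usr/bin/sdwdate trying to run /usr/sbin/anondate-get with target "unconfined"). The script below is an added example, not code from apparmor-profile-everything or from the sdwdate-aae.service mentioned above: it reads a unit file and reports which [Service] directives will force no_new_privs, then prints the drop-in that turns them off. The directive list is the one given under NoNewPrivileges= in systemd.exec(5) for systemd of the Debian 11 era; newer versions may add to it, so treat the list as an assumption to check against the installed manual page. The sample unit is constructed and is not the real sdwdate.service.

```python
"""
Added example: find the [Service] directives that make systemd set
no_new_privs (and thereby break AppArmor profile transitions), and build
the override that disables them. Not part of apparmor-profile-everything.
"""
import sys

# Directives listed in systemd.exec(5) as overriding NoNewPrivileges=no
# (assumption: list as documented for systemd ~247; re-check for newer releases).
BOOLEAN_DIRECTIVES = frozenset({
    "PrivateDevices", "ProtectKernelTunables", "ProtectKernelModules",
    "ProtectKernelLogs", "ProtectClock", "MemoryDenyWriteExecute",
    "RestrictRealtime", "RestrictSUIDSGID", "DynamicUser", "LockPersonality",
})
LIST_DIRECTIVES = frozenset({
    "SystemCallFilter", "SystemCallArchitectures", "RestrictAddressFamilies",
})
# RestrictNamespaces= accepts either a boolean or a list of namespace types.
NNP_IMPLYING = BOOLEAN_DIRECTIVES | LIST_DIRECTIVES | {"RestrictNamespaces"}
FALSE_WORDS = {"no", "false", "0", "off"}
TRUE_WORDS = {"yes", "true", "1", "on"}


def service_directives(unit_text):
    """Yield (key, value) pairs from the [Service] section in file order."""
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()


def nnp_implying_directives(unit_text):
    """Return (set of active NNP-implying directives, explicit NoNewPrivileges=yes).

    Applies systemd's own rules: an empty assignment resets a list-valued
    directive, and a false word disables a boolean one, so later lines can
    cancel earlier ones (drop-ins are not merged here; feed `systemctl cat`
    output if you want them included)."""
    active = {}
    explicit_nnp = False
    for key, value in service_directives(unit_text):
        if key == "NoNewPrivileges":
            explicit_nnp = value.lower() in TRUE_WORDS
        elif key in NNP_IMPLYING:
            if value == "" or (key not in LIST_DIRECTIVES and value.lower() in FALSE_WORDS):
                active.pop(key, None)
            else:
                active[key] = value
    return set(active), explicit_nnp


def dropin_to_disable(unit_text):
    """Build a [Service] drop-in that switches off every NNP-implying directive
    found. This is the trade the thread describes: the transition to the
    helper's domain works again, at the cost of that systemd sandboxing."""
    found, explicit = nnp_implying_directives(unit_text)
    lines = ["[Service]"]
    if explicit:
        lines.append("NoNewPrivileges=no")
    for key in sorted(found):
        lines.append(f"{key}=" if key in LIST_DIRECTIVES else f"{key}=no")
    return "\n".join(lines) + "\n"


# Constructed sample, modelled on a hardened unit running as an unprivileged
# user; it is NOT the real sdwdate.service.
SAMPLE_UNIT = """\
[Unit]
Description=sample time daemon

[Service]
User=sdwdate
ExecStart=/usr/bin/sdwdate
NoNewPrivileges=no
ProtectSystem=strict
PrivateDevices=yes
ProtectKernelTunables=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
RestrictRealtime=no
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_UNIT
    found, explicit = nnp_implying_directives(text)
    print("directives forcing no_new_privs:", sorted(found) or "none",
          "(explicit NoNewPrivileges=yes)" if explicit else "")
    print(dropin_to_disable(text), end="")
```

Run it as `systemctl cat sdwdate.service | python3 nnp_check.py` to include drop-ins. Note that `systemctl show -p NoNewPrivileges` reports the value written in the unit, not the effective one, so confirm the result on the running service with the `NoNewPrivs:` line of `/proc/$(systemctl show -p MainPID --value sdwdate)/status`. Before shipping such a drop-in, weigh what is lost: the directives you remove are exactly the ones that were confining the service when AppArmor was not.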
Is this apparmor-profile-everything dead? These are the denieds via aa-status when apparmor-profile-everything is installed on a new Whonix workstation using an AMD GPU. Any script to add these dynamically?
AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" comm="cupsd" capability=12 capname="net_admin"
AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" comm="cups-browsed" capability=23 capname="sys_nice"
AVC apparmor="DENIED" operation="capable" profile="libvirtd" comm="rpc-worker" capability=39 capname="bpf"
AVC apparmor="DENIED" operation="capable" profile="libvirtd" comm="rpc-worker" capability=38 capname="perfmon"
AVC apparmor="DENIED" operation="open" profile="/usr/bin/tor-circuit-established-check" name="/dev/tty" comm="ps" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/usr/bin/systemcheck" name="/sys/devices/virtual/dmi/id/board_vendor" comm="systemd-detect-" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="//*-browser/Browser/firefox" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" comm="obfs4proxy" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="//-browser/Browser/firefox" name="/proc/sys/net/core/somaxconn" comm="obfs4proxy" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/-browser/Browser/firefox" name="/" comm=706F6F6C2D546F722042726F777365 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="dbus-daemon" name="/usr/share/dbus-1/system.conf" comm="dbus-daemon" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/usr/libexec/helper-scripts/first-boot-skel" name="/usr/libexec/helper-scripts/first-boot-skel" comm="first-boot-skel" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="capable" profile="rsyslogd" comm="rsyslogd" capability=12 capname="net_admin"
AVC apparmor="DENIED" operation="exec" profile="/usr/bin/sdwdate" name="/usr/bin/sudo" comm="sdwdate" requested_mask="x" denied_mask="x"
AVC apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/usr/bin/sudo" comm="sdwdate" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/virtual/block/dm-1/hidden" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/virtual/block/dm-1/dm/name" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/host9/target9:0:0/9:0:0:3/block/sdf/hidden" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/host9/target9:0:0/9:0:0:3/block/sdf/dev" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/host9/target9:0:0/9:0:0:1/block/sdd/hidden" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/host9/target9:0:0/9:0:0:1/block/sdd/dev" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1f.2/ata5/host5/target5:0:0/5:0:0:0/block/sdb/hidden" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1f.2/ata5/host5/target5:0:0/5:0:0:0/block/sdb/dev" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/host9/target9:0:0/9:0:0:4/block/sdg/hidden" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/host9/target9:0:0/9:0:0:4/block/sdg/dev" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/virtual/block/dm-0/hidden" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/virtual/block/dm-0/dm/name" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/host9/target9:0:0/9:0:0:2/block/sde/hidden" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/host9/target9:0:0/9:0:0:2/block/sde/dev" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/host9/target9:0:0/9:0:0:0/block/sdc/hidden" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/host9/target9:0:0/9:0:0:0/block/sdc/dev" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1f.2/ata3/host3/target3:0:0/3:0:0:0/type" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/dev/block/" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb3/3-1/3-1.2/3-1.2:1.0/host9/target9:0:0/9:0:0:3/block/sdf/hidden" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb3/3-1/3-1.2/3-1.2:1.0/host9/target9:0:0/9:0:0:3/block/sdf/dev" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb3/3-1/3-1.2/3-1.2:1.0/host9/target9:0:0/9:0:0:1/block/sdd/hidden" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb3/3-1/3-1.2/3-1.2:1.0/host9/target9:0:0/9:0:0:1/block/sdd/dev" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb3/3-1/3-1.2/3-1.2:1.0/host9/target9:0:0/9:0:0:4/block/sdg/hidden" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb3/3-1/3-1.2/3-1.2:1.0/host9/target9:0:0/9:0:0:4/block/sdg/dev" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb3/3-1/3-1.2/3-1.2:1.0/host9/target9:0:0/9:0:0:2/block/sde/hidden" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb3/3-1/3-1.2/3-1.2:1.0/host9/target9:0:0/9:0:0:2/block/sde/dev" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb3/3-1/3-1.2/3-1.2:1.0/host9/target9:0:0/9:0:0:0/block/sdc/hidden" comm="lsblk" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb3/3-1/3-1.2/3-1.2:1.0/host9/target9:0:0/9:0:0:0/block/sdc/dev" comm="lsblk" requested_mask="r" denied_mask="r"
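On "any script to add these dynamically": aa-logprof from apparmor-utils will turn denials into rules interactively, but adding every denied path back as an allow rule is the "blanket access" problem raised earlier in this thread, so the useful automation is triage, not rule generation. The script below is an added example, not code from apparmor-profile-everything or from any post here. It parses the two denial formats seen in this thread (dmesg `audit: type=1400 ...` lines and the `AVC apparmor="DENIED" ...` summaries), decodes the hex `comm=` that AppArmor emits when the process name contains a space (the `706F6F...` value above), groups denials per profile, and checks which of the denied sysfs paths a candidate tunable would cover before it goes into a profile. The tunables used are `@{sys}` as shipped in tunables/sys and the `@{sys_pci}` pattern suggested in the reply above; the rule form `@{sys_pci}**` is an assumption about how the profile uses the variable (it already ends in a slash). The glob translation follows apparmor.d(5) (`*` stops at `/`, `**` does not, `{a,b}` alternates, `[...]` is a character class) and collapses repeated slashes the way the parser does; nesting depth and escape handling are kept minimal. The sample lines are copied from this post and the earlier one, straight-quoted.

```python
"""
Added example: triage AppArmor DENIED lines and test a candidate tunable
against the denied paths. Not part of apparmor-profile-everything.
"""
import re
import sys
from collections import Counter

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def decode_comm(value):
    """AppArmor hex-encodes comm= (unquoted) when it holds a space or a
    non-printable byte. Caveat: a genuine comm made only of an even number of
    hex digits (e.g. "beef") would be mis-decoded; AppArmor quotes those."""
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_denial(line):
    """Return the key=value fields of a DENIED line as a dict, else None."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = bare if bare else quoted
    if fields.get("apparmor") != "DENIED":
        return None
    if "comm" in fields:
        fields["comm"] = decode_comm(fields["comm"])
    return fields


def group_denials(lines):
    """Count denials by (profile, operation, object); the object is the path
    for file operations and the capability name for capable."""
    counts = Counter()
    for line in lines:
        f = parse_denial(line)
        if f is not None:
            obj = f.get("name") or f.get("capname") or ""
            counts[(f["profile"], f["operation"], obj)] += 1
    return counts


def aa_glob_to_regex(glob, variables):
    """Translate an AppArmor path glob (with @{var} expansion) to a regex.
    Assumption: '[...]' classes are passed through unchanged, which suits the
    tunables in this thread; repeated slashes are collapsed like the parser's
    filter_slashes does."""
    for _ in range(8):  # nested variables, e.g. @{sys_pci} -> @{sys}
        expanded = re.sub(r"@\{(\w+)\}", lambda m: variables[m.group(1)], glob)
        if expanded == glob:
            break
        glob = expanded
    glob = re.sub(r"/+", "/", glob)
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*"); i += 2; continue
        if c == "[":
            j = glob.index("]", i)
            out.append(glob[i:j + 1]); i = j + 1; continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:"); depth += 1
        elif c == "}":
            out.append(")"); depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def rule_coverage(denials, rule, variables):
    """Split denied paths into those the candidate rule matches and those it
    does not; only the latter still need attention."""
    rx = aa_glob_to_regex(rule, variables)
    covered, uncovered = [], []
    for (_profile, _op, obj) in denials:
        if obj.startswith("/"):
            (covered if rx.match(obj) else uncovered).append(obj)
    return sorted(covered), sorted(uncovered)


# Constructed input: lines taken from this thread, straight-quoted.
SAMPLE_LOG = [
    'AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" comm="cupsd" capability=12 capname="net_admin"',
    'AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/host9/target9:0:0/9:0:0:3/block/sdf/hidden" comm="lsblk" requested_mask="r" denied_mask="r"',
    'AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/host9/target9:0:0/9:0:0:3/block/sdf/dev" comm="lsblk" requested_mask="r" denied_mask="r"',
    'AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/devices/virtual/block/dm-1/hidden" comm="lsblk" requested_mask="r" denied_mask="r"',
    'AVC apparmor="DENIED" operation="open" profile="lsblk" name="/sys/dev/block/" comm="lsblk" requested_mask="r" denied_mask="r"',
    'Jun 9 17:00:41 grid kernel: [ 113.311127] audit: type=1400 audit(1623258041.017:25): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/sdwdate" name="/usr/sbin/anondate-get" pid=1265 comm="onion-time-pre-" requested_mask="x" denied_mask="x" fsuid=107 ouid=0 target="unconfined"',
    '[ 17.686095] audit: type=1400 audit(1623512443.103:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="systemd-sysctl" pid=413 comm="apparmor_parser"',
]

# @{sys} as in tunables/sys; @{sys_pci} as suggested in the reply above.
VARIABLES = {
    "sys": "/sys/",
    "sys_pci": "@{sys}/devices/pci*:*/*:*:*.*/{,*:*:*.*/}",
}

if __name__ == "__main__":
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    denials = group_denials(lines)
    for (profile, op, obj), n in sorted(denials.items()):
        print(f"{n:3d}  {profile}  {op}  {obj}")
    covered, uncovered = rule_coverage(denials, "@{sys_pci}**", VARIABLES)
    print("covered by @{sys_pci}**:", *covered, sep="\n  ")
    print("still uncovered:", *uncovered, sep="\n  ")
```

Feed it with `journalctl -k | python3 aa_triage.py` or `aa-status`-style output. Of the lsblk paths in this post, the `@{sys_pci}` pattern covers the PCI-attached block devices but not `/sys/devices/virtual/block/dm-*` or `/sys/dev/block/`; those need their own, equally narrow, rules rather than a widening of the PCI tunable.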
Will probably not be worked on soon unless a contributor steps up.
I’ll debug and see. This is from installing Kicksecure as-is with new Kernel version 6 used. I installed profile-everything and received these denieds.
When I aa-complain dbus-daemon, I can boot and get into XFCE4. I can use KVM to use Whonix and that is my only intention of using Kicksecure as a host.
Just install KVM and secure everything to have KVM running as fast and as secure as possible. I like this design of profiling everything and it’s just dbus that is ever so dynamic.