
Full System AppArmor Policy - Testers Wanted!



That allows blanket access to all of /sys/devices which is far too permissive. We need to enforce fine-grained restrictions. Did you try what I mentioned above?

Looks similar to: Reboot failure on Debian 10 due to systemd confinement · Issue #72 · Whonix/apparmor-profile-everything · GitHub

You are not supposed to run sdwdate from the terminal. It’s not a supported use case; it’s meant to be used via the systemd service. Doing otherwise will flood the logs with bogus denial errors.


Oh no! I misread your last suggestion and fixed it:

sudo mousepad /etc/apparmor.d/tunables/init-systemd

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

#include <tunables/global>

# digits and lower-case letters only: a comma inside [...] is matched literally
# by the AppArmor globber, so it does not belong in the class
@{sys_pci_numbers}=[0-9a-z][0-9a-z][0-9a-z][0-9a-z]:[0-9a-z][0-9a-z]
@{sys_pci}=@{sys}/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/{,@{sys_pci_numbers}:*.*/}
@{dev_ttys}=/dev/tty{,S}[0-9]{,[0-9]}

I had to add the [a-z] as I noticed some pci entries had letters in them.

On reboot, apparmor throws an error:

● apparmor.service - Load AppArmor profiles
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
  Drop-In: /usr/lib/systemd/system/apparmor.service.d
           └─30_live_mode.conf
   Active: failed (Result: exit-code) since Tue 2021-06-08 10:43:52 UTC; 3min 21s ago
     Docs: man:apparmor(7)
           https://gitlab.com/apparmor/apparmor/wikis/home/
  Process: 665 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
 Main PID: 665 (code=exited, status=1/FAILURE)

Jun 08 10:43:52 grid apparmor.systemd[665]: 'HOME' is already defined
Jun 08 10:43:52 grid apparmor.systemd[665]: AppArmor parser error for /etc/apparmor.d/bin.lsblk in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously declared
Jun 08 10:43:52 grid apparmor.systemd[665]: 'HOME' is already defined
Jun 08 10:43:52 grid apparmor.systemd[665]: AppArmor parser error for /etc/apparmor.d/init-systemd in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously declared
Jun 08 10:43:52 grid apparmor.systemd[665]: 'HOME' is already defined
Jun 08 10:43:52 grid apparmor.systemd[665]: AppArmor parser error for /etc/apparmor.d/usr.lib.xorg.Xorg in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously declared
Jun 08 10:43:52 grid apparmor.systemd[665]: Error: At least one profile failed to load
Jun 08 10:43:52 grid systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Jun 08 10:43:52 grid systemd[1]: apparmor.service: Failed with result 'exit-code'.
Jun 08 10:43:52 grid systemd[1]: Failed to start Load AppArmor profiles.

However, I am able to boot into the window manager.

I tried sudo -u sdwdate sdwdate in the terminal:

sudo -u sdwdate sdwdate
2021-06-08 10:57:20 - sdwdate - INFO - sdwdate started. PID: 2120
2021-06-08 10:57:20 - sdwdate - INFO - Tor socks host: 127.0.0.1 Tor socks port: 9050
2021-06-08 10:57:20 - sdwdate - INFO - Running sdwdate main loop. iteration: 1 / 10000
2021-06-08 10:57:20 - sdwdate - INFO - PREPARATION:
2021-06-08 10:57:20 - sdwdate - INFO - /usr/lib/helper-scripts/onion-time-pre-script: Start.
Static Time Sanity Check: Within minimum time 'Sun Jan 17 00:00:00 UTC 2021' and expiration timestamp 'Tue May 17 10:00:00 UTC 2033', ok.
Tor reports: NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"
Tor circuit: established.
Tor Consensus Time Sanity Check: Clock within consensus parameters consensus/valid-after 2021-06-08 09:00:00 and consensus/valid-until 2021-06-08 12:00:00.
Tor already reports circuit established.
/usr/lib/helper-scripts/onion-time-pre-script: END: Exiting with exit_code '0' indicating 'success'.
2021-06-08 10:57:20 - sdwdate - INFO - PREPARATION RESULT: SUCCESS.
2021-06-08 10:57:20 - sdwdate - INFO - 

2021-06-08 10:57:20 - sdwdate - INFO - Initial time fetching in progress...
2021-06-08 10:57:20 - sdwdate - INFO - Running sdwdate fetch loop. iteration: 1
2021-06-08 10:57:20 - sdwdate - INFO - pool 0: pool_size: 15 url_index: 2 already_picked_number: 1 already_picked_index: [2]
2021-06-08 10:57:20 - sdwdate - INFO - pool 1: pool_size: 15 url_index: 14 already_picked_number: 1 already_picked_index: [14]
2021-06-08 10:57:20 - sdwdate - INFO - pool 2: pool_size: 15 url_index: 4 already_picked_number: 1 already_picked_index: [4]
2021-06-08 10:57:20 - sdwdate - INFO - requested urls ['http://33y6fjyhs3phzfjj.onion', 'https://www.dwnewsvdyyiamwnp.onion', 'http://rvy6qmlqfstv6rlz.onion']
remote_times.py: url_to_unixtime_command (s):
url_to_unixtime 127.0.0.1 9050 http://33y6fjyhs3phzfjj.onion 80 true
url_to_unixtime 127.0.0.1 9050 https://www.dwnewsvdyyiamwnp.onion 80 true
url_to_unixtime 127.0.0.1 9050 http://rvy6qmlqfstv6rlz.onion 80 true

remote_times.py: i: 0 | done
remote_times.py: i: 2 | done
remote_times.py: i: 1 | done
remote 0: http://33y6fjyhs3phzfjj.onion
* comment: The Guardian	https://www.theguardian.com/securedrop	https://web.archive.org/web/20201231075421/https://www.theguardian.com/securedrop
* took_time     : 2.03 second(s)
* half_took_time: 1.01 second(s)
* replay_protection_unixtime: 1623053612
* remote_unixtime           : 1623149680
* consensus/valid-after           : 2021-06-08 09:00:00
* replay_protection_time          : 2021-06-07 08:15:12
* remote_time                     : 2021-06-08 10:54:40
* consensus/valid-until           : 2021-06-08 12:00:00
* time_diff_raw        : -162 second(s)
* time_diff_lag_cleaned: -163.01 second(s)
* Time Replay Protection         : sane
* Tor Consensus Time Sanity Check: sane
* remote_status: True

remote 1: https://www.dwnewsvdyyiamwnp.onion
* comment: https://www.dw.com	https://web.archive.org/web/20210126144517/https://securityheaders.com/?q=dw.com&followRedirects=on
* took_time     : 15.92 second(s)
* half_took_time: 7.96 second(s)
* replay_protection_unixtime: 1623053612
* remote_unixtime           : 1623149694
* consensus/valid-after           : 2021-06-08 09:00:00
* replay_protection_time          : 2021-06-07 08:15:12
* remote_time                     : 2021-06-08 10:54:54
* consensus/valid-until           : 2021-06-08 12:00:00
* time_diff_raw        : -162 second(s)
* time_diff_lag_cleaned: -169.96 second(s)
* Time Replay Protection         : sane
* Tor Consensus Time Sanity Check: sane
* remote_status: True

remote 2: http://rvy6qmlqfstv6rlz.onion
* comment: https://www.c3d2.de/news/20160106-c3d2-as-onionservice.html	https://web.archive.org/web/20160807015616/https://www.c3d2.de/news/20160106-c3d2-as-onionservice.html
* took_time     : 14.51 second(s)
* half_took_time: 7.25 second(s)
* replay_protection_unixtime: 1623053612
* remote_unixtime           : 1623149692
* consensus/valid-after           : 2021-06-08 09:00:00
* replay_protection_time          : 2021-06-07 08:15:12
* remote_time                     : 2021-06-08 10:54:52
* consensus/valid-until           : 2021-06-08 12:00:00
* time_diff_raw        : -163 second(s)
* time_diff_lag_cleaned: -170.25 second(s)
* Time Replay Protection         : sane
* Tor Consensus Time Sanity Check: sane
* remote_status: True

remote_times.py: urls_list:
['http://33y6fjyhs3phzfjj.onion', 'https://www.dwnewsvdyyiamwnp.onion', 'http://rvy6qmlqfstv6rlz.onion']
remote_times.py: status_list:
['ok', 'ok', 'ok']
remote_times.py: took_time_list:
[2.03, 15.92, 14.51]
remote_times.py: half_took_time_list:
[1.01, 7.96, 7.25]
remote_times.py: remote_unixtime_list:
[1623149680, 1623149694, 1623149692]
remote_times.py: time_diff_raw_int_list:
[-162, -162, -163]
remote_times.py: time_diff_lag_cleaned_float_list:
[-163.01, -169.96, -170.25]
2021-06-08 10:57:36 - sdwdate - INFO - returned urls "['http://33y6fjyhs3phzfjj.onion', 'https://www.dwnewsvdyyiamwnp.onion', 'http://rvy6qmlqfstv6rlz.onion']"
2021-06-08 10:57:36 - sdwdate - INFO - 
2021-06-08 10:57:36 - sdwdate - INFO - failed_urls: 0 allowed_failures: 5
2021-06-08 10:57:36 - sdwdate - INFO - pool 0: http://33y6fjyhs3phzfjj.onion, web_time: 2021-06-08 10:54:40, took_time: 2.03 seconds, time_diff_raw: -162 seconds, time_diff_lag_cleaned: -163 seconds
2021-06-08 10:57:36 - sdwdate - INFO - pool 1: https://www.dwnewsvdyyiamwnp.onion, web_time: 2021-06-08 10:54:54, took_time: 15.92 seconds, time_diff_raw: -162 seconds, time_diff_lag_cleaned: -170 seconds
2021-06-08 10:57:36 - sdwdate - INFO - pool 2: http://rvy6qmlqfstv6rlz.onion, web_time: 2021-06-08 10:54:52, took_time: 14.51 seconds, time_diff_raw: -163 seconds, time_diff_lag_cleaned: -170 seconds
2021-06-08 10:57:36 - sdwdate - INFO - End fetching remote times.
2021-06-08 10:57:36 - sdwdate - INFO - 
2021-06-08 10:57:36 - sdwdate - INFO - Success.
2021-06-08 10:57:36 - sdwdate - INFO -      request_took_times, sorted: [2.03, 14.51, 15.92]
2021-06-08 10:57:36 - sdwdate - INFO - request_half_took_times, sorted: [1.01, 7.25, 7.96]
2021-06-08 10:57:36 - sdwdate - INFO -           time_diff_raw, sorted: [-163, -162, -162]
2021-06-08 10:57:36 - sdwdate - INFO -       diffs_lag_cleaned, sorted: [-170, -170, -163]
2021-06-08 10:57:36 - sdwdate - INFO - median          request_took_times: +14.51
2021-06-08 10:57:36 - sdwdate - INFO - median     half_request_took_times: +7.25
2021-06-08 10:57:36 - sdwdate - INFO - median         raw time difference: -162.00
2021-06-08 10:57:36 - sdwdate - INFO - median lag_cleaned time difference: -170.00
2021-06-08 10:57:36 - sdwdate - INFO - Not randomizing nanoseconds.
2021-06-08 10:57:36 - sdwdate - INFO - new time difference               : -162.000000000
2021-06-08 10:57:36 - sdwdate - INFO - replay_protection_unixtime: 1623053612
2021-06-08 10:57:36 - sdwdate - INFO - old_unixtime              : 1623149856.979118586
2021-06-08 10:57:36 - sdwdate - INFO - new_unixtime              : 1623149694.979118586
2021-06-08 10:57:36 - sdwdate - INFO - replay_protection_time          : 2021-06-07 08:15:12
2021-06-08 10:57:36 - sdwdate - INFO - old_unixtime_human_readable     : 2021-06-08 10:57:37
2021-06-08 10:57:36 - sdwdate - INFO - new_unixtime_human_readable     : 2021-06-08 10:54:55
2021-06-08 10:57:37 - sdwdate - INFO - Instantly setting the time by using command: /bin/date --utc "+%Y-%m-%d %H:%M:%S" --set "@1623149694.979118586"
2021-06-08 10:57:37 - sdwdate - INFO - /bin/date output: 2021-06-08 10:54:54
 /bin/date: cannot set date: Operation not permitted
2021-06-08 10:57:37 - sdwdate - ERROR - /bin/date returncode: 1
2021-06-08 10:57:37 - sdwdate - INFO - Exiting with exit_code '1' because or reason 'bin_date_status non-zero exit code'.
2021-06-08 10:57:37 - sdwdate - INFO - sdwdate stopped by user or system.
2021-06-08 10:57:37 - sdwdate - INFO - sclockadj process not running, ok.
2021-06-08 10:57:37 - sdwdate - INFO - sleep process not running, ok.
2021-06-08 10:57:37 - sdwdate - INFO - End.

The sdwdate-gui shows a lock with an X icon. /bin/date within the AppArmor sdwdate profile is defined as /{,usr/}bin/date mrix. Shouldn’t that allow /bin/date to work?

Running dmesg now:

[   72.990211] audit: type=1400 audit(1623149031.430:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="apt.systemd.daily" pid=682 comm="apparmor_parser"
[   72.992791] audit: type=1400 audit(1623149031.434:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagent" pid=675 comm="apparmor_parser"
[   72.992803] audit: type=1400 audit(1623149031.434:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagentd" pid=675 comm="apparmor_parser"
[   72.992858] audit: type=1400 audit(1623149031.434:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/tor-circuit-established-check" pid=679 comm="apparmor_parser"
[   72.993954] audit: type=1400 audit(1623149031.434:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/timesanitycheck" pid=678 comm="apparmor_parser"
[   72.996106] audit: type=1400 audit(1623149031.438:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/libvirtd" pid=680 comm="apparmor_parser"

We’re getting closer!

Also, I don’t see sdwdate as a service:

sudo service --status-all
[sudo] password for user:                
 [ - ]  apparmor
 [ - ]  console-setup.sh
 [ + ]  cron
 [ - ]  cryptdisks
 [ - ]  cryptdisks-early
 [ + ]  dbus
 [ + ]  dnsmasq
 [ - ]  gdomap
 [ + ]  haveged
 [ - ]  hwclock.sh
 [ + ]  jitterentropy-rngd
 [ - ]  keyboard-setup.sh
 [ + ]  kmod
 [ + ]  libvirt-guests
 [ + ]  libvirtd
 [ + ]  lightdm
 [ - ]  lvm2
 [ - ]  lvm2-lvmpolld
 [ + ]  networking
 [ + ]  openvpn
 [ + ]  procps
 [ + ]  rsyslog
 [ - ]  sudo
 [ + ]  sysfsutils
 [ + ]  tor
 [ + ]  udev
 [ - ]  virtlogd
 [ - ]  x11-common

When I went to the /etc/systemd/system/multi-user.target.wants/ folder, I realized that sdwdate.service is a broken link.

Kind: broken link
Link Target: /lib/systemd/system/sdwdate.service
Location: /etc/systemd/system/multi-user.target.wants

I wonder if this is the issue?

I tried to reinstall sdwdate:

sudo rapt reinstall sdwdate
Reading package lists... Done
Building dependency tree       
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/114 kB of archives.
After this operation, 0 B of additional disk space will be used.
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 111637 files and directories currently installed.)
Preparing to unpack .../sdwdate_3%3a14.7-1_all.deb ...
Unpacking sdwdate (3:14.7-1) over (3:14.7-1) ...
Setting up sdwdate (3:14.7-1) ...
usermod: no changes
The user `sdwdate' is already a member of `debian-tor'.
The user `sdwdate' is already a member of `systemd-journal'.
/usr/bin/deb-systemd-helper: error: unable to read sdwdate.service
Failed to get unit file state for sdwdate.service: No such file or directory
sdwdate.service is a disabled or a static unit not running, not starting it.
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for rsyslog (8.1901.0-1) ...
+ shopt -s nullglob
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub
+ source /etc/default/grub
++ GRUB_DEFAULT=0
++ GRUB_TIMEOUT=5
+++ lsb_release -i -s
++ GRUB_DISTRIBUTOR=Debian
++ GRUB_CMDLINE_LINUX_DEFAULT=quiet
++ GRUB_CMDLINE_LINUX=
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/30_kicksecure.cfg
+ source /etc/default/grub.d/30_kicksecure.cfg
++ GRUB_DISTRIBUTOR=Kicksecure
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/30_screen_resolution.cfg
+ source /etc/default/grub.d/30_screen_resolution.cfg
++ command -v qubesdb-read
++ GRUB_GFXPAYLOAD_LINUX=1024x768
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_cpu_mitigations.cfg
+ source /etc/default/grub.d/40_cpu_mitigations.cfg
++ GRUB_CMDLINE_LINUX=' spectre_v2=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_distrust_cpu.cfg
+ source /etc/default/grub.d/40_distrust_cpu.cfg
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_enable_iommu.cfg
+ source /etc/default/grub.d/40_enable_iommu.cfg
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_kernel_hardening.cfg
+ source /etc/default/grub.d/40_kernel_hardening.cfg
+++ dpkg --print-architecture
++ kpkg=linux-image-amd64
+++ dpkg-query --show '--showformat=${Version}' linux-image-amd64
dpkg-query: no packages found matching linux-image-amd64
++ kver=
++ true
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge'
++ dpkg --compare-versions '' ge 5.3
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP'
++ command -v qubesdb-read
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none'
++ dpkg --compare-versions '' ge 5.2
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy'
+++ echo quiet
+++ str_replace quiet ''
++ GRUB_CMDLINE_LINUX_DEFAULT=
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy quiet loglevel=0'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy quiet loglevel=0 debugfs=off'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/init-select.cfg
+ source /etc/default/grub.d/init-select.cfg
+ for file_name in /boot/vmlinuz-*
+ base_name=vmlinuz-4.19.122
+ search=vmlinuz-
+ replace=
++ echo vmlinuz-4.19.122
++ str_replace vmlinuz- ''
+ version=4.19.122
+ unset search
+ unset replace
+ break
+ '[' 4.19.122 = '' ']'
+ real_grub_cfg=/boot/grub/grub.cfg
+ file_replace=/boot/grub/grub.cfg.temp
+ test -w /boot/grub/grub.cfg
+ cp /boot/grub/grub.cfg /boot/grub/grub.cfg.temp
+ test -w /boot/grub/grub.cfg.temp
+ search=' GNU/Linux'
+ replace=
+ str_replace ' GNU/Linux' '' /boot/grub/grub.cfg.temp
+ search=', with Linux 4.19.122'
+ replace=
+ str_replace ', with Linux 4.19.122' '' /boot/grub/grub.cfg.temp
+ search='menuentry '\''Kicksecure'\'''
+ replace='menuentry '\''PERSISTENT mode USER (For daily activities.)'\'''
+ str_replace 'menuentry '\''Kicksecure'\''' 'menuentry '\''PERSISTENT mode USER (For daily activities.)'\''' /boot/grub/grub.cfg.temp
+ search='menuentry '\''Kicksecure (recovery mode)'\'''
+ replace='menuentry '\''Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)'\'''
+ str_replace 'menuentry '\''Kicksecure (recovery mode)'\''' 'menuentry '\''Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)'\''' /boot/grub/grub.cfg.temp
+ test -x /usr/bin/grub-script-check
+ /usr/bin/grub-script-check /boot/grub/grub.cfg.temp
+ cp /boot/grub/grub.cfg.temp /boot/grub/grub.cfg
+ exit 0

I noticed this error:

/usr/bin/deb-systemd-helper: error: unable to read sdwdate.service
Failed to get unit file state for sdwdate.service: No such file or directory
sdwdate.service is a disabled or a static unit not running, not starting it.

I tried to reinstall the service using sudo rapt reinstall --no-install-recommends kicksecure-xfce and it doesn’t reinstall it as I removed the broken file and attempted to restore it.

I tried copying and pasting the sdwdate.service from GitHub, chowned it to root:root with a chmod 775, and attempted to reinstall sdwdate again:

sudo rapt reinstall sdwdate
Reading package lists... Done
Building dependency tree       
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/114 kB of archives.
After this operation, 0 B of additional disk space will be used.
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 111637 files and directories currently installed.)
Preparing to unpack .../sdwdate_3%3a14.7-1_all.deb ...
Unpacking sdwdate (3:14.7-1) over (3:14.7-1) ...
Setting up sdwdate (3:14.7-1) ...
usermod: no changes
The user `sdwdate' is already a member of `debian-tor'.
The user `sdwdate' is already a member of `systemd-journal'.
/usr/bin/deb-systemd-helper: error: unable to read sdwdate.service
Failed to get unit file state for sdwdate.service: No such file or directory
sdwdate.service is a disabled or a static unit not running, not starting it.

I wonder if AppArmor is hindering it from working?

user@grid:~$ sudo systemctl stop sdwdate
Failed to stop sdwdate.service: Unit sdwdate.service not loaded.
user@grid:~$ sudo systemctl start sdwdate
Failed to start sdwdate.service: Unit sdwdate.service not found.

Where? There are none.

Can you try the first suggestion?

Do not run sdwdate from the terminal.

It’s not that it can’t execute it; it doesn’t have the CAP_SYS_TIME capability granted by the systemd service because you ran it from the terminal.

You’re running it from the terminal and not as a service.

Disable AppArmor and completely reinstall it. Make no modifications to it and do not run it from the terminal.

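The distinction drawn in the reply above, sdwdate started from a terminal versus under its systemd unit, is visible in the process's effective capability set, and checking it is quicker than reading denial logs. The following is an added example, not code from this thread, from sdwdate or from apparmor-profile-everything: it decodes the CapEff line of /proc/<pid>/status and reports whether CAP_SYS_TIME (bit 25 in linux/capability.h) is present. The two status texts and the uid 108 in them are constructed samples, and the capability table is a subset of the kernel's list.

```python
import re

# Subset of capability bit numbers from linux/capability.h.
# Only CAP_SYS_TIME matters for setting the clock; the others are listed so a
# decoded mask reads as names rather than bit positions.
CAP_NAMES = {
    0: "CAP_CHOWN",
    1: "CAP_DAC_OVERRIDE",
    2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER",
    5: "CAP_KILL",
    6: "CAP_SETGID",
    7: "CAP_SETUID",
    10: "CAP_NET_BIND_SERVICE",
    12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW",
    19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN",
    25: "CAP_SYS_TIME",
}
CAP_SYS_TIME = 25


def parse_cap_eff(status_text):
    """Return the effective capability mask (CapEff) from /proc/<pid>/status text."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line in status text")
    return int(match.group(1), 16)


def caps_in_mask(mask):
    """Name every bit set in a capability mask, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if mask & (1 << bit):
            names.append(CAP_NAMES.get(bit, f"cap_{bit}"))
        bit += 1
    return names


def has_cap_sys_time(status_text):
    """True if the process described by status_text may set the system clock."""
    return bool(parse_cap_eff(status_text) & (1 << CAP_SYS_TIME))


def process_can_set_clock(pid="self"):
    """Check a live process on this machine; pid may be a number or 'self'."""
    with open(f"/proc/{pid}/status") as status:
        return has_cap_sys_time(status.read())


# Constructed samples (hypothetical, not captured from a real system).
# A process started with sudo -u sdwdate from a terminal is an ordinary
# non-root process with no capabilities, so CapEff is zero...
TERMINAL_STATUS = "Name:\tsdwdate\nUid:\t108\t108\t108\t108\nCapEff:\t0000000000000000\n"
# ...while a unit that grants exactly CAP_SYS_TIME leaves only bit 25 set.
SERVICE_STATUS = "Name:\tsdwdate\nUid:\t108\t108\t108\t108\nCapEff:\t0000000002000000\n"

if __name__ == "__main__":
    for label, text in (("terminal", TERMINAL_STATUS), ("service", SERVICE_STATUS)):
        print(label, caps_in_mask(parse_cap_eff(text)),
              "can set clock:", has_cap_sys_time(text))
    print("this process can set clock:", process_can_set_clock())
```

On a running system, `process_can_set_clock(<pid of sdwdate>)` answers the question directly: a zero mask means /bin/date will fail with "Operation not permitted" regardless of what the AppArmor profile allows, because the capability check happens in the kernel before the profile is consulted. Which systemd directive sdwdate's own unit uses to grant the capability is not shown on this page.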

I disabled apparmor with apparmor=0 in grub and reinstalled sdwdate:

sudo apt-get reinstall sdwdate
Reading package lists... Done
Building dependency tree       
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/114 kB of archives.
After this operation, 0 B of additional disk space will be used.
(Reading database ... 111637 files and directories currently installed.)
Preparing to unpack .../sdwdate_3%3a14.7-1_all.deb ...
Unpacking sdwdate (3:14.7-1) over (3:14.7-1) ...
Setting up sdwdate (3:14.7-1) ...
usermod: no changes
The user `sdwdate' is already a member of `debian-tor'.
The user `sdwdate' is already a member of `systemd-journal'.
/usr/bin/deb-systemd-helper: error: unable to read sdwdate.service
Failed to get unit file state for sdwdate.service: No such file or directory
sdwdate.service is a disabled or a static unit not running, not starting it.
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for rsyslog (8.1901.0-1) ...
+ shopt -s nullglob
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub
+ source /etc/default/grub
++ GRUB_DEFAULT=0
++ GRUB_TIMEOUT=5
+++ lsb_release -i -s
++ GRUB_DISTRIBUTOR=Debian
++ GRUB_CMDLINE_LINUX_DEFAULT=quiet
++ GRUB_CMDLINE_LINUX=
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/30_kicksecure.cfg
+ source /etc/default/grub.d/30_kicksecure.cfg
++ GRUB_DISTRIBUTOR=Kicksecure
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/30_screen_resolution.cfg
+ source /etc/default/grub.d/30_screen_resolution.cfg
++ command -v qubesdb-read
++ GRUB_GFXPAYLOAD_LINUX=1024x768
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_cpu_mitigations.cfg
+ source /etc/default/grub.d/40_cpu_mitigations.cfg
++ GRUB_CMDLINE_LINUX=' spectre_v2=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_distrust_cpu.cfg
+ source /etc/default/grub.d/40_distrust_cpu.cfg
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_enable_iommu.cfg
+ source /etc/default/grub.d/40_enable_iommu.cfg
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_kernel_hardening.cfg
+ source /etc/default/grub.d/40_kernel_hardening.cfg
+++ dpkg --print-architecture
++ kpkg=linux-image-amd64
+++ dpkg-query --show '--showformat=${Version}' linux-image-amd64
dpkg-query: no packages found matching linux-image-amd64
++ kver=
++ true
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge'
++ dpkg --compare-versions '' ge 5.3
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP'
++ command -v qubesdb-read
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none'
++ dpkg --compare-versions '' ge 5.2
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy'
+++ echo quiet
+++ str_replace quiet ''
++ GRUB_CMDLINE_LINUX_DEFAULT=
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy quiet loglevel=0'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy quiet loglevel=0 debugfs=off'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/init-select.cfg
+ source /etc/default/grub.d/init-select.cfg
+ for file_name in /boot/vmlinuz-*
+ base_name=vmlinuz-4.19.122
+ search=vmlinuz-
+ replace=
++ echo vmlinuz-4.19.122
++ str_replace vmlinuz- ''
+ version=4.19.122
+ unset search
+ unset replace
+ break
+ '[' 4.19.122 = '' ']'
+ real_grub_cfg=/boot/grub/grub.cfg
+ file_replace=/boot/grub/grub.cfg.temp
+ test -w /boot/grub/grub.cfg
+ cp /boot/grub/grub.cfg /boot/grub/grub.cfg.temp
+ test -w /boot/grub/grub.cfg.temp
+ search=' GNU/Linux'
+ replace=
+ str_replace ' GNU/Linux' '' /boot/grub/grub.cfg.temp
+ search=', with Linux 4.19.122'
+ replace=
+ str_replace ', with Linux 4.19.122' '' /boot/grub/grub.cfg.temp
+ search='menuentry '\''Kicksecure'\'''
+ replace='menuentry '\''PERSISTENT mode USER (For daily activities.)'\'''
+ str_replace 'menuentry '\''Kicksecure'\''' 'menuentry '\''PERSISTENT mode USER (For daily activities.)'\''' /boot/grub/grub.cfg.temp
+ search='menuentry '\''Kicksecure (recovery mode)'\'''
+ replace='menuentry '\''Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)'\'''
+ str_replace 'menuentry '\''Kicksecure (recovery mode)'\''' 'menuentry '\''Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)'\''' /boot/grub/grub.cfg.temp
+ test -x /usr/bin/grub-script-check
+ /usr/bin/grub-script-check /boot/grub/grub.cfg.temp
+ cp /boot/grub/grub.cfg.temp /boot/grub/grub.cfg
+ exit 0

Same deal, it does not install itself as a service. I tested this with a new Kicksecure install with everything but apparmor-profile-everything installed.

Let me try your first suggestion regarding the tunables:

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

##include <tunables/global>

@{sys_pci_numbers}=[0-9,a-z][0-9,a-z][0-9,a-z][0-9,a-z]:[0-9,a-z][0-9,a-z]
##@{sys_pci}=@{sys}/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/{,@{sys_pci_numbers}:*.*/}
@{sys_pci}=/sys/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/{,@{sys_pci_numbers}:*.*/}
@{dev_ttys}=/dev/tty{,S}[0-9]{,[0-9]}

With reboot, the results are:

[   22.192068] audit: type=1400 audit(1623220184.629:47): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="init-systemd" pid=744 comm="apparmor_parser"
[   22.193898] audit: type=1400 audit(1623220184.633:48): apparmor="STATUS" operation="profile_load" profile="unconfined" name="init-systemd-debug" pid=744 comm="apparmor_parser"
[   22.194998] audit: type=1400 audit(1623220184.633:49): apparmor="STATUS" operation="profile_load" profile="unconfined" name="init-systemd-superroot" pid=744 comm="apparmor_parser"
[   23.494920] audit: type=1400 audit(1623220224.737:50): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:00.0/vendor" pid=901 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   23.494942] audit: type=1400 audit(1623220224.737:51): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:00.0/config" pid=901 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   23.495231] audit: type=1400 audit(1623220224.737:52): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:00.0/vendor" pid=901 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   23.495252] audit: type=1400 audit(1623220224.737:53): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:00.0/config" pid=901 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   24.141489] audit: type=1400 audit(1623220225.381:54): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:00.0/vendor" pid=938 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   24.141502] audit: type=1400 audit(1623220225.381:55): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:00.0/config" pid=938 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   24.141640] audit: type=1400 audit(1623220225.381:56): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:00.0/vendor" pid=938 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

So no go. I put it back to your second suggestion and it works:

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

#include <tunables/global>

@{sys_pci_numbers}=[0-9,a-z][0-9,a-z][0-9,a-z][0-9,a-z]:[0-9,a-z][0-9,a-z]
@{sys_pci}=@{sys}/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/{,@{sys_pci_numbers}:*.*/}
##@{sys_pci}=/sys/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/{,@{sys_pci_numbers}:*.*/}
@{dev_ttys}=/dev/tty{,S}[0-9]{,[0-9]}

[   20.760800] audit: type=1400 audit(1623220562.203:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagent" pid=718 comm="apparmor_parser"
[   20.760810] audit: type=1400 audit(1623220562.203:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagentd" pid=718 comm="apparmor_parser"
[   20.760818] audit: type=1400 audit(1623220562.203:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/timesanitycheck" pid=721 comm="apparmor_parser"
[   20.763758] audit: type=1400 audit(1623220562.207:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="apt.systemd.daily" pid=725 comm="apparmor_parser"
[   20.766261] audit: type=1400 audit(1623220562.211:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/tor-circuit-established-check" pid=722 comm="apparmor_parser"
[   20.776303] audit: type=1400 audit(1623220562.219:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/helper-scripts/first-boot-skel" pid=720 comm="apparmor_parser"
[   20.776314] audit: type=1400 audit(1623220562.219:12): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/security-misc/pam-abort-on-locked-password" pid=720 comm="apparmor_parser"
[   20.776322] audit: type=1400 audit(1623220562.219:13): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/security-misc/pam_only_if_login" pid=720 comm="apparmor_parser"
[   20.776330] audit: type=1400 audit(1623220562.219:14): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/security-misc/pam_tally2-info" pid=720 comm="apparmor_parser"
[   20.776338] audit: type=1400 audit(1623220562.219:15): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/security-misc/panic-on-oops" pid=720 comm="apparmor_parser"

With your second option via the tunables it does boot and lightdm works but throws up an error:

sudo systemctl status apparmor
[sudo] password for user:                
● apparmor.service - Load AppArmor profiles
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
  Drop-In: /usr/lib/systemd/system/apparmor.service.d
           └─30_live_mode.conf
   Active: failed (Result: exit-code) since Wed 2021-06-09 06:36:02 UTC; 27min ago
     Docs: man:apparmor(7)
           https://gitlab.com/apparmor/apparmor/wikis/home/
  Process: 704 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
 Main PID: 704 (code=exited, status=1/FAILURE)

Jun 09 06:36:02 tron apparmor.systemd[704]: 'HOME' is already defined
Jun 09 06:36:02 tron apparmor.systemd[704]: AppArmor parser error for /etc/apparmor.d/bin.lsblk in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously declared
Jun 09 06:36:02 tron apparmor.systemd[704]: 'HOME' is already defined
Jun 09 06:36:02 tron apparmor.systemd[704]: AppArmor parser error for /etc/apparmor.d/init-systemd in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously declare
Jun 09 06:36:02 tron apparmor.systemd[704]: 'HOME' is already defined
Jun 09 06:36:02 tron apparmor.systemd[704]: AppArmor parser error for /etc/apparmor.d/usr.lib.xorg.Xorg in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously de
Jun 09 06:36:02 tron apparmor.systemd[704]: Error: At least one profile failed to load
Jun 09 06:36:02 tron systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Jun 09 06:36:02 tron systemd[1]: apparmor.service: Failed with result 'exit-code'.
Jun 09 06:36:02 tron systemd[1]: Failed to start Load AppArmor profiles.

sdwdate is also not defined as a service:

sudo systemctl status sdwdate
Unit sdwdate.service could not be found.
sudo systemctl restart sdwdate
Failed to restart sdwdate.service: Unit sdwdate.service not found.

I’ll do some more research and experiment.

I also can’t run sudo aa-enforce init-systemd:

ERROR: Profile for /{,usr/}lib/systemd/** exists in /etc/apparmor.d/init-systemd and /etc/apparmor.d/init-systemd

Also, same error with aa-logprof

sudo aa-logprof 
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.

ERROR: Profile for /{,usr/}lib/systemd/** exists in /etc/apparmor.d/init-systemd and /etc/apparmor.d/init-systemd

This is my aa-status:

sudo aa-status
apparmor module is loaded.
64 profiles are loaded.
45 profiles are in enforce mode.
   /**/*-browser/Browser/firefox
   /usr/bin/hexchat
   /usr/bin/man
   /usr/bin/pidgin
   /usr/bin/pidgin//sanitized_helper
   /usr/bin/sdwdate
   /usr/bin/timesanitycheck
   /usr/bin/tor-circuit-established-check
   /usr/bin/totem
   /usr/bin/totem-audio-preview
   /usr/bin/totem-video-thumbnailer
   /usr/bin/totem//sanitized_helper
   /usr/bin/url_to_unixtime
   /usr/bin/xchat
   /usr/lib/helper-scripts/first-boot-skel
   /usr/lib/security-misc/pam-abort-on-locked-password
   /usr/lib/security-misc/pam_only_if_login
   /usr/lib/security-misc/pam_tally2-info
   /usr/lib/security-misc/panic-on-oops
   /usr/lib/security-misc/permission-lockdown
   /usr/lib/security-misc/remove-system.map
   /usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session
   /usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session//chromium
   /usr/sbin/apt-cacher-ng
   /usr/sbin/haveged
   /usr/sbin/libvirtd
   /usr/sbin/libvirtd//qemu_bridge_helper
   apt.systemd.daily
   bootclockrandomization
   dbus-daemon
   man_filter
   man_groff
   networking-aae
   nvidia_modprobe
   nvidia_modprobe//kmod
   rsyslogd
   sandbox-app-launcher
   sandbox-app-launcher-wx
   spice-vdagent
   spice-vdagentd
   system_tor
   systemd-modules-load
   systemd-shutdown
   systemd-sysctl
   virt-aa-helper
19 profiles are in complain mode.
   /usr/bin/irssi
   /usr/sbin/anondate-get
   /usr/sbin/anondate-set
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   avahi-daemon
   identd
   init-systemd
   klogd
   mdnsd
   nmbd
   nscd
   ping
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
19 processes have profiles defined.
15 processes are in enforce mode.
   /home/user/.tb/tor-browser/Browser/firefox.real (1752) /**/*-browser/Browser/firefox
   /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/tor (1796) /**/*-browser/Browser/firefox
   /home/user/.tb/tor-browser/Browser/firefox.real (1823) /**/*-browser/Browser/firefox
   /home/user/.tb/tor-browser/Browser/firefox.real (1862) /**/*-browser/Browser/firefox
   /home/user/.tb/tor-browser/Browser/firefox.real (1937) /**/*-browser/Browser/firefox
   /usr/bin/python3.7 (1191) /usr/bin/sdwdate
   /usr/bin/sleep (1986) /usr/bin/sdwdate
   /usr/sbin/haveged (995) 
   /usr/sbin/libvirtd (1107) 
   /usr/bin/dbus-daemon (1003) dbus-daemon
   /usr/bin/dbus-daemon (1521) dbus-daemon
   /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (1554) dbus-daemon
   /usr/bin/dbus-daemon (1649) dbus-daemon
   /usr/sbin/rsyslogd (999) rsyslogd
   /usr/bin/tor (1149) system_tor
4 processes are in complain mode.
   /usr/sbin/dnsmasq (1126) 
   /usr/sbin/dnsmasq (1284) 
   /usr/sbin/dnsmasq (1357) 
   /usr/sbin/dnsmasq (1358) 
0 processes are unconfined but have a profile defined.
2 Likes
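The Xorg denials and the two @{sys_pci} spellings in the post above are easier to reason about offline than by rebooting. The script below is an added example (my code, not part of apparmor-profile-everything or the AppArmor project): it pulls apparmor="DENIED" entries out of dmesg text, expands the tunables roughly the way apparmor_parser does, turns the resulting glob into a regex and reports which denied paths a rule would still not cover. Assumptions: the thread does not show the profile rule that consumes @{sys_pci}, so `@{sys_pci}*` and `@{sys_pci}**` are stand-ins; the path with PCI bus `0a` is constructed to show where a digits-only class stops matching; and the glob translation is a simplified model of AppArmor matching, not the parser itself.

```python
"""Check which logged AppArmor denials a candidate @{sys_pci} tunable would cover.

Added example, not code from apparmor-profile-everything or the AppArmor project.
The glob-to-regex translation is a simplified model of AppArmor path globbing
(@{var} expansion, {a,b} alternation, *, **, ?, [..] classes); apparmor_parser
remains the authority. The rule globs used with it are assumed, not from the thread.
"""
import re
from collections import Counter

# Denial lines copied from the dmesg output in the post above (constructed sample;
# one STATUS line is included to show that it is ignored).
SAMPLE_DMESG = """\
[   23.494920] audit: type=1400 audit(1623220224.737:50): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:00.0/vendor" pid=901 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   23.494942] audit: type=1400 audit(1623220224.737:51): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:00.0/config" pid=901 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   22.192068] audit: type=1400 audit(1623220184.629:47): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="init-systemd" pid=744 comm="apparmor_parser"
"""

# Tunables from the working init-systemd file above. @{sys} comes from tunables/sys
# (pulled in via tunables/global) with a trailing slash; doubled slashes are collapsed
# below so either spelling works.
THREAD_TUNABLES = {
    "sys": ["/sys/"],
    "sys_pci_numbers": ["[0-9,a-z][0-9,a-z][0-9,a-z][0-9,a-z]:[0-9,a-z][0-9,a-z]"],
    "sys_pci": ["@{sys}/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/"
                "{,@{sys_pci_numbers}:*.*/}"],
}
# Same tunables with a digits-only domain:bus class, for comparison.
DIGITS_ONLY = dict(THREAD_TUNABLES, sys_pci_numbers=["[0-9][0-9][0-9][0-9]:[0-9][0-9]"])

DENIED_RE = re.compile(r'apparmor="DENIED".*?profile="([^"]+)".*?name="([^"]+)".*?'
                       r'denied_mask="([^"]+)"')


def parse_denials(text):
    """Count DENIED audit lines by (profile, path, denied_mask); STATUS lines are skipped."""
    counts = Counter()
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            counts[m.groups()] += 1
    return counts


def expand_variables(glob, variables, max_rounds=10):
    """Substitute @{var} until none remain; a multi-valued variable becomes {a,b}.
    An undefined variable raises KeyError, which is what happens when the
    '#include <tunables/global>' line is missing."""
    def repl(m):
        values = variables[m.group(1)]
        return values[0] if len(values) == 1 else "{" + ",".join(values) + "}"
    for _ in range(max_rounds):
        expanded = re.sub(r"@\{([A-Za-z0-9_]+)\}", repl, glob)
        if expanded == glob:
            return re.sub(r"/{2,}", "/", expanded)
        glob = expanded
    raise ValueError("variable expansion did not converge (self-reference?)")


def glob_to_regex(glob):
    """Anchored regex for an expanded glob: '*' stays inside one path component,
    '**' crosses '/', '?' is one non-'/' char, '[..]' is copied as a class,
    '{a,b}' becomes alternation (nesting allowed)."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == "*" and glob.startswith("**", i):
            out.append(".*")
            i += 1
        elif c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = glob.index("]", i)      # commas inside a class are literal, not separators
            out.append(glob[i:j + 1])
            i = j
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}":
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced braces in %r" % glob)
    return re.compile("^" + "".join(out) + "$")


def matches(rule_glob, variables, path):
    """True if rule_glob, with the given tunables, would match path."""
    return bool(glob_to_regex(expand_variables(rule_glob, variables)).match(path))


def uncovered_denials(audit_text, rule_glob, variables):
    """(profile, path, mask) triples from the log that rule_glob would still deny."""
    rx = glob_to_regex(expand_variables(rule_glob, variables))
    return sorted(k for k in parse_denials(audit_text) if not rx.match(k[1]))


if __name__ == "__main__":
    print(uncovered_denials(SAMPLE_DMESG, "@{sys_pci}*", THREAD_TUNABLES))
```

With the working tunables, `@{sys_pci}*` covers both Xorg denials; swapping in the digits-only class still covers them (the sample paths are all digits) but stops matching a device behind a hex-numbered bus such as `0000:0a:00.0`, and `*` alone never reaches nested entries like `.../0000:04:00.1/sound/card1`, which is where `**` would be needed. Feed it real output with `dmesg | python3 this_script.py` after swapping `SAMPLE_DMESG` for `sys.stdin.read()`.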
/usr/bin/deb-systemd-helper: error: unable to read sdwdate.service
Failed to get unit file state for sdwdate.service: No such file or directory
sdwdate.service is a disabled or a static unit not running, not starting it.

Therefore we need to look “inside” of /usr/bin/deb-systemd-helper.

Could you please help debug this sdwdate AAE issue? The following needs to be done without AAE (otherwise I suppose you don’t have permission to do that).

sudo mkdir -p /etc/sdwdate_maint.d
sudoedit /etc/sdwdate_maint.d/50_user.conf

Add.

set -x
DEBDEBUG=1
export _DEB_SYSTEMD_HELPER_DEBUG=1

Save.

Then during sdwdate re-installation we should get a lot of debug output.

Does file /lib/systemd/system/sdwdate.service exist?
Is file /lib/systemd/system/sdwdate.service readable?

cat /lib/systemd/system/sdwdate.service

ls -la /lib/systemd/system/sdwdate.service

Expected output:

-rw-r--r-- 1 root root 2794 Oct 20 2015 /lib/systemd/system/sdwdate.service

2 Likes
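The two messages quoted above, deb-systemd-helper's "unable to read sdwdate.service" and systemctl's "No such file or directory", look the same whether the unit file is absent or whether the confined process is simply not allowed to stat it. The script below is an added example (my code, not from sdwdate, init-system-helpers or apparmor-profile-everything) that replays the helper's lookup and keeps the two cases apart. Assumption: `SEARCH_DIRS` is the order I understand `find_unit` in /usr/bin/deb-systemd-helper to use; confirm it against the installed script.

```python
"""Replay deb-systemd-helper's unit-file lookup and tell "missing" from "denied".

Added example, not code from sdwdate, init-system-helpers or
apparmor-profile-everything. SEARCH_DIRS is the order I understand find_unit in
/usr/bin/deb-systemd-helper to use (assumption: confirm against the installed
script). The helper only applies a plain file test to each candidate, so a stat()
refused by an AppArmor profile is indistinguishable to it from an absent file and
it falls back to the bare unit name.
"""
import os
import stat as st_mod

SEARCH_DIRS = ("/etc/systemd/system", "/lib/systemd/system", "/usr/lib/systemd/system")


def probe(path, stat_fn=os.stat, opener=open):
    """Classify one candidate: 'found', 'missing', 'stat-denied' or 'read-denied'.
    stat_fn/opener are injectable so the denied cases can be exercised without root."""
    try:
        info = stat_fn(path)
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        return "stat-denied"    # a confined process with no 'r' rule for the path lands here
    if not st_mod.S_ISREG(info.st_mode):
        return "missing"        # the helper's -f test rejects directories and other non-regular files
    try:
        with opener(path, "rb") as fh:
            fh.read(1)
    except PermissionError:
        return "read-denied"    # stat allowed but open refused, e.g. a restrictive file mode
    return "found"


def locate_unit(unit, search_dirs=SEARCH_DIRS, **probe_kwargs):
    """Walk the search dirs in order. Returns (resolved, verdicts); resolved is the
    bare unit name when nothing usable was found, mirroring the helper's fallback
    (the 'service_path = sdwdate.service' seen in its debug output)."""
    verdicts = {}
    for directory in search_dirs:
        path = os.path.join(directory, unit)
        verdicts[path] = probe(path, **probe_kwargs)
        if verdicts[path] == "found":
            return path, verdicts
    return unit, verdicts


def diagnose(unit, **kwargs):
    """One-line verdict that separates 'not installed' from 'installed but denied'."""
    resolved, verdicts = locate_unit(unit, **kwargs)
    if resolved != unit:
        return "ok: " + resolved
    denied = [p for p, v in verdicts.items() if v.endswith("denied")]
    if denied:
        return "denied: " + ", ".join(denied) + ' (look for apparmor="DENIED" on these paths in dmesg)'
    return "missing: " + unit + " not in " + ", ".join(verdicts)


if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "sdwdate.service"))
```

Run it once unconfined (`python3 this_script.py sdwdate.service`) to confirm the file is really there and readable, then from inside the confinement that runs the postinst; a "denied:" verdict in the second run and "ok:" in the first points at a missing profile rule rather than at the sdwdate package.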

I started with a fresh Kicksecure install again and upgraded to where Secbrowser seems to be removed, which is fine. TorBrowser (AnonDist) is the only available Internet app, just to give context.

I installed apparmor-profile-everything and rebooted. I reinstalled sdwdate with the debug options on as stated above and here is the result:

sudo apt reinstall sdwdate
Reading package lists... Done
Building dependency tree       
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 122 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion buster/main amd64 sdwdate all 3:15.6-1 [122 kB]
Fetched 122 kB in 5s (25.2 kB/s)  
(Reading database ... 111602 files and directories currently installed.)
Preparing to unpack .../sdwdate_3%3a15.6-1_all.deb ...
Unpacking sdwdate (3:15.6-1) over (3:15.6-1) ...
+++ DEBDEBUG=1
+++ export _DEB_SYSTEMD_HELPER_DEBUG=1
+++ _DEB_SYSTEMD_HELPER_DEBUG=1
++ shopt -u nullglob
++ check_scripts_to_skip
++ local skip_script
+ set -e
+ rm --force /usr/lib/sdwdate/sclockadj
+ '[' upgrade = purge ']'
+ dpkg-maintscript-helper rm_conffile /etc/sdwdate.d/30_default -- upgrade 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/sdwdate.d/30_sdwdate_default -- upgrade 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/sdwdate.d/31_anon_dist_con_check_plugin -- upgrade 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/sdwdate.d/31_anon_dist_stream_isolation_plugin -- upgrade 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/apparmor.d/abstractions/sdwdate -- upgrade 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/apparmor.d/usr.lib.sdwdate.url_to_unixtime -- upgrade 3:15.6-1
+ '[' -d /run/systemd/system ']'
+ systemctl --system daemon-reload
+ '[' upgrade = remove ']'
+ '[' upgrade = purge ']'
+ '[' upgrade = purge ']'
+ '[' upgrade = purge ']'
Setting up sdwdate (3:15.6-1) ...
+++ DEBDEBUG=1
+++ export _DEB_SYSTEMD_HELPER_DEBUG=1
+++ _DEB_SYSTEMD_HELPER_DEBUG=1
++ shopt -u nullglob
++ check_scripts_to_skip
++ local skip_script
+ set -e
+ true '
#####################################################################
## INFO: BEGIN: sdwdate postinst configure' '3:15.6-1
#####################################################################
'
+ '[' -x /usr/lib/helper-scripts/torsocks-remove-ld-preload ']'
+ source /usr/lib/helper-scripts/torsocks-remove-ld-preload
++ : 1
++ : ''
++ '[' 1 = 1 ']'
++ set -x
++ '[' 1 = 1 ']'
++ true 'LD_PRELOAD: '
+++ echo ''
+++ sed 's/\/usr\/lib\/torsocks\/libtorsocks.so//g'
++ LD_PRELOAD=
++ '[' 1 = 1 ']'
++ true 'exit code: 0'
++ export LD_PRELOAD
++ '[' 1 = 1 ']'
++ true 'exit code: 0'
++ true 'LD_PRELOAD: '
+ case "$1" in
+ addgroup debian-tor
+ true
+ adduser --home /run/sdwdate --no-create-home --quiet --system --group sdwdate
++ getent passwd sdwdate
++ cut -d: -f6
+ sdwdate_home=/run/sdwdate
+ '[' /run/sdwdate = /nonexistent ']'
+ usermod -m -d /run/sdwdate sdwdate
usermod: no changes
+ mkdir -p /run/sdwdate
+ chown sdwdate:sdwdate /run/sdwdate
+ addgroup sdwdate debian-tor
The user `sdwdate' is already a member of `debian-tor'.
+ addgroup sdwdate systemd-journal
The user `sdwdate' is already a member of `systemd-journal'.
+ gcc /usr/lib/sdwdate/sclockadj.c -o /usr/lib/sdwdate/sclockadj -ldl -D_GNU_SOURCE -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wl,-z,relro -Wl,-z,now
+ timedatectl set-ntp false
+ rm --force /etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service
+ '[' -d /lib/systemd/system/sdwdate.service.d/ ']'
++ uname -m
+ arch=x86_64
+ syscall_comment='## This file has been auto-generated by: /var/lib/dpkg/info/sdwdate.postinst
## Changes will be lost when sdwdate is upgraded.
## See file /lib/systemd/system/sdwdate.service for comments.
## Architecture: x86_64
'
+ [[ x86_64 =~ arm ]]
+ [[ x86_64 =~ aarch ]]
+ [[ x86_64 =~ ppc ]]
+ [[ x86_64 =~ x86 ]]
+ syscall_whitelist='## Default. No changes required.'
+ echo '## This file has been auto-generated by: /var/lib/dpkg/info/sdwdate.postinst
## Changes will be lost when sdwdate is upgraded.
## See file /lib/systemd/system/sdwdate.service for comments.
## Architecture: x86_64

## Default. No changes required.'
+ tee /lib/systemd/system/sdwdate.service.d/20_arch_syscall_whitelist.conf
+ true 'INFO: debhelper beginning here.'
+ '[' configure = configure ']'
+ APP_PROFILE=/etc/apparmor.d/usr.bin.sdwdate
+ '[' -f /etc/apparmor.d/usr.bin.sdwdate ']'
+ LOCAL_APP_PROFILE=/etc/apparmor.d/local/usr.bin.sdwdate
+ test -e /etc/apparmor.d/local/usr.bin.sdwdate
+ aa-enabled --quiet
+ apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.sdwdate
+ '[' configure = configure ']'
+ APP_PROFILE=/etc/apparmor.d/usr.bin.url_to_unixtime
+ '[' -f /etc/apparmor.d/usr.bin.url_to_unixtime ']'
+ LOCAL_APP_PROFILE=/etc/apparmor.d/local/usr.bin.url_to_unixtime
+ test -e /etc/apparmor.d/local/usr.bin.url_to_unixtime
+ aa-enabled --quiet
+ apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.url_to_unixtime
+ which py3compile
+ py3compile -p sdwdate
+ which pypy3compile
+ '[' configure = configure ']'
+ '[' -d /run/systemd/system ']'
+ systemd-tmpfiles --create sdwdate.conf
+ dpkg-maintscript-helper rm_conffile /etc/sdwdate.d/30_default -- configure 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/sdwdate.d/30_sdwdate_default -- configure 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/sdwdate.d/31_anon_dist_con_check_plugin -- configure 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/sdwdate.d/31_anon_dist_stream_isolation_plugin -- configure 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/apparmor.d/abstractions/sdwdate -- configure 3:15.6-1
+ dpkg-maintscript-helper rm_conffile /etc/apparmor.d/usr.lib.sdwdate.url_to_unixtime -- configure 3:15.6-1
+ '[' configure = configure ']'
+ deb-systemd-helper unmask sdwdate-restart-tor-request-file-watcher.service
(deb-systemd-helper DEBUG) is purge = no
(deb-systemd-helper DEBUG) action = unmask, scriptname = sdwdate-restart-tor-request-file-watcher.service, service_path = /lib/systemd/system/sdwdate-restart-tor-request-file-watcher.service
(deb-systemd-helper DEBUG) rmdir_if_empty /var/lib/systemd/deb-systemd-helper-masked
(deb-systemd-helper DEBUG) rmdir(/var/lib/systemd/deb-systemd-helper-masked) failed (No such file or directory)
+ deb-systemd-helper --quiet was-enabled sdwdate-restart-tor-request-file-watcher.service
(deb-systemd-helper DEBUG) is purge = no
(deb-systemd-helper DEBUG) action = was-enabled, scriptname = sdwdate-restart-tor-request-file-watcher.service, service_path = /lib/systemd/system/sdwdate-restart-tor-request-file-watcher.service
(deb-systemd-helper DEBUG) Reading state file /var/lib/systemd/deb-systemd-helper-enabled/sdwdate-restart-tor-request-file-watcher.service.dsh-also
(deb-systemd-helper DEBUG) Contents: $VAR1 = [
          '/etc/systemd/system/multi-user.target.wants/sdwdate-restart-tor-request-file-watcher.service'
        ];

(deb-systemd-helper DEBUG) All links present, considering sdwdate-restart-tor-request-file-watcher.service was-enabled.
+ deb-systemd-helper enable sdwdate-restart-tor-request-file-watcher.service
(deb-systemd-helper DEBUG) is purge = no
(deb-systemd-helper DEBUG) action = enable, scriptname = sdwdate-restart-tor-request-file-watcher.service, service_path = /lib/systemd/system/sdwdate-restart-tor-request-file-watcher.service
(deb-systemd-helper DEBUG) Renaming temp file /var/lib/systemd/deb-systemd-helper-enabled/.stateogZ6Q.tmp to state file /var/lib/systemd/deb-systemd-helper-enabled/sdwdate-restart-tor-request-file-watcher.service.dsh-also
+ '[' configure = configure ']'
+ deb-systemd-helper unmask sdwdate.service
(deb-systemd-helper DEBUG) is purge = no
(deb-systemd-helper DEBUG) action = unmask, scriptname = sdwdate.service, service_path = sdwdate.service
(deb-systemd-helper DEBUG) rmdir_if_empty /var/lib/systemd/deb-systemd-helper-masked
(deb-systemd-helper DEBUG) rmdir(/var/lib/systemd/deb-systemd-helper-masked) failed (No such file or directory)
+ deb-systemd-helper --quiet was-enabled sdwdate.service
(deb-systemd-helper DEBUG) is purge = no
(deb-systemd-helper DEBUG) action = was-enabled, scriptname = sdwdate.service, service_path = sdwdate.service
(deb-systemd-helper DEBUG) Reading state file /var/lib/systemd/deb-systemd-helper-enabled/sdwdate.service.dsh-also
(deb-systemd-helper DEBUG) Contents: $VAR1 = [
          '/etc/systemd/system/multi-user.target.wants/sdwdate.service'
        ];

(deb-systemd-helper DEBUG) All links present, considering sdwdate.service was-enabled.
+ deb-systemd-helper enable sdwdate.service
(deb-systemd-helper DEBUG) is purge = no
(deb-systemd-helper DEBUG) action = enable, scriptname = sdwdate.service, service_path = sdwdate.service
/usr/bin/deb-systemd-helper: error: unable to read sdwdate.service
+ true
+ '[' configure = configure ']'
+ '[' -d /run/systemd/system ']'
+ systemctl --system daemon-reload
+ '[' -n 3:15.6-1 ']'
+ _dh_action=restart
+ deb-systemd-invoke restart sdwdate-restart-tor-request-file-watcher.service sdwdate.service
Failed to get unit file state for sdwdate.service: No such file or directory
sdwdate.service is a disabled or a static unit not running, not starting it.
+ true 'INFO: Done with debhelper.'
+ true '
#####################################################################
## INFO: END  : sdwdate postinst configure' '3:15.6-1
#####################################################################
'
+ exit 0
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for rsyslog (8.1901.0-1) ...
+ shopt -s nullglob
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub
+ source /etc/default/grub
++ GRUB_DEFAULT=0
++ GRUB_TIMEOUT=5
+++ lsb_release -i -s
++ GRUB_DISTRIBUTOR=Debian
++ GRUB_CMDLINE_LINUX_DEFAULT=quiet
++ GRUB_CMDLINE_LINUX=
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/30_apparmor.cfg
+ source /etc/default/grub.d/30_apparmor.cfg
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/30_kicksecure.cfg
+ source /etc/default/grub.d/30_kicksecure.cfg
++ GRUB_DISTRIBUTOR=Kicksecure
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/30_screen_resolution.cfg
+ source /etc/default/grub.d/30_screen_resolution.cfg
++ command -v qubesdb-read
++ GRUB_GFXPAYLOAD_LINUX=1024x768
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_cpu_mitigations.cfg
+ source /etc/default/grub.d/40_cpu_mitigations.cfg
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_distrust_cpu.cfg
+ source /etc/default/grub.d/40_distrust_cpu.cfg
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_enable_iommu.cfg
+ source /etc/default/grub.d/40_enable_iommu.cfg
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_kernel_hardening.cfg
+ source /etc/default/grub.d/40_kernel_hardening.cfg
+++ dpkg --print-architecture
++ kpkg=linux-image-amd64
+++ dpkg-query --show '--showformat=${Version}' linux-image-amd64
dpkg-query: no packages found matching linux-image-amd64
++ kver=
++ true
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge'
++ dpkg --compare-versions '' ge 5.3
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP'
++ command -v qubesdb-read
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none'
++ dpkg --compare-versions '' ge 5.2
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy'
+++ echo quiet
+++ str_replace quiet ''
++ GRUB_CMDLINE_LINUX_DEFAULT=
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy quiet loglevel=0'
++ GRUB_CMDLINE_LINUX=' apparmor=1 security=apparmor spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy quiet loglevel=0 debugfs=off'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/init-select.cfg
+ source /etc/default/grub.d/init-select.cfg
+ for file_name in /boot/vmlinuz-*
+ base_name=vmlinuz-4.19.122
+ search=vmlinuz-
+ replace=
++ echo vmlinuz-4.19.122
++ str_replace vmlinuz- ''
+ version=4.19.122
+ unset search
+ unset replace
+ break
+ '[' 4.19.122 = '' ']'
+ real_grub_cfg=/boot/grub/grub.cfg
+ file_replace=/boot/grub/grub.cfg.temp
+ test -w /boot/grub/grub.cfg
+ cp /boot/grub/grub.cfg /boot/grub/grub.cfg.temp
+ test -w /boot/grub/grub.cfg.temp
+ search=' GNU/Linux'
+ replace=
+ str_replace ' GNU/Linux' '' /boot/grub/grub.cfg.temp
+ search=', with Linux 4.19.122'
+ replace=
+ str_replace ', with Linux 4.19.122' '' /boot/grub/grub.cfg.temp
+ search='menuentry '\''Kicksecure'\'''
+ replace='menuentry '\''PERSISTENT mode USER (For daily activities.)'\'''
+ str_replace 'menuentry '\''Kicksecure'\''' 'menuentry '\''PERSISTENT mode USER (For daily activities.)'\''' /boot/grub/grub.cfg.temp
+ search='menuentry '\''Kicksecure (recovery mode)'\'''
+ replace='menuentry '\''Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)'\'''
+ str_replace 'menuentry '\''Kicksecure (recovery mode)'\''' 'menuentry '\''Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)'\''' /boot/grub/grub.cfg.temp
+ test -x /usr/bin/grub-script-check
+ /usr/bin/grub-script-check /boot/grub/grub.cfg.temp
+ cp /boot/grub/grub.cfg.temp /boot/grub/grub.cfg
+ exit 0

I did notice that I only had to edit /etc/apparmor.d/tunables/init-systemd (via sudoedit) to get LightDM to work:

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

#include <tunables/global>

@{sys_pci_numbers}=[0-9][0-9][0-9][0-9]:[0-9][0-9]
##@{sys_pci}=/sys/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/
@{sys_pci}=@{sys}/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/
@{dev_ttys}=/dev/tty{,S}[0-9]{,[0-9]}

This is what shows via dmesg:

[   31.786159] audit: type=1400 audit(1623327095.227:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/libvirtd" pid=719 comm="apparmor_parser"
[   31.786171] audit: type=1400 audit(1623327095.227:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/libvirtd//qemu_bridge_helper" pid=719 comm="apparmor_parser"
[   31.787514] audit: type=1400 audit(1623327095.227:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="apt.systemd.daily" pid=721 comm="apparmor_parser"
[   31.788844] audit: type=1400 audit(1623327095.227:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/tor-circuit-established-check" pid=718 comm="apparmor_parser"
[   31.793385] audit: type=1400 audit(1623327095.231:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagent" pid=714 comm="apparmor_parser"
[   31.793395] audit: type=1400 audit(1623327095.231:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagentd" pid=714 comm="apparmor_parser"
[   31.800650] audit: type=1400 audit(1623327095.239:12): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/timesanitycheck" pid=717 comm="apparmor_parser"
[   31.828487] audit: type=1400 audit(1623327095.267:13): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/helper-scripts/first-boot-skel" pid=716 comm="apparmor_parser"
[   31.828502] audit: type=1400 audit(1623327095.267:14): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/security-misc/pam-abort-on-locked-password" pid=716 comm="apparmor_parser"
[   31.828515] audit: type=1400 audit(1623327095.267:15): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/security-misc/pam_only_if_login" pid=716 comm="apparmor_parser"

Systemctl results:

sudo systemctl
  UNIT                        LOAD   ACTIVE SUB       DESCRIPTION              
  sys-devices-pci0000:00-0000:00:03.0-0000:04:00.1-sound-card1.device loaded active plugged   Cedar HDMI Audio [Radeon 
  sys-devices-pci0000:00-0000:00:11.0-0000:05:00.0-host10-port\x2d10:0-end_device\x2d10:0-target10:0:0-10:0:0:0-block-sr0.device loaded active plugged   HL-DT-STDVD-RAM_GHA2N    
  sys-devices-pci0000:00-0000:00:16.3-tty-ttyS1.device loaded active plugged   C600/X79 series chipset K
  sys-devices-pci0000:00-0000:00:19.0-net-eno1.device loaded active plugged   82579LM Gigabit Network C
  sys-devices-pci0000:00-0000:00:1a.0-usb1-1\x2d1-1\x2d1.2-1\x2d1.2:1.0-host1-target1:0:0-1:0:0:0-block-sdd.device loaded active plugged   Compact_Flash            
  sys-devices-pci0000:00-0000:00:1a.0-usb1-1\x2d1-1\x2d1.2-1\x2d1.2:1.0-host1-target1:0:0-1:0:0:1-block-sde.device loaded active plugged   SM_xD-Picture            
  sys-devices-pci0000:00-0000:00:1a.0-usb1-1\x2d1-1\x2d1.2-1\x2d1.2:1.0-host1-target1:0:0-1:0:0:2-block-sdf.device loaded active plugged   SD_MMC                   
  sys-devices-pci0000:00-0000:00:1a.0-usb1-1\x2d1-1\x2d1.2-1\x2d1.2:1.0-host1-target1:0:0-1:0:0:3-block-sdg.device loaded active plugged   M.S._M.S.Pro_HG          
  sys-devices-pci0000:00-0000:00:1a.0-usb1-1\x2d1-1\x2d1.2-1\x2d1.2:1.0-host1-target1:0:0-1:0:0:4-block-sdh.device loaded active plugged   SD_MMC_M.S.PRO           
  sys-devices-pci0000:00-0000:00:1a.0-usb1-1\x2d1-1\x2d1.4-1\x2d1.4:1.0-host0-target0:0:0-0:0:0:0-block-sda-sda1.device loaded active plugged   SanDisk_3.2Gen1 1        
  sys-devices-pci0000:00-0000:00:1a.0-usb1-1\x2d1-1\x2d1.4-1\x2d1.4:1.0-host0-target0:0:0-0:0:0:0-block-sda-sda2.device loaded active plugged   SanDisk_3.2Gen1 2        
  sys-devices-pci0000:00-0000:00:1a.0-usb1-1\x2d1-1\x2d1.4-1\x2d1.4:1.0-host0-target0:0:0-0:0:0:0-block-sda.device loaded active plugged   SanDisk_3.2Gen1          
  sys-devices-pci0000:00-0000:00:1b.0-sound-card0.device loaded active plugged   C600/X79 series chipset H
  sys-devices-pci0000:00-0000:00:1f.2-ata3-host4-target4:0:0-4:0:0:0-block-sdb-sdb1.device loaded active plugged   Samsung_SSD_870_EVO_250GB
  sys-devices-pci0000:00-0000:00:1f.2-ata3-host4-target4:0:0-4:0:0:0-block-sdb-sdb2.device loaded active plugged   Samsung_SSD_870_EVO_250GB
  sys-devices-pci0000:00-0000:00:1f.2-ata3-host4-target4:0:0-4:0:0:0-block-sdb-sdb5.device loaded active plugged   Samsung_SSD_870_EVO_250GB
  sys-devices-pci0000:00-0000:00:1f.2-ata3-host4-target4:0:0-4:0:0:0-block-sdb.device loaded active plugged   Samsung_SSD_870_EVO_250GB
  sys-devices-pci0000:00-0000:00:1f.2-ata5-host6-target6:0:0-6:0:0:0-block-sdc.device loaded active plugged   ST1000NM0008-2F2100      
  sys-devices-platform-serial8250-tty-ttyS2.device loaded active plugged   /sys/devices/platform/ser
  sys-devices-platform-serial8250-tty-ttyS3.device loaded active plugged   /sys/devices/platform/ser
  sys-devices-pnp0-00:03-tty-ttyS0.device loaded active plugged   /sys/devices/pnp0/00:03/t
  sys-devices-virtual-block-dm\x2d0.device loaded active plugged   /sys/devices/virtual/bloc
  sys-devices-virtual-net-virbr0.device loaded active plugged   /sys/devices/virtual/net/
  sys-devices-virtual-net-virbr0\x2dnic.device loaded active plugged   /sys/devices/virtual/net/
  sys-devices-virtual-net-virbr1.device loaded active plugged   /sys/devices/virtual/net/
  sys-devices-virtual-net-virbr1\x2dnic.device loaded active plugged   /sys/devices/virtual/net/
  sys-devices-virtual-net-virbr2.device loaded active plugged   /sys/devices/virtual/net/
  sys-devices-virtual-net-virbr2\x2dnic.device loaded active plugged   /sys/devices/virtual/net/
  sys-subsystem-net-devices-eno1.device loaded active plugged   82579LM Gigabit Network C
  sys-subsystem-net-devices-virbr0.device loaded active plugged   /sys/subsystem/net/device
  sys-subsystem-net-devices-virbr0\x2dnic.device loaded active plugged   /sys/subsystem/net/device
  sys-subsystem-net-devices-virbr1.device loaded active plugged   /sys/subsystem/net/device
  sys-subsystem-net-devices-virbr1\x2dnic.device loaded active plugged   /sys/subsystem/net/device
  sys-subsystem-net-devices-virbr2.device loaded active plugged   /sys/subsystem/net/device
  sys-subsystem-net-devices-virbr2\x2dnic.device loaded active plugged   /sys/subsystem/net/device
  -.mount                     loaded active mounted   /                        
  boot.mount                  loaded active mounted   /boot                    
  dev-hugepages.mount         loaded active mounted   Huge Pages File System   
  dev-mqueue.mount            loaded active mounted   POSIX Message Queue File 
  run-msgcollector.mount      loaded active mounted   /run/msgcollector        
  run-user-1000.mount         loaded active mounted   /run/user/1000           
  sys-kernel-debug.mount      loaded active mounted   Kernel Debug File System 
  systemd-ask-password-console.path loaded active waiting   Dispatch Password Request
  systemd-ask-password-wall.path loaded active waiting   Forward Password Requests
  init.scope                  loaded active running   System and Service Manage
  session-2.scope             loaded active running   Session 2 of user user   
● apparmor.service            loaded failed failed    Load AppArmor profiles   
  blk-availability.service    loaded active exited    Availability of block dev
  bootclockrandomization.service loaded active exited    Boot Clock Randomization 
  console-setup.service       loaded active exited    Set console font and keym
  cron.service                loaded active running   Regular background progra
  dbus.service                loaded active running   D-Bus System Message Bus 
  dist-skel-first-boot.service loaded active exited    /home/user from /etc/skel
  dnsmasq.service             loaded active running   dnsmasq - A lightweight D
  getty@tty1.service          loaded active running   Getty on tty1            
  haveged.service             loaded active running   Entropy daemon using the 
  ifup@eno1.service           loaded active exited    ifup for eno1            
  ifupdown-pre.service        loaded active exited    Helper to synchronize boo
  jitterentropy.service       loaded active running   Jitterentropy Gatherer Da
  keyboard-setup.service      loaded active exited    Set the console keyboard 
  kmod-static-nodes.service   loaded active exited    Create list of required s
  libvirt-guests.service      loaded active exited    Suspend/Resume Running li
  libvirtd.service            loaded active running   Virtualization daemon    
  lightdm.service             loaded active running   Light Display Manager    
  lkrg-dkms.service           loaded active exited    Linux Kernel Runtime Guar
  lvm2-monitor.service        loaded active exited    Monitoring of LVM2 mirror
  msgcollector.service        loaded active exited    msgcollector             
  networking.service          loaded active exited    Raise network interfaces 
  openvpn.service             loaded active exited    OpenVPN service          
  polkit.service              loaded active running   Authorization Manager    
  remove-system-map.service   loaded active exited    Removes the System.map fi
  rsyslog.service             loaded active running   System Logging Service   
  sdwdate-aae.service         loaded active running   Secure Distributed Web Da
  sdwdate-gui-shutdown-notify.service loaded active exited    Notify sdwdate-gui on gat
  sdwdate-restart-tor-request-file-watcher.service loaded active running   Secure Distributed Web Da

[2]+  Stopped                 sudo systemctl

sdwdate systemctl status:

sdwdate-aae.service - Secure Distributed Web Date
   Loaded: loaded (/lib/systemd/system/sdwdate-aae.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2021-06-10 12:53:47 UTC; 6s ago
     Docs: https://www.whonix.org/wiki/sdwdate
 Main PID: 19401 (sdwdate)
   Status: "Running sdwdate main loop. iteration: 1 / 10000"
    Tasks: 3 (limit: 4915)
   Memory: 25.3M
   CGroup: /system.slice/sdwdate-aae.service
           ├─19401 /usr/bin/python3 -u /usr/bin/sdwdate
           └─19438 /usr/bin/python3 -u /usr/bin/url_to_unixtime 127.0.0.1 9050 https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion 80 true

Jun 10 12:53:48 tron sdwdate[19401]: 2021-06-10 12:53:48 - sdwdate - INFO - pool 0: pool_size: 20 url_index: 9 already_picked_number: 1 already_picked_index: [9]
Jun 10 12:53:48 tron sdwdate[19401]: 2021-06-10 12:53:48 - sdwdate - INFO - pool 1: pool_size: 19 url_index: 0 already_picked_number: 1 already_picked_index: [0]
Jun 10 12:53:48 tron sdwdate[19401]: 2021-06-10 12:53:48 - sdwdate - INFO - pool 2: pool_size: 24 url_index: 8 already_picked_number: 1 already_picked_index: [8]
Jun 10 12:53:48 tron sdwdate[19401]: 2021-06-10 12:53:48 - sdwdate - INFO - requested urls ['http://potatoynwcg34xyodol6p6hvi5e4xelxdeowsl5t2daxywepub32y7yd.onion', 'https://duckduckgogg42xj
Jun 10 12:53:48 tron sdwdate[19401]: remote_times.py: url_to_unixtime_command (s):
Jun 10 12:53:48 tron sdwdate[19401]: url_to_unixtime 127.0.0.1 9050 http://potatoynwcg34xyodol6p6hvi5e4xelxdeowsl5t2daxywepub32y7yd.onion 80 true
Jun 10 12:53:48 tron sdwdate[19401]: url_to_unixtime 127.0.0.1 9050 https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion 80 true
Jun 10 12:53:48 tron sdwdate[19401]: url_to_unixtime 127.0.0.1 9050 http://3gtoclri7h6xrtjjapfezcerj4dqf3fwfk3jmhrhz25i5pyprmz47gad.onion 80 true
Jun 10 12:53:49 tron sdwdate[19401]: remote_times.py: i: 0 | done
Jun 10 12:53:50 tron sdwdate[19401]: remote_times.py: i: 2 | done

It seems to be running; however, I have waited quite a bit to see if it completes, but it ends there at remote_times.py.

I do see sdwdate-gui going back and forth between the X and fetching icons, and the log is still blank. Is sdwdate-gui part of the sdwdate apparmor profile, or does that need to be added as well? It could just be a permission issue.

I ran the commands stated by Patrick above:

cat /lib/systemd/system/sdwdate.service
cat: /lib/systemd/system/sdwdate.service: No such file or directory

ls -la /lib/systemd/system/sdwdate.service
ls: cannot access '/lib/systemd/system/sdwdate.service': No such file or directory

I added -aae to the commands:

 ls -la /lib/systemd/system/sdwdate-aae.service
-rw-r--r-- 1 root root 1836 Oct 21  2015 /lib/systemd/system/sdwdate-aae.service

cat /lib/systemd/system/sdwdate-aae.service
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

[Unit]
Description=Secure Distributed Web Date
Documentation=https://www.whonix.org/wiki/sdwdate
ConditionPathExists=!/run/qubes/this-is-templatevm
ConditionPathExists=/usr/bin/sdwdate

## systemd-nspawn does not allow clock to be changed inside the container.
## Quote https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html
## The host’s network interfaces and the system clock may not be changed from within the container.
## https://forums.whonix.org/t/bootclockrandomization-always-moving-clock-plus-or-5-seconds/2200/10
ConditionVirtualization=!systemd-nspawn

After=network.target
Wants=network.target

After=rinetd.service
After=bootclockrandomization.service
After=tor.service
After=tor@default.service

Conflicts=systemd-timesyncd.service

[Service]
Type=notify
User=sdwdate
Group=sdwdate
ExecStart=/usr/bin/sdwdate
SuccessExitStatus=143
TimeoutSec=30
WatchdogSec=200m
Restart=always

# Hardening.
# no_new_privs blocks transitions to sdwdate's AppArmor profile.
#AmbientCapabilities=CAP_SYS_TIME
#CapabilityBoundingSet=CAP_SYS_TIME
ProtectSystem=strict
ReadWriteDirectories=/run/sdwdate/
ProtectHome=true
#ProtectKernelTunables=true
#ProtectKernelModules=true
ProtectControlGroups=true
PrivateTmp=true
PrivateMounts=true
#PrivateDevices=true
#MemoryDenyWriteExecute=true
#NoNewPrivileges=true
#RestrictRealtime=true
#SystemCallArchitectures=native
#RestrictNamespaces=true
#RestrictAddressFamilies=AF_UNIX AF_INET

# Broken. Need list of syscalls. Alternative below.
#SystemCallFilter=@clock @ipc @signal

# Blacklist certain syscalls. A whitelist would be stronger.
#SystemCallFilter=~@mount @cpu-emulation @debug @keyring @module @obsolete @raw-io

[Install]
WantedBy=multi-user.target

Ran sudo -u sdwdate sdwdate as recommended by Patrick:

2021-06-10 13:05:33 - sdwdate - INFO - sdwdate started. PID: 25860
2021-06-10 13:05:33 - sdwdate - INFO - Tor socks host: 127.0.0.1 Tor socks port: 9050
2021-06-10 13:05:33 - sdwdate - INFO - Running sdwdate main loop. iteration: 1 / 10000
2021-06-10 13:05:34 - sdwdate - INFO - PREPARATION:
2021-06-10 13:05:34 - sdwdate - INFO - /usr/lib/helper-scripts/onion-time-pre-script: Start.
Static Time Sanity Check: Within minimum time 'Sun Jan 17 00:00:00 UTC 2021' and expiration timestamp 'Tue May 17 10:00:00 UTC 2033', ok.
Tor reports: NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"
Tor circuit: established.
Tor Consensus Time Sanity Check: Clock within consensus parameters consensus/valid-after 2021-06-10 11:00:00 and consensus/valid-until 2021-06-10 14:00:00.
Tor already reports circuit established.
/usr/lib/helper-scripts/onion-time-pre-script: END: Exiting with exit_code '0' indicating 'success'.
2021-06-10 13:05:34 - sdwdate - INFO - PREPARATION RESULT: SUCCESS.
2021-06-10 13:05:34 - sdwdate - INFO - 

2021-06-10 13:05:34 - sdwdate - INFO - Initial time fetching in progress...
2021-06-10 13:05:34 - sdwdate - INFO - Running sdwdate fetch loop. iteration: 1
2021-06-10 13:05:34 - sdwdate - INFO - pool 0: pool_size: 20 url_index: 8 already_picked_number: 1 already_picked_index: [8]
2021-06-10 13:05:34 - sdwdate - INFO - pool 1: pool_size: 19 url_index: 13 already_picked_number: 1 already_picked_index: [13]
2021-06-10 13:05:34 - sdwdate - INFO - pool 2: pool_size: 24 url_index: 16 already_picked_number: 1 already_picked_index: [16]
2021-06-10 13:05:34 - sdwdate - INFO - requested urls ['http://blkchairbknpn73cfjhevhla7rkp4ed5gg2knctvv7it4lioy22defid.onion', 'http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion', 'http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion']
remote_times.py: url_to_unixtime_command (s):
url_to_unixtime 127.0.0.1 9050 http://blkchairbknpn73cfjhevhla7rkp4ed5gg2knctvv7it4lioy22defid.onion 80 true
url_to_unixtime 127.0.0.1 9050 http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion 80 true
url_to_unixtime 127.0.0.1 9050 http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion 80 true

remote_times.py: i: 2 | done
remote_times.py: i: 1 | done
remote_times.py: i: 0 | done
remote 0: http://blkchairbknpn73cfjhevhla7rkp4ed5gg2knctvv7it4lioy22defid.onion
* comment: https://web.archive.org/web/20210604180615/https://blockchair.com/
* took_time     : 1.83 second(s)
* half_took_time: 0.92 second(s)
* replay_protection_unixtime: 1623315644
* remote_unixtime           : 1623330348
* consensus/valid-after           : 2021-06-10 11:00:00
* replay_protection_time          : 2021-06-10 09:02:24
* remote_time                     : 2021-06-10 13:05:48
* consensus/valid-until           : 2021-06-10 14:00:00
* time_diff_raw        : 12 second(s)
* time_diff_lag_cleaned: 11.08 second(s)
* Time Replay Protection         : sane
* Tor Consensus Time Sanity Check: sane
* remote_status: True

remote 1: http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion
* comment: https://web.archive.org/web/20201231233846/https://theintercept.com/source/ https://theintercept.com/source/ The Intercept(securedrop)
* took_time     : 1.28 second(s)
* half_took_time: 0.64 second(s)
* replay_protection_unixtime: 1623315644
* remote_unixtime           : 1623330348
* consensus/valid-after           : 2021-06-10 11:00:00
* replay_protection_time          : 2021-06-10 09:02:24
* remote_time                     : 2021-06-10 13:05:48
* consensus/valid-until           : 2021-06-10 14:00:00
* time_diff_raw        : 13 second(s)
* time_diff_lag_cleaned: 12.36 second(s)
* Time Replay Protection         : sane
* Tor Consensus Time Sanity Check: sane
* remote_status: True

remote 2: http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion
* comment: https://web.archive.org/web/20201231233846/https://theintercept.com/source/ https://theintercept.com/source/ The Intercept(securedrop)
* took_time     : 0.97 second(s)
* half_took_time: 0.48 second(s)
* replay_protection_unixtime: 1623315644
* remote_unixtime           : 1623330348
* consensus/valid-after           : 2021-06-10 11:00:00
* replay_protection_time          : 2021-06-10 09:02:24
* remote_time                     : 2021-06-10 13:05:48
* consensus/valid-until           : 2021-06-10 14:00:00
* time_diff_raw        : 13 second(s)
* time_diff_lag_cleaned: 12.52 second(s)
* Time Replay Protection         : sane
* Tor Consensus Time Sanity Check: sane
* remote_status: True

remote_times.py: urls_list:
['http://blkchairbknpn73cfjhevhla7rkp4ed5gg2knctvv7it4lioy22defid.onion', 'http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion', 'http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion']
remote_times.py: status_list:
['ok', 'ok', 'ok']
remote_times.py: took_time_list:
[1.83, 1.28, 0.97]
remote_times.py: half_took_time_list:
[0.92, 0.64, 0.48]
remote_times.py: remote_unixtime_list:
[1623330348, 1623330348, 1623330348]
remote_times.py: time_diff_raw_int_list:
[12, 13, 13]
remote_times.py: time_diff_lag_cleaned_float_list:
[11.08, 12.36, 12.52]
2021-06-10 13:05:36 - sdwdate - INFO - returned urls "['http://blkchairbknpn73cfjhevhla7rkp4ed5gg2knctvv7it4lioy22defid.onion', 'http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion', 'http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion']"
2021-06-10 13:05:36 - sdwdate - INFO - 
2021-06-10 13:05:36 - sdwdate - INFO - failed_urls: 0 allowed_failures: 7
2021-06-10 13:05:36 - sdwdate - INFO - pool 0: http://blkchairbknpn73cfjhevhla7rkp4ed5gg2knctvv7it4lioy22defid.onion, web_time: 2021-06-10 13:05:48, took_time: 1.83 seconds, time_diff_raw: 12 seconds, time_diff_lag_cleaned: 11 seconds
2021-06-10 13:05:36 - sdwdate - INFO - pool 1: http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion, web_time: 2021-06-10 13:05:48, took_time: 0.97 seconds, time_diff_raw: 13 seconds, time_diff_lag_cleaned: 13 seconds
2021-06-10 13:05:36 - sdwdate - INFO - pool 2: http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion, web_time: 2021-06-10 13:05:48, took_time: 0.97 seconds, time_diff_raw: 13 seconds, time_diff_lag_cleaned: 13 seconds
2021-06-10 13:05:36 - sdwdate - INFO - End fetching remote times.
2021-06-10 13:05:36 - sdwdate - INFO - 
2021-06-10 13:05:36 - sdwdate - INFO - Success.
2021-06-10 13:05:36 - sdwdate - INFO -      request_took_times, sorted: [0.97, 1.83]
2021-06-10 13:05:36 - sdwdate - INFO - request_half_took_times, sorted: [0.48, 0.92]
2021-06-10 13:05:36 - sdwdate - INFO -           time_diff_raw, sorted: [12, 13, 13]
2021-06-10 13:05:36 - sdwdate - INFO -       diffs_lag_cleaned, sorted: [11, 13, 13]
2021-06-10 13:05:36 - sdwdate - INFO - median          request_took_times: +1.83
2021-06-10 13:05:36 - sdwdate - INFO - median     half_request_took_times: +0.92
2021-06-10 13:05:36 - sdwdate - INFO - median         raw time difference: +13.00
2021-06-10 13:05:36 - sdwdate - INFO - median lag_cleaned time difference: +13.00
2021-06-10 13:05:36 - sdwdate - INFO - Not randomizing nanoseconds.
2021-06-10 13:05:36 - sdwdate - INFO - new time difference               : +13.000000000
2021-06-10 13:05:36 - sdwdate - INFO - replay_protection_unixtime: 1623315644
2021-06-10 13:05:36 - sdwdate - INFO - old_unixtime              : 1623330336.384205580
2021-06-10 13:05:36 - sdwdate - INFO - new_unixtime              : 1623330349.384205580
2021-06-10 13:05:36 - sdwdate - INFO - replay_protection_time          : 2021-06-10 09:02:24
2021-06-10 13:05:36 - sdwdate - INFO - old_unixtime_human_readable     : 2021-06-10 13:05:36
2021-06-10 13:05:36 - sdwdate - INFO - new_unixtime_human_readable     : 2021-06-10 13:05:49
2021-06-10 13:05:36 - sdwdate - INFO - Instantly setting the time by using command: /bin/date --utc "+%Y-%m-%d %H:%M:%S" --set "@1623330349.384205580"
2021-06-10 13:05:36 - sdwdate - INFO - /bin/date output: 2021-06-10 13:05:49
 /bin/date: cannot set date: Operation not permitted
2021-06-10 13:05:36 - sdwdate - ERROR - /bin/date returncode: 1
2021-06-10 13:05:36 - sdwdate - INFO - Exiting with exit_code '1' because or reason 'bin_date_status non-zero exit code'.
2021-06-10 13:05:36 - sdwdate - INFO - sdwdate stopped by user or system.
2021-06-10 13:05:36 - sdwdate - INFO - sclockadj process not running, ok.
2021-06-10 13:05:36 - sdwdate - INFO - sleep process not running, ok.
2021-06-10 13:05:36 - sdwdate - INFO - End.

Apparmor Systemctl Status:

sudo systemctl status apparmor
● apparmor.service - Load AppArmor profiles
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
  Drop-In: /usr/lib/systemd/system/apparmor.service.d
           └─30_live_mode.conf
   Active: failed (Result: exit-code) since Thu 2021-06-10 12:11:35 UTC; 58min ago
     Docs: man:apparmor(7)
           https://gitlab.com/apparmor/apparmor/wikis/home/
  Process: 673 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
 Main PID: 673 (code=exited, status=1/FAILURE)

Jun 10 12:11:35 tron apparmor.systemd[673]: 'HOME' is already defined
Jun 10 12:11:35 tron apparmor.systemd[673]: AppArmor parser error for /etc/apparmor.d/bin.lsblk in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously declared
Jun 10 12:11:35 tron apparmor.systemd[673]: 'HOME' is already defined
Jun 10 12:11:35 tron apparmor.systemd[673]: AppArmor parser error for /etc/apparmor.d/init-systemd in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously declared
Jun 10 12:11:35 tron apparmor.systemd[673]: 'HOME' is already defined
Jun 10 12:11:35 tron apparmor.systemd[673]: AppArmor parser error for /etc/apparmor.d/usr.lib.xorg.Xorg in /etc/apparmor.d/tunables/home at line 21: variable @{HOME} was previously declared
Jun 10 12:11:35 tron apparmor.systemd[673]: Error: At least one profile failed to load
Jun 10 12:11:35 tron systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Jun 10 12:11:35 tron systemd[1]: apparmor.service: Failed with result 'exit-code'.
Jun 10 12:11:35 tron systemd[1]: Failed to start Load AppArmor profiles.
2 Likes
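The "variable @{HOME} was previously declared" failures above come from the AppArmor parser, which refuses a second `@{NAME}=` declaration of a variable it has already seen while loading one profile. As an added example (not code from this thread or from apparmor-profile-everything), the following Python walks `#include <...>` lines the way the parser reads them, in source order and without deduplicating repeated includes, and reports every variable that ends up declared from two include paths. The sample tree, the `tunables/init-systemd` contents and the profile names in it are constructed to illustrate the mechanism and are not the files from the page.

```python
import re

# Constructed sample of an /etc/apparmor.d tree (paths relative to /etc/apparmor.d).
# File contents are hypothetical and trimmed to the include and variable lines
# that matter for this check; they are not the page's or the project's files.
FILES = {
    "tunables/global": "#include <tunables/home>\n#include <tunables/proc>\n",
    "tunables/home": "@{HOMEDIRS}=/home/\n@{HOME}=@{HOMEDIRS}/*/ /root/\n",
    "tunables/proc": "@{PROC}=/proc/\n",
    # A custom tunables file that itself pulls in tunables/global ...
    "tunables/init-systemd": "#include <tunables/global>\n@{dev_ttys}=/dev/tty{,S}[0-9]{,[0-9]}\n",
    # ... and a profile that includes both, so tunables/home is reached twice.
    "init-systemd": "#include <tunables/global>\n#include <tunables/init-systemd>\nprofile init-systemd {\n}\n",
    # A profile that reaches tunables/global only once loads cleanly.
    "usr.bin.example": "#include <tunables/global>\nprofile example {\n}\n",
}

INCLUDE_RE = re.compile(r"^\s*#?include\s+<([^>]+)>")
# Only '=' declares a variable; '@{X}+=' appends to an existing one and may repeat.
DECL_RE = re.compile(r"^\s*@\{([A-Za-z0-9_]+)\}\s*=")


def walk_declarations(files, entry, decls=None, stack=()):
    """Follow includes depth-first in source order, as the parser does, and
    record every file that declares each variable. Repeated includes are NOT
    deduplicated, because the parser re-reads a file each time it is included;
    the stack only guards against include cycles."""
    if decls is None:
        decls = {}
    if entry in stack:
        return decls
    if entry not in files:
        raise FileNotFoundError(entry)
    for line in files[entry].splitlines():
        inc = INCLUDE_RE.match(line)
        if inc:
            walk_declarations(files, inc.group(1), decls, stack + (entry,))
            continue
        decl = DECL_RE.match(line)
        if decl:
            decls.setdefault(decl.group(1), []).append(entry)
    return decls


def redeclared(files, entry):
    """Variables declared more than once while loading `entry`: exactly the
    cases that produce 'variable @{X} was previously declared'."""
    return {v: f for v, f in walk_declarations(files, entry).items() if len(f) > 1}


if __name__ == "__main__":
    for profile in ("init-systemd", "usr.bin.example"):
        print(profile, "->", redeclared(FILES, profile) or "loads cleanly")
```

Running it against a real `/etc/apparmor.d` means reading the files into the same dict keyed by relative path; the output names both files that declare the variable, which shows which of the two include paths to drop.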
(deb-systemd-helper DEBUG) action = enable, scriptname = sdwdate.service, service_path = sdwdate.service
/usr/bin/deb-systemd-helper: error: unable to read sdwdate.service

/lib/systemd/system/sdwdate.service by sdwdate
vs
/lib/systemd/system/sdwdate-aae.service by apparmor-profile-everything

That is the issue.

2 Likes

Known issue if it can be called that. AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy - #419 by madaidan

But since it got forgotten and confused all of us, a better implementation is desirable.

Best to add any error messages as comments in the source code so they can at least be remembered when grepping the source code.

Was introduced here: Disable sdwdate systemd sandboxing and onion-grater apparmor profile by madaidan · Pull Request #61 · Whonix/apparmor-profile-everything · GitHub

2 Likes

So I wanted to start fresh and get a working KickSecure OS with apparmor-profile-everything installed. These are the denials I was getting that the current tunables file doesn’t cover:

[   22.280856] audit: type=1400 audit(1623499968.580:50): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:03.0/0000:04:00.0/device" pid=907 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   22.280865] audit: type=1400 audit(1623499968.580:51): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:03.0/0000:04:00.0/config" pid=907 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   40.560695] audit: type=1400 audit(1623504580.364:54): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:1c.4/0000:07:00.0/vendor" pid=926 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   40.560705] audit: type=1400 audit(1623504580.364:55): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:1c.4/0000:07:00.0/config" pid=926 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   22.280856] audit: type=1400 audit(1623499968.580:50): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:03.0/0000:04:00.0/device" pid=907 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   22.280865] audit: type=1400 audit(1623499968.580:51): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:03.0/0000:04:00.0/config" pid=907 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   30.775452] audit: type=1400 audit(1623505210.815:50): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:ff/0000:ff:08.0/vendor" pid=924 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   30.775465] audit: type=1400 audit(1623505210.815:51): apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:ff/0000:ff:08.0/config" pid=924 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

You’ll notice that some of the denials will come up with letters or will be shorter. What would the formatting be in the tunables file to cover all the denials above?

I just put this below to accept all devices while I experiment with a format that covers all the denials above:

@{sys_pci}=@{sys}/devices/***

I know we need to be more exact in profiling but I do not know the proper format to cover all denials above at the moment.

I received these denials after reboot with the tunables opened up as stated above:

[   40.000564] audit: type=1400 audit(1623508340.150:50): apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/power/state" pid=855 comm="systemd-logind" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   40.002620] audit: type=1400 audit(1623508340.150:51): apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/power/state" pid=855 comm="systemd-logind" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   40.004911] audit: type=1400 audit(1623508340.154:52): apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/power/state" pid=855 comm="systemd-logind" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   41.379437] audit: type=1400 audit(1623508341.526:53): apparmor="DENIED" operation="file_receive" profile="dbus-daemon" name="/run/systemd/sessions/c1.ref" pid=864 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=104 ouid=0
[   47.146480] audit: type=1400 audit(1623508347.294:54): apparmor="DENIED" operation="file_receive" profile="dbus-daemon" name="/run/systemd/sessions/2.ref" pid=864 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=104 ouid=0
[   51.904417] audit: type=1400 audit(1623508352.054:55): apparmor="DENIED" operation="file_receive" profile="dbus-daemon" name="/run/systemd/sessions/c1.ref" pid=864 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=104 ouid=0
[   61.126246] audit: type=1400 audit(1623508361.274:56): apparmor="DENIED" operation="file_receive" profile="dbus-daemon" name="/run/systemd/sessions/4.ref" pid=864 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=104 ouid=0
[   61.440903] audit: type=1400 audit(1623508361.590:57): apparmor="DENIED" operation="open" profile="init-systemd" name="/dev/tty1" pid=1597 comm="systemd-logind" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=1000
[   61.441274] audit: type=1400 audit(1623508361.590:58): apparmor="DENIED" operation="open" profile="init-systemd" name="/dev/tty1" pid=1597 comm="systemd-logind" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=1000

I added the appropriate rules and rebooted, and received more denials:

[   39.465316] audit: type=1400 audit(1623509004.387:50): apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/class/" pid=777 comm="systemd-logind" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   39.467232] audit: type=1400 audit(1623509004.387:51): apparmor="DENIED" operation="file_receive" profile="dbus-daemon" name="/run/systemd/inhibit/2.ref" pid=783 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=104 ouid=0
[   40.071626] audit: type=1400 audit(1623509004.991:52): apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/class/" pid=1407 comm="systemd-logind" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Rebooted a few more times and received these denials:

[   45.442349] audit: type=1400 audit(1623511909.736:50): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1117 comm="systemd" requested_mask="receive" denied_mask="receive" signal=term peer="init-systemd"
[   45.442658] audit: type=1400 audit(1623511909.736:51): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1117 comm="systemd" requested_mask="receive" denied_mask="receive" signal=kill peer="init-systemd"
[   45.442858] audit: type=1400 audit(1623511909.736:52): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1117 comm="systemd" requested_mask="receive" denied_mask="receive" signal=term peer="init-systemd"
[   45.443116] audit: type=1400 audit(1623511909.736:53): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1117 comm="systemd" requested_mask="receive" denied_mask="receive" signal=kill peer="init-systemd"
[   55.699934] audit: type=1400 audit(1623512307.187:50): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1155 comm="systemd" requested_mask="receive" denied_mask="receive" signal=cont peer="init-systemd"

So I added these rules to sudoedit: /etc/apparmor.d/local/usr.bin.dbus-daemon:

signal receive set=term,
signal receive set=kill,
signal receive set=cont,

Rebooted again and there were no denials, just unconfined messages:

[   17.633417] EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)
[   17.673161] audit: type=1400 audit(1623512443.087:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="systemd-shutdown" pid=407 comm="apparmor_parser"
[   17.679815] audit: type=1400 audit(1623512443.095:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="systemd-modules-load" pid=410 comm="apparmor_parser"
[   17.686095] audit: type=1400 audit(1623512443.103:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="systemd-sysctl" pid=413 comm="apparmor_parser"
[   17.696987] audit: type=1400 audit(1623512443.111:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="init-systemd" pid=418 comm="apparmor_parser"
[   18.479313] systemd[1]: Inserted module 'autofs4'
[   21.733464] audit: type=1400 audit(1623512447.147:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="rapt" pid=675 comm="apparmor_parser"
[   21.736810] audit: type=1400 audit(1623512447.151:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="apt.systemd.daily" pid=676 comm="apparmor_parser"
[   21.739125] audit: type=1400 audit(1623512447.155:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagent" pid=669 comm="apparmor_parser"
[   21.739135] audit: type=1400 audit(1623512447.155:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="spice-vdagentd" pid=669 comm="apparmor_parser"
[   21.741598] audit: type=1400 audit(1623512447.155:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/timesanitycheck" pid=672 comm="apparmor_parser"
[   21.745149] audit: type=1400 audit(1623512447.159:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/tor-circuit-established-check" pid=673 comm="apparmor_parser"

As for sdwdate, I wanted to run sudo aa-complain /usr/bin/sdwdate; however, I receive this error:

sudo aa-complain  /usr/bin/sdwdate
ERROR: Profile for /{,usr/}lib/systemd/** exists in /etc/apparmor.d/init-systemd and /etc/apparmor.d/init-systemd

How do I fix this so that I can aa-complain sdwdate for now while the profile is being fixed?

Also, there is a boot error after installing apparmor-profile-everything for the first time:

Warning from stdin (line 1): config file '/etc/apparmor/parser.conf not found

Also, there is a kernel denial that dmesg doesn’t log pertaining to sdwdate:

Jun  9 17:00:41 grid kernel: [  113.311127] audit: type=1400 audit(1623258041.017:25): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/sdwdate" name="/usr/sbin/anondate-get" pid=1265 comm="onion-time-pre-" requested_mask="x" denied_mask="x" fsuid=107 ouid=0 target="unconfined"
Jun  9 17:00:43 grid kernel: [  116.025624] audit: type=1400 audit(1623258043.729:26): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/sdwdate" name="/usr/sbin/anondate-get" pid=1314 comm="onion-time-pre-" requested_mask="x" denied_mask="x" fsuid=107 ouid=0 target="unconfined"
Jun  9 17:00:47 grid kernel: [  119.742970] audit: type=1400 audit(1623258047.449:27): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/sdwdate" name="/usr/sbin/anondate-get" pid=1415 comm="onion-time-pre-" requested_mask="x" denied_mask="x" fsuid=107 ouid=0 target="unconfined"
Jun  9 17:00:52 grid kernel: [  124.465162] audit: type=1400 audit(1623258052.169:28): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/sdwdate" name="/usr/sbin/anondate-get" pid=1541 comm="onion-time-pre-" requested_mask="x" denied_mask="x" fsuid=107 ouid=0 target="unconfined"
Jun  9 17:00:57 grid kernel: [  130.178889] audit: type=1400 audit(1623258057.885:29): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/sdwdate" name="/usr/sbin/anondate-get" pid=1589 comm="onion-time-pre-" requested_mask="x" denied_mask="x" fsuid=107 ouid=0 target="unconfined"

I’m going to experiment some more; hopefully this helps! Also, reboot hangs on a blinking dash; I believe this was addressed somewhere here.

Thanks,
sudobash

2 Likes
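The post above works through denial lines by hand: reading the audit record, deciding which profile it belongs to, and writing the matching rule (a file rule for the open denials, `signal receive set=...` for the dbus-daemon ones, and recognising that the sdwdate exec denial is a no_new_privs problem that no rule can fix). The following is an added example, not code from the thread or from the apparmor-profile-everything project, that does that triage mechanically: it parses the `key="value"` fields of AppArmor audit lines and prints candidate rules grouped by profile. The sample log text is constructed from the kinds of denials quoted above; the rule formatting (mask ordering, the `owner` prefix when fsuid equals ouid) follows what aa-logprof would suggest and should still be reviewed before being added to a profile.

```python
"""Turn AppArmor DENIED audit lines into candidate profile rules.

Added example for the forum thread; not part of the thread or of the
apparmor-profile-everything project. SAMPLE_DMESG is constructed from
the denial types quoted in the post above.
"""
import re
from collections import OrderedDict

# Constructed sample input: one of each denial type seen in the post.
SAMPLE_DMESG = """\
[   61.441274] audit: type=1400 audit(1623508361.590:58): apparmor="DENIED" operation="open" profile="init-systemd" name="/dev/tty1" pid=1597 comm="systemd-logind" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=1000
[   39.465316] audit: type=1400 audit(1623509004.387:50): apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/class/" pid=777 comm="systemd-logind" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   45.442349] audit: type=1400 audit(1623511909.736:50): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1117 comm="systemd" requested_mask="receive" denied_mask="receive" signal=term peer="init-systemd"
[   45.442658] audit: type=1400 audit(1623511909.736:51): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1117 comm="systemd" requested_mask="receive" denied_mask="receive" signal=kill peer="init-systemd"
[   45.442858] audit: type=1400 audit(1623511909.736:52): apparmor="DENIED" operation="signal" profile="dbus-daemon" pid=1117 comm="systemd" requested_mask="receive" denied_mask="receive" signal=term peer="init-systemd"
[  113.311127] audit: type=1400 audit(1623258041.017:25): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/sdwdate" name="/usr/sbin/anondate-get" pid=1265 comm="onion-time-pre-" requested_mask="x" denied_mask="x" fsuid=107 ouid=0 target="unconfined"
"""

# key="quoted value" or key=bareword; the quoted form is tried first so
# values with spaces (info="no new privs") survive intact.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Canonical spelling order for file permission letters ("wr" -> "rw").
_MODE_ORDER = "rwamlkx"


def parse_audit_line(line):
    """Return the fields of one DENIED audit line as a dict, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def _canon_mask(mask):
    return "".join(c for c in _MODE_ORDER if c in mask)


def suggest_rule(fields):
    """Map one parsed denial to (profile, candidate rule or note)."""
    op = fields.get("operation")
    profile = fields.get("profile")
    if op == "signal":
        return profile, "signal {} set={} peer={},".format(
            fields["requested_mask"], fields["signal"], fields["peer"])
    if op == "exec" and fields.get("info") == "no new privs":
        # no_new_privs forbids the domain transition itself, so no profile
        # rule can allow it; the sandboxing option has to go instead.
        return profile, ("# {} -> {}: blocked by no_new_privs; remove the "
                         "systemd options implying NoNewPrivileges= instead "
                         "of adding a rule".format(profile, fields["name"]))
    if "name" in fields and "denied_mask" in fields:
        # aa-logprof style: prefix "owner" when the accessing uid owns the file.
        owner = "owner " if fields.get("fsuid") == fields.get("ouid") else ""
        return profile, "{}{} {},".format(
            owner, fields["name"], _canon_mask(fields["denied_mask"]))
    return profile, "# unhandled operation {}: {}".format(op, fields)


def rules_from_log(text):
    """Deduplicated suggestions grouped by profile, in first-seen order."""
    out = OrderedDict()
    for line in text.splitlines():
        fields = parse_audit_line(line)
        if not fields:
            continue
        profile, rule = suggest_rule(fields)
        out.setdefault(profile, [])
        if rule not in out[profile]:
            out[profile].append(rule)
    return out


if __name__ == "__main__":
    for profile, rules in rules_from_log(SAMPLE_DMESG).items():
        print("# profile:", profile)
        for rule in rules:
            print("   ", rule)
```

Feeding real output from `dmesg` or `journalctl -k` into `rules_from_log` gives the same grouping; the point of the no_new_privs branch is that such a denial is a reason to look at the unit's sandboxing options, as the reply below notes, not a reason to widen the profile.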

These are very different from the previous denials. Try:

@{sys_pci}=@{sys}/devices/pci*:*/*:*:*.*/{,*:*:*.*/}

Most of these should already be fixed by Fix various denial errors · Whonix/apparmor-profile-everything@ded4058 · GitHub

This is because there are 3 separate policies defined in /etc/apparmor.d/init-systemd which are selectively enabled, depending on the boot mode (normal, aadebug or superroot). You can simply edit that file and comment out the aadebug and superroot profiles for now.

This is the same issue with no_new_privs that the custom sdwdate-aae.service works around by disabling all the systemd sandboxing options that imply NoNewPrivileges=true.

2 Likes
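The `@{sys_pci}` tunable is a path glob, and whether a rewrite like the one suggested above is wide enough is easiest to settle offline, against real paths from `find /sys/devices -maxdepth 3 -type d`, before reloading profiles. The following is an added example, not code from the thread or from the apparmor-profile-everything project: a small translator from AppArmor glob syntax (`*` stops at `/`, `**` crosses it, `?`, `[...]` classes, `{a,b}` alternation, `@{var}` expansion) to a Python regex, used to check both the tunable posted earlier in the thread and the one suggested in the reply against constructed sample paths. One caveat it makes visible: inside a bracket class the comma is a literal character, so `[0-9,a-z]` also matches `,`; `[0-9a-z]` is what was meant.

```python
"""Check AppArmor path globs against sample paths without loading a profile.

Added example for the forum thread; not from the thread or the project.
The variable values are the ones quoted in the thread; the paths are
constructed to look like typical /sys/devices PCI entries.
"""
import re

# Tunables as quoted in the thread (single-valued; @{sys} is assumed to be /sys).
VARS = {
    "sys": "/sys",
    "sys_pci_numbers": "[0-9,a-z][0-9,a-z][0-9,a-z][0-9,a-z]:[0-9,a-z][0-9,a-z]",
}
POSTED_GLOB = "@{sys}/devices/pci@{sys_pci_numbers}/@{sys_pci_numbers}:*.*/{,@{sys_pci_numbers}:*.*/}"
SUGGESTED_GLOB = "@{sys}/devices/pci*:*/*:*:*.*/{,*:*:*.*/}"

# Constructed sample paths: two valid depths, one too deep, one without the
# trailing slash the globs require, and a file below a device directory.
SAMPLE_PATHS = [
    "/sys/devices/pci0000:00/0000:00:1f.2/",
    "/sys/devices/pci0000:00/0000:00:1c.0/0000:01:00.0/",
    "/sys/devices/pci0000:00/0000:00:1c.0/0000:01:00.0/0000:02:00.0/",
    "/sys/devices/pci0000:00/0000:00:1f.2",
    "/sys/devices/pci0000:00/0000:00:1f.2/resource0",
]

_VAR = re.compile(r"@\{(\w+)\}")


def expand_vars(glob, variables):
    """Substitute @{name} with its definition until nothing is left to expand."""
    prev = None
    while prev != glob:
        prev = glob
        glob = _VAR.sub(lambda m: variables[m.group(1)], glob)
    return glob


def glob_to_regex(glob):
    """Translate AppArmor glob syntax into an anchored Python regex."""
    out = []
    depth = 0          # nesting of {...} groups; ',' is alternation only inside
    i = 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")            # ** may cross directory boundaries
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")         # * never crosses a /
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = glob.index("]", i)      # copy the class verbatim ([^...] works too)
            out.append(glob[i:j + 1])
            i = j
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}":
            out.append(")")
            depth -= 1
        elif c == "," and depth > 0:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def matches(glob, path, variables=VARS):
    """True if the (variable-expanded) glob matches the whole path."""
    return re.match(glob_to_regex(expand_vars(glob, variables)), path) is not None


def check_paths(glob, paths=SAMPLE_PATHS, variables=VARS):
    """Map each sample path to whether the glob matches it."""
    return {p: matches(glob, p, variables) for p in paths}


if __name__ == "__main__":
    for label, glob in (("posted", POSTED_GLOB), ("suggested", SUGGESTED_GLOB)):
        print(label, expand_vars(glob, VARS))
        for path, ok in check_paths(glob).items():
            print("  ", "match" if ok else "no   ", path)
```

Both globs accept the one- and two-level PCI directories and reject the third level, the slash-less form and files inside a device directory, which is the fine-grained behaviour asked for earlier in the thread; the suggested form simply drops the hand-written character classes, and with them the stray comma.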