Live mode breaks apparmor

zilika · June 17, 2019, 9:52am

On live mode apparmor breaks completely 0 profile loaded:

apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

On persistent mode doesn’t load all profiles, only 3 if I recall correctly.
Tested on KVM.
Any advice is welcomed if a solution is not ready.

nurmagoz · June 17, 2019, 10:07am

whonix 14 or 15?

zilika · June 17, 2019, 2:32pm

Whonix 15

nurmagoz · June 17, 2019, 2:49pm

wait for this issue to get fixed then check back again:

http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/whonix-virtualbox-15-0-0-0-7-debian-buster-based-testers-wanted/7131/27

zilika · June 19, 2019, 9:45am

After todays Whonix package update in persistent mode Apparmor works corectly, but on live mode still doesn’t work, 0 profiles loaded.

nurmagoz · June 19, 2019, 5:56pm

Confirmed! Thanks for your report

Patrick · June 20, 2019, 4:08am

Thanks, that gives a very good lead.

cat /lib/systemd/system/apparmor.service

[Unit]
Description=Load AppArmor profiles
DefaultDependencies=no
Before=sysinit.target
After=local-fs.target
After=systemd-journald-audit.socket
RequiresMountsFor=/var/cache/apparmor
AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load
ConditionSecurity=apparmor
Documentation=man:apparmor(7)
Documentation=https://gitlab.com/apparmor/apparmor/wikis/home/

# Don't start this unit on the Ubuntu Live CD
ConditionPathExists=!/rofs/etc/apparmor.d

# Don't start this unit on the Debian Live CD when using overlayfs
ConditionPathExists=!/run/live/overlay/work

[Service]
Type=oneshot
ExecStart=/lib/apparmor/apparmor.systemd reload
ExecReload=/lib/apparmor/apparmor.systemd reload

# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement
# from running processes (and not being able to re-apply it later).
# Upstream systemd developers refused to implement an option that allows overriding
# this behaviour, therefore we have to make ExecStop a no-op to error out on the
# safe side.
#
# If you really want to unload all AppArmor profiles, run   aa-teardown
ExecStop=/bin/true
RemainAfterExit=yes

[Install]
WantedBy=sysinit.target

Culprit being:

# Don't start this unit on the Debian Live CD when using overlayfs
ConditionPathExists=!/run/live/overlay/work

Next step, find out which component creates /run/live/overlay/work?

//cc @onion_knight @troubadour

In my next post I will suggest a potential workaround, which if working, can be applied to next package upgrade of Whonix.

Patrick · June 20, 2019, 4:11am

Potential workaround:

Boot in persistent mode.

Create folder /lib/systemd/system/apparmor.service.d.

sudo mkdir -p /lib/systemd/system/apparmor.service.d

Open file /lib/systemd/system/apparmor.service.d/30_live_mode.conf with root rights.

lxsu mousepad /lib/systemd/system/apparmor.service.d/30_live_mode.conf

Paste the following content.

[Unit]
ConditionPathExists=

Save. Reboot.

Could you try please?

zilika · June 20, 2019, 12:35pm

Pasted ConditionPathExists= in /lib/systemd/system/apparmor.service.d/30_live_mode.conf
Same as before in Live mode. Not working.

Patrick · June 20, 2019, 12:36pm

Would help if you could provide

sudo systemctl status apparmor

too

zilika · June 20, 2019, 12:38pm

user@host:~$ sudo systemctl status apparmor
Warning: The unit file, source configuration file or drop-ins of apparmor.servic
● apparmor.service - Load AppArmor profiles
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset:
  Drop-In: /lib/systemd/system/apparmor.service.d
           └─30_live_mode.conf
   Active: inactive (dead)
Condition: start condition failed at Thu 2019-06-20 12:31:10 UTC; 6min ago
           └─ ConditionPathExists=!/run/live/overlay/work was not met
     Docs: man:apparmor(7)
           https://gitlab.com/apparmor/apparmor/wikis/home/

Jun 20 12:31:10 host systemd[1]: Condition check resulted in Load AppArmor profi

Patrick · June 20, 2019, 12:43pm

Corrected by above post just now.

Live mode breaks apparmor - #8 by Patrick

Relevant fixed part:

Paste the following content.

[Unit]
ConditionPathExists=

Please try.

zilika · June 20, 2019, 12:49pm

user@host:~$ sudo systemctl status apparmor
● apparmor.service - Load AppArmor profiles
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset:
  Drop-In: /lib/systemd/system/apparmor.service.d
           └─30_live_mode.conf
   Active: active (exited) since Thu 2019-06-20 12:45:41 UTC; 23s ago
     Docs: man:apparmor(7)
           https://gitlab.com/apparmor/apparmor/wikis/home/
  Process: 387 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, sta
 Main PID: 387 (code=exited, status=0/SUCCESS)

Jun 20 12:45:41 host systemd[1]: Starting Load AppArmor profiles...
Jun 20 12:45:41 host apparmor.systemd[387]: Restarting AppArmor
Jun 20 12:45:41 host apparmor.systemd[387]: Reloading AppArmor profiles
Jun 20 12:45:41 host apparmor.systemd[387]: Skipping profile in /etc/apparmor.d/
Jun 20 12:45:41 host systemd[1]: Started Load AppArmor profiles.

It works, profiles are loaded. Thank you Patrick!

Patrick · June 20, 2019, 1:26pm