[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [CONTRIBUTE] [DONATE]

Question about unconfined App Armor profiles & processes & complain mode

First of all I love Whonix. Thank you for your efforts! I’ve had some odd occurrences with my sys-whonix (I’m on latest Qubes) that i’ll describe after my specific question.

When I check the apparmor status I get this: Is it expected to have this many profiles & processes in complain mode?

apparmor module is loaded.
44 profiles are loaded.
26 profiles are in enforce mode.
//*-browser/Browser/firefox
/usr/bin/hexchat
/usr/bin/man
/usr/bin/onioncircuits
/usr/bin/pidgin
/usr/bin/pidgin//sanitized_helper
/usr/bin/sdwdate
/usr/bin/systemcheck
/usr/bin/timesanitycheck
/usr/bin/tor-circuit-established-check
/usr/bin/totem
/usr/bin/totem-audio-preview
/usr/bin/totem-video-thumbnailer
/usr/bin/totem//sanitized_helper
/usr/bin/url_to_unixtime
/usr/lib/onion-grater
/usr/libexec/systemcheck/canary
/usr/sbin/haveged
apt-cacher-ng
bootclockrandomization
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
system_tor
18 profiles are in complain mode.
/usr/bin/irssi
/usr/bin/whonix_firewall
/usr/libexec/whonix-firewall/

/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
avahi-daemon
identd
klogd
mdnsd
nmbd
nscd
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
6 processes have profiles defined.
3 processes are in enforce mode.
/usr/bin/python3.9 (843) /usr/lib/onion-grater
/usr/sbin/haveged (511)
/usr/bin/tor (846) system_tor
3 processes are in complain mode.
/usr/bin/bash (704) /usr/libexec/whonix-firewall/**
/usr/bin/bash (723) /usr/libexec/whonix-firewall/**
/usr/bin/inotifywait (724) /usr/libexec/whonix-firewall/**
0 processes are unconfined but have a profile defined.

When I run aa-unconfined I get:

815 /usr/bin/tinyproxy not confined
820 /usr/bin/tinyproxy not confined
821 /usr/bin/tinyproxy not confined
843 /usr/bin/python3.9 (/usr/bin/python3) confined by ‘/usr/lib/onion-grater (enforce)’
846 /usr/bin/tor confined by ‘system_tor (enforce)’
1210 /usr/bin/tinyproxy not confined
1279 /usr/bin/tinyproxy not confined
1337 /usr/bin/tinyproxy not confined
1391 /usr/bin/tinyproxy not confined
1409 /usr/bin/tinyproxy not confined

I understand the concept that complain mode is there so that profiles and processes can tell you they have violations without that necessarily killing them, and you can adjust and test from there, but is this expected?

To my nonspecific question:

When I launch my sys-whonix on startup and run a whonix DVM & my KeepassXC vault (on whonix) I’ve had sys-whonix crash randomly (yes, must be hacked then… :smile: ) and when it loads back up it no longer shows keepassxc in the list when I click on the whonix lock icon (offline vault, should it even be in there?). Sometimes a dispvm that is currently running will no longer appear despite it still running and saying it is on tor.

I also had an occurance where in a DISPVM downloads were going to a mozilla folder, not .tb/tor-browser/… and when I ran ‘top’ I saw systemd-socket-. Does this strike you as just standard random bugs?

I’m sorry if this is long winded or misguided, but I love whonix and I tried to google key search terms to find out, but I’d love an explanation.

THANK YOU!!

Thank you!

Expected.

Actually difficult to know for users. Either it’s in complain mode because the profile is considered unfinished or some other reason. Whonix firewall apparmor profiles makes little sense outside of completion of development of apparmor-profile-everything. In theory, a profile might be good enough and it’s an Kicksecure, Whonix or upstream bug that it’s not in enforce mode by default. Hard to tell without being a developer and researching these things in-depth.

Seems unrelated to AppArmor.
1 question = 1 forum topic please.

systemd-socket-proxyd is expected (in Whonix source code and Whonix wiki).

Using Firefox or Tor Browser?
Separate forum topic if you like to discuss this further please.

Separate forum discussion or topic required here too.
Depends on how you noticed the crash.
Random crashes would belong to Qubes (as per What to post in this Qubes-Whonix forum and what not.).

Related to sdwdate-gui. This would require a separate forum topic and detailed instructions how to reproduce this issue so I can potentially reproduce and fix it.

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]