sdwdate and sdwdate-gui development thread

Development
358

P

Put the exit button at he bottom of the menu.

Ideally, there should be a separator between the last vm and the exit button. Struggling with this.

1 Like
359

Merged, tested, and available from testers repository. The separation is category “perfection”. Working really, really good already. Much, much better to have an exit button.

360

We don’t need to trust qubesdb-read /name and can use an environment variable instead.

QREXEC_REMOTE_DOMAIN

I think I need to replace $1 with $QREXEC_REMOTE_DOMAIN in etc/qubes-rpc/whonix.NewStatus or something.

Probably does not work yet.

361
362
363

@madaidan

1 Like
364

Tried changing:

/usr/lib/sdwdate/url_to_unixtime mrix,

To

/usr/lib/sdwdate/url_to_unixtime mrCx,

Does not work.

audit: type=1400 audit(1577056822.492:946): apparmor=“DENIED” operation=“exec” info=“profile transition not found” error=-13 profile=“/usr/bin/sdwdate” name=“/usr/lib/sdwdate/url_to_unixtime” pid=23637 comm=“sdwdate” requested_mask=“x” denied_mask=“x” fsuid=107 ouid=0 target=“/usr/lib/sdwdate/url_to_unixtime”

1 Like
365

Cx is for child profiles which are profiles within a profile. e.g.

profile example /usr/bin/example {
  
  ...

  /usr/bin/example2 rCx,


  profile example2 /usr/bin/example2 {
    ...
  }

}

You’re looking for the Px rule which makes the program transition to a profile that’s the same name of the program, not specifically a child profile.

1 Like
366

madaidan via Whonix Forum:

Cx is for child profiles which are profiles within a profile. e.g.

profile example /usr/bin/example {
  
  ...

  /usr/bin/example2 rCx,


  profile example2 /usr/bin/example2 {
    ...
  }

}

You’re looking for the Px rule which makes the program transition to a profile that’s the same name of the program, not specifically a child profile.

Unfortunately does not work either.

Dec 23 07:26:59 work kernel: audit: type=1400
audit(1577104019.726:961): apparmor=“DENIED” operation=“exec” info=“no
new privs” error=-1 profile=“/usr/bin/sdwdate”
name=“/usr/lib/sdwdate/url_to_unixtime” pid=13236 comm=“sdwdate”
requested_mask=“x” denied_mask=“x” fsuid=107 ouid=0
target=“/usr/lib/sdwdate/url_to_unixtime”

1 Like
367

I think that might be an issue with sdwdate’s sandboxing (Systemd sandboxing fails when using a full system apparmor policy · Issue #14277 · systemd/systemd · GitHub). Try disabling it and see if it works.

1 Like
368

Could you fix these please?

Happening on sudo /usr/lib/sdwdate/restart_fresh.

Jan 14 20:51:41 host audit[22474]: AVC apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/mktemp” pid=22474 comm=“sdwdate” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/mktemp”
Jan 14 20:51:41 host audit[22474]: AVC apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/mktemp” pid=22474 comm=“sdwdate” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/mktemp”
Jan 14 20:51:41 host sdwdate[22472]: 2020-01-14 20:51:41 - sdwdate - INFO - create temp_dir: /tmp/tmp.mJZmHLnAca
Jan 14 20:51:41 host kernel: audit: type=1400 audit(1579035101.575:168): apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/mktemp” pid=22474 comm=“sdwdate” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/mktemp”
Jan 14 20:51:41 host kernel: audit: type=1400 audit(1579035101.575:169): apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/mktemp” pid=22474 comm=“sdwdate” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/mktemp”
Jan 14 20:51:41 host sdwdate[22472]: 2020-01-14 20:51:41 - sdwdate - INFO - Tor socks host: 127.0.0.1 Tor socks port: 9050
Jan 14 20:51:41 host sdwdate[22472]: 2020-01-14 20:51:41 - sdwdate - INFO - Running sdwdate main loop. iteration: 1 / 10000
Jan 14 20:51:41 host audit[22476]: AVC apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22476 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host audit[22476]: AVC apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22476 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host kernel: audit: type=1400 audit(1579035101.587:170): apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22476 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host kernel: audit: type=1400 audit(1579035101.587:171): apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22476 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host audit[22477]: AVC apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22477 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host audit[22477]: AVC apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22477 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host audit[22478]: AVC apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22478 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host audit[22478]: AVC apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22478 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host kernel: audit: type=1400 audit(1579035101.591:172): apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22477 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host kernel: audit: type=1400 audit(1579035101.591:173): apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22477 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host kernel: audit: type=1400 audit(1579035101.591:174): apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22478 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host kernel: audit: type=1400 audit(1579035101.591:175): apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22478 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host audit[22479]: AVC apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22479 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host audit[22479]: AVC apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22479 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host audit[22480]: AVC apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22480 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host audit[22480]: AVC apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22480 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host kernel: audit: type=1400 audit(1579035101.595:176): apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22479 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host kernel: audit: type=1400 audit(1579035101.595:177): apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22479 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host audit[22481]: AVC apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/rm” pid=22481 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/rm”
Jan 14 20:51:41 host audit[22481]: AVC apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/rm” pid=22481 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/rm”
Jan 14 20:51:41 host Tor[876]: New control connection opened.
Jan 14 20:51:41 host audit[22486]: AVC apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/cat” pid=22486 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/cat”
Jan 14 20:51:41 host audit[22486]: AVC apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/cat” pid=22486 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/cat”
Jan 14 20:51:41 host audit[22487]: AVC apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/rm” pid=22487 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/rm”
Jan 14 20:51:41 host audit[22487]: AVC apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/rm” pid=22487 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/rm”
Jan 14 20:51:41 host Tor[876]: New control connection opened.
Jan 14 20:51:41 host audit[22492]: AVC apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/cat” pid=22492 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/cat”
Jan 14 20:51:41 host audit[22492]: AVC apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/cat” pid=22492 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/cat”
Jan 14 20:51:41 host audit[22493]: AVC apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22493 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host audit[22493]: AVC apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22493 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host audit[22494]: AVC apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/rm” pid=22494 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/rm”
Jan 14 20:51:41 host audit[22494]: AVC apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/rm” pid=22494 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/rm”
Jan 14 20:51:41 host Tor[876]: New control connection opened.
Jan 14 20:51:41 host audit[22499]: AVC apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/cat” pid=22499 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/cat”
Jan 14 20:51:41 host audit[22499]: AVC apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/cat” pid=22499 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/cat”
Jan 14 20:51:41 host audit[22500]: AVC apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22500 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host audit[22500]: AVC apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22500 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host audit[22501]: AVC apparmor=“ALLOWED” operation=“exec” profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22501 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”
Jan 14 20:51:41 host audit[22501]: AVC apparmor=“ALLOWED” operation=“exec” info=“no new privs” error=-1 profile=“/usr/bin/sdwdate” name=“/usr/bin/date” pid=22501 comm=“te_pe_tb_check” requested_mask=“x” denied_mask=“x” fsuid=116 ouid=0 target=“/usr/bin/sdwdate//null-/usr/bin/date”

1 Like
369

https://github.com/Whonix/sdwdate/pull/23

370

Awesome. No more denied messages for now.

1 Like
371
372

sdwdate/usr/bin/url_to_unixtime at master · Kicksecure/sdwdate · GitHub wants lots of apparmor permissions. How can this be avoided? @madaidan

AVC apparmor=“DENIED” operation=“exec” profile=“/usr/bin/url_to_unixtime” name=“/usr/bin/x86_64-linux-gnu-gcc-8” comm=“url_to_unixtime” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“/usr/bin/url_to_unixtime” name=“/usr/bin/x86_64-linux-gnu-ld.bfd” comm=“url_to_unixtime” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“/usr/bin/url_to_unixtime” name=“/usr/lib/gcc/x86_64-linux-gnu/8/collect2” comm=“gcc” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“open” profile=“/usr/bin/url_to_unixtime//null-/sbin/ldconfig” name=“/etc/ld.so.cache” comm=“ldconfig” requested_mask=“r” denied_mask=“r”

This is probably from python attempting to compile ,pyc files for optimization. That script however doesn’t need any performance optimization whatsoever. It is fine and more than fast enough even without compilation.

Attempted to disable ,pyc file creation:

  • python -B
  • environment variable PYTHONDONTWRITEBYTECODE=1
  • sys.dont_write_bytecode = True

But none of that worked.

Is there some way to add in an apparmor profile “good enough - stop reporting further denials”? I guess not as per:

1 Like
373

sdwdate need to have new design of getting its time corrected, because sdwdate can be turned off through turning off all onion connection from the Tor network itself:

And today the issue is fixed (connecting to onion v3) without a single update or manual configuration to Tor client, This shows clear instability when relying on Tor network to do always the job.

I believe I2P support should be added to the development of sdwdate either when Tor fail to connect to then switch to it or as a replacement to Tor entirely (but we dont need to go to the extreme version now as there are no signs showing the need to do that yet).

374

Not sure that is possible. I2P also needs a (somewhat?) correct clock to be able to connect to the I2P network. Maybe it’s even less tolerant to skewed clock than Tor? Therefore we have a similar bootstrap problem. System clock too slow or too fast for I2P being able to connect → sdwdate cannot cannot use I2P to fetch time from I2P eepsites.

375
376

sdwdate improvements have been implemented in git master and Whonix developers repository:

  • sdwdate can now recover, successfully set the system clock even if system clock is so slow (year 2000) or fast (year 2050) so that Tor is unable to connect.
  • The time fetching part of sdwdate (abstracted as separate script url_to_unixtime so it can be more easily confined) is now a python3 requests based implementation with the following features:
    • HTTP header fetching
    • HTTP header parsing (we need the Date: field)
    • HTTP 1.0 and HTTP 1.1 compatibility
    • TLS support
    • socks support (for Tor configuration and stream isolation)

Issue of Most Onions Down due to a Denial of Service Attack on the Tor Network / sdwdate synchronisation fails, sometimes works - #4 by Patrick has not been addressed due to lack of a concept how sdwdate could fetch time if most onions are down most of the time.

Could use some help with apparmor / seccomp / systemd / sandbox-app-launcher confinement.

//cc @madaidan

1 Like
377

This was resolved thanks to:

2 Likes