sdwdate and sdwdate-gui development thread

Development
369

https://github.com/Whonix/sdwdate/pull/23

370

Awesome. No more denied messages for now.

1 Like
371
372

sdwdate/usr/bin/url_to_unixtime at master · Kicksecure/sdwdate · GitHub wants lots of apparmor permissions. How can this be avoided? @madaidan

AVC apparmor=“DENIED” operation=“exec” profile=“/usr/bin/url_to_unixtime” name=“/usr/bin/x86_64-linux-gnu-gcc-8” comm=“url_to_unixtime” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“/usr/bin/url_to_unixtime” name=“/usr/bin/x86_64-linux-gnu-ld.bfd” comm=“url_to_unixtime” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“/usr/bin/url_to_unixtime” name=“/usr/lib/gcc/x86_64-linux-gnu/8/collect2” comm=“gcc” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“open” profile=“/usr/bin/url_to_unixtime//null-/sbin/ldconfig” name=“/etc/ld.so.cache” comm=“ldconfig” requested_mask=“r” denied_mask=“r”

This is probably from python attempting to compile ,pyc files for optimization. That script however doesn’t need any performance optimization whatsoever. It is fine and more than fast enough even without compilation.

Attempted to disable ,pyc file creation:

  • python -B
  • environment variable PYTHONDONTWRITEBYTECODE=1
  • sys.dont_write_bytecode = True

But none of that worked.

Is there some way to add in an apparmor profile “good enough - stop reporting further denials”? I guess not as per:

1 Like
373

sdwdate need to have new design of getting its time corrected, because sdwdate can be turned off through turning off all onion connection from the Tor network itself:

And today the issue is fixed (connecting to onion v3) without a single update or manual configuration to Tor client, This shows clear instability when relying on Tor network to do always the job.

I believe I2P support should be added to the development of sdwdate either when Tor fail to connect to then switch to it or as a replacement to Tor entirely (but we dont need to go to the extreme version now as there are no signs showing the need to do that yet).

374

Not sure that is possible. I2P also needs a (somewhat?) correct clock to be able to connect to the I2P network. Maybe it’s even less tolerant to skewed clock than Tor? Therefore we have a similar bootstrap problem. System clock too slow or too fast for I2P being able to connect → sdwdate cannot cannot use I2P to fetch time from I2P eepsites.

375
376

sdwdate improvements have been implemented in git master and Whonix developers repository:

  • sdwdate can now recover, successfully set the system clock even if system clock is so slow (year 2000) or fast (year 2050) so that Tor is unable to connect.
  • The time fetching part of sdwdate (abstracted as separate script url_to_unixtime so it can be more easily confined) is now a python3 requests based implementation with the following features:
    • HTTP header fetching
    • HTTP header parsing (we need the Date: field)
    • HTTP 1.0 and HTTP 1.1 compatibility
    • TLS support
    • socks support (for Tor configuration and stream isolation)

Issue of Most Onions Down due to a Denial of Service Attack on the Tor Network / sdwdate synchronisation fails, sometimes works - #4 by Patrick has not been addressed due to lack of a concept how sdwdate could fetch time if most onions are down most of the time.

Could use some help with apparmor / seccomp / systemd / sandbox-app-launcher confinement.

//cc @madaidan

1 Like
377

This was resolved thanks to:

2 Likes
378
379

access control disabled, clients can connect from any host

That comes from this:

QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to ‘/tmp/runtime-sdwdate-gui’

See also below.

I guess don’t fix if not broken. We possibly need to redesign this for wayland anyhow. See also above.

380
381
382

sdwdate-gui wont show up in the taskbar on non-kicksecure-xfce DE like e.g Gnome

Confusing Thing: (Whonix-WS)

Permission Denied because root not used:

user@host:~$ sdwdate --verbose --debug
2022-05-31 17:05:34 - sdwdate - INFO - sdwdate started. PID: 42564
Traceback (most recent call last):
File “/usr/bin/sdwdate”, line 10, in
sdwdate.main()
File “/usr/lib/python3/dist-packages/sdwdate/sdwdate.py”, line 1018, in main
global_files()
File “/usr/lib/python3/dist-packages/sdwdate/sdwdate.py”, line 970, in global_files
Path(sdwdate_status_files_folder).mkdir(parents=True, exist_ok=True)
File “/usr/lib/python3.9/pathlib.py”, line 1312, in mkdir
self._accessor.mkdir(self, mode)
PermissionError: [Errno 13] Permission denied: ‘/home/user/sdwdate’
user@host:~$

But sdwdate should not run as root:

user@host:~$ sudo sdwdate --verbose --debug
2022-05-31 17:05:18 - sdwdate - INFO - sdwdate started. PID: 42562
2022-05-31 17:05:18 - sdwdate - ERROR - Exit error… sdwdate should not be run as root!
2022-05-31 17:05:18 - sdwdate - INFO - Exiting with exit_code ‘1’ because or reason ‘sdwdate should not be run as root.’.
2022-05-31 17:05:18 - sdwdate - INFO - sdwdate stopped by user or system.
write_status unexpected error: <class ‘NameError’>
2022-05-31 17:05:18 - sdwdate - INFO - sclockadj process not running, ok.
2022-05-31 17:05:18 - sdwdate - INFO - sleep process not running, ok.
Traceback (most recent call last):
File “/usr/bin/sdwdate”, line 10, in
sdwdate.main()
File “/usr/lib/python3/dist-packages/sdwdate/sdwdate.py”, line 1013, in main
exit_handler(exit_code, reason)
File “/usr/lib/python3/dist-packages/sdwdate/sdwdate.py”, line 116, in exit_handler
Path(sleep_long_file_path).unlink(missing_ok=True)
NameError: name ‘sleep_long_file_path’ is not defined

?

1 Like
384

4 posts were split to a new topic: sdwdate - WARNING - Clock got changed by something other than sdwdate. sleep_time_seconds: 6040 time_delta: 6043 time_passed: -3

385

https://www.kicksecure.com/wiki/Dev/sdwdate#sdwdate_linux_user_account

386
1 Like
387

Clarify more 1/10000 in sdwdate message log.

1 Like
388

Done in git.

1 Like
389

Created for it:

1 Like