[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [CONTRIBUTE] [DONATE]

sdwdate AppArmor profile broken on Bookworm

Morphing Debian Bookworm to Kicksecure (tested on ppc64el, but I expect amd64 to work the same way) results in sdwdate hitting this AppArmor failure:

AVC apparmor="DENIED" operation="create" profile="/usr/bin/sdwdate" pid=1225 comm="url_to_unixtime" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"

Checking whether networking is enabled for sdwdate's AppArmor profile indicates that it is not:

$ /usr/sbin/apparmor_parser -p /etc/apparmor.d/usr.bin.sdwdate | grep network
## {{{ whonix-[gw|ws]-network-conf
## {{{ kicksecure-network-conf

Checking other profiles indicates that it is enabled there:

$ /usr/sbin/apparmor_parser -p /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin | grep network
## {{{ whonix-[gw|ws]-network-conf
## {{{ kicksecure-network-conf
  # to vast speed increases when working with network-based lookups.
  # TCP/UDP network access
  network inet  stream,
  network inet6 stream,
  network inet  dgram,
  network inet6 dgram,
  network netlink raw,
  network bluetooth,
$ /usr/sbin/apparmor_parser -p /etc/apparmor.d/system_tor | grep network
## {{{ whonix-[gw|ws]-network-conf
## {{{ kicksecure-network-conf
  # to vast speed increases when working with network-based lookups.
  # TCP/UDP network access
  network inet  stream,
  network inet6 stream,
  network inet  dgram,
  network inet6 dgram,
  network netlink raw,
  network tcp,
  network udp,

AppArmor is Deny by Default for all confined processes, so omitting the network rules is expected to result in no network access, which explains why sdwdate is failing. So why does this only happen in Bookworm but not Bullseye? It appears that Debian (I guess due to kernel-related reasons?) does not support the network rules until AppArmor v3.0. Bookworm is the first Debian suite that is at least v3.0. Hence why this bug in sdwdate's AppArmor profile never got noticed.

I’m happy to open a PR to fix this (seems all that’s needed is to add network inet stream, to /etc/apparmor.d/abstractions/url_to_unixtime, but I’m open to putting that rule somewhere else if you prefer). But, since this involved some pretty heavy debugging/research to figure out this fix, I’m posting my findings here first for peer review purposes so that it’s hopefully easy to determine whether I’m on the right track.

Related minor questions: should I add inet6 as well in case sdwdate users are trying to access Tor’s SOCKS port via IPv6? Should I add dgram as future-proofing for when Tor supports SOCKS over QUIC?

1 Like

Btw apparmor-info might be handy.

If that works, that is a great solution! Analyzing this bug is very much appreciated!

Yes, please. I guess having these issues by the time when this happens would be quite a lot time so better getting this done now seems more efficient.

PR submitted: AppArmor: explicitly allow network access by JeremyRand · Pull Request #38 · Whonix/sdwdate · GitHub

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]