Morphing Debian Bookworm to Kicksecure (tested on `ppc64el`, but I expect `amd64` to work the same way) results in `sdwdate` hitting this AppArmor failure:

```
AVC apparmor="DENIED" operation="create" profile="/usr/bin/sdwdate" pid=1225 comm="url_to_unixtime" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
```

Checking whether networking is enabled for `sdwdate`'s AppArmor profile indicates that it is not:

```
$ /usr/sbin/apparmor_parser -p /etc/apparmor.d/usr.bin.sdwdate | grep network
## {{{ whonix-[gw|ws]-network-conf
## {{{ kicksecure-network-conf
```
Checking other profiles indicates that it is enabled there:
```
$ /usr/sbin/apparmor_parser -p /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin | grep network
## {{{ whonix-[gw|ws]-network-conf
## {{{ kicksecure-network-conf
# to vast speed increases when working with network-based lookups.
# TCP/UDP network access
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
network netlink raw,
network bluetooth,
```

```
$ /usr/sbin/apparmor_parser -p /etc/apparmor.d/system_tor | grep network
## {{{ whonix-[gw|ws]-network-conf
## {{{ kicksecure-network-conf
# to vast speed increases when working with network-based lookups.
# TCP/UDP network access
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
network netlink raw,
network tcp,
network udp,
```
AppArmor is Deny by Default for all confined processes, so omitting the `network` rules is expected to result in no network access, which explains why `sdwdate` is failing. So why does this only happen in Bookworm but not Bullseye? It appears that Debian (I guess due to kernel-related reasons?) does not support the `network` rules until AppArmor v3.0. Bookworm is the first Debian suite that is at least v3.0. Hence this bug in `sdwdate`'s AppArmor profile never got noticed.

I'm happy to open a PR to fix this (it seems all that's needed is to add `network inet stream,` to `/etc/apparmor.d/abstractions/url_to_unixtime`, but I'm open to putting that rule somewhere else if you prefer). But, since this involved some pretty heavy debugging/research to figure out this fix, I'm posting my findings here first for peer review purposes so that it's hopefully easy to determine whether I'm on the right track.

Related minor questions: should I add `inet6` as well in case `sdwdate` users are trying to access Tor's SOCKS port via IPv6? Should I add `dgram` as future-proofing for when Tor supports SOCKS over QUIC?
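As an added illustration of the mapping from denial to rule described above (not code from the post or from the sdwdate project), the following script parses AppArmor `DENIED` audit lines and derives the `network <family> <sock_type>,` rule each confined profile is missing, the same way one would read the `family`/`sock_type` fields by hand. The log lines are constructed samples modelled on the denial quoted in the post; the `inet6` variant is assumed for illustration.

```python
import re

# Constructed sample log: the denial from the post, an assumed inet6
# variant of it, and a non-network event that must be ignored.
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.000:42): apparmor="DENIED" operation="create" profile="/usr/bin/sdwdate" pid=1225 comm="url_to_unixtime" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1700000000.001:43): apparmor="DENIED" operation="create" profile="/usr/bin/sdwdate" pid=1226 comm="url_to_unixtime" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1700000000.002:44): apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/etc/hosts" pid=1225 comm="sdwdate" requested_mask="r" denied_mask="r"
"""

# key=value pairs, either quoted ("...") or bare (pid=1225, protocol=6)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    if 'apparmor=' not in line:
        return {}
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}


def network_rule_for(fields):
    """Map a DENIED socket event to the AppArmor rule that would permit it.

    Only events carrying both family and sock_type are socket denials;
    file denials (no such fields) and ALLOWED/AUDIT events yield None.
    """
    if fields.get('apparmor') != 'DENIED':
        return None
    family, sock_type = fields.get('family'), fields.get('sock_type')
    if not family or not sock_type:
        return None
    return f"network {family} {sock_type},"


def rules_from_log(text):
    """Collect the distinct network rules each profile needs, keyed by profile."""
    needed = {}
    for line in text.splitlines():
        fields = parse_avc(line)
        rule = network_rule_for(fields)
        if rule:
            needed.setdefault(fields['profile'], set()).add(rule)
    return needed


if __name__ == "__main__":
    for profile, rules in rules_from_log(SAMPLE_LOG).items():
        print(profile)
        for rule in sorted(rules):
            print("  " + rule)
```

Running it over a real journal (`journalctl -k | grep apparmor=`) tells you exactly which `network` rules the profile lacks before you edit the abstraction.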