Whonix AppArmor Profiles Development Discussion


VirtualBox AppArmor profile warning (Whonix 14)

From the Whonix 14 testing thread, note that the apparmor profile for VirtualBox (when installing apparmor-profiles-whonix) warns:

Warning from /etc/apparmor.d/usr/lib/virtualbox.VirtualBox (/etc/apparmor.d/usr.lib.virtualbox.VirtualBox line 50): Unconfined exec qualifer (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.

Probably low priority, but worthy of investigation.


From http://forums.kkkkkkkkkk63ava6.onion/t/long-wiki-edits-thread/3477/569

How about implementing this OnionShare AppArmor profile in Whonix?



Already has upstream.



I think we should remove the VirtualBox profile from apparmor-profiles-whonix. This is a very early one, and it was meant to be used in the host.

If someone feels like installing AppArmor in their host, enforce the profile and start Whonix, they are welcome.


Good idea. Done.







Why is alias / -> /rw/, not enough?

Why is explicitly…

alias /var/lib/ -> /rw/var/lib/,
alias /var/lib/tor/ -> /rw/var/lib/tor/,

additionally required?

In doubt, could you ask upstream apparmor developer mailing list please?

I think it belongs here https://github.com/Whonix/apparmor-profile-anondist/blob/master/etc/apparmor.d/tunables/home.d/qubes-whonix-anondist?

//cc @Algernon

Whonix live mode

These are known issues of apparmor + overlayfs. Some other examples:


Just using “alias / -> /rw/,” will still lead to denied messages in some cases. The easy workaround is to also add the denied path as an alias.
If the live mode gets tested more, some more denied messages could maybe be expected. At least every denied message with “/rw/” in the path would be related to overlayfs.


Can you please move to apparmor-profile-anondist, remove from your other two packages and reference https://bugs.launchpad.net/apparmor/+bug/888077 in the comment?


I opened some pull request for this.


All merged.


Happening in VirtualBox during a race condition, looks like.

sudo systemctl stop networking

sudo systemctl restart onion-grater


Aug 14 17:28:39 host systemd[1]: Starting Tor control port filter proxy...

Aug 14 17:28:39 host audit[18942]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/onion-grater" name="/sys/devices/pci0000:00/0000:00:16.0/host4/port-4:0/end_device-4:0/target4:0:0/4:0:0:0/block/sda/queue/hw_sector_size" pid=18942 comm="onion-grater" requested_mask="r" denied_mask="r" fsuid=114 ouid=0

Aug 14 17:28:39 host audit[18942]: SYSCALL arch=c000003e syscall=2 success=no exit=-13 a0=7f470c3c61b8 a1=80000 a2=1b6 a3=20 items=1 ppid=1 pid=18942 auid=4294967295 uid=114 gid=119 euid=114 suid=114 fsuid=114 egid=119 sgid=119 fsgid=119 tty=(none) ses=4294967295 comm="onion-grater" exe="/usr/bin/python3.5" key=(null)
Aug 14 17:28:39 host audit: CWD cwd="/"
Aug 14 17:28:39 host audit: PATH item=0 name="/sys/block/sda/queue/hw_sector_size" inode=7729 dev=00:10 mode=0100444 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Aug 14 17:28:39 host audit: PROCTITLE proctitle=2F7573722F62696E2F707974686F6E33002D75002F7573722F6C69622F6F6E696F6E2D677261746572002D2D6465627567002D2D6C697374656E2D696E746572666163650065746831

Aug 14 17:28:39 host onion-grater[18942]: Traceback (most recent call last):
Aug 14 17:28:39 host onion-grater[18942]:   File "/usr/lib/onion-grater", line 770, in <module>
Aug 14 17:28:39 host onion-grater[18942]:     main()
Aug 14 17:28:39 host onion-grater[18942]:   File "/usr/lib/onion-grater", line 752, in main
Aug 14 17:28:39 host onion-grater[18942]:     ip_address = get_ip_address(global_args.listen_interface)
Aug 14 17:28:39 host onion-grater[18942]:   File "/usr/lib/onion-grater", line 193, in get_ip_address
Aug 14 17:28:39 host onion-grater[18942]:     struct.pack('256s', bytes(ifname[:15], 'utf-8'))
Aug 14 17:28:39 host onion-grater[18942]: OSError: [Errno 99] Cannot assign requested address
Aug 14 17:28:39 host systemd[1]: onion-grater.service: Main process exited, code=exited, status=1/FAILURE
Aug 14 17:28:39 host systemd[1]: Failed to start Tor control port filter proxy.

kdesudo error popup window ( sdwdate-gui )

whonixcheck denied message in a corner case. How to reproduce:

Add exit 0 in second line in /usr/lib/qubes-whonix/init/network-proxy-setup in whonix-gw-14 TemplateVM, shut down TemplateVM, restart sys-whonix.

sudo ifdown --force eth0
sudo ifdown --force eth1
sudo systemctl restart onion-grater

Aug 14 20:57:08 host audit[2079]: AVC apparmor="DENIED" operation="capable" profile="/usr/bin/whonixcheck" pid=2079 comm="ifconfig" capability=16 capname="sys_module"
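
Triaging denials like the onion-grater and whonixcheck ones above by eye is error-prone, so here is an added Python example (not code from this thread or from any Whonix package) that parses AVC DENIED audit records, separates file denials from capability denials, and, following the earlier remark that every denial with "/rw/" in the path is the overlayfs live-mode aliasing issue, turns those into a candidate alias rule instead of an allow rule. The /usr/sbin/tor sample line is constructed by me, and collapsing the hardware-specific part of a /sys/devices path to a `**` glob is my own heuristic, not something AppArmor tooling does automatically.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC lines quoted in this thread, one
# constructed /rw/ denial (profile /usr/sbin/tor is an assumption) to exercise
# the overlayfs heuristic, and one non-AVC record that must be ignored.
SAMPLE_AUDIT = """\
Aug 14 17:28:39 host audit[18942]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/onion-grater" name="/sys/devices/pci0000:00/0000:00:16.0/host4/port-4:0/end_device-4:0/target4:0:0/4:0:0:0/block/sda/queue/hw_sector_size" pid=18942 comm="onion-grater" requested_mask="r" denied_mask="r" fsuid=114 ouid=0
Aug 14 20:57:08 host audit[2079]: AVC apparmor="DENIED" operation="capable" profile="/usr/bin/whonixcheck" pid=2079 comm="ifconfig" capability=16 capname="sys_module"
Aug 14 21:00:00 host audit[2222]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/tor" name="/rw/var/lib/tor/state" pid=2222 comm="tor" requested_mask="r" denied_mask="r" fsuid=105 ouid=105
Aug 14 21:00:01 host audit[2223]: SYSCALL arch=c000003e syscall=2 success=no exit=-13
"""

# key=value pairs; a value is either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of an AppArmor AVC DENIED record, or None
    for any other audit record (SYSCALL, PATH, PROCTITLE, ...)."""
    # Logs pasted into forums often arrive with curly quotes; normalise them.
    line = line.replace("\u201c", '"').replace("\u201d", '"')
    if " AVC " not in line or 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def generalize_sys_device_path(path):
    """Heuristic (my assumption, not AppArmor behaviour): the bus/host/target
    components of a /sys/devices/... block-device path differ between machines
    and boots, so collapse them to a glob for the candidate rule."""
    return re.sub(r"^/sys/devices/.+?/block/", "/sys/devices/**/block/", path)


def classify(fields):
    """Turn one parsed denial into a triage finding with a candidate rule.
    Candidate rules are input for human review, never applied blindly."""
    op = fields.get("operation", "?")
    finding = {"profile": fields.get("profile", "?"), "operation": op,
               "comm": fields.get("comm", "?")}

    if op == "capable":
        capname = fields.get("capname", "?")
        # Capabilities such as sys_module are broad grants; the finding says
        # what was asked for, the reviewer decides whether the profile needs it.
        finding.update(
            kind="capability",
            detail="%s requested CAP_%s" % (finding["comm"], capname.upper()),
            candidate_rule="capability %s," % capname,
        )
        return finding

    name = fields.get("name", "")
    mask = fields.get("denied_mask", fields.get("requested_mask", ""))

    if name.startswith("/rw/"):
        # Per the thread: a denial under /rw/ is the overlayfs (live mode)
        # aliasing problem; alias the original directory instead of allowing
        # the /rw/ path itself.
        original = name[len("/rw"):]
        directory = original.rsplit("/", 1)[0] + "/"
        finding.update(
            kind="overlayfs-alias",
            detail="path under /rw/ (overlayfs); alias %s instead of allowing it" % directory,
            candidate_rule="alias %s -> /rw%s," % (directory, directory),
        )
        return finding

    # The AVC name is the fully resolved path (the PATH record in the thread
    # shows /sys/block/sda/..., the AVC shows the /sys/devices/... target).
    finding.update(
        kind="file",
        detail="%s denied %s on resolved path %s" % (finding["comm"], mask, name),
        candidate_rule="%s %s," % (generalize_sys_device_path(name), mask),
    )
    return finding


def summarize(audit_text):
    """Group findings by profile for every AVC DENIED line in audit_text."""
    by_profile = defaultdict(list)
    for line in audit_text.splitlines():
        fields = parse_avc(line)
        if fields is not None:
            finding = classify(fields)
            by_profile[finding["profile"]].append(finding)
    return dict(by_profile)


if __name__ == "__main__":
    for profile, findings in summarize(SAMPLE_AUDIT).items():
        print(profile)
        for f in findings:
            print("  [%s] %s" % (f["kind"], f["detail"]))
            print("      candidate: %s" % f["candidate_rule"])
```

Run it as-is to see the three findings; feed it `journalctl -k` or `/var/log/audit/audit.log` output to triage a real session. For the onion-grater case it yields `/sys/devices/**/block/sda/queue/hw_sector_size r,`, for the whonixcheck case `capability sys_module,` (flagged for review rather than recommended), and for the constructed /rw/ case exactly the `alias /var/lib/tor/ -> /rw/var/lib/tor/,` form discussed earlier in this thread.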


Dunno what to do best with…

/usr/bin/spectre-meltdown-checker cux,

What I want to say there is “scrub environment, execute /usr/bin/spectre-meltdown-checker with its profile if it exists but if it doesn’t exist, execute /usr/bin/spectre-meltdown-checker unconfined”.




//cc @eyedeekay @0brand