Whonix AppArmor Profiles Development Discussion


Why is alias / -> /rw/, not enough?

Why is explicitly…

alias /var/lib/ -> /rw/var/lib/,
alias /var/lib/tor/ -> /rw/var/lib/tor/,

additionally required?

If in doubt, could you ask the upstream AppArmor developer mailing list please?

I think it belongs here https://github.com/Whonix/apparmor-profile-anondist/blob/master/etc/apparmor.d/tunables/home.d/qubes-whonix-anondist?

//cc @Algernon

These are known issues of apparmor + overlayfs. Some other examples:


Just using “alias / -> /rw/,” will still lead to denied messages in some cases. The easy workaround is to also add the denied path as an alias.
If the live mode gets tested some more, more denied messages could maybe be expected. At least every denied message with “/rw/” in the path would be related to overlayfs.

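Added example, not code from the thread or from the Whonix packages: a small Python helper that pulls the profile and path out of AppArmor AVC DENIED lines and, for paths under /rw/, emits the per-directory alias workaround described above, so overlayfs denials can be separated from ordinary profile gaps. The sample audit lines are constructed; the profile names and paths in them are placeholders modelled on the format quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample AVC lines (not taken from the thread). The "/rw/" paths
# stand for overlayfs-backed files; the /sys path is an unrelated denial.
SAMPLE_AVC = """\
audit[1234]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/tor" name="/rw/var/lib/tor/state" pid=1234 comm="tor" requested_mask="r" denied_mask="r" fsuid=107 ouid=107
audit[1234]: AVC apparmor=“DENIED” operation=“mknod” profile="/usr/bin/tor" name="/rw/var/lib/tor/lock" pid=1234 comm=“tor” requested_mask=“c” denied_mask=“c” fsuid=107 ouid=107
audit[5678]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/onion-grater" name="/sys/block/sda/queue/hw_sector_size" pid=5678 comm="onion-grater" requested_mask="r" denied_mask="r" fsuid=114 ouid=0
"""

AVC_RE = re.compile(r'apparmor="DENIED".*?profile="(?P<profile>[^"]+)".*?name="(?P<name>[^"]+)"')


def parse_denials(text):
    """Return (profile, path) pairs for every AppArmor DENIED line.
    Forum pastes often carry curly quotes, so normalise them first."""
    out = []
    for line in text.splitlines():
        line = line.replace("\u201c", '"').replace("\u201d", '"')
        m = AVC_RE.search(line)
        if m:
            out.append((m.group("profile"), m.group("name")))
    return out


def overlay_aliases(denials, overlay="/rw"):
    """For denials under the overlay root, suggest alias lines that map the
    original directory to its overlay copy (the workaround used in this
    thread). Returns {profile: sorted list of alias rules}; denials outside
    the overlay are skipped because they need a normal profile rule instead."""
    rules = defaultdict(set)
    for profile, path in denials:
        if not path.startswith(overlay + "/"):
            continue
        orig = path[len(overlay):]                  # /rw/var/lib/tor/state -> /var/lib/tor/state
        directory = orig.rsplit("/", 1)[0] + "/"    # aliases are written per directory
        rules[profile].add(f"alias {directory} -> {overlay}{directory},")
    return {p: sorted(r) for p, r in rules.items()}


if __name__ == "__main__":
    for profile, aliases in overlay_aliases(parse_denials(SAMPLE_AVC)).items():
        print(profile)
        for rule in aliases:
            print("  " + rule)
```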

Can you please move to apparmor-profile-anondist, remove from your other two packages and reference https://bugs.launchpad.net/apparmor/+bug/888077 in the comment?

I opened some pull request for this.


All merged.

Looks like this is happening in VirtualBox during a race condition.

sudo systemctl stop networking

sudo systemctl restart onion-grater


Aug 14 17:28:39 host systemd[1]: Starting Tor control port filter proxy...

Aug 14 17:28:39 host audit[18942]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/onion-grater" name="/sys/devices/pci0000:00/0000:00:16.0/host4/port-4:0/end_device-4:0/target4:0:0/4:0:0:0/block/sda/queue/hw_sector_size" pid=18942 comm="onion-grater" requested_mask="r" denied_mask="r" fsuid=114 ouid=0

Aug 14 17:28:39 host audit[18942]: SYSCALL arch=c000003e syscall=2 success=no exit=-13 a0=7f470c3c61b8 a1=80000 a2=1b6 a3=20 items=1 ppid=1 pid=18942 auid=4294967295 uid=114 gid=119 euid=114 suid=114 fsuid=114 egid=119 sgid=119 fsgid=119 tty=(none) ses=4294967295 comm="onion-grater" exe="/usr/bin/python3.5" key=(null)
Aug 14 17:28:39 host audit: CWD cwd="/"
Aug 14 17:28:39 host audit: PATH item=0 name="/sys/block/sda/queue/hw_sector_size" inode=7729 dev=00:10 mode=0100444 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Aug 14 17:28:39 host audit: PROCTITLE proctitle=2F7573722F62696E2F707974686F6E33002D75002F7573722F6C69622F6F6E696F6E2D677261746572002D2D6465627567002D2D6C697374656E2D696E746572666163650065746831

Aug 14 17:28:39 host onion-grater[18942]: Traceback (most recent call last):
Aug 14 17:28:39 host onion-grater[18942]:   File "/usr/lib/onion-grater", line 770, in <module>
Aug 14 17:28:39 host onion-grater[18942]:     main()
Aug 14 17:28:39 host onion-grater[18942]:   File "/usr/lib/onion-grater", line 752, in main
Aug 14 17:28:39 host onion-grater[18942]:     ip_address = get_ip_address(global_args.listen_interface)
Aug 14 17:28:39 host onion-grater[18942]:   File "/usr/lib/onion-grater", line 193, in get_ip_address
Aug 14 17:28:39 host onion-grater[18942]:     struct.pack('256s', bytes(ifname[:15], 'utf-8'))
Aug 14 17:28:39 host onion-grater[18942]: OSError: [Errno 99] Cannot assign requested address
Aug 14 17:28:39 host systemd[1]: onion-grater.service: Main process exited, code=exited, status=1/FAILURE
Aug 14 17:28:39 host systemd[1]: Failed to start Tor control port filter proxy.

whonixcheck denied message in a corner case. How to reproduce:

Add exit 0 as the second line of /usr/lib/qubes-whonix/init/network-proxy-setup in the whonix-gw-14 TemplateVM, shut down the TemplateVM, restart sys-whonix.

sudo ifdown --force eth0
sudo ifdown --force eth1
sudo systemctl restart onion-grater

Aug 14 20:57:08 host audit[2079]: AVC apparmor="DENIED" operation="capable" profile="/usr/bin/whonixcheck" pid=2079 comm="ifconfig" capability=16 capname="sys_module"

Dunno what to do best with…

/usr/bin/spectre-meltdown-checker cux,

What I want to say there is “scrub environment, execute /usr/bin/spectre-meltdown-checker with its profile if it exists but if it doesn’t exist, execute /usr/bin/spectre-meltdown-checker unconfined”.

//cc @eyedeekay @0brand

Yay, this is coming.

You’ll probably like how fast we implemented your wish - it has been done for 8 months :wink: Nearly all abstractions in git master have a line like

#include if exists <abstractions/base.d>

This will be part of the next major release (2.14 or 3.0), therefore I’ll close this ticket as already implemented. If you think we should backport this to 2.12 and 2.13, please reopen and provide a good reason :wink:

port to /etc/apparmor.d/abstractions.d in Debian 11 bullseye

Sep 07 03:42:10 host kernel: audit: type=1400 audit(1567827730.866:126): apparmor="DENIED" operation="exec" profile="/**/*-browser/Browser/firefox" name="/usr/local/bin/dirname" pid=15407 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Not fixed. Created for it:
