Whonix AppArmor Profiles Development Discussion

Algernon · July 20, 2018, 9:48am

These are known issues of apparmor + overlayfs. Some other examples:

https://github.com/subgraph/subgraph_desktop_stretch/issues/1
https://labs.riseup.net/code/issues/9045

Just using “alias / → /rw/,” will still lead to denied messages in some cases. The easy workaround is to also add the denied path as an alias.
If the live mode gets tested more some more denied messages could maybe be expected.At least every denied message with “/rw/” in the path would be related to overlayfs.

Patrick · July 20, 2018, 10:14am

Can you please move to apparmor-profile-anondist, remove from your other two packages and reference Bug #888077 “alias rules being only partially applied” : Bugs : AppArmor in the comment?

Algernon · July 27, 2018, 1:30pm

I opened some pull request for this.

Patrick · July 27, 2018, 2:17pm

All merged.

Patrick · August 14, 2018, 7:10pm

Happening in VirtualBox during a race condition looks like.

sudo systemctl stop networking

sudo systemctl restart onion-grater

Log:

Aug 14 17:28:39 host systemd[1]: Starting Tor control port filter proxy...

Aug 14 17:28:39 host audit[18942]: AVC apparmor=“DENIED” operation=“open” profile=“/usr/lib/onion-grater” name=“/sys/devices/pci0000:00/0000:00:16.0/host4/port-4:0/end_device-4:0/target4:0:0/4:0:0:0/block/sda/queue/hw_sector_size” pid=18942 comm=“onion-grater” requested_mask=“r” denied_mask=“r” fsuid=114 ouid=0

Aug 14 17:28:39 host audit[18942]: SYSCALL arch=c000003e syscall=2 success=no exit=-13 a0=7f470c3c61b8 a1=80000 a2=1b6 a3=20 items=1 ppid=1 pid=18942 auid=4294967295 uid=114 gid=119 euid=114 suid=114 fsuid=114 egid=119 sgid=119 fsgid=119 tty=(none) ses=4294967295 comm="onion-grater" exe="/usr/bin/python3.5" key=(null)
Aug 14 17:28:39 host audit: CWD cwd="/"
Aug 14 17:28:39 host audit: PATH item=0 name="/sys/block/sda/queue/hw_sector_size" inode=7729 dev=00:10 mode=0100444 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Aug 14 17:28:39 host audit: PROCTITLE proctitle=2F7573722F62696E2F707974686F6E33002D75002F7573722F6C69622F6F6E696F6E2D677261746572002D2D6465627567002D2D6C697374656E2D696E746572666163650065746831

Aug 14 17:28:39 host onion-grater[18942]: Traceback (most recent call last):
Aug 14 17:28:39 host onion-grater[18942]:   File "/usr/lib/onion-grater", line 770, in <module>
Aug 14 17:28:39 host onion-grater[18942]:     main()
Aug 14 17:28:39 host onion-grater[18942]:   File "/usr/lib/onion-grater", line 752, in main
Aug 14 17:28:39 host onion-grater[18942]:     ip_address = get_ip_address(global_args.listen_interface)
Aug 14 17:28:39 host onion-grater[18942]:   File "/usr/lib/onion-grater", line 193, in get_ip_address
Aug 14 17:28:39 host onion-grater[18942]:     struct.pack('256s', bytes(ifname[:15], 'utf-8'))
Aug 14 17:28:39 host onion-grater[18942]: OSError: [Errno 99] Cannot assign requested address
Aug 14 17:28:39 host systemd[1]: onion-grater.service: Main process exited, code=exited, status=1/FAILURE
Aug 14 17:28:39 host systemd[1]: Failed to start Tor control port filter proxy.

Patrick · August 19, 2018, 12:39pm

whonixcheck denied message in a corner case. How to reproduce:

Add exit 0 in second line in /usr/lib/qubes-whonix/init/network-proxy-setup in whonix-gw-14 TemplateVM, shut down TempalteVM, restart sys-whonix.

sudo ifdown --force eth0
sudo ifdown --force eth1
sudo systemctl restart onion-grater

Aug 14 20:57:08 host audit[2079]: AVC apparmor=“DENIED” operation=“capable” profile=“/usr/bin/whonixcheck” pid=2079 comm=“ifconfig” capability=16 capname=“sys_module”

Patrick · September 9, 2018, 7:46pm

https://github.com/Whonix/whonixcheck/blob/master/etc/apparmor.d/usr.bin.whonixcheck#L75

Dunno what to do best with…

/usr/bin/spectre-meltdown-checker cux,

What I want to say there is “scrub environment, execute /usr/bin/spectre-meltdown-checker with its profile if it exists but if it doesn’t exist, execute /usr/bin/spectre-meltdown-checker unconfined”.

Patrick · September 9, 2018, 7:51pm

https://github.com/Whonix/whonixcheck/commit/5873f4c3bb1665a6fb92224968805f561aca87e3

Patrick · October 8, 2018, 6:16am

Patrick · November 17, 2018, 6:11am

//cc @eyedeekay @0brand

Patrick · February 2, 2019, 7:21am

github.com/Kicksecure/apparmor-profile-hexchat

Add missing perms (Py 3, XFCE4, browser, os, ...)

Kicksecure:master ← LorenzoAncora:patch-1

opened 03:45PM - 01 Feb 19 UTC

LorenzoAncora

+13 -1

Useful additions: - OS: implicit ALLOW directives to accept read-only access to… informative system files like `os-release` and `machine-id`; - Fonts: extended pattern matching; - NetworkManager and similar: implicit ALLOW directives to accept read-only access to DNS parameters; - XFCE4, snapd: implicit ALLOW directives to accept read-only access to the application list and to the MIME cache; - Firefox ESR: implicit ALLOW directives to allow direct execution (AA profile for Firefox already exists) from the About dialog; - Python 3 plugin: implicit ALLOW directives to allow the enumeration of available modules. <sub>Note: this commit was designed with GNU/Linux Debian in mind.</sub>

Patrick · August 14, 2019, 11:03am

Patrick · August 17, 2019, 7:15am

Yay, this is coming.

You’ll probably like how fast we implemented your wish - it’s done since 8 months Nearly all abstractions in git master have a line like
#include if exists <abstractions/base.d>
This will be part of the next major release (2.14 or 3.0), therefore I’ll close this ticket as already implemented. If you think we should backport this to 2.12 and 2.13, please reopen and provide a good reason

port to /etc/apparmor.d/abstractions.d in Debian 11 bullseye
https://phabricator.whonix.org/T927

Patrick · September 6, 2019, 1:29pm

Patrick · September 7, 2019, 6:09am

github.com/netblue30/firejail

libpostexecseccomp.so in /run/firejail/lib/libpostexecseccomp.so apparmor issue

opened 06:04AM - 07 Sep 19 UTC

closed 08:30PM - 09 Oct 19 UTC

adrelanos

question_old

Tor Browser 8.5.5 with firejail and https://github.com/Whonix/apparmor-profile-t…orbrowser > Sep 07 03:25:54 host kernel: audit: type=1400 audit(1567826754.074:42): apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/run/firejail/lib/libpostexecseccomp.so" pid=7879 comm="firefox.real" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Does libpostexecseccomp.so really have to reside in `/run/firejail/lib/libpostexecseccomp.so`? Ideally firejail would not cause apparmor issues. Maybe the (upcoming deepening on your apparmor version) `abstractions/base.d` would help? `abstractions/base.d` as per https://gitlab.com/apparmor/apparmor/issues/50

Sep 07 03:42:10 host kernel: audit: type=1400 audit(1567827730.866:126): apparmor=“DENIED” operation=“exec” profile=“/**/*-browser/Browser/firefox” name=“/usr/local/bin/dirname” pid=15407 comm=“firefox” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0

Not fixed. Created for it:

github.com/netblue30/firejail

/usr/local/bin/dirname apparmor issue

opened 06:08AM - 07 Sep 19 UTC

closed 03:11PM - 22 Sep 19 UTC

adrelanos

duplicate

Tor Browser 8.5.5 with firejail and https://github.com/Whonix/apparmor-profile-t…orbrowser > Sep 07 03:42:10 host kernel: audit: type=1400 audit(1567827730.866:126): apparmor="DENIED" operation="exec" profile="/**/*-browser/Browser/firefox" name="/usr/local/bin/dirname" pid=15407 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 Does not happen without firejail. There is no such file /usr/local/bin/dirname. There are no files in /usr/local/bin. Why does firejail try to execute something form that folder? Avoidable? Could you fix that apparmor issue in a generic way somehow? Perhaps similar solution as for https://github.com/netblue30/firejail/issues/2947?

Patrick · September 21, 2019, 7:49am

Patrick · October 29, 2019, 2:39pm

Patrick · October 29, 2019, 2:39pm

Patrick · October 31, 2019, 7:03am

Patrick · November 1, 2019, 4:35pm