Already has upstream.
I think we should remove the VirtualBox profile from
apparmor-profiles-whonix. This is a very early one, and it was meant to be used in the host.
If someone feels like installing AppArmor in their host, enforce the profile and start Whonix, they are welcome.
Good idea. Done.
alias / -> /rw/, not enough?
Why is explicitly…
alias /var/lib/ -> /rw/var/lib/, alias /var/lib/tor/ -> /rw/var/lib/tor/,
In doubt, could you ask upstream apparmor developer mailing list please?
These are known issues of apparmor + overlayfs. Some other examples:
Just using “alias / -> /rw/,” will still lead to denied messages in some cases. The easy workaround is to also add the denied path as an alias.
If the live mode gets tested more, some more denied messages could maybe be expected. At least every denied message with “/rw/” in the path would be related to overlayfs.
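An added example (not code from the thread or from the Whonix packages) of the triage rule above: parse AppArmor AVC DENIED lines, set aside those whose denied path is under /rw/ as overlayfs-related, and print the alias workaround rule for them. The audit lines are constructed from the format shown in this thread; the /rw/var/lib/tor/state denial and the system_tor profile name are assumed sample values.

```python
import re

# Constructed sample audit lines in the format seen in this thread.
# The third line is a made-up overlayfs (live mode) denial under /rw/.
SAMPLE_AUDIT_LINES = [
    'Aug 14 17:28:39 host audit: AVC apparmor="DENIED" operation="open" '
    'profile="/usr/lib/onion-grater" name="/sys/block/sda/queue/hw_sector_size" '
    'pid=18942 comm="onion-grater" requested_mask="r" denied_mask="r" fsuid=114 ouid=0',
    'Aug 14 20:57:08 host audit: AVC apparmor="DENIED" operation="capable" '
    'profile="/usr/bin/whonixcheck" pid=2079 comm="ifconfig" capability=16 capname="sys_module"',
    'Aug 14 21:00:00 host audit: AVC apparmor="DENIED" operation="open" '
    'profile="system_tor" name="/rw/var/lib/tor/state" pid=3000 comm="tor" '
    'requested_mask="w" denied_mask="w" fsuid=105 ouid=105',
]

# Matches key="quoted value" or key=bareword pairs in an audit record.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the key/value fields of an AppArmor AVC DENIED line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    # findall yields '' for the group that did not participate, so pick the other.
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}


def classify(lines):
    """Split denials into overlayfs-related (denied path under /rw/) and other."""
    result = {"overlayfs": [], "other": []}
    for line in lines:
        fields = parse_avc(line)
        if fields is None:
            continue
        bucket = "overlayfs" if fields.get("name", "").startswith("/rw/") else "other"
        result[bucket].append(fields)
    return result


def alias_suggestions(denials):
    """Suggest the alias workaround from the thread for each overlayfs denial.

    The alias maps the directory of the denied path onto its /rw/ copy,
    e.g. 'alias /var/lib/tor/ -> /rw/var/lib/tor/,'. A file directly under
    /rw/ yields the catch-all 'alias / -> /rw/,'.
    """
    rules = set()
    for fields in denials["overlayfs"]:
        real_path = fields["name"][len("/rw"):]          # strip the /rw prefix
        directory = real_path.rsplit("/", 1)[0] + "/"
        rules.add(f"alias {directory} -> /rw{directory},")
    return sorted(rules)


if __name__ == "__main__":
    for rule in alias_suggestions(classify(SAMPLE_AUDIT_LINES)):
        print(rule)
```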
Can you please move to apparmor-profile-anondist, remove from your other two packages and reference https://bugs.launchpad.net/apparmor/+bug/888077 in the comment?
I opened some pull request for this.
Happening in VirtualBox during a race condition looks like.
sudo systemctl stop networking
sudo systemctl restart onion-grater
Aug 14 17:28:39 host systemd: Starting Tor control port filter proxy...
Aug 14 17:28:39 host audit: AVC apparmor="DENIED" operation="open" profile="/usr/lib/onion-grater" name="/sys/devices/pci0000:00/0000:00:16.0/host4/port-4:0/end_device-4:0/target4:0:0/4:0:0:0/block/sda/queue/hw_sector_size" pid=18942 comm="onion-grater" requested_mask="r" denied_mask="r" fsuid=114 ouid=0
Aug 14 17:28:39 host audit: SYSCALL arch=c000003e syscall=2 success=no exit=-13 a0=7f470c3c61b8 a1=80000 a2=1b6 a3=20 items=1 ppid=1 pid=18942 auid=4294967295 uid=114 gid=119 euid=114 suid=114 fsuid=114 egid=119 sgid=119 fsgid=119 tty=(none) ses=4294967295 comm="onion-grater" exe="/usr/bin/python3.5" key=(null)
Aug 14 17:28:39 host audit: CWD cwd="/"
Aug 14 17:28:39 host audit: PATH item=0 name="/sys/block/sda/queue/hw_sector_size" inode=7729 dev=00:10 mode=0100444 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Aug 14 17:28:39 host audit: PROCTITLE proctitle=2F7573722F62696E2F707974686F6E33002D75002F7573722F6C69622F6F6E696F6E2D677261746572002D2D6465627567002D2D6C697374656E2D696E746572666163650065746831
Aug 14 17:28:39 host onion-grater: Traceback (most recent call last):
Aug 14 17:28:39 host onion-grater: File "/usr/lib/onion-grater", line 770, in <module>
Aug 14 17:28:39 host onion-grater: main()
Aug 14 17:28:39 host onion-grater: File "/usr/lib/onion-grater", line 752, in main
Aug 14 17:28:39 host onion-grater: ip_address = get_ip_address(global_args.listen_interface)
Aug 14 17:28:39 host onion-grater: File "/usr/lib/onion-grater", line 193, in get_ip_address
Aug 14 17:28:39 host onion-grater: struct.pack('256s', bytes(ifname[:15], 'utf-8'))
Aug 14 17:28:39 host onion-grater: OSError: [Errno 99] Cannot assign requested address
Aug 14 17:28:39 host systemd: onion-grater.service: Main process exited, code=exited, status=1/FAILURE
Aug 14 17:28:39 host systemd: Failed to start Tor control port filter proxy.
whonixcheck denied message in a corner case. How to reproduce:
exit 0 in second line in /usr/lib/qubes-whonix/init/network-proxy-setup in whonix-gw-14 TemplateVM, shut down TemplateVM, restart sys-whonix.
sudo ifdown --force eth0
sudo ifdown --force eth1
sudo systemctl restart onion-grater
Aug 14 20:57:08 host audit: AVC apparmor="DENIED" operation="capable" profile="/usr/bin/whonixcheck" pid=2079 comm="ifconfig" capability=16 capname="sys_module"
Dunno what to do best with…
What I want to say there is “scrub environment, execute /usr/bin/spectre-meltdown-checker with its profile if it exists but if it doesn’t exist, execute /usr/bin/spectre-meltdown-checker unconfined”.
Yay, this is coming.
You’ll probably like how fast we implemented your wish - it has been done for 8 months. Nearly all abstractions in git master have a line like
#include if exists <abstractions/base.d>
This will be part of the next major release (2.14 or 3.0), therefore I’ll close this ticket as already implemented. If you think we should backport this to 2.12 and 2.13, please reopen and provide a good reason.
port to /etc/apparmor.d/abstractions.d in Debian 11 bullseye