Whonix AppArmor Profiles Development Discussion

HexChat profile: GitHub - Kicksecure/apparmor-profile-hexchat (AppArmor profile for HexChat IRC, https://www.kicksecure.com/wiki/AppArmor, for better security (hardening)). Upstreaming to either Debian and/or HexChat upstream failed, as neither upstream uses AppArmor. References:

I noticed hexchat is having trouble with the current profiles. It wouldn’t make any connections without a rule added to abstractions/xchat-based for /etc/resolv.conf.anondist r,.

There’s also some DENIED entries for /etc/hosts, but that didn’t seem to affect functionality yet. Not sure if this one is intentional, since it is not explicitly denied.


Is there a better place to report these? Phabricator? Not familiar with it, but I made an account that’s waiting on approval.


https://github.com/Whonix/apparmor-profile-xchat/blob/master/etc/apparmor.d/abstractions/xchat-based should only need the references without .anondist because of:

https://github.com/Whonix/apparmor-profile-xchat/blob/master/etc/apparmor.d/abstractions/xchat-based is missing:

  • /etc/resolv.conf r,
  • /etc/hosts r,

Could you try please and send a pull request?

Got extensive feedback on the hexchat apparmor profile.

Message #23 received at 951331@bugs.debian.org (full text, mbox, reply):

From: Seth Arnold seth.arnold@canonical.com
To: 951331@bugs.debian.org
Subject: hexchat apparmor profile
Date: Sat, 29 Feb 2020 04:30:59 +0000

Hello Mattia, Patrick,

Thanks so much for proposing an AppArmor profile for HexChat.

I’ve got a few comments; I’ll paste in the entire ‘main’ block of the
profile, and add my comments inline:

## Copyright (C) 2014 troubadour <trobador@riseup.net>
## Copyright (C) 2014 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

   #include <abstractions/base>
   #include <abstractions/bash>
   #include <abstractions/fonts>
   #include <abstractions/kde>
   #include <abstractions/gnome>
   #include <abstractions/X>
   #include <abstractions/audio>

This should also #include <abstractions/nameservice>

   deny @{PROC}/** r,

   @{HOME}/ r,
   @{HOME}/.config/** rwk,
   @{HOME}/.xchat2/ r,
   @{HOME}/.xchat2/** rwixk,
   @{HOME}/.config/ r,
   @{HOME}/.config/hexchat/ r,
   @{HOME}/.config/hexchat/** rwixk,
   @{HOME}/.kde/share/config/gtkrc-2.0 r,
   @{HOME}/.kde/share/config/oxygenrc r,
   @{HOME}/.*/lib/python*/** r,

   /bin/grep rix,
   /bin/uname rix,
   /bin/mkdir rix,
   /bin/rm rix,

   /usr/bin/grep rix,
   /usr/bin/uname rix,
   /usr/bin/mkdir rix,
   /usr/bin/rm rix,

   /dev/tty rwix,
   /dev/null rw,

   /etc/passwd r,
   /etc/group r,
   /etc/host.conf r,
   /etc/hosts r,
   /etc/resolv.conf r,
   /etc/gai.conf r,
   /etc/nsswitch.conf r,

The lines between /etc/passwd and /etc/nsswitch.conf could be removed with
abstractions/nameservice added.

   /etc/ld.so.cache r,
   /etc/machine-id r,
   /etc/os-release r,
   /etc/xdg/xfce4/helpers.rc r,
   /etc/xfce4/defaults.list r,
   /etc/python*/sitecustomize.py r,

   /lib/*-linux-gnu/** mr,

This line is very broad – and overlaps with a lot of the libraries listed
in abstractions/base – if you found any libraries that are DENIED because
they don’t match a rule already in abstractions/base, it would be best to
list them with a specific rule.

   /usr/bin/xchat rix,
   /usr/bin/xdg-open rix,
   /usr/bin/dbus-send rix,
   /usr/bin/xprop  rix,
   /usr/bin/exo-open rix,
   /usr/bin/sensible-browser rix,
   /usr/bin/zenity rix,
   /usr/bin/torbrowser rix,
   /usr/bin/basename rix,
   /usr/bin/kde4-config rix,
   /usr/bin/aplay rix,

I’m really worried about these. I can appreciate trying to provide a
profile that lets people click on links as usual, but actually running
these applications in hexchat’s profile will lead to bugs.

This also means the hexchat profile may need to be much wider, just to
accommodate these other programs.

   /usr/lib/*-linux-gnu/** mrix,

This line is also very broad – and shouldn’t be needed with
abstractions/base.

   /usr/lib/xchat/plugins/* mr,
   /usr/lib/perl*/** mr,
   /var/lib/snapd/desktop/applications/ r,

Granting permission to read this directory without permission to read the
*.desktop files is a bit wasted. What happens if this is denied?

   ## The Ux permission is too dangerous to be enabled by default.
   #/usr/lib/firefox-esr/firefox* Ux,

   /usr/lib/python*/lib-dynload/*.so mr,

   /usr/local/lib/python*/dist-packages/ r,
   /usr/local/lib/python*/dist-packages/* r,

   /usr/share/icons/** r,
   /usr/share/enchant/* r,
   /usr/share/myspell/dicts/ r,
   /usr/share/hunspell/ r,
   /usr/share/hunspell/* r,
   /usr/share/ca-certificates/** r,
   /usr/share/xfce4/helpers/* r,
   /usr/share/xfce4/applications/ r,
   /usr/share/xfce4/applications/mimeinfo.cache r,
   /usr/share/zenity/* r,
   /usr/share/fontconfig/** r,
   /usr/share/poppler/cMap/ r,
   /usr/share/poppler/cMap/** r,
   /usr/share/perl*/** mr,
   /usr/share/tcltk/tcl8.5/* r,
   /usr/share/pyshared/* r,
   /usr/share/aspell/ r,
   /usr/share/aspell/** r,

   /var/lib/aspell/* r,

   /run/*/resolv.conf r,

This shouldn’t be needed with abstractions/nameservice added.

I know that the helper applications is a difficult point here. The more
secure option is to prevent them from being used. The friendliest option
is to use PUx execution rules to either launch them confined, if the user
has profiles for them, or unconfined, if the user doesn’t have profiles.

But having an unconfined way out of the profile drastically reduces the
value of the profile.

Desktop applications are difficult to confine because many users want to
use them to do everything. Other users don’t mind some restrictions for
security gains. And it’s very hard to provide one profile for both.

It may not make sense to enable the profile by default. I’d rather have
the tighter profile, without helper applications, but that may not reflect
what most users would actually want.

Thanks

Help welcome!
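Seth’s choice between ix (run the helper under hexchat’s own rules) and PUx (fall back to unconfined) has a middle path in AppArmor: a named child profile entered via Cx, so the link handler gets its own small rule set and can only hand off to a browser that is itself confined. The fragment below is an added example written for this discussion, not code from the Kicksecure repository or from the Debian bug report. The child profile name open_url, the set of files that xdg-open needs on a given system, and the assumption that a separate profile is loaded for /usr/bin/torbrowser (so that Px has something to transition to) are all assumptions of this example.

```apparmor
# Added example, not the Kicksecure/Whonix profile: confine link handlers in a
# child profile instead of granting them hexchat's own rules.
#include <tunables/global>

/usr/bin/hexchat {
  #include <abstractions/base>
  # nameservice already covers /etc/hosts, /etc/resolv.conf, /etc/nsswitch.conf,
  # /etc/passwd, /etc/group, /etc/host.conf, /etc/gai.conf and /run/*/resolv.conf,
  # so the explicit /etc/* list from the reviewed profile is not needed.
  #include <abstractions/nameservice>
  #include <abstractions/fonts>
  #include <abstractions/X>
  #include <abstractions/audio>

  @{HOME}/.config/hexchat/ r,
  @{HOME}/.config/hexchat/** rwk,

  # Weak form (as in the reviewed profile): ix runs xdg-open, and everything it
  # spawns, under this profile, so the profile has to grow to cover every browser.
  #/usr/bin/xdg-open rix,

  # Tighter form: on exec, transition into the named child profile below.
  /usr/bin/xdg-open Cx -> open_url,

  profile open_url {
    #include <abstractions/base>
    #include <abstractions/bash>

    # xdg-open is a shell script: the script must be readable and the
    # interpreter runs inside this child profile.
    /usr/bin/xdg-open r,
    /bin/sh rix,
    /bin/dash rix,
    /usr/bin/dash rix,

    # Assumed helper set for xdg-open; fill in the real list from aa-logprof
    # on the target system.
    /usr/bin/basename rix,
    /usr/bin/grep rix,
    /usr/bin/sed rix,
    /usr/bin/xprop rix,

    # Px: allowed only when a profile for this path is loaded; otherwise the
    # exec is denied rather than running unconfined. PUx would fall back to
    # unconfined, which is the "way out of the profile" Seth warns about.
    /usr/bin/torbrowser Px,

    # Explicit deny: nothing above grants this anyway, but a deny rule documents
    # the intent and keeps the attempt out of the audit log.
    deny @{HOME}/.config/hexchat/** rw,
  }
}
```

The child has no network rule of its own, so on kernels with AppArmor network mediation the handler cannot open sockets itself; the page it was asked to open is fetched by the browser under the browser’s profile. Load the file with apparmor_parser -r and develop the child in complain mode with aa-complain/aa-logprof until the helper list is complete; once the child is in enforce mode, every program reachable from a clicked link is either confined by its own profile or refused.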

I am considering removing the following apparmor profiles from the Whonix source folder /packages and marking these profiles as deprecated…

apparmor-profile-gwenview

  • image viewer
  • we don’t ship it for a long time anymore

apparmor-profile-okular:

apparmor-profile-virtualbox

  • I don’t think apparmor can do much to confine a kernel module / virtualizer.
  • It was never really ready.
  • Doubt many / any are using it.

No one really up to maintain any of these as far as I know.

Do you use gwenview?

Anyone using gwenview?

https://twitter.com/Whonix/status/1246457563077459968

Yeah, but I’m open to better alternatives


HulaHoop via Whonix Forum:

Yeah, but I’m open to better alternatives

We already install ristretto by default.


This was done.

OK, great, then pull the trigger on gwenview. An image viewer is a pretty big deal for a default app selection.


aa-logprof might be a superb time saver. See:
Fix Profiles

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951331#23

The hexchat profile is now rather minimal.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951331#44

The current TB AppArmor profile shows this:

root@host:~# /usr/sbin/apparmor-info -b
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/sys/bus/pci/devices/" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/1510/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/1595/cgroup" comm=46532042726F6B65722031353935 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/sys/bus/" comm=4950444C204261636B67726F756E64 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/sys/class/" comm=4950444C204261636B67726F756E64 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/2969/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/3032/cgroup" comm=46532042726F6B65722033303332 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/3740/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/3790/cgroup" comm=46532042726F6B65722033373930 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/4834/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/4886/cgroup" comm=46532042726F6B65722034383836 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/5690/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/5741/cgroup" comm=46532042726F6B65722035373431 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/6982/cgroup" comm=46532042726F6B65722036393832 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/7151/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/7202/cgroup" comm=46532042726F6B65722037323032 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/8126/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/8224/cgroup" comm=46532042726F6B65722038323234 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/8795/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/8845/cgroup" comm=46532042726F6B65722038383435 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/9628/cgroup" comm=46532042726F6B65722039363238 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/9807/cgroup" comm=46532042726F6B65722039383037 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/10148/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/10222/cgroup" comm=46532042726F6B6572203130323232 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/10618/cgroup" comm=46532042726F6B6572203130363138 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/10844/cgroup" comm=46532042726F6B6572203130383434 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/11662/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/11733/cgroup" comm=46532042726F6B6572203131373333 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/13758/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/13822/cgroup" comm=46532042726F6B6572203133383232 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/15356/cgroup" comm=46532042726F6B6572203135333536 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/15401/cgroup" comm=46532042726F6B6572203135343031 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/15462/cgroup" comm=46532042726F6B6572203135343632 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/22540/cgroup" comm=46532042726F6B6572203232353430 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/22859/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/22934/cgroup" comm=46532042726F6B6572203232393334 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/23224/cgroup" comm=46532042726F6B6572203233323234 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/23742/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/23794/cgroup" comm=46532042726F6B6572203233373934 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/52008/cgroup" comm=46532042726F6B6572203532303038 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/52842/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/52914/cgroup" comm=46532042726F6B6572203532393134 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/55673/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/55734/cgroup" comm=46532042726F6B6572203535373334 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/55996/cgroup" comm=46532042726F6B6572203535393936 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/57663/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/57712/cgroup" comm=46532042726F6B6572203537373132 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/58295/cgroup" comm=46532042726F6B6572203538323935 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/58705/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/58755/cgroup" comm=46532042726F6B6572203538373535 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/59049/cgroup" comm=46532042726F6B6572203539303439 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/61692/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/61763/cgroup" comm=46532042726F6B6572203631373633 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/62397/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/62446/cgroup" comm=46532042726F6B6572203632343436 requested_mask="r" denied_mask="r"
root@host:~#

similar to this:


Following:

This is the Apparmor profile after changes:

# Last Modified: Sun Jun  5 17:30:59 2022
#include <tunables/global>

## Copyright (C) 2014 troubadour <trobador@riseup.net>
## Copyright (C) 2014 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.


/**/*-browser/Browser/firefox flags=(attach_disconnected) {
  #include <abstractions/X>
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/gnome>
  #include <abstractions/kde>
  #include <abstractions/totem>
  #include <abstractions/user-download>
  #include <abstractions/user-tmp>
  #include <local/home.tor-browser.firefox>

  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,

  deny /etc/fstab r,
  deny /etc/group r,
  deny /etc/host.conf r,
  deny /etc/hosts r,
  deny /etc/mailcap r,
  deny /etc/nsswitch.conf r,
  deny /etc/passwd r,
  deny /etc/resolv.conf r,
  deny /etc/udev/udev.conf r,
  deny /run/udev/** r,
  deny /sys/devices/** r,
  deny /var/lib/dbus/machine-id r,
  deny @{PROC}/@{pid}/cmdline r,
  deny @{PROC}/@{pid}/mountinfo r,
  deny @{PROC}/@{pid}/net/arp r,
  deny @{PROC}/@{pid}/net/route r,
  deny @{PROC}/@{pid}/stat r,
  deny @{PROC}/@{pid}/task/ r,
  deny @{PROC}/@{pid}/task/** r,
  deny @{PROC}/sys/kernel/random/uuid r,
  deny @{PROC}/sys/vm/overcommit_memory r,

  /bin/dash rix,
  /bin/ps rix,
  /dev/dri/** r,
  /dev/shm/org.chromium.* rwk,
  /dev/shm/org.mozilla.ipc.* rwk,
  /dev/vboxuser rw,
  /etc/dconf/** r,
  /etc/debian_version r,
  /etc/ld.so.conf r,
  /etc/ld.so.conf.d/* r,
  /etc/mime.types r,
  /etc/wildmidi/wildmidi.cfg r, # gstreamer
  /etc/xfce4/defaults.list r,
  /run/**/**/dconf/ rw,
  /run/**/**/dconf/** rw,
  /run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock rw,
  /run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock rw,
  /run/firejail/lib/libpostexecseccomp.so mr,
  /run/resolvconf/resolv.conf r,
  /tmp/MozUpdater/bgupdate/updater rix,
  /usr/bin/apt-cache rix,
  /usr/bin/dash rix,
  /usr/bin/dirname rix,
  /usr/bin/kde4-config rix,
  /usr/bin/lsb_release rix,
  /usr/bin/ps rix,
  /usr/bin/pulseaudio rix,
  /usr/lib/*-linux-gnu/** mrix,
  /usr/lib/python*/lib-dynload/* mr,
  /usr/local/lib/python*/dist-packages/ r,
  /usr/local/lib/python*/dist-packages/** r,
  /usr/share/applications/** rk,
  /usr/share/doc/homepage/** r,
  /usr/share/fontconfig/conf.avail/* r,
  /usr/share/libthai/** r,
  /usr/share/mime/** r,
  /usr/share/poppler/cMap/** r,
  /usr/share/tb-profile-i2p/** r,
  /usr/share/themes/** r,
  /usr/share/xul-ext/foxyproxy-standard/** r,
  /var/cache/fontconfig/ rk,
  @{HOME}/ r,
  @{HOME}/* r,
  @{HOME}/.kde/share/config/* r,
  @{PROC}/*/environ r,
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pid}/gid_map rw,
  @{PROC}/@{pid}/setgroups rw,
  @{PROC}/@{pid}/status r,
  @{PROC}/@{pid}/uid_map rw,
  owner /**/*-browser/** mrwlkix,
  owner /proc/*/cgroup r,

}