Whonix AppArmor Profiles Development Discussion

Since you referred to it in qubes-devel, I have updated AppArmor to reflect the changes after apparmor-profile-anondist.

Added an “Updates” heading.

In theory, we’d need to advise using the forked abstractions/base. Otherwise instructions to confine Tor Browser for Whonix users are incomplete. Depends on what we want to focus on.

Some templates have been edited/created by me. I found out how to use variables in wiki templates. Quite simple.

Please have a glimpse at the wiki source code of:

Just by replacing package name, the others could be documented as well.

Since all Whonix packages are built in a similar way, we could easily make a build documentation page for every package. If that’s worth it, I am not sure. Since build instructions are very similar for different packages, I am not sure it’s worth it.

In theory, we'd need to advise using the forked abstractions/base. Otherwise instructions to confine Tor Browser for Whonix users are incomplete. Depends on what we want to focus on.

Actually, we need to advise the Whonix users to install apparmor-profile-anondist prior to apparmor-profile-torbrowser. The Tor Browser profile will not work in Whonix as is. The same will apply to the upcoming profiles, except sdwdate, timesync and whonixcheck, as they deal with the core of Whonix.

There should be no problem with non anonymous distributions (Debian, Qubes…).

Please have a glimpse at the wiki source code of: https://www.whonix.org/wiki/Dev/Build_Documentation/apparmor-profile-torbrowser

Just by replacing package name, the others could be documented as well.

Tried it, it’s magic! Then it could become more generic, https://www.whonix.org/wiki/Dev/Build_Documentation/package-installation or something like that. The user only has to change the name in three commands, ‘git clone’, ‘cd’ and ‘dpkg -i’. Seems reasonably affordable for a user who has gone as far as building a package.

I have just tried the profile in the host (Debian wheezy) and there is a (big?) problem. When starting Tor, there is a message from Tor Launcher: “Tor unexpectedly exited”, without AppArmor messages or anything in the logs. I have the same problem when I install LightDM in Whonix. That could be tricky.

Actually, we need to advise the Whonix users to install apparmor-profile-anondist prior to apparmor-profile-torbrowser.
Yes.
The Tor Browser profile will not work in Whonix as is.
Yes.
The same will apply to the upcoming profiles,
Yes.
except sdwdate, timesync and whonixcheck, as they deal with the core of Whonix.
By the way, those will become standalone packages as well. Work is in progress. I think that comes in handy, especially when sdwdate/timesync eventually are uploaded to Debian. Secure time sync on the host is important and at the moment we don't have anything we can advise.
Tried it, it's magic! Then it could become more generic, https://www.whonix.org/wiki/Dev/Build_Documentation/package-installation or something like that. The user only has to change the name in three commands, 'git clone', 'cd' and 'dpkg -i'.
Hm. The template with the variables, by the way, is: https://www.whonix.org/wiki/Template:Build_Documentation_Build_Package It's a good idea. Like a small menu on the top of that page, where you can choose the package name and then the instructions change. No idea how to make such a menu. Template variables are, as far as I understand, replaced when the parser runs. When the user views the page, the parser is already done. Maybe it could be implemented using raw html. Hopefully implementing such a feature won't depend on javascript. Perhaps we find out over time, eventually when a web dev supports us.
Seems reasonably affordable for a user who has gone as far as building a package.
I agree. Even https://www.whonix.org/wiki/Template:Build_Documentation_Build_Package#Get_Build_Dependncies should suffice. For most other packages/projects, there is not nearly as much documentation available. You're left pretty much alone figuring out how to build it using rudimentary instructions.

[quote=“troubadour, post:204, topic:108”][quote author=troubadour link=topic=97.msg1942#msg1942 date=1399665692]
There should be no problem with non anonymous distributions (Debian, Qubes…).
[/quote]

I have just tried the profile in the host (Debian wheezy) and there is a (big?) problem. When starting Tor, there is a message from Tor Launcher: “Tor unexpectedly exited”, without AppArmor messages or anything in the logs. I have the same problem when I install LightDM in Whonix. That could be tricky.[/quote]
I guess making the profile work on Debian would require testing and extending the profile on Debian. The decision is up to you. You could also wait for testers, let them post denied messages and then just fix it as they come in.

As for LightDM, well, I guess there will be a few other things, when installed in conjunction with an apparmor profile, showing apparmor denied messages. Eventually some abstraction is missing? (rhetorical question)
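The reply above suggests letting testers post their denied messages and fixing the profile as they come in. As an added example (not code from this thread or from the Whonix project), here is a small Python parser that takes the apparmor="DENIED" (and, in complain mode, apparmor="ALLOWED") lines from auditd or dmesg, groups them per profile and turns each into a candidate file rule for review. The sample log lines, the paths in them and the profile names are constructed for the example, not taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample log lines (illustrative paths, not from the thread):
# an auditd-style line, a dmesg-style line, a complain-mode ALLOWED line,
# a profile-load STATUS line, an unrelated kernel line and one duplicate denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1399665692.123:456): apparmor="DENIED" operation="open" profile="/usr/bin/xchat" name="/usr/share/sounds/freedesktop/stereo/message-new-instant.oga" pid=1234 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  512.991] audit: type=1400 audit(1399665700.001:457): apparmor="DENIED" operation="exec" profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/bin/gnome-open" pid=1300 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1399665701.500:458): apparmor="ALLOWED" operation="open" profile="/usr/bin/xchat" name="/home/user/.xchat2/xchatlogs/test.log" pid=1234 comm="xchat" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
[  513.002] audit: type=1400 audit(1399665701.900:459): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/xchat" pid=900 comm="apparmor_parser"
May 13 01:11:00 host kernel: usb 1-1: new high-speed USB device
type=AVC msg=audit(1399665702.000:460): apparmor="DENIED" operation="open" profile="/usr/bin/xchat" name="/usr/share/sounds/freedesktop/stereo/message-new-instant.oga" pid=1234 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# AppArmor audit records are key="value" pairs; unquoted fields (type=, msg=) are skipped.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_apparmor_events(lines):
    """Return the DENIED/ALLOWED events as dicts; STATUS and non-AppArmor lines are dropped."""
    events = []
    for line in lines:
        if 'apparmor="' not in line:
            continue
        fields = dict(KV_RE.findall(line))
        if fields.get("apparmor") in ("DENIED", "ALLOWED"):
            events.append(fields)
    return events


def suggest_rule(event):
    """Turn one file event into a candidate rule line, or None when it is not a file event."""
    name = event.get("name")
    mask = event.get("denied_mask") or event.get("requested_mask") or ""
    if not name or not mask:
        return None
    # keep AppArmor's usual permission order; "w" and "a" both map to write-type access
    perms = "".join(p for p in "rwalkm" if p in mask)
    if "x" in mask:
        # a bare "x" is not a valid rule; "ix" (inherit) is the conservative default,
        # decide per case whether a child profile (Cx/Px) is the better fit
        perms += "ix"
    return f"{name} {perms},"


def group_rules(events):
    """Map profile -> sorted, de-duplicated candidate rules (paths like /home/user/... should
    normally become @{HOME}/... before they go into a profile)."""
    by_profile = defaultdict(set)
    for event in events:
        rule = suggest_rule(event)
        if rule:
            by_profile[event["profile"]].add(rule)
    return {profile: sorted(rules) for profile, rules in by_profile.items()}


if __name__ == "__main__":
    for profile, rules in group_rules(parse_apparmor_events(SAMPLE_LOG.splitlines())).items():
        print(f"# candidate rules for profile {profile}")
        for rule in rules:
            print("  " + rule)
```

The output is a starting point for the profile author, not something to paste in blindly: the repeated denial collapses to one rule, the complain-mode ALLOWED line shows what the profile would block once enforced, and the exec denial is flagged with an execute qualifier that still needs a human decision.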

Hi Patrick and Troubadour, are there any plans to ship the next major Whonix release with AppArmor enabled out of the box? I think this would go a long way for protection of the entire userbase.

TAILS has this on their long term goals on their roadmap but we here have a head start :slight_smile:

Let’s hope we get packaging done (very likely at current rate of progress) and these profiles ready for easier testing in Whonix 9 as simple as “sudo apt-get install apparmor-profile-*”. When to install them by default is a difficult question, not sure discussing this is premature.

Perhaps in Whonix 10?

The problem with AppArmor profiles that are not tested and maintained by upstream is that any upgrades released by upstream (Tor Browser is a good example here) can lead to the application no longer functioning at all. Having Tor Browser break for all Whonix users due to the AppArmor profile would cause a giant wave of support requests and bad press, I think. Perhaps it’s better if users are educated about the nature of the profiles, advised to install, and to keep in mind to temporarily remove them (and how!) in case of upgrade/failure. Or if we try to get upstream to take over maintenance.

For applications developed by the Whonix team (sdwdate…) however, I guess pre-installing them in Whonix 9 or 10 should be easier, since there we know what changes will come and are able to test before release.

Small change in XChat profile to allow sound notification, please review:

Just reinstalled apparmor-profile-anondist from github.

‘ls -l /etc/apparmor.d/abstractions/base*’ gives

-rw-r--r-- 1 root root 4650 Jul 17  2012 base
-rw-r--r-- 1 root root 5111 Aug 15  2013 base.anondist
lrwxrwxrwx 1 root root   22 May 12 21:13 base.apparmor -> base.apparmor.anondist

when it was

lrwxrwxrwx 1 root root   13 May  5 22:38 /etc/apparmor.d/abstractions/base -> base.apparmor
-rw-r--r-- 1 root root 4771 Aug 15  2013 /etc/apparmor.d/abstractions/base.apparmor
-rw-r--r-- 1 root root 4650 Jul 17  2012 /etc/apparmor.d/abstractions/base.apparmor-orig

To get it working, I have to modify the Tor browser profile with ‘include <abstractions/base.anondist>’.

Was there any change during my short period of absence? I cannot see any modification on github since my last commit.

Sorry. Somehow there was a bug we did not notice before. Has been introduced when changing from .whonix to .anondist displace extension. Now fixed (packaging fixes · Kicksecure/apparmor-profile-dist@35eb88f · GitHub). Please “git fetch”, “git diff origin/master”, “git merge origin/master”.

ls -la /etc/apparmor.d/abstractions/base*
lrwxrwxrwx 1 root root   13 May 13 01:11 /etc/apparmor.d/abstractions/base -> base.anondist
-rw-r--r-- 1 root root 5111 Aug 15  2013 /etc/apparmor.d/abstractions/base.anondist
-rw-r--r-- 1 root root 4650 Jul 17  2012 /etc/apparmor.d/abstractions/base.anondist-orig

Please do “include /etc/apparmor.d/abstractions/base”, that’s the way it is supposed to work. /etc/apparmor.d/abstractions/base is a symlink to /etc/apparmor.d/abstractions/base.anondist.
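The intended layout is that abstractions/base is a symlink to base.anondist and that profiles include the undecorated name, so the symlink selects the variant. As an added example (not code from the thread or from the apparmor-profile-anondist package), here is a Python check for both conditions, run against a throwaway directory that reproduces the broken listing earlier in the thread and the fixed one above. The fixture directory and the file contents are constructed for the example; the check_base_symlink and check_profile_includes functions are hypothetical helpers, not tools the package ships.

```python
import os
import re
import tempfile

# Matches "#include <abstractions/base>", "include <...>", "include \"...\"" and a bare path.
INCLUDE_RE = re.compile(r'^\s*#?include\s+(?:<([^>\s]+)>|"([^"]+)"|(\S+))', re.M)


def check_base_symlink(apparmor_d):
    """Return (ok, detail). ok is True only when abstractions/base is a symlink that
    resolves to a file named base.anondist, the layout the displace mechanism should leave."""
    base = os.path.join(apparmor_d, "abstractions", "base")
    if not os.path.islink(base):
        return False, "abstractions/base is a regular file; the original was not displaced"
    target = os.readlink(base)
    resolved = os.path.realpath(base)
    if not os.path.exists(resolved):
        return False, f"abstractions/base -> {target} is dangling"
    if os.path.basename(resolved) != "base.anondist":
        return False, f"abstractions/base -> {target}, expected base.anondist"
    return True, f"abstractions/base -> {target}"


def check_profile_includes(profile_text):
    """List includes that name a variant file directly instead of abstractions/base."""
    warnings = []
    for match in INCLUDE_RE.finditer(profile_text):
        path = next(group for group in match.groups() if group)
        if path.endswith(".anondist") or path.endswith(".apparmor"):
            warnings.append(f"{path}: include the undecorated name instead")
    return warnings


def make_fixture(correct):
    """Build a constructed /etc/apparmor.d look-alike in a temp dir.
    correct=False mirrors the broken listing (base regular, base.apparmor dangling link);
    correct=True mirrors the fixed listing (base -> base.anondist, original kept as -orig)."""
    root = tempfile.mkdtemp(prefix="apparmor.d-")
    abstractions = os.path.join(root, "abstractions")
    os.makedirs(abstractions)
    with open(os.path.join(abstractions, "base.anondist"), "w") as f:
        f.write("# anondist variant of abstractions/base (constructed)\n")
    if correct:
        with open(os.path.join(abstractions, "base.anondist-orig"), "w") as f:
            f.write("# displaced original abstractions/base (constructed)\n")
        os.symlink("base.anondist", os.path.join(abstractions, "base"))
    else:
        with open(os.path.join(abstractions, "base"), "w") as f:
            f.write("# original abstractions/base, never displaced (constructed)\n")
        os.symlink("base.apparmor.anondist", os.path.join(abstractions, "base.apparmor"))
    return root


if __name__ == "__main__":
    for state in (False, True):
        print(state, check_base_symlink(make_fixture(state)))
    print(check_profile_includes("#include <abstractions/base>\ninclude <abstractions/base.anondist>\n"))
```

The same two functions can be pointed at a real /etc/apparmor.d and at the Tor Browser profile text after installing the package: the first confirms the displace step ran, the second catches the manual workaround of including base.anondist directly, which stops working as soon as the symlink is fixed.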

The problem with AppArmor profiles that are not tested and maintained by upstream is that any upgrades released by upstream (Tor Browser is a good example here) can lead to the application no longer functioning at all. Having Tor Browser break for all Whonix users due to the AppArmor profile would cause a giant wave of support requests and bad press, I think.

A recent example is Debian’s last Icedove update, when it would not start while the profile was enforced.

Perhaps it's better if users are educated about the nature of the profiles, advised to install, and to keep in mind to temporarily remove them (and how!) in case of upgrade/failure. Or if we try to get upstream to take over maintenance.

It poses the problem of finding testers, again. So far, the “Join us…” has not provoked a tsunami, as far as I can judge. Perhaps installing the profile packages in the developers and/or testers repositories might help. We have been testing the profiles for quite some time now, and the more we advance, the fewer updates, except for the new releases or the newly added, non-standard packages. Even for the latter, the scope of the problem is narrowing.

Please "git fetch", "git diff origin/master", "git merge origin/master".

After “git merge origin/master” the output is “Already up-to-date.”

I built again. “dpkg --purge apparmor-profile-anondist” brings back the original configuration (only abstractions/base). “dpkg -i apparmor-profile-anondist_0.1-1_all.deb” reinstalls the wrong symlink “base.apparmor → base.apparmor.anondist”.

Am I missing something?

[quote=“troubadour, post:213, topic:108”][quote]Please “git fetch”, “git diff origin/master”, “git merge origin/master”.
[/quote]

After “git merge origin/master” the output is “Already up-to-date.”

I built again. “dpkg --purge apparmor-profile-anondist” brings back the original configuration (only abstractions/base). “dpkg -i apparmor-profile-anondist_0.1-1_all.deb” reinstalls the wrong symlink “base.apparmor → base.apparmor.anondist”.

Am I missing something?[/quote]

Can you check please if your apparmor-profile-anondist/debian/apparmor-profile-anondist.displace matches https://github.com/Whonix/apparmor-profile-anondist/blob/master/debian/apparmor-profile-anondist.displace? If not, your repository is not up to date for some reason. The fetch did not work in that case.

Can you check please if your apparmor-profile-anondist/debian/apparmor-profile-anondist.displace matches https://github.com/Whonix/apparmor-profile-anondist/blob/master/debian/apparmor-profile-anondist.displace? If not, your repository is not up to date for some reason. The fetch did not work in that case.

debian/apparmor-profile-anondist.displace was reading “/etc/apparmor.d/abstractions/base.apparmor”. Changed it to “/etc/apparmor.d/abstractions/base.anondist” and base is now linking to base.anondist. OK, but it does not explain why.

You should not need to manually update this indeed. Must be a git usability thing.

Please post.

True.

Sounds good in theory. Implementing it is challenging. The testers repository only contains more recent packages than stable. After testing period, the stable repository is replaced with the testers repository. In that sense, the testers repository does not have an extra recommendation on apparmor-profile-*.

Maybe we could get more testers, if users would only have to use the testers repository and do “sudo apt-get install apparmor-profile-*”?

Maybe there is some way to install apparmor profiles for all repositories (easy), but only enable them by default for users of developers and testers repository? But that seems weird/like a hack and would be unintuitive (users of stable repository install an apparmor profiles but it does not get enabled…).

Hello to all who are reading this text. I have decided to contact the entire apparmor mailing group and tell them about your small problem in apparmor, but before I do that I would like some advice on what I should say. Below is what I think I will say; let me know if I should reword anything.

"For the record, this is directed to all members, not just one. A small community of low-level to non-level developers are working on a good apparmor profile for Debian; any input or help from you would be most appreciated. For example, if you care to test their apparmor profile to see any errors in the coding or possible bugs, that would be appreciated, or if you care to create your very own apparmor profile from the ground up, that would also be welcomed, or if you want you can teach them your knowledge of apparmor profiles and the past mistakes other developers have committed; that would be helpful. Pretty much any kind of help would be welcomed, just please no ridicule of any kind; if you have something to say, say it nicely, otherwise do not talk at all. For example, instead of saying “hmph, your apparmor profile is stupid as f***, a toddler could do better,” say it in a nicer fashion: “sir, I believe you made an error there, how about you do this; no, that's incorrect again, do it like this.”

“If you are interested and only if you are interested you may click this link to know more about our project”

“Have a nice day!”

I have been in touch with some of the members of the AppArmor developers group. They are developers and are not really interested in the implementation of the profiles themselves. If you subscribe to the apparmor mailing list, you’ll see mainly a lot of C code dealing with low-level issues. I receive their digest only to check if they will implement conditional statements in the scripting some day, because that would be really helpful. Most of the rest of their discussions is way beyond my area of competence.

I have sent a couple of requests too, without reply so far. The best way to contact them would be to try to catch someone on their IRC channel (AppArmor).

Yes, I have seen them talk all about the coding and constant patches, nothing but coding language it seems. I have been subscribed to their apparmor mailing list for a little more than a year and all I see is complex coding; it seems far beyond what I can comprehend. Sadly, I think I will never catch up to their skills, and as you said, it does seem they are not interested in actual apparmor profile development for the community to use in their personal operating system, but rather in discussing flaws and patches. Shame, they could have helped us in no time if they joined us. I just wanted to ask them since my gut feeling might have been wrong about them; seems you cleared that up now.