Whonix AppArmor Profiles Development Discussion

Will push the three remaining whonix profiles
Done.

I think the VirtualBox AppArmor profile has no effect at all.

ps aux | grep virtualbox
/usr/lib/virtualbox/VirtualBox

Under “sudo aa-status” it’s not listed under “processes are in enforce mode.”

Did you know Ubuntu’s repository already?
http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/files/head:/ubuntu/14.04/

Could be useful for comparison. However, their profiles have to be used with care. For example their Firefox profile can read/write to the whole /home/$user folder (https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/592121).

I think the VirtualBox AppArmor profile has no effect at all.
I have noticed it some time ago. I did not recheck and forgot it completely!

VirtualBox has changed their links in /usr/bin. It is now “virtualbox → …/share/virtualbox/VBox.sh” instead of “VBox → something-else” or VBox only. I have modified the profile accordingly, I had to add a couple of rules, but it is still not enforced, without any apparmor message, just one profile /usr/share/virtualbox/VBox.sh//null-8 in complain mode. I’ll look into it.

Did you know Ubuntu's repository already? http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/files/head:/ubuntu/14.04/
Yes. The firefox profile is not there, but I have an older machine with Ubuntu 12.04. The bug report at https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/59212, although from 2010, is not outdated. They still allow reading the whole file system.

[code]
# so browsing directories works
/ r,
/**/ r,
[/code]

I may be criticizing, but it seems that they have a rather lax way of writing their profiles, by overusing abstractions first of all. Including <abstractions/nameservice>, for example, saves you writing a few lines in the profile (like /etc/hosts, /etc/passwd… that I deny) but opens a whole lot of other things used in servers (samba, kerberosclient…). <abstractions/ibus> or <abstractions/dbus-session> is a mystery to me. I think that, until proven wrong, my approach of denying everything not strictly necessary to the good functioning of the confined package is better, and definitely safer.

Take this one too:

  # allow access to documentation and other files the user may want to look
  # at in /usr and /opt
  /usr/ r,
  /usr/** r,
  /opt/ r,
  /opt/** r,

They allow the whole ‘/usr’ folder just in case the user wants to read a doc?

To mitigate my criticism, I reckon that at Ubuntu, they do have to make the profiles as transparent as possible to the user. And the Firefox profile is disabled by default in 12.04 (but it works).

We are writing profiles for Whonix, where the user, since she has gone that far, is supposed to accept some limitations. Having two virtual machines for anonymity is already a burden, so having a couple of security notifications because she tries to access a denied folder from the Tor browser does not seem a big penalty, in my opinion.
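A small checker for the kind of over-broad rules discussed in this post, added here as an example (it is not code from the thread, from Whonix or from Ubuntu). It parses a constructed profile fragment modelled on the quoted Ubuntu rules and flags path rules whose `**` glob sits at or above the first directory level, write permissions granted through a glob without `owner`, and every abstraction include, since an include pulls in rules that are not visible in the file under review. The depth threshold, the `write-glob` check and the sample profile are assumptions of this example, not part of any AppArmor tool.

```python
import re

# Constructed sample modelled on the rule lines quoted in the thread; it is a
# fragment written for this example, not Ubuntu's actual usr.bin.firefox profile.
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/lib/firefox/firefox {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  # so browsing directories works
  / r,
  /**/ r,
  # allow access to documentation and other files the user may want to look at
  /usr/ r,
  /usr/** r,
  /opt/ r,
  /opt/** r,
  /etc/hosts r,
  owner @{HOME}/.mozilla/** rwk,
  deny /etc/passwd r,
}
"""

INCLUDE_RE = re.compile(r'^\s*#?include\s+<([^>]+)>')
# optional qualifiers, then a path (absolute or @{VAR}-prefixed), permissions, trailing comma
RULE_RE = re.compile(
    r'^\s*((?:(?:deny|audit|owner)\s+)*)(/\S*|@\{[A-Za-z_]+\}\S*)\s+([A-Za-z]+),\s*$')


def literal_depth(path):
    """Count the concrete directory components before the first glob component."""
    depth = 0
    for part in (p for p in path.split('/') if p):
        if '*' in part or '?' in part or part.startswith('{'):
            break
        depth += 1
    return depth


def lint_profile(text, max_glob_depth=1):
    """Return (line_no, kind, message) findings for includes and over-broad path rules.

    max_glob_depth is an assumption of this example: a ** glob with at most that
    many literal components in front of it (e.g. /usr/**) is reported as 'broad'.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        inc = INCLUDE_RE.match(line)
        if inc:
            if inc.group(1).startswith('abstractions/'):
                findings.append((lineno, 'review',
                                 f'include <{inc.group(1)}> grants rules not visible in this file'))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        quals, path, perms = m.group(1).split(), m.group(2), m.group(3)
        if 'deny' in quals:
            continue  # deny rules narrow the profile, never widen it
        if path == '/' or ('**' in path and literal_depth(path) <= max_glob_depth):
            findings.append((lineno, 'broad',
                             f'{path} {perms}, grants "{perms}" on a whole top-level tree'))
        if 'w' in perms and '*' in path and 'owner' not in quals:
            findings.append((lineno, 'write-glob',
                             f'{path} {perms}, allows writes through a glob without the owner qualifier'))
    return findings


if __name__ == '__main__':
    for lineno, kind, msg in lint_profile(SAMPLE_PROFILE):
        print(f'line {lineno:3d} [{kind}] {msg}')
```

Run against a real profile file by passing its contents to `lint_profile`; a `review` finding is informational (the abstraction may be fine), while a `broad` finding is the `/usr/** r,` pattern this post objects to.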

The link is just an obsolete script. I should have checked with “ps aux” as you did (by the way, I’m using htop).

So, I have completely rewritten the VirtualBox profile. It’s much shorter this time. I’ll push it on github and update the wiki.

While testing the new profile, I have installed Ubuntu 14.04 in a VM. They still use the same Firefox profile and it is still disabled.

Done.

The first profile was written for VirtualBox 4.3 (Debian wheezy). I still have wheezy, but now it is VirtualBox 4.1 after my last reinstallation (netinstall). It seems consistent with yours. I had written a warning about 4.1 being installed when building Whonix. Most likely, I had updated VirtualBox manually.

Is the VirtualBox AppArmor profile complete?

As far as I know, VirtualBox installs and loads kernel modules. Can those also be restricted?

Can you compare the VirtualBox profile with the libvirt (from Ubuntu) one please?

Is the VirtualBox AppArmor profile complete?
To me, as long as it's working, yes. I have imported appliances, created new VMs, run four VMs at the same time, so I can consider it tested.
As far as I know, VirtualBox installs and loads kernel modules. Can those also be restricted?
As far as I understand, VirtualBox uses DKMS to recompile its own kernel when the host kernel changes. I do not know if there are any differences, but when installing VirtualBox, I can see it building its kernel to match the host's, not trying to modify its security (I might be wrong).
Can you compare the VirtualBox profile with the libvirt (from Ubuntu) one please?
In the documentation, it is stated:
First, the libvirtd process is considered trusted and is therefore confined with a lenient profile
True. From usr.bin.libvirtd:

[code]
# for now, use a very lenient profile since we want to first focus on
# confining the guests
/ r,
/** rwmkl,

/bin/* PUx,
/sbin/* PUx,
/usr/bin/* PUx,
/usr/sbin/* PUx,
/lib/udev/scsi_id PUx,
/usr/lib/xen-common/bin/xen-toolstack PUx,
[/code]

It’s fairly open, nearly transparent actually. virt-aa-helper is then used to create profiles in a manner described at http://wiki.apparmor.net/index.php/Libvirt#Implementation_Overview. It is confined itself by usr.lib.libvirt.virt-aa-helper. I do not know libvirt, but the apparmor architecture is totally different from the one we are trying to implement with VirtualBox (the VirtualBox profile is very restrictive and we confine applications in the guests, vs. the libvirtd profile is open and the libvirt guests are confined).

To expand on that (as much for myself as for the reader), the VirtualBox kernel device drivers (/dev/vboxrv and /dev/vboxdrvu) are loaded for running the guests, but the kernel modules themselves are restricted, explicitly in /sys/modules (“deny /sys/** r,”), and implicitly in /lib and /var/lib, as there is no reference to those folders in the profile.

Got a new denied message when using icedove.

Happens when trying to use enigmail to fetch a key from the keyserver.

I am reinstalling the profiles from github.

First apparmor-profile-anondist.
After ‘dpkg -i’, /etc/apparmor.d/abstractions shows:

-rw-r--r-- 1 root root 4650 Jul 17  2012 base
-rw-r--r-- 1 root root 5111 Aug 15  2013 base.anondist
lrwxrwxrwx 1 root root   22 May 29 22:04 base.apparmor -> base.apparmor.anondist

Perhaps that’s what is intended, but I seem to remember that base was linking to base.anondist. As it is, the profiles do not work, as they use ‘include <abstractions/base>’, which is left unmodified.

[quote=“troubadour, post:250, topic:108”]I am reinstalling the profiles from github.

First apparmor-profile-anondist.
After ‘dpkg -i’, /etc/apparmor.d/abstractions shows:

-rw-r--r-- 1 root root 4650 Jul 17  2012 base
-rw-r--r-- 1 root root 5111 Aug 15  2013 base.anondist
lrwxrwxrwx 1 root root   22 May 29 22:04 base.apparmor -> base.apparmor.anondist

Perhaps that’s what is intended, but I seem to remember that base was linking to base.anondist. As it is, the profiles do not work, as they use ‘include <abstractions/base>’, which is left unmodified.[/quote]
I thought that bug was fixed. It still is for me.

sudo apt-get purge apparmor-profile-anondist

Purge, not remove. Because when you manually edit files in /etc/*, dpkg will not remove them when you use “apt-get remove” to preserve user changes. But for development/clean install, it is better to use “apt-get purge”, because it ensures, really everything is wiped.

sudo dpkg -i apparmor-profile-anondist_0.1-1_all.deb

ls -la /etc/apparmor.d/abstractions/base*
lrwxrwxrwx 1 root root   13 May 29 22:24 /etc/apparmor.d/abstractions/base -> base.anondist
-rw-r--r-- 1 root root 5110 Aug 15  2013 /etc/apparmor.d/abstractions/base.anondist
-rw-r--r-- 1 root root 4650 Jul 17  2012 /etc/apparmor.d/abstractions/base.anondist-orig

Seems all fine. (Also /etc/apparmor.d/abstractions/base contains Whonix’s additions.)

Perhaps you’re building from outdated git?

See below for how to check which git tip (latest commit hash) you’re using. For me it is:

git describe --always
5ba2aa1

(That is one commit ahead of your branch. But the change is only packaging related and would not affect this.)

(You probably got “2f3b9c5”, if you have most recent, which should be fine for this purpose.)

Or the first two of “git log” should look like this:

[code]commit 5ba2aa18a22557789b62cf5d9addd56c814bbce7
Author: Patrick Schleizer adrelanos@riseup.net
Date: Thu May 29 22:22:55 2014 +0000

packaging

commit 2f3b9c56d984fe11e8cd86633beab24962b18ab9
Author: Patrick Schleizer adrelanos@riseup.net
Date: Thu May 22 23:22:41 2014 +0000

packaging[/code]

By the way, before editing a file or committing to a package, it would be worth git fetching and merging beforehand to avoid conflicts. We did not have serious such cases yet, just mentioning.

I have cloned first from my repository (troubadoour), then from the whonix repo.

The output from whonix.
‘git describe --always’

a6cfff0

‘git log’

commit a6cfff05f21780304906b7535717ae1b1d83919e
Author: troubadoour <trobador@riseup.net>
Date:   Thu May 8 20:09:46 2014 +0000

    Squashed commit of the following:
    
    commit 1e52c01ff41e353dc66e3d969ec818b7eecaaee0
    Author: troubadoour <trobador@riseup.net>
    Date:   Thu May 8 20:07:59 2014 +0000
    
        etc/apparmor.d/abstractions/base.anondist
    
    etc/apparmor.d/abstractions/base.anondist

commit 9f8095dcda7c1b340b3c89e03fbce3147ef66658
Author: Patrick Schleizer <adrelanos@riseup.net>
Date:   Wed May 7 23:09:15 2014 +0000

    newline

commit a352943c2eadd5f26404b2dc6a475d186cb27dbe
Author: Patrick Schleizer <adrelanos@riseup.net>
Date:   Wed May 7 23:06:06 2014 +0000

    changed displace extension from .apparmor to .anondist, thanks to http://mailman.mit.edu/pipermail/config-package-dev/2014-May

commit 0dc93302853583b825b5976a23dc248dda608c4d
Author: Patrick Schleizer <adrelanos@riseup.net>
Date:   Mon May 5 22:39:38 2014 +0000

    initial commit

You can’t clone the same repository twice. Clone is just for initially getting a repository. Once you cloned a repository, the next thing is to change directory into that folder and to add git remotes.

When you cloned troubadoour, then troubadoour becomes “origin”. To add the Whonix repository, use.

git remote add whonix git@github.com:Whonix/apparmor-profile-anondist.git

Then fetch.

git fetch whonix

Then audit. (So you don’t get malicious scripts from github.)

git diff whonix/master

Then merge.

git merge whonix/master

Should look like this then.

[code]git log
commit 5ba2aa18a22557789b62cf5d9addd56c814bbce7
Author: Patrick Schleizer adrelanos@riseup.net
Date: Thu May 29 22:22:55 2014 +0000

packaging

commit 2f3b9c56d984fe11e8cd86633beab24962b18ab9
Author: Patrick Schleizer adrelanos@riseup.net
Date: Thu May 22 23:22:41 2014 +0000

packaging[/code]

Correction. I have cloned first from my repository (troubadoour), removed the apparmor-profile-anondist directory, and then cloned from the whonix repo. I believe it makes a difference.

Anyhow, I’ll start all over again.

OK. I managed to build and install apparmor-profile-anondist following the procedure in Dev/Build Documentation/security-misc - Whonix.

Almost everything as per the book, except, after verifying your key:

git tag -v 0.1
error: tag '0.1' not found.

Then

git checkout 0.1
error: pathspec '0.1' did not match any file(s) known to git.

but the package was built normally, and in abstractions

base -> base.anondist
base.anondist
base.anondist-orig

I don’t know what went wrong originally, I have tried the recommendations from your previous post, but anyhow, it might be a good idea to move the git discussion elsewhere, as it is beginning to pollute the thread. We are off topic half of the time now.

Got a new denied message when using icedove.
apparmor="DENIED" operation="open" parent=17614 profile="/usr/lib/icedove/icedove" name="/etc/pkcs11/modules/" pid=17648 comm="gpgkeys_hkp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Happens when trying to use enigmail to fetch a key from the keyserver.

I could not reproduce it when importing a key. Added to the profile nonetheless, plus a few new messages requesting mask “c”. I pushed the updated profile.

And a very new one:

apparmor="DENIED" operation="exec" parent=5715 profile="/usr/lib/icedove/icedove" name="/usr/bin/gpg.whonix-orig" pid=5796 comm="torsocks" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

I put it in “abstractions/base.anondist” and pushed apparmor-profile-anondist.

[quote=“troubadour, post:254, topic:108”][quote author=troubadour link=topic=97.msg2151#msg2151 date=1401404129]
I have cloned first from my repository (troubadoour), then from the whonix repo.
[/quote]

Correction. I have cloned first from my repository (troubadoour), removed the apparmor-profile-anondist directory, and then cloned from the whonix repo. I believe it makes a difference.[/quote]
That won’t work. “git clone” is only supposed to be used once when you get a repository “you didn’t know about before” for the first time. Once you cloned once, git remotes have to be used.

[quote=“troubadour, post:255, topic:108”]OK. I managed to build and install apparmor-profile-anondist following the procedure in Dev/Build Documentation/security-misc - Whonix.

Almost everything as per the book, except, after verifying your key:

git tag -v 0.1
error: tag '0.1' not found.

Then

git checkout 0.1
error: pathspec '0.1' did not match any file(s) known to git.

but the package was built normally, and in abstractions

base -> base.anondist
base.anondist
base.anondist-orig

I don’t know what went wrong originally, I have tried the recommendations from your previous post, but anyhow, it might be a good idea to move the git discussion elsewhere, as it is beginning to pollute the thread. We are off topic half of the time now.[/quote]
Ok, feel free to make a separate thread. Git tag verification didn’t work, because we haven’t decided on a tag yet. Who makes the tag. When to make a tag. I just created a tag.

git tag -s 0.1 -m .

You need a passphrase to unlock the secret key for user: "Patrick Schleizer <adrelanos@riseup.net>" 4096-bit RSA key, ID 77BB3C48, created 2014-01-16 (main key ID 2EEACCDA)

And uploaded it to remotes.

git push origin 0.1

[code]
Counting objects: 12, done.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (7/7), 1.26 KiB, done.
Total 7 (delta 2), reused 0 (delta 0)
To git@github.com:Whonix/apparmor-profile-anondist.git
 * [new tag]         0.1 -> 0.1
[/code]
git push adre 0.1

[code]
Counting objects: 12, done.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (7/7), 1.26 KiB, done.
Total 7 (delta 2), reused 0 (delta 0)
To git@github.com:adrelanos/apparmor-profile-anondist.git
 * [new tag]         0.1 -> 0.1
[/code]

Note, in my case “origin” is Whonix/Whonix. It is configured in .git/config.

[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
[remote "origin"]
        url = git@github.com:Whonix/apparmor-profile-anondist.git
        fetch = +refs/heads/*:refs/remotes/origin/*
[remote "adre"]
        url = git@github.com:adrelanos/apparmor-profile-anondist.git
        fetch = +refs/heads/*:refs/remotes/adre/*
[remote "troubadoour"]
        url = https://github.com/troubadoour/apparmor-profile-anondist.git
        fetch = +refs/heads/*:refs/remotes/troubadoour/*
[remote "whonix"]
        url = git@github.com:Whonix/apparmor-profile-anondist.git
        fetch = +refs/heads/*:refs/remotes/whonix/*

Whatever you cloned first (and you can only clone once) gets “origin” by default. But that all can be re-configured later with “git remote …”

It was because you can’t use git clone more than once. You build from an earlier git revision, which still included that bug.

Got some more pidgin related apparmor denied messages.

Jun 3 23:15:20 host kernel: [21293.875635] type=1400 audit(1401837320.312:93): apparmor="DENIED" operation="open" parent=17295 profile="/usr/bin/pidgin" name="/run/utmp" pid=17664 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 3 23:15:20 host kernel: [21293.875645] type=1400 audit(1401837320.312:94): apparmor="DENIED" operation="open" parent=17295 profile="/usr/bin/pidgin" name="/run/utmp" pid=17664 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 3 23:15:20 host kernel: [21293.995761] type=1400 audit(1401837320.432:95): apparmor="DENIED" operation="open" parent=17295 profile="/usr/bin/pidgin" name="/etc/wildmidi/wildmidi.cfg" pid=17664 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 3 23:15:20 host kernel: [21294.035783] type=1400 audit(1401837320.472:96): apparmor="DENIED" operation="open" parent=17295 profile="/usr/bin/pidgin" name="/usr/share/poppler/cMap/Adobe-CNS1/" pid=17664 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 3 23:15:20 host kernel: [21294.035802] type=1400 audit(1401837320.472:97): apparmor="DENIED" operation="open" parent=17295 profile="/usr/bin/pidgin" name="/usr/share/poppler/cMap/Adobe-GB1/" pid=17664 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 3 23:15:20 host kernel: [21294.035819] type=1400 audit(1401837320.472:98): apparmor="DENIED" operation="open" parent=17295 profile="/usr/bin/pidgin" name="/usr/share/poppler/cMap/Adobe-Japan2/" pid=17664 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 3 23:15:20 host kernel: [21294.035836] type=1400 audit(1401837320.472:99): apparmor="DENIED" operation="open" parent=17295 profile="/usr/bin/pidgin" name="/usr/share/poppler/cMap/Adobe-Japan1/" pid=17664 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 3 23:15:20 host kernel: [21294.035852] type=1400 audit(1401837320.472:100): apparmor="DENIED" operation="open" parent=17295 profile="/usr/bin/pidgin" name="/usr/share/poppler/cMap/Adobe-Korea1/" pid=17664 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 3 23:15:32 host kernel: [21305.966654] type=1400 audit(1401837332.404:101): apparmor="DENIED" operation="file_mmap" parent=17295 profile="/usr/bin/pidgin" name="/tmp/orcexec.CZIJm9" pid=17697 comm="wavparse0:sink" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 3 23:15:32 host kernel: [21305.966694] type=1400 audit(1401837332.404:102): apparmor="DENIED" operation="file_mmap" parent=17295 profile="/usr/bin/pidgin" name="/home/user/orcexec.YhmXoE" pid=17697 comm="wavparse0:sink" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 3 23:22:23 host kernel: [21717.149156] type=1400 audit(1401837743.588:103): apparmor="STATUS" operation="profile_replace" name="/usr/bin/pidgin" pid=18581 comm="apparmor_parser"
Jun 3 23:22:24 host kernel: [21718.362177] type=1400 audit(1401837744.800:104): apparmor="DENIED" operation="file_lock" parent=14939 profile="/usr/bin/pidgin" name="/run/utmp" pid=18617 comm="pidgin" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0
Jun 3 23:22:50 host kernel: [21744.154470] type=1400 audit(1401837770.592:105): apparmor="DENIED" operation="file_mmap" parent=14939 profile="/usr/bin/pidgin" name="/tmp/orcexec.OLg7yP" pid=18626 comm="wavparse0:sink" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 3 23:22:50 host kernel: [21744.154518] type=1400 audit(1401837770.592:106): apparmor="DENIED" operation="file_mmap" parent=14939 profile="/usr/bin/pidgin" name="/home/user/orcexec.5oz9pN" pid=18626 comm="wavparse0:sink" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000

I fixed a few already:
https://github.com/Whonix/apparmor-profile-pidgin/commit/dae348af643e62a9256e76db51599aee6a8a530e

But for those in /tmp and /home I don’t know how to sanely add them.
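Turning denial lines into candidate rules by hand is what the thread does for each message (the icedove gpgkeys_hkp and torsocks denials above, and now the pidgin ones). As an added example, not the project's code and not a replacement for aa-logprof, here is a small Python script that parses constructed audit lines modelled on those messages, merges the requested masks per profile and path, and marks for review the rules it had to generalize: files under /tmp and the home directory with a per-run random suffix like `orcexec.CZIJm9`, which is exactly the case the last post says cannot sanely be added as a literal path. The `owner` heuristic (fsuid equal to a non-root ouid), the six-character suffix pattern, the permission ordering and the sample log are assumptions of this example; every emitted rule is a proposal to be checked against the profile's deny-by-default intent before it is added.

```python
import re
from collections import OrderedDict

# Constructed sample: a handful of lines modelled on the pidgin denials quoted in the thread.
SAMPLE_LOG = """\
Jun 3 23:15:20 host kernel: [21293.875635] type=1400 audit(1401837320.312:93): apparmor="DENIED" operation="open" parent=17295 profile="/usr/bin/pidgin" name="/run/utmp" pid=17664 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 3 23:15:20 host kernel: [21293.995761] type=1400 audit(1401837320.432:95): apparmor="DENIED" operation="open" parent=17295 profile="/usr/bin/pidgin" name="/etc/wildmidi/wildmidi.cfg" pid=17664 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 3 23:15:32 host kernel: [21305.966654] type=1400 audit(1401837332.404:101): apparmor="DENIED" operation="file_mmap" parent=17295 profile="/usr/bin/pidgin" name="/tmp/orcexec.CZIJm9" pid=17697 comm="wavparse0:sink" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 3 23:15:32 host kernel: [21305.966694] type=1400 audit(1401837332.404:102): apparmor="DENIED" operation="file_mmap" parent=17295 profile="/usr/bin/pidgin" name="/home/user/orcexec.YhmXoE" pid=17697 comm="wavparse0:sink" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 3 23:22:23 host kernel: [21717.149156] type=1400 audit(1401837743.588:103): apparmor="STATUS" operation="profile_replace" name="/usr/bin/pidgin" pid=18581 comm="apparmor_parser"
Jun 3 23:22:24 host kernel: [21718.362177] type=1400 audit(1401837744.800:104): apparmor="DENIED" operation="file_lock" parent=14939 profile="/usr/bin/pidgin" name="/run/utmp" pid=18617 comm="pidgin" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0
Jun 3 23:22:50 host kernel: [21744.154518] type=1400 audit(1401837770.592:106): apparmor="DENIED" operation="file_mmap" parent=14939 profile="/usr/bin/pidgin" name="/home/user/orcexec.5oz9pN" pid=18626 comm="wavparse0:sink" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
"""

# key="quoted value" or key=bareword, as the kernel audit lines above print them
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')
PERM_ORDER = 'rwmklx'  # ordering assumed for stable output, e.g. "rk" rather than "kr"


def parse_audit_line(line):
    """Return the key=value fields of one audit line as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        if m.group(1):
            fields[m.group(1)] = m.group(2)
        else:
            fields[m.group(3)] = m.group(4)
    return fields


def normalize_name(name):
    """Heuristic of this example: map /home/<user> to @{HOME} and collapse a
    per-run six-character random suffix under /tmp or @{HOME} into a glob."""
    name = re.sub(r'^/home/[^/]+', '@{HOME}', name)
    if name.startswith('/tmp/') or name.startswith('@{HOME}/'):
        name = re.sub(r'\.[A-Za-z0-9]{6}$', '.*', name)
    return name


def suggest_rules(log_text):
    """Return {profile: [(rule_line, needs_review)]} built from DENIED events only."""
    merged = OrderedDict()
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get('apparmor') != 'DENIED' or 'name' not in f or 'requested_mask' not in f:
            continue  # STATUS lines and non-file events carry no path rule
        # the process accessed its own non-root file: propose the narrower "owner" form
        owner_only = f.get('fsuid') == f.get('ouid') and f.get('ouid') != '0'
        key = (f['profile'], normalize_name(f['name']), owner_only)
        merged[key] = merged.get(key, set()) | set(f['requested_mask'])
    result = OrderedDict()
    for (profile, name, owner_only), masks in merged.items():
        perms = ''.join(p for p in PERM_ORDER if p in masks)
        perms += ''.join(sorted(masks - set(PERM_ORDER)))
        rule = f"{'owner ' if owner_only else ''}{name} {perms},"
        # a globbed path, or an exec whose mode (ix/Px/Ux) must be chosen by hand, needs a human look
        needs_review = '*' in name or 'x' in masks
        result.setdefault(profile, []).append((rule, needs_review))
    return result


if __name__ == '__main__':
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f'# candidate rules for {profile}')
        for rule, needs_review in rules:
            print(f'  {rule}' + ('   # REVIEW' if needs_review else ''))
```

Feed it the kernel log (or the `audit` log on systems that route AppArmor messages there) instead of `SAMPLE_LOG`; the `REVIEW` rules are the ones where the path had to be widened, which is the decision that has to be made per profile rather than copied from the log.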