Please try running "pidgin" from terminal. Perhaps that requires a few extra permissions.
Since many irc networks support SSL, I guess we could replace
[code]/usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt r,[/code]
with
[code]/usr/share/ca-certificates/** r,[/code]
How does that sound?
Good. The profile is more robust.
I fixed a few already: https://github.com/Whonix/apparmor-profile-pidgin/commit/dae348af643e62a9256e76db51599aee6a8a530e
But for those in /tmp and /home I don't know how to sanely add them.
I have pushed the updated profile. It should work.
I cannot reproduce those messages. Are you using a video or audio editor, like gstreamer?
A long standing issue: to open a link, we had to use "Copy link location" and paste it in the browser. The Tor browser now is opened when clicking the link.
"usr.lib.icedove.icedove".
"usr.bin.pidgin".
Both profiles are pushed in troubadoour.
Please try running "pidgin" from terminal. Perhaps that requires a few extra permissions.
Forgot that one. Pushed the profile with a minor modification.
Troubadour, just letting you know that upstream TPO is interested in all the help they can get to create and collect Apparmor profiles.
Micah Lee is the member that seems most responsive and active in this area.
Also there are plans to make profiles that constrain the Flash plugin in TBB.
As a side question, does Whonix ship with the set of Apparmor profiles that are currently available for Debian?
To answer Patrick's implied question and yours, yes, I am ready to start a collaborative work on AppArmor. It really makes sense and it will be a change, me working like a poor lonesome cowboy :(. Not true actually. Thanks Patrick for your commitment and limitless availability and patience (for me, especially on git…).
As suggested, the best place to start seems to be at Micah Lee's, with Radostan's help, if he is willing to collaborate. And I came across some quite good works on AppArmor, in some places I have to find again.
More notes on Collaboration:
I assume our longterm goal is to have Whonix profiles upstreamed to take off the maintenance burden and also expanding the total number of profiles on Debian to protect as much software on the platform as possible.
All the profiles Debian currently covers are listed under this package - which I recommend we add if we don't use it right now.
https://packages.debian.org/wheezy/all/apparmor-profiles/filelist
Who can we talk to?
TPO's Jacob is a Debian user and contributor who holds major influence. From what he has proposed and said, he is a big proponent of using OS mechanisms for hardening for Tor components. We can talk to him for getting Apparmor profiles in general and Whonix profiles upstreamed.
Intrigeri TAILS dev and Apparmor package maintainer for Debian.
Work Plan
First is the network facing software which I see you've done a great job on. Next comes popular software, especially complex packages should be targeted for profile support first. Examples are VLC, LibreOffice.
Since you are already overworked, I'll focus on scavenging for profiles already written that we can pass on upstream for addition after some minor testing.
VLC profile I found that may need some tuning because it excludes components related to Nvidia which are not relevant to our virtual environment:
[code]
# Last Modified: Sat Mar 31 01:45:41 2012
#include <tunables/global>

/usr/bin/vlc {
  #include <abstractions/base>
  #include <abstractions/nvidia>

  capability ipc_lock,

  deny /etc/passwd r,
  deny /etc/apparmor.d/** r,
  deny /root/** r,
  deny /selinux/** r,
  deny /boot/** r,
  deny /opt/** r,
  deny /sbin/** r,

  /bin/dash r,
  /bin/grep rix,
  /bin/mv rix,
  /bin/sed rix,
  /bin/sleep rix,
  /bin/which rix,
  /dev/ r,
  /dev/ati/card0 rw,
  /etc/fonts/** r,
  /etc/nsswitch.conf r,
  /etc/pulse/client.conf r,
  /etc/xdg/Trolltech.conf rk,
  /etc/xdg/sni-qt.conf rk,
  /home/** rk,
  /proc/*/auxv r,
  /proc/*/cmdline r,
  /proc/*/status r,
  /proc/ati/* r,
  /proc/modules r,
  /run/shm/ r,
  /run/shm/* rw,
  /sys/devices/system/*/ r,
  /tmp/** rw,
  /tmp/**/ rw,
  /usr/** rk,
  /usr/bin/dbus-send rix,
  /usr/bin/xdg-screensaver rix,
  /usr/lib{,32,64}/** mrw,
  /var/cache/** r,
  /var/lib/dbus/machine-id r,
  /var/lib/defoma/fontconfig.d/* r,
}
[/code]
After some time searching, all I found were two older profiles written for OpenJDK7 and nothing for LibreOffice.
Looks like Apparmor profiles for these packages and more are on Micah's radar.
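Two things come up repeatedly in this thread: whether a widened rule such as `/usr/share/ca-certificates/** r,` still covers the file it replaced, and which rules in a scavenged profile like the VLC one above (`/home/** rk`, `/tmp/** rw`, `/usr/** rk`) are broad enough to deserve tuning before anyone ships them. The small auditor below is an added example, not code from the thread or from the Whonix profiles; it only understands plain file rules with `*`, `**` and `{a,b}` alternation, and its sample rules are constructed from lines quoted in the posts above.

```python
import re

# Constructed sample (added example, not from the thread): the CA-certificate
# rule discussed at the top plus a few lines of the quoted VLC profile.
SAMPLE_RULES = """
/usr/share/ca-certificates/** r,
/usr/lib{,32,64}/** mrw,
/home/** rk,
/tmp/** rw,
deny /etc/passwd r,
"""
# "[deny] <path-glob> <perms>," -- only plain file rules are parsed here.
RULE_RE = re.compile(r"^\s*(deny\s+)?(/\S+)\s+([a-zA-Z]+),\s*$")

def glob_to_regex(glob):
    """AppArmor glob -> anchored regex: ** matches anything including '/',
    * anything except '/', {a,b} is alternation. Other syntax not handled."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out += ".*"
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out += "[^/]*"
        elif c == "{":
            j = glob.index("}", i)
            alts = glob[i + 1:j].split(",")
            out += "(?:" + "|".join(re.escape(a) for a in alts) + ")"
            i = j
        else:
            out += re.escape(c)
        i += 1
    return re.compile("^" + out + "$")

def parse_rules(text):
    """Return (is_deny, glob, perms) for every file rule in the profile text."""
    return [(bool(m.group(1)), m.group(2), m.group(3))
            for m in map(RULE_RE.match, text.splitlines()) if m]

def matching_rules(rules, path):
    """Every rule whose glob covers the given path (deny rules included)."""
    return [r for r in rules if glob_to_regex(r[1]).match(path)]

def broad_rules(rules, min_depth=2):
    """Allow rules whose '**' sits fewer than min_depth directories deep."""
    def depth(glob):
        return len([p for p in glob.split("**", 1)[0].split("/") if p])
    return [g for deny, g, _p in rules
            if not deny and "**" in g and depth(g) < min_depth]
```

Running `broad_rules(parse_rules(SAMPLE_RULES))` flags `/home/**` and `/tmp/**` but not the three-directory-deep certificate rule, which is the distinction the thread is drawing between a sane widening and a profile that needs tuning.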
If we want to upstream or hope for upstream to take it, we should not strip the virtual environment specific parts. Also there is Whonix with physical isolation.
I assume our longterm goal is to have Whonix profiles upstreamed to take off the maintenance burden and also expanding the total number of profiles on Debian to protect as much software on the platform as possible.
Sure. At least in theory this sounds nice and is an adorable goal. Practicality is a different thing.
Let's go back to how this whole thread and troubadour's work started. I think troubadour said he'd rather contribute to the Whonix project, because… Well, I'd better not put words in someone's mouth. The idea of upstreaming began here:
Another statement about difficulty with upstreaming here:
My reply:
troubadour:
TPO's Jacob is a Debian user and contributor who holds major influence. From what he has proposed and said, he is a big proponent of using OS mechanisms for hardening for Tor components. We can talk to him for getting Apparmor profiles in general and Whonix profiles upstreamed.
I think he is overworked already. Worth a try.
All the profiles Debian currently covers are listed under this package - which I recommend we add if we don't use it right now.
Intrigeri TAILS dev and Apparmor package maintainer for Debian.
Since you are already overworked, I'll focus on scavenging for profiles already written that we can pass on upstream for addition after some minor testing.
Well, this all sounds very nice in theory.
In practice this is very time consuming and frustrating. In my experience you're not running into open doors. "We cooked something nice up in Whonix, here is the link, works quite well, can you test it yourself, do last changes and please merge it into your package" doesn't work. Don't mention Whonix. You need a pure Debian testing (or sid?) development environment. And most times they don't accept git branches and ask for things such as tested patches and debdiffs. Seems difficult to me to interact well with Debian devs if you have never met them in person.
For example just have a look at the "add /etc/bashrc.d feature" discussion:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675008
So you need frustration tolerance. If troubadour feels like upstreaming stuff, I'll be very happy about this. But if not, I can totally understand this.
Sure. At least in theory this sounds nice and is an adorable goal. Practicality is a different thing.
After what you described I can understand how difficult it is to get anything up there in Debian. Resistance to change is what Debian is known for. But maybe that's a good thing if you look at how they held off from including Upstart and went with systemd when it matured.
It's best to just keep focusing on our own anonymity packages and keep our fingers crossed that Tor mainline profiles eventually get in there and offload some stuff from your shoulders.
If you think talking to Jacob is worth a shot, I will write a draft of what we can say and you send it if that's ok.
I think they want you to contact the Debian maintainer of the original package first. Perhaps even better to contact the maintainer of the software first.
I was asking if Whonix already uses the apparmor-profiles package out of the box. That way we protect the few daemons whose profiles are already included.
With your help I am planning to create a profile for ucspi-tcp eventually after testing is finished.
If you think talking to Jacob is worth a shot, I will write a draft of what we can say and you send it if that's ok.
Got some questions about this…
Private mail to Jacob? That is always a bit intransparent. I need to ask if I may publish it and may or may not get an answer. And for any follow up and what has been talked about, it gets difficult.
Why contact individuals when we could write in general to public places (mailing list, bug tracker)?
I recently added an overview to their apparmor ticket #5791:
What else could be done? Write Jacob a one liner, "have you seen the overview there"?
But no one seems to work on #5791 at the moment. "Keywords: SponsorZ" as far as I understand means "we have no sponsoring for this, we wish we had, might try to get one, as long as we don't have one, we most likely won't be working on this".
Feel free to propose something, but I have no idea what could be said.
I was asking if Whonix already uses [b]apparmor-profiles[/b] package out of the box.
Yes. (Not enforced by default.)
[code]dpkg -l | grep apparmor-profiles[/code]
Also very interesting:
[code]apt-file list apparmor-profiles[/code]
/usr/share/doc/apparmor-profiles/extras contains lots of extra profiles.
With your help I am planning to create a profile for ucspi-tcp eventually after testing is finished.
For control-port-filter (which uses tcpserver), you mean? That'd be great!
Then it's better if this is addressed to the public Debian mailing list, with a plea to ease the process of including Apparmor profiles. Besides this I still think it's useful if you can also explain to Jacob the current obstacles and ask him to back up the proposal on the Debian mailing list. You can ask him if he allows you to post his views on this publicly - in the same message.
Debian mailing list:
It's becoming necessary to confine user-land software as much as possible to secure a system against advanced malware attacks perpetrated by criminal organizations and governments. Can you please make your Apparmor streamlining process easier to contribute to by outsiders so that profiles are collected, tested and used in Debian sooner than what the current guidelines allow?
Don't get me wrong. I admire your fresh perspective, idealism and motivation! However, from my perspective it looks naive. I've been following a few Debian lists for years and the outcome of such discussions is usually zero, so my motivation to post something like this is zero.
For example, "get Tor Browser into Debian" failed due to politics / bureaucracy:
https://lists.torproject.org/pipermail/tor-talk/2013-February/027486.html
Or see the more recent thread "concrete steps for improving apt downloading security and privacy" by Hans-Christoph Steiner, where he is doing a good job making his point, but to no avail:
https://lists.debian.org/debian-security/2014/07/msg00022.html
https://lists.debian.org/debian-security/2014/07/threads.html#00024
But that's just my opinion. Please do make your own experience. Don't let me slow you down. No need to take my opinion for it.
Feel free to post anything on any Debian mailing list and/or to contact intrigeri and/or Jacob. You can refer to the facts, link to what has been done/said and so forth. Please just don't let anyone confuse it as an official Whonix ambassador task, please use "I". Good luck! Looking forward to it! And I hope I am wrong, we'd be much better off if I was wrong.
Debian's inertia is no stranger to me, I'll heed your advice and conserve my effort for something worthwhile.
Yes, and Whonix is certainly worthwhile.
The AppArmor profiles development at Debian is either dead or non-existent. Or both.
I managed to catch John Johansen from the AppArmor development team (see Whonix Forum) and pointed him to this thread. He made a polite reply saying that he had a lot to do before the week-end but would take the time to have a look. I do not know if he did, but I could not see any increase in the views as I was naively hoping.
I believe that the best way to achieve something is to work together with Micah Lee and others on profiles we could propose upstream once and only once they are complete and tested. Number one should be the Tor Browser in Debian (we can consider it's operational in Whonix). Then we have a chance to revive ticket #5791 and to have an impact.
For other profiles, I have some work started with VLC, and Okular (because it is a PDF reader too) is nearly finished. I'll have to dig them out.
Denied message in Tor Browser.
Pushed open-link-confirmation · troubadoour/apparmor-profile-anondist@7a8dc23 · GitHub