Whonix AppArmor Profiles Development Discussion

Please try running “pidgin” from terminal. Perhaps that requires a few extra permissions.

Since many irc networks support SSL, I guess we could replace.
/usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt r,

With.

/usr/share/ca-certificates/** r,

How does that sound?

Good. The profile is more robust.

I fixed a few already: https://github.com/Whonix/apparmor-profile-pidgin/commit/dae348af643e62a9256e76db51599aee6a8a530e

But for those in /tmp and /home I don’t know how to sanely add them.

I have pushed the updated profile. It should work.

I cannot reproduce those messages. Are you using a video or audio editor, like gstreamer?

A long standing issue: to open a link, we had to use “Copy link location” and paste it in the browser. The Tor browser now is opened when clicking the link.

“usr.lib.icedove.icedove”.

  • Had to allow reading the whole home folder in order to select “/home/user/tor-browser_*/Browser/firefox” as the link application.
  • If the Tor browser is already open, the link is opened in a new tab.

“usr.bin.pidgin”.

  • When clicking a link, Pidgin opens a warning popup, and opens a new instance of the Tor browser.
  • Originally, for “orcexec”, only write permission was denied. It is read/write now.

Both profiles are pushed in troubadoour.

Please try running "pidgin" from terminal. Perhaps that requires a few extra permissions

Forgot that one. Pushed the profile with a minor modification.

Troubadour, just letting you know that upstream TPO is interested in all the help they can get to create and collect Apparmor profiles.

Micah Lee is the member that seems most responsive and active in this area.
Also there are plans to make profiles that constrain the Flash plugin in TBB.

As a side question, does Whonix ship with the set of Apparmor profiles that are currently available for Debian?

To answer Patrick’s implied question and yours, yes, I am ready to start a collaborative work on AppArmor. It really makes sense and it will be a change, me working like a poor lonesome cowboy :(. Not true actually. Thanks Patrick for your commitment and limitless availability and patience (for me, especially on git…).

As suggested, the best place to start seems to be at Micah Lee’s, with Radostan’s help, if he is willing to collaborate. And I came across some quite good work on AppArmor, in some places I have to find again.

More notes on Collaboration:

I assume our longterm goal is to have Whonix profiles upstreamed to take off the maintenance burden and also expanding the total number of profiles on Debian to protect as much software on the platform as possible.

All the profiles Debian currently covers are listed under this package - which I recommend we add if we don’t use it right now.

https://packages.debian.org/wheezy/all/apparmor-profiles/filelist

Who can we talk to?

TPOā€™s Jacob is a Debian user and contributor who holds major influence. From what he has proposed and said, he is a big proponent of using OS mechanisms for hardening for Tor components. We can talk to him for getting Apparmor profiles in general and Whonix profiles upstreamed.

Intrigeri TAILS dev and Apparmor package maintainer for Debian.

Work Plan

First is the network facing software, which I see you’ve done a great job on. Next comes popular software; especially complex packages should be targeted for profile support first. Examples are VLC and LibreOffice.
Since you’re already overworked, I’ll focus on scavenging for profiles already written that we can pass on upstream for addition after some minor testing.

VLC profile I found that may need some tuning because it excludes components related to Nvidia which are not relevant to our virtual environment:

[code]
# Last Modified: Sat Mar 31 01:45:41 2012
#include <tunables/global>

/usr/bin/vlc {
  #include <abstractions/base>
  #include <abstractions/nvidia>

  capability ipc_lock,

  deny /etc/passwd r,
  deny /etc/apparmor.d/** r,
  deny /root/** r,
  deny /selinux/** r,
  deny /boot/** r,
  deny /opt/** r,
  deny /sbin/** r,

  /bin/dash r,
  /bin/grep rix,
  /bin/mv rix,
  /bin/sed rix,
  /bin/sleep rix,
  /bin/which rix,
  /dev/ r,
  /dev/ati/card0 rw,
  /etc/fonts/** r,
  /etc/nsswitch.conf r,
  /etc/pulse/client.conf r,
  /etc/xdg/Trolltech.conf rk,
  /etc/xdg/sni-qt.conf rk,
  /home/** rk,
  /proc/*/auxv r,
  /proc/*/cmdline r,
  /proc/*/status r,
  /proc/ati/* r,
  /proc/modules r,
  /run/shm/ r,
  /run/shm/* rw,
  /sys/devices/system/*/ r,
  /tmp/** rw,
  /tmp/**/ rw,
  /usr/** rk,
  /usr/bin/dbus-send rix,
  /usr/bin/xdg-screensaver rix,
  /usr/lib{,32,64}/** mrw,
  /var/cache/** r,
  /var/lib/dbus/machine-id r,
  /var/lib/defoma/fontconfig.d/* r,
}
[/code]

After some time searching, all I found were two older profiles written for OpenJDK7 and nothing for LibreOffice.

Looks like Apparmor profiles for these packages and more are on Micah’s radar.
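As an added illustration (not code from this thread, from Whonix, or from the profile author) of two points raised above: the Pidgin change from a single certificate path to `/usr/share/ca-certificates/** r,`, and the broad rules in the VLC profile such as `/home/** rk,` and `/usr/lib{,32,64}/** mrw,`. The Python below parses file rules written in AppArmor syntax, approximates AppArmor path globbing (`*` and `?` stop at `/`, `**` crosses directories, `{a,b}` is alternation) so you can check which rules cover a concrete path, and flags two patterns a profile reviewer looks for: a path that is both writable and mmap/executable, and a recursive glob rooted fewer than three components deep. The sample rules are constructed from lines quoted on this page; the thresholds and the globbing approximation are assumptions of this example, not AppArmor's own semantics.

```python
import re

# Constructed sample (not a full profile): a few rules copied from the VLC
# profile quoted in the thread, plus the two ca-certificates lines discussed
# for the Pidgin profile.
SAMPLE_RULES = """\
  deny /etc/passwd r,
  /home/** rk,
  /proc/*/cmdline r,
  /tmp/** rw,
  /usr/lib{,32,64}/** mrw,
  /usr/bin/dbus-send rix,
  /usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt r,
  /usr/share/ca-certificates/** r,
"""

# One file rule per line: optional "deny", an absolute path glob, a permission
# string (r, w, k, m, ix, Px, ...) and the trailing comma.
RULE_RE = re.compile(r"^\s*(?P<deny>deny\s+)?(?P<path>/\S+)\s+(?P<perms>[A-Za-z]+),\s*$")


def parse_rules(text):
    """Return a list of dicts for the file rules found in `text`."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"deny": m.group("deny") is not None,
                          "path": m.group("path"),
                          "perms": m.group("perms")})
    return rules


def glob_to_regex(glob):
    """Approximation of AppArmor path globbing (assumed here): '*' and '?'
    stop at '/', '**' crosses directory boundaries, '{a,b}' is alternation."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            j = glob.index("}", i)
            alts = glob[i + 1:j].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = j + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def rules_matching(rules, concrete_path):
    """Paths of all rules whose glob covers `concrete_path`, in profile order."""
    return [r["path"] for r in rules if glob_to_regex(r["path"]).match(concrete_path)]


def audit_rule(rule):
    """Heuristic findings for one allow rule (thresholds are assumptions)."""
    findings = []
    if rule["deny"]:
        return findings
    perms = rule["perms"].lower()
    # A path that is both writable and mappable/executable lets a compromised
    # confined process drop a file and then load it as code.
    if "w" in perms and ("m" in perms or "x" in perms):
        findings.append("write+mmap/exec")
    # A recursive glob with fewer than three fixed leading components
    # (/home/**, /usr/lib/**) usually covers far more than the program needs;
    # /usr/share/ca-certificates/** passes this check.
    if "**" in rule["path"]:
        fixed = [p for p in rule["path"].split("/")[1:] if p != "**"]
        if len(fixed) < 3:
            findings.append("broad recursive glob")
    return findings


def audit_profile(text):
    """Map each flagged rule path to its list of findings."""
    report = {}
    for rule in parse_rules(text):
        findings = audit_rule(rule)
        if findings:
            report[rule["path"]] = findings
    return report


if __name__ == "__main__":
    cert = "/usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt"
    print("rules covering the SPI cert:", rules_matching(parse_rules(SAMPLE_RULES), cert))
    for path, findings in audit_profile(SAMPLE_RULES).items():
        print(f"{path}: {', '.join(findings)}")
```

Run as a script it lists both ca-certificates rules as covering the SPI certificate (so the wildcard form is a superset of the original line) and flags `/home/**`, `/tmp/**` and `/usr/lib{,32,64}/**`; the last one for both reasons, since `mrw` on a whole library tree is the combination the write+mmap check is there to catch.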

If we want to upstream or hope for upstream to take it, we should not strip the virtual environment specific parts. Also there is Whonix with physical isolation.

I assume our longterm goal is to have Whonix profiles upstreamed to take off the maintenance burden and also expanding the total number of profiles on Debian to protect as much software on the platform as possible.
Sure. At least in theory this sounds nice and is an adorable goal. Practicality is a different thing.

Let’s go back to how this whole thread and troubadour’s work started. I think troubadour said he would rather contribute to the Whonix project, because… Well, I better don’t put words in someone’s mouth. The idea of upstreaming began here:

Another statement about difficulty with upstreaming here:

My reply:

troubadour:

TPO's Jacob is a Debian user and contributor who holds major influence. From what he has proposed and said, he is a big proponent of using OS mechanisms for hardening for Tor components. We can talk to him for getting Apparmor profiles in general and Whonix profiles upstreamed.
I think he is overworked already. Worth a try.
All the profiles Debian currently covers are listed under this package - which I recommend we add if we don't use it right now.

I think they want you to contact the Debian maintainer of the original package first. Perhaps even better to contact the maintainer of the software first.

Intrigeri TAILS dev and Apparmor package maintainer for Debian.
Since you’re already overworked, I’ll focus on scavenging for profiles already written that we can pass on upstream for addition after some minor testing.
Well, this all sounds very nice in theory.

In practice this is very time consuming and frustrating. In my experience you’re not running into open doors. “We cooked something nice up in Whonix, here is the link, works quite well, can you test it yourself, do last changes and please merge it into your package” doesn’t work. Don’t mention Whonix. You need a pure Debian testing (or sid?) development environment. And most times they don’t accept git branches and ask for things such as tested patches and debdiffs. Seems difficult to me to interact well with Debian devs if you have never met them in person.

For example just have a look at the “add /etc/bashrc.d feature” discussion:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675008

So you need frustration tolerance. If troubadour feels like upstreaming stuff, I’ll be very happy about this. But if not, I can totally understand this.

Sure. At least in theory this sounds nice and is an adorable goal. Practicality is a different thing.

After what you described I can understand how difficult it is to get anything up there in Debian. Resistance to change is what Debian is known for. But maybe that’s a good thing if you look at how they held off from including Upstart and went with systemd when it matured.

It’s best to just keep focusing on our own anonymity packages and keep our fingers crossed that Tor mainline profiles eventually get in there and offload some stuff from your shoulders.

If you think talking to Jacob is worth a shot, I will write a draft of what we can say and you send it if that’s ok.

I think they want you to contact the Debian maintainer of the original package first. Perhaps even better to contact the maintainer of the software first.

I was asking if Whonix already uses the apparmor-profiles package out of the box. That way we protect the few daemons whose profiles are already included.

With your help I am planning to create a profile for ucspi-tcp eventually after testing is finished.

If you think talking to Jacob is worth a shot, I will write a draft of what we can say and you send it if that’s ok.

Got some questions about this…

Private mail to Jacob? That is always a bit non-transparent. I need to ask if I may publish it and may or may not get an answer. And any follow up and what has been talked about gets difficult.

Why contact individuals when we could write in general to public places (mailing list, bug tracker)?

I recently added an overview to their apparmor ticket #5791:

What else could be done? Write Jacob a one liner, “have you seen the overview there”?

But no one seems to work on #5791 at the moment. “Keywords: SponsorZ” as far as I understand means “we have no sponsoring for this, we wish we had, might try to get one, as long as we don’t have one, we most likely won’t be working on this”.

Feel free to propose something, but I have no idea what could be said.

I was asking if Whonix already uses [b]apparmor-profiles[/b] package out of the box.
Yes. (Not enforced by default.)
dpkg -l | grep apparmor-profiles

Also very interesting:

apt-file list apparmor-profiles

/usr/share/doc/apparmor-profiles/extras contains lots of extra profiles.

With your help I am planning to create a profile for ucspi-tcp eventually after testing is finished.

For control-port-filter (which uses tcpserver), you mean? That’d be great!

Then it’s better if this is addressed to the public Debian mailinglist, with a plea to ease the process of including Apparmor profiles. Besides this I still think it’s useful if you can also explain to Jacob the current obstacles and ask him to back up the proposal on the Debian mailinglist. You can ask him if he allows you to post his views on this publicly - in the same message.

Debian mailinglist:

It’s becoming necessary to confine user-land software as much as possible to secure a system against advanced malware attacks perpetrated by criminal organizations and governments. Can you please make your Apparmor streamlining process easier to contribute to by outsiders so that profiles are collected, tested and used in Debian sooner than what the current guidelines allow?

Don’t get me wrong. I admire your fresh perspective, idealism and motivation! However, from my perspective it looks naive. I’ve been following a few Debian lists for years and the outcome of such discussions is usually zero, so my motivation to post something like this is zero.

For example, “get Tor Browser into Debian” failed due to politics / bureaucracy:
https://lists.torproject.org/pipermail/tor-talk/2013-February/027486.html

Or see the more recent thread “concrete steps for improving apt downloading security and privacy” by Hans-Christoph Steiner, where he is doing a good job making his point, but to no avail:
https://lists.debian.org/debian-security/2014/07/msg00022.html
https://lists.debian.org/debian-security/2014/07/threads.html#00024

But that’s just my opinion. Please do make your own experience. Don’t let me slow you down. No need to take my opinion for it.

Feel free to post anything on any Debian mailing list and/or to contact intrigeri and/or Jacob. You can refer to the facts, link to what has been done/said and so forth. Please just don’t let anyone confuse it as an official Whonix ambassador task, please use “I”. Good luck! Looking forward to it! And I hope I am wrong, we’d be much better off if I was wrong.

Debian’s inertia is no stranger to me, I’ll heed your advice and conserve my effort for something worthwhile.

Yes, and Whonix is certainly worthwhile.

The AppArmor profiles development at Debian is either dead or non-existent. Or both.

I managed to catch John Johansen from the AppArmor development team (see Whonix Forum) and pointed him to this thread. He made a polite reply saying that he had a lot to do before the week-end but would take the time to have a look. I do not know if he did, but I could not see any increase in the views as I was naively hoping.

I believe that the best way to achieve something is to work together with Micah Lee and others on profiles we could propose upstream once and only once they are complete and tested. Number one should be the Tor Browser in Debian (we can consider it’s operational in Whonix). Then we have a chance to revive ticket #5791 and to have an impact.

For other profiles, I have some work started with VLC, and Okular (because it is a PDF reader too) is nearly finished. I’ll have to dig them out.

Denied message in Tor Browser.
Pushed open-link-confirmation · troubadoour/apparmor-profile-anondist@7a8dc23 · GitHub