It depends on what we're up to here. Putting them into a profile we would like to see getting merged into Debian is eventually counterproductive to get them merged into Debian? Would confuse Debian maintainers? I guess having them in base.anondist is better as long as kde-lowfat [...] does not enter Debian. I have no idea! What is the usual thing to do in such cases if there is such a thing as a usual thing here?
On the other hand, Debian maintainers may not care about an extra "/usr/share/kde-lowfat/share/config/kdeglobals r," if there is no such file in Debian. Doesn't worsen security and even if there is such a file one day in Debian, it would be required. So while I am very unsure about this, I tend to put them into the profile.
I don't think there is yet such a thing as a usual thing in Debian where it concerns AppArmor, but maybe there is a slight upturn (intrigeri is there and apparently the only one really active). See AppArmor/Progress - Debian Wiki.
So, for our little problem, we say "back in the profile"? That cannot harm in any way the functioning of the package (on the contrary) or the security.
What timesync does is using "sudo service sdwdate" restart and then monitoring it.
Or somehow tell the timesync apparmor profile to run sdwdate using sdwdate's profile?
cx - the new process should run under a child profile that matches the name of the executable
px - the new process should run under another profile that matches the name of the executable
Using either cx or px.
I believe you'll agree that it is certainly neater to use a child profile instead of a new abstraction, so I assume I can start in that direction.
I am using a child profile in the Icedove profile.
@{HOME}/tor-browser_*/Browser/firefox Px,
That is why we cannot start Iceweasel from Icedove when the packages are confined. Only Torbrowser is available to open the links in messages. Whonix Forum
No. Far fetched, but maybe there was a problem with your revert. I have pushed apparmor-profile-anondist with dh-apparmor back. If you merge it...
No problem with the revert. This was the revert commit:
Git records changesets. So you can easily add/remove/re-add changes.
I just checked, the abstractions/base and the torbrowser profile exactly match the versions on github and I even rebooted. No idea why I am still getting these errors. Any idea? Perhaps it is because this was a Whonix-Workstation build version 8.2 that was upgraded to 8.6.x.
Nevertheless I would like to debug and fix this. Is there some way to tell AppArmor to show me how a profile that is currently loaded in memory looks? To show me what the profile looks like after it actually sourced the abstractions?
Have you subscribed to torbrowser-launcher using github's "watch" button? I did.
If yes, there is no need for me to mirror things here.
Just wanted to say, intrigeri just wrote a bigger comment on the AppArmor profile.
Just saying. Keep your time.
Figured it out. Seems to be a bug in AppArmor.
Steps to reach that conclusion were.
sudo apt-get purge apparmor-profile-torbrowser
cd /etc/apparmor.d
sudo grep -r firefox *
sudo rm "cache/home.*.tor-browser_*.Browser.firefox"
sudo reboot
## install latest apparmor-profile-torbrowser from source using make deb-icup
No more denied messages by the apparmor-profile-torbrowser package.
Are you aware of an upstream bug report, should we document this or just keep it in mind?
Had it too, a couple of times. Forgot it. I pushed the update.
Merged into Whonix/apparmor-profile-torbrowser master.
Merged into Whonix/Whonix master.
I have added the lines at the end of the profile. Not committed yet. For the message in the commit, did you get those messages after you started packaging Python applications?
I get a "failed" during boot and manual restart of apparmor at Whonix 8.6.6.0.
Gateway:
root@host:~# /etc/init.d/apparmor restart
[....] Reloading AppArmor profiles:Warning from /etc/apparmor.d/bin.ping (/etc/apparmor.d/bin.ping line 28): profile /bin/ping network rules not enforced
Warning from /etc/apparmor.d/sbin.klogd (/etc/apparmor.d/sbin.klogd line 36): profile /sbin/klogd network rules not enforced
Warning from /etc/apparmor.d/sbin.syslogd (/etc/apparmor.d/sbin.syslogd line 41): profile /sbin/syslogd network rules not enforced
Warning from /etc/apparmor.d/sbin.syslog-ng (/etc/apparmor.d/sbin.syslog-ng line 55): profile /sbin/syslog-ng network rules not enforced
Warning from /etc/apparmor.d/system_tor (/etc/apparmor.d/system_tor line 18): profile system_tor network rules not enforced
profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile sanitized_helper, failed to load
Warning from /etc/apparmor.d/usr.lib.dovecot.deliver (/etc/apparmor.d/usr.lib.dovecot.deliver line 29): profile /usr/lib/dovecot/deliver network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.dovecot-auth (/etc/apparmor.d/usr.lib.dovecot.dovecot-auth line 23): profile /usr/lib/dovecot/dovecot-auth network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.imap (/etc/apparmor.d/usr.lib.dovecot.imap line 27): profile /usr/lib/dovecot/imap network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.imap-login (/etc/apparmor.d/usr.lib.dovecot.imap-login line 23): profile /usr/lib/dovecot/imap-login network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.managesieve-login (/etc/apparmor.d/usr.lib.dovecot.managesieve-login line 22): profile /usr/lib/dovecot/managesieve-login network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.pop3 (/etc/apparmor.d/usr.lib.dovecot.pop3 line 23): profile /usr/lib/dovecot/pop3 network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.pop3-login (/etc/apparmor.d/usr.lib.dovecot.pop3-login line 21): profile /usr/lib/dovecot/pop3-login network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.avahi-daemon (/etc/apparmor.d/usr.sbin.avahi-daemon line 31): profile /usr/sbin/avahi-daemon network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.dnsmasq (/etc/apparmor.d/usr.sbin.dnsmasq line 61): profile /usr/sbin/dnsmasq network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.dovecot (/etc/apparmor.d/usr.sbin.dovecot line 42): profile /usr/sbin/dovecot network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.identd (/etc/apparmor.d/usr.sbin.identd line 31): profile /usr/sbin/identd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.mdnsd (/etc/apparmor.d/usr.sbin.mdnsd line 35): profile /usr/sbin/mdnsd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.nmbd (/etc/apparmor.d/usr.sbin.nmbd line 27): profile /usr/sbin/nmbd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.nscd (/etc/apparmor.d/usr.sbin.nscd line 48): profile /usr/sbin/nscd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.smbd (/etc/apparmor.d/usr.sbin.smbd line 52): profile /usr/sbin/smbd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.traceroute (/etc/apparmor.d/usr.sbin.traceroute line 29): profile /usr/{sbin/traceroute,bin/traceroute.db} network rules not enforced
failed!
Workstation:
root@host:~# /etc/init.d/apparmor restart
[....] Reloading AppArmor profiles:Warning from /etc/apparmor.d/bin.ping (/etc/apparmor.d/bin.ping line 28): profile /bin/ping network rules not enforced
Warning from /etc/apparmor.d/sbin.klogd (/etc/apparmor.d/sbin.klogd line 36): profile /sbin/klogd network rules not enforced
Warning from /etc/apparmor.d/sbin.syslogd (/etc/apparmor.d/sbin.syslogd line 41): profile /sbin/syslogd network rules not enforced
Warning from /etc/apparmor.d/sbin.syslog-ng (/etc/apparmor.d/sbin.syslog-ng line 55): profile /sbin/syslog-ng network rules not enforced
profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile sanitized_helper, failed to load
Warning from /etc/apparmor.d/usr.bin.freshclam (/etc/apparmor.d/usr.bin.freshclam line 44): profile /usr/bin/freshclam network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.deliver (/etc/apparmor.d/usr.lib.dovecot.deliver line 29): profile /usr/lib/dovecot/deliver network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.dovecot-auth (/etc/apparmor.d/usr.lib.dovecot.dovecot-auth line 23): profile /usr/lib/dovecot/dovecot-auth network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.imap (/etc/apparmor.d/usr.lib.dovecot.imap line 27): profile /usr/lib/dovecot/imap network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.imap-login (/etc/apparmor.d/usr.lib.dovecot.imap-login line 23): profile /usr/lib/dovecot/imap-login network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.managesieve-login (/etc/apparmor.d/usr.lib.dovecot.managesieve-login line 22): profile /usr/lib/dovecot/managesieve-login network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.pop3 (/etc/apparmor.d/usr.lib.dovecot.pop3 line 23): profile /usr/lib/dovecot/pop3 network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.pop3-login (/etc/apparmor.d/usr.lib.dovecot.pop3-login line 21): profile /usr/lib/dovecot/pop3-login network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.avahi-daemon (/etc/apparmor.d/usr.sbin.avahi-daemon line 31): profile /usr/sbin/avahi-daemon network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.dnsmasq (/etc/apparmor.d/usr.sbin.dnsmasq line 61): profile /usr/sbin/dnsmasq network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.dovecot (/etc/apparmor.d/usr.sbin.dovecot line 42): profile /usr/sbin/dovecot network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.identd (/etc/apparmor.d/usr.sbin.identd line 31): profile /usr/sbin/identd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.mdnsd (/etc/apparmor.d/usr.sbin.mdnsd line 35): profile /usr/sbin/mdnsd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.nmbd (/etc/apparmor.d/usr.sbin.nmbd line 27): profile /usr/sbin/nmbd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.nscd (/etc/apparmor.d/usr.sbin.nscd line 48): profile /usr/sbin/nscd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.smbd (/etc/apparmor.d/usr.sbin.smbd line 52): profile /usr/sbin/smbd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.traceroute (/etc/apparmor.d/usr.sbin.traceroute line 29): profile /usr/{sbin/traceroute,bin/traceroute.db} network rules not enforced
failed!
Great to see the new "freshclam" profile. Thanks a lot. As I have absolutely no knowledge about apparmor, I'm unfortunately not able to provide a solution.
Purging them at the moment, as long as we have them set as a dependency (may change in a later version or not), is not advised for an end user due to dependencies.
apt-get purge apparmor-profiles
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
anon-banned-packages anon-iceweasel-warning anon-shared-build-inst-tb apparmor-profile-virtualbox gpl-sources-download knetattach-hide power-savings-disable-in-vms
poweroff-passwordless rads scurl shared-folder-help swap-file-creator swappiness-lowest tor-ctrl uwt virt-what whonixcheck
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
anon-shared-packages-recommended* apparmor-profiles* whonix-shared-packages-recommended*
0 upgraded, 0 newly installed, 3 to remove and 99 not upgraded.
After this operation, 306 kB disk space will be freed.
Do you want to continue [Y/n]?
Not really errors, just warnings. They're just not enforced by default.
Except for.
profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile sanitized_helper, failed to load
Which seems to be an issue with the AppArmor profile that Tor developers are shipping. They're using quite some non-standard way to confine Tor. Nevertheless, the profile is enforced when you run "sudo aa-status". Since it works and they would ask for a patch, I think we better don't spend energy on fixing that message.
We could consider this. On the other hand I find it quite useful to have them installed by default so you can simply enforce them by just using one command. This all needs documentation so we can refer to it.
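Added example (not part of the original thread and not Whonix or AppArmor project code): a shell triage of the reload output quoted above, separating the "network rules not enforced" warnings from the one profile the parser reported as failed to load. The function names are illustrative assumptions, and the sample lines are copied from the output posted in this thread.

```shell
#!/bin/sh
# Added example: triage the output of "/etc/init.d/apparmor restart".
# Function names are hypothetical; they are not part of any AppArmor tool.

# Sample lines copied from the reload output quoted earlier in this thread.
sample_reload_output() {
cat <<'EOF'
[....] Reloading AppArmor profiles:Warning from /etc/apparmor.d/bin.ping (/etc/apparmor.d/bin.ping line 28): profile /bin/ping network rules not enforced
Warning from /etc/apparmor.d/system_tor (/etc/apparmor.d/system_tor line 18): profile system_tor network rules not enforced
profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile sanitized_helper, failed to load
Warning from /etc/apparmor.d/usr.sbin.traceroute (/etc/apparmor.d/usr.sbin.traceroute line 29): profile /usr/{sbin/traceroute,bin/traceroute.db} network rules not enforced
failed!
EOF
}

# Print the name of every profile whose network rules are not enforced.
# The leading ".*" copes with the first warning sharing a line with the
# "[....] Reloading AppArmor profiles:" banner.
unenforced_network_profiles() {
    sed -n 's/.*Warning from .*): profile \(.*\) network rules not enforced$/\1/p'
}

# Print the name of every profile the parser reported as failed to load.
failed_profiles() {
    sed -n 's/^ERROR processing regexs for profile \(.*\), failed to load$/\1/p'
}

# Read reload output on stdin and print a one-line summary.
# Returns non-zero when the parser reported at least one load failure.
triage_reload() {
    log=$(cat)
    warn=$(printf '%s\n' "$log" | unenforced_network_profiles | wc -l | tr -d ' ')
    failed=$(printf '%s\n' "$log" | failed_profiles | tr '\n' ' ' | sed 's/ $//')
    echo "network-rule warnings: $warn; failed to load: ${failed:-none}"
    [ -z "$failed" ]
}

# Stand-alone run on the sample lines.
sample_reload_output | triage_reload || echo "parser reported a load failure"
```

On a live system the same functions can read the real output, for example `/etc/init.d/apparmor restart 2>&1 | triage_reload`.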