Whonix AppArmor Profiles Development Discussion

[quote=“Patrick, post:330, topic:108”]Got some XChat denied messages.

Aug 18 22:13:02 host kernel: [ 432.541293] type=1400 audit(1408399982.047:44): apparmor="DENIED" operation="open" parent=8696 profile="/usr/bin/xchat" name="/usr/share/tcltk/tcl8.5/init.tcl" pid=8697 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 18 22:13:02 host kernel: [ 432.553180] type=1400 audit(1408399982.059:45): apparmor="DENIED" operation="open" parent=8696 profile="/usr/bin/xchat" name="/usr/local/lib/python2.7/dist-packages/" pid=8697 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 18 22:13:02 host kernel: [ 432.553441] type=1400 audit(1408399982.059:46): apparmor="DENIED" operation="open" parent=8696 profile="/usr/bin/xchat" name="/usr/share/pyshared/pygst.pth" pid=8697 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 18 22:13:02 host kernel: [ 432.553461] type=1400 audit(1408399982.059:47): apparmor="DENIED" operation="open" parent=8696 profile="/usr/bin/xchat" name="/usr/share/pyshared/pygtk.pth" pid=8697 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 18 22:13:02 host kernel: [ 432.553523] type=1400 audit(1408399982.059:48): apparmor="DENIED" operation="open" parent=8696 profile="/usr/bin/xchat" name="/usr/share/pyshared/setuptools.pth" pid=8697 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 18 22:13:02 host kernel: [ 432.553542] type=1400 audit(1408399982.059:49): apparmor="DENIED" operation="open" parent=8696 profile="/usr/bin/xchat" name="/usr/share/pyshared/zope.interface-3.6.1-nspkg.pth" pid=8697 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 18 22:13:02 host kernel: [ 432.553610] type=1400 audit(1408399982.059:50): apparmor="DENIED" operation="open" parent=8696 profile="/usr/bin/xchat" name="/etc/python2.7/sitecustomize.py" pid=8697 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 18 22:13:02 host kernel: [ 432.567959] type=1400 audit(1408399982.071:51): apparmor="DENIED" operation="open" parent=8696 profile="/usr/bin/xchat" name="/usr/local/lib/python2.7/dist-packages/" pid=8697 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 18 22:13:02 host kernel: [ 432.568345] type=1400 audit(1408399982.075:52): apparmor="DENIED" operation="open" parent=8696 profile="/usr/bin/xchat" name="/usr/share/pyshared/pygst.pth" pid=8697 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 18 22:13:02 host kernel: [ 432.568366] type=1400 audit(1408399982.075:53): apparmor="DENIED" operation="open" parent=8696 profile="/usr/bin/xchat" name="/usr/share/pyshared/pygtk.pth" pid=8697 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0[/quote]

I have added the lines at the end of the profile. Not committed yet. For the message in the commit, did you get those messages after you started packaging Python applications?
I found the underlying issue:
https://github.com/Whonix/xchat-improved-privacy/commit/56e5c43d816fc9479a919adac4fbf88ccaa0ba8d

These AppArmor warnings should be fixed nevertheless (for those who re-enable those plugins).

[quote=“troubadour, post:336, topic:108”]This is due to the AppArmor profiles installed by Debian. They are not useful here. To remove them, run

The other profiles (from Whonix, yours…) will be left.[/quote]

Sorry, did not notice that Debian has its own profiles by default.

They’re not installed by default in Debian. It is a default Debian package (by Debian, not by Whonix). It is just installed by default in Whonix (not in Debian).

profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile sanitized_helper, failed to load

Those two are fixed in Debian jessie. No further action required by Whonix.

Got a new okular apparmor denied message.

apparmor="DENIED" operation="open" parent=6660 profile="/usr/bin/okular" name="/proc/sys/vm/overcommit_memory" pid=6999 comm="Okular::PixmapG" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

After running “apt-get purge apparmor-profile-whonixcheck” and even after “cd /etc/apparmor.d” and “sudo grep whonixcheck *” yielding no results, whonixcheck’s AppArmor profile was still in effect. Is this expected? Shouldn’t the profile be unloaded on purge? Or what must be done to really unload a profile without reboot?

This is expected. Once the profile is loaded in the kernel, the only way to remove it is to run “sudo apparmor_parser -R profile-name” or “sudo aa-disable profile-name”. Both commands expect the profile file to exist. So when the profile file is deleted (manually or after purging), the only way I know to unload it is rebooting.
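A reboot is not actually required. Both apparmor_parser -R and aa-disable only need the file in order to learn the profile's name; the kernel itself accepts a bare name written to the .remove node of the AppArmor securityfs directory. The following is an added example (mine, not Whonix's or the profile authors' code) that reproduces the two checks from the post above, "which profiles are loaded" and "does any file under /etc/apparmor.d still mention this one", and then drops an orphaned profile by name. It assumes securityfs is mounted at the usual /sys/kernel/security/apparmor; the paths are parameters so the same functions can be exercised against a scratch directory without root, which is what demo_in_scratch_dir does with constructed data.

```python
# Added example, not from the thread: find AppArmor profiles that are loaded
# in the kernel but no longer backed by a file, and unload one by name.
import os
import re
import tempfile

# Assumption: default securityfs mount point for AppArmor.
APPARMORFS = "/sys/kernel/security/apparmor"

# <apparmorfs>/profiles has one line per loaded profile, e.g.
#   /usr/bin/whonixcheck (enforce)
_PROFILE_LINE = re.compile(r"^(?P<name>.+?) \((?P<mode>[\w-]+)\)$")


def parse_profile_list(text):
    """Parse the 'profiles' file into {profile_name: mode}."""
    loaded = {}
    for line in text.splitlines():
        m = _PROFILE_LINE.match(line.strip())
        if m:
            loaded[m.group("name")] = m.group("mode")
    return loaded


def loaded_profiles(apparmorfs=APPARMORFS):
    with open(os.path.join(apparmorfs, "profiles")) as fh:
        return parse_profile_list(fh.read())


def orphaned_profiles(apparmorfs=APPARMORFS, profile_dir="/etc/apparmor.d"):
    """Loaded profile names that no file directly under profile_dir mentions.

    This mirrors the thread's 'grep whonixcheck /etc/apparmor.d/*' check. It is
    a substring match, so the result is a list of candidates to review.
    """
    texts = []
    for entry in os.listdir(profile_dir):
        path = os.path.join(profile_dir, entry)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                texts.append(fh.read())
    return sorted(name for name in loaded_profiles(apparmorfs)
                  if not any(name in t for t in texts))


def remove_profile(name, apparmorfs=APPARMORFS):
    """Ask the kernel to drop a loaded profile by name (needs root on a real
    system). Writing the name to <apparmorfs>/.remove does not require the
    profile file to exist, unlike apparmor_parser -R / aa-disable."""
    if name not in loaded_profiles(apparmorfs):
        return False
    with open(os.path.join(apparmorfs, ".remove"), "w") as fh:
        fh.write(name)
    return True


def demo_in_scratch_dir():
    """Run the checks against a constructed fake apparmorfs and profile dir.
    Returns (orphans, removed_ok, text written to .remove)."""
    with tempfile.TemporaryDirectory() as tmp:
        fs = os.path.join(tmp, "apparmor")
        etc = os.path.join(tmp, "apparmor.d")
        os.makedirs(fs)
        os.makedirs(etc)
        # Constructed kernel state: two loaded profiles ...
        with open(os.path.join(fs, "profiles"), "w") as fh:
            fh.write("/usr/bin/whonixcheck (enforce)\n/usr/bin/okular (complain)\n")
        # ... but only okular still has a file on disk (whonixcheck was purged).
        with open(os.path.join(etc, "usr.bin.okular"), "w") as fh:
            fh.write("/usr/bin/okular {\n  #include <abstractions/base>\n}\n")
        orphans = orphaned_profiles(fs, etc)
        ok = remove_profile("/usr/bin/whonixcheck", fs)
        with open(os.path.join(fs, ".remove")) as fh:
            written = fh.read()
        return orphans, ok, written


if __name__ == "__main__":
    print(demo_in_scratch_dir())
```

On a live system the equivalent one-liner is `echo -n /usr/bin/whonixcheck | sudo tee /sys/kernel/security/apparmor/.remove`; removing a profile also removes its child (`//`) profiles. Newer AppArmor releases ship aa-remove-unknown, which does this for every loaded profile that has no file under /etc/apparmor.d.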

[quote]I found the underlying issue: https://github.com/Whonix/xchat-improved-privacy/commit/56e5c43d816fc9479a919adac4fbf88ccaa0ba8d

These AppArmor warnings should be fixed nevertheless (for those who re-enable those plugins).[/quote]

Pushed the updates: New denied messages · troubadoour/apparmor-profile-xchat@7834981 · GitHub

[quote]Got a new okular apparmor denied message.[/quote]

Pushed the update: New denied message · troubadoour/apparmor-profile-okular@5c1fede · GitHub

Both merged! :slight_smile:

Getting some whonixcheck apparmor denied messages.

Aug 31 18:17:15 host kernel: [159281.094342] audit_printk_skb: 6 callbacks suppressed
Aug 31 18:17:15 host kernel: [159281.094346] type=1400 audit(1409509035.962:495): apparmor="DENIED" operation="unlink" parent=20184 profile="/usr/bin/whonixcheck" name="/usr/lib/python2.7/collections.pyc" pid=20185 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
Aug 31 18:17:15 host kernel: [159281.094732] type=1400 audit(1409509035.962:496): apparmor="DENIED" operation="unlink" parent=20184 profile="/usr/bin/whonixcheck" name="/usr/lib/python2.7/keyword.pyc" pid=20185 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
Aug 31 18:17:15 host kernel: [159281.096177] type=1400 audit(1409509035.962:497): apparmor="DENIED" operation="unlink" parent=20184 profile="/usr/bin/whonixcheck" name="/usr/lib/python2.7/heapq.pyc" pid=20185 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
Aug 31 18:17:15 host kernel: [159281.109815] type=1400 audit(1409509035.978:498): apparmor="DENIED" operation="unlink" parent=20184 profile="/usr/bin/whonixcheck" name="/usr/lib/python2.7/hashlib.pyc" pid=20185 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
Aug 31 18:17:16 host kernel: [159281.279107] type=1400 audit(1409509036.146:499): apparmor="DENIED" operation="unlink" parent=20195 profile="/usr/bin/whonixcheck" name="/usr/lib/python2.7/collections.pyc" pid=20197 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
Aug 31 18:17:16 host kernel: [159281.279539] type=1400 audit(1409509036.146:500): apparmor="DENIED" operation="unlink" parent=20195 profile="/usr/bin/whonixcheck" name="/usr/lib/python2.7/keyword.pyc" pid=20197 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
Aug 31 18:17:16 host kernel: [159281.289717] type=1400 audit(1409509036.158:501): apparmor="DENIED" operation="unlink" parent=20195 profile="/usr/bin/whonixcheck" name="/usr/lib/python2.7/heapq.pyc" pid=20197 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
Aug 31 18:17:16 host kernel: [159281.319534] type=1400 audit(1409509036.186:502): apparmor="DENIED" operation="unlink" parent=20195 profile="/usr/bin/whonixcheck" name="/usr/lib/python2.7/hashlib.pyc" pid=20197 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
Aug 31 18:17:16 host kernel: [159281.510620] type=1400 audit(1409509036.378:503): apparmor="DENIED" operation="unlink" parent=20220 profile="/usr/bin/whonixcheck" name="/usr/lib/python2.7/collections.pyc" pid=20221 comm="tor_circuit_est" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
Aug 31 18:17:16 host kernel: [159281.511063] type=1400 audit(1409509036.378:504): apparmor="DENIED" operation="unlink" parent=20220 profile="/usr/bin/whonixcheck" name="/usr/lib/python2.7/keyword.pyc" pid=20221 comm="tor_circuit_est" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0

Documented this:

[quote]Getting some whonixcheck apparmor denied messages.[/quote]

Pushed an update. The “d” mask is not documented anywhere. Because of operation=“unlink”, I have given the “l” mask. Could you test it?

[quote]Pushed an update. The “d” mask is not documented anywhere. Because of operation=“unlink”, I have given the “l” mask. Could you test it?[/quote]
Merged and testing now.

Works fine.
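The exchange above settles on an “l” rule for the unlink denials. As an added example (mine, not Whonix's or the profile author's code), here is a small parser that turns DENIED audit records like the ones quoted in this thread into candidate profile rules, the way one would sanity-check aa-logprof output. Two things it encodes that the thread leaves open: in the audit log “d” means delete and “c” means create, and both are granted by a “w” rule (“l” is the hard-link permission); and for the whonixcheck case specifically, an unprivileged process (fsuid=1000) deleting root-owned .pyc files (ouid=0) is something DAC would refuse regardless, so a quiet `deny` rule that only stops the log noise is a smaller change than widening the profile. The sample records are copied from this thread (the whonixcheck set shortened to two files); the @{PROC} substitution assumes the standard tunables are included, and the root-owned-target heuristic is exactly that, a hint to verify.

```python
# Added example, not from the thread: turn apparmor="DENIED" audit lines
# into candidate profile rules, with the denied_mask letters mapped to the
# rule permissions that actually grant them.
import re
from collections import defaultdict

# Constructed sample: records quoted earlier in this thread, plus one
# 'callbacks suppressed' line to show non-records are ignored.
SAMPLE_LOG = """\
Aug 31 18:17:15 host kernel: [159281.094342] audit_printk_skb: 6 callbacks suppressed
Aug 31 18:17:15 host kernel: [159281.094346] type=1400 audit(1409509035.962:495): apparmor="DENIED" operation="unlink" parent=20184 profile="/usr/bin/whonixcheck" name="/usr/lib/python2.7/collections.pyc" pid=20185 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
Aug 31 18:17:16 host kernel: [159281.511063] type=1400 audit(1409509036.378:504): apparmor="DENIED" operation="unlink" parent=20220 profile="/usr/bin/whonixcheck" name="/usr/lib/python2.7/keyword.pyc" pid=20221 comm="tor_circuit_est" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" parent=6660 profile="/usr/bin/okular" name="/proc/sys/vm/overcommit_memory" pid=6999 comm="Okular::PixmapG" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; values are either "quoted" or a bare token.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# denied_mask letter -> permission to put in the rule.  'd' (delete) and
# 'c' (create) are not rule permissions; both are covered by 'w'.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "d": "w", "c": "w",
                "l": "l", "k": "k", "m": "m"}


def parse_denials(text):
    """Return one dict per apparmor="DENIED" record; other lines are skipped."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        records.append({k: v.strip('"') for k, v in _KV.findall(line)})
    return records


def perm_for_mask(mask):
    """Set of rule permissions needed to satisfy a denied_mask string."""
    perms = set()
    for ch in mask:
        if ch == "x":
            perms.add("x?")   # exec needs a deliberate ix/px/ux choice by hand
        else:
            perms.add(MASK_TO_PERM.get(ch, ch + "?"))
    return perms


def suggest_rules(text):
    """Return {profile: [rule, ...]}, one rule per path, permissions merged.

    Heuristic: a write-class denial (perm contains 'w') against a root-owned
    target (ouid=0) from a non-root process (fsuid!=0) is flagged for a quiet
    'deny' rule instead of an allow, since DAC would refuse it anyway.  For
    unlink it is the directory's mode that decides, so verify before trusting.
    """
    wanted = defaultdict(lambda: defaultdict(lambda: {"perms": set(), "quiet_deny": False}))
    for rec in parse_denials(text):
        if "name" not in rec or "denied_mask" not in rec:
            continue   # capability/network/signal denials need other rule types
        entry = wanted[rec["profile"]][rec["name"]]
        perm = perm_for_mask(rec["denied_mask"])
        entry["perms"].update(perm)
        if "w" in perm and rec.get("ouid") == "0" and rec.get("fsuid", "0") != "0":
            entry["quiet_deny"] = True

    rules = {}
    for profile, paths in wanted.items():
        lines = []
        for path, entry in paths.items():
            path = re.sub(r"^/proc/", "@{PROC}/", path)   # from tunables/proc
            perms = "".join(sorted(entry["perms"]))
            prefix = "deny " if entry["quiet_deny"] else ""
            lines.append(f"{prefix}{path} {perms},")
        rules[profile] = sorted(lines)
    return rules


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"# {profile}")
        for rule in lines:
            print(f"  {rule}")
```

Feed it `journalctl -k` or `dmesg` output instead of SAMPLE_LOG to get the same grouping for a live profile. AppArmor does not log hits on `deny` rules unless they are written as `audit deny`, which is why the quiet form silences the messages without granting anything.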

When installing the torbrowser profile with “sudo apt-get install apparmor-profile-torbrowser”, the last update is missing ("@{HOME}/tor-browser_*/Data/Browser/profile.default/ r,").

It’s OK when installing from github.

Pushed an update to the icedove profile.

[quote=“troubadour, post:356, topic:108”]When installing the torbrowser profile with “sudo apt-get install apparmor-profile-torbrowser”, the last update is missing (“@{HOME}/tor-browser_*/Data/Browser/profile.default/ r,”).

It’s OK when installing from github.[/quote]
Off-topic: I thought I answered that a few days ago. Somehow it got lost perhaps.

On-topic: This is expected. I am not keeping the remote repository up to date yet. When there are releases, the remote repository will be up to date. But I am not sure the effort maintaining the repository for use outside of Whonix would be justified.

[quote=“troubadour, post:357, topic:108”]Pushed an update to the icedove profile.
https://github.com/troubadoour/apparmor-profile-icedove/commit/c0dfbd5aa93f0654702b773a9d48849a0943f716[/quote]
Merged.

Update to the Tor Browser profile.

[quote=“troubadour, post:309, topic:108”][quote]
Quote from: troubadour on July 27, 2014, 10:22:04 pm
When installing Icedove for the first time, clicking a link in a message tries to start Iceweasel, which is not allowed (rightly) if Icedove is confined by AppArmor.

To use Tor Browser instead,
 
   Preferences -> Advanced -> Config Editor -> network.protocol-handler.warn-external.http and
   Preferences -> Advanced -> Config Editor -> network.protocol-handler.warn-external.https

have to be set to "true".

When a link is clicked, a popup asking for the preferred browser is shown, where one should select "/home/user/tor-browser_[your-language]/Browser/firefox".

Should we mention it somewhere in the wiki?[/quote]

I am not sure I 100% understand, but please feel free to document this.[/quote]

When I switched to Whonix 8.6, I had to install Icedove, like everyone, I guess. Clicking a link in an email was opening Iceweasel directly. One can use right-click “Copy Link Location” and paste it in Tor Browser, but I modified the preferences in Icedove to open it in Tor Browser, on the ground that it is safer that way than opening both browsers at the same time or Iceweasel only, despite the ongoing discussion in tor-talk and on GitLab.

This is still valid. I can document this (with clearer explanations), but I do not see where in the wiki.

By the way, I will take some time to update the AppArmor part in the wiki.