Whonix AppArmor Profiles Development Discussion

It is true that I have to be careful with the files I deny in the profiles, but the ones you submitted are not in my version of the Workstation. In this regard, the question is: should I allow or deny them? It certainly does not open a security threat in the case of fontconfig or kate-2.desktop, so the answer is to allow them. But why are our versions different? I have to write the profiles for the majority of the users, and I assume that they have downloaded and are using the same Whonix 8 as mine.

I will review the profiles after your remarks. I think the first batch of denied files (/etc/resolv.conf, /etc/passwd…) was in the right line. For the rest, especially the DE specific ones, it should be safe to allow everything. And sooner or later, I am sure there will be alternatives to KDE, be it Xfce or LXDE (I cannot imagine somebody in her right mind wanting to use Gnome3). I have built a terminal-only Workstation and installed Xfce4, but I must have missed a step, because I cannot run whonixcheck. More on that in the proper thread. As far as I know, Xfce uses some Gnome features, and I will have to add them in all the profiles so that they can be used regardless of the environment.

Browser fingerprinting. When I started with the TBB profile, I was allowing only the required files dealing with the fonts. I checked the fingerprint with ip-check.info once in a while during the process, confined and open. No difference.* Some new messages were flashing as I was testing, so I included <abstractions/fonts>. From a standardization point of view, it makes sense. And then, should I put the fontconfig line in <abstractions/fonts>, instead of leaving it as a lone reference to the fonts in the profile?

I have not rechecked the fingerprint since, I will do.

* There are some parts of the test that are not displayed in ip-check.info, because it needs a plug-in (probably Flash).

In this regard, the question is: should I allow or deny them?
Allow.
But why are our versions different?
Because I am installing lots of additional packages from Debian.

Applications seem to interact with lots of other files and packages.

I have to write the profiles for the majority of the users, and I assume that they have downloaded and are using the same Whonix 8 as mine.
Sure.
Browser fingerprinting. When I started with the TBB profile, I was allowing only the required files dealing with the fonts. I checked the fingerprint with ip-check.info once in a while during the process, confined and open. No difference.*
In my opinion the ip-check.info test is a non-Free (as in Freedom) service advertising the jondonym service. Causing lots of confusion and wasted time discussing it. Not a substitute for real browser fingerprinting test.
Some new messages were flashing as I was testing, so I included <abstractions/fonts>. From a standardization point of view, it makes sense.
Yes.
And then, should I put the fontconfig line in <abstractions/fonts>, instead of leaving it as a lone reference to the fonts in the profile?
Including abstractions/fonts is fine. Editing abstractions/fonts, i.e. forking the Debian defaults, should only be done if inevitable, because when Debian updates that file later, we end up with merge conflicts (the user gets an interactive dpkg conflict resolution prompt while updating). Ideally abstractions/fonts would be updated upstream or, as an alternative, create an abstractions/fonts_ext or so.
I have not rechecked the fingerprint since, I will do.
I don't think you can do more than a rudimentary fingerprinting test, since there are no tools available for that task that are at least 50% finished. There are too many opportunities for browser fingerprinting.

Trying to update the profiles. Get a database error.

Now fixed.

I have updated the TBB and Icedove profiles according to your latest comments. They have been reorganized to be more readable. The denied messages you reported were put in local profiles, so that I can follow them easily and they may be removed if they are included in a Whonix release.

I have added the VirtualBox profile, too.

I did not want to create a /dev/apparmor page before I was clear about the approach to writing profiles, especially for the ‘deny’ statement. It is clearer now, but before I start it, I’d like to go ahead with some more. I have checked Pidgin, it is not complete for me. I will do whonixcheck and timesync, XChat, and since I like to listen to my favorite streaming music radios, Radiotray, which I use nearly full time. Or a more general audio streaming profile.

Then it might be a good idea to try to attract more attention from outsiders at Debian, Ubuntu, the one who wrote the original profile I started with, maybe from tor-talk… That could be a nice promotion for Whonix.

What do you think?

Added <abstractions/kde> and <abstractions/gnome> to the TBB profile. Should save some work.

Added some minor (non-profile related) fixes.

About…

There are also other languages supported. Could we make this

/home/user/tor-browser_*/Browser/firefox {

?

I am getting a few more denied messages.

Mar 5 13:38:11 host kernel: [38300.890500] type=1400 audit(1394026691.239:80): apparmor="DENIED" operation="open" parent=4471 profile="/usr/lib/icedove/icedove" name="/etc/gnome-vfs-2.0/modules/" pid=4773 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 5 13:38:11 host kernel: [38301.076401] type=1400 audit(1394026691.427:81): apparmor="DENIED" operation="open" parent=4471 profile="/usr/lib/icedove/icedove" name="/usr/share/poppler/cMap/Adobe-CNS1/" pid=4773 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 5 13:38:11 host kernel: [38301.076420] type=1400 audit(1394026691.427:82): apparmor="DENIED" operation="open" parent=4471 profile="/usr/lib/icedove/icedove" name="/usr/share/poppler/cMap/Adobe-GB1/" pid=4773 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 5 13:38:11 host kernel: [38301.076443] type=1400 audit(1394026691.427:83): apparmor="DENIED" operation="open" parent=4471 profile="/usr/lib/icedove/icedove" name="/usr/share/poppler/cMap/Adobe-Japan2/" pid=4773 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 5 13:38:11 host kernel: [38301.076461] type=1400 audit(1394026691.427:84): apparmor="DENIED" operation="open" parent=4471 profile="/usr/lib/icedove/icedove" name="/usr/share/poppler/cMap/Adobe-Japan1/" pid=4773 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 5 13:38:11 host kernel: [38301.076477] type=1400 audit(1394026691.427:85): apparmor="DENIED" operation="open" parent=4471 profile="/usr/lib/icedove/icedove" name="/usr/share/poppler/cMap/Adobe-Korea1/" pid=4773 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 5 13:38:11 host kernel: [38301.178256] type=1400 audit(1394026691.527:86): apparmor="DENIED" operation="open" parent=4471 profile="/usr/lib/icedove/icedove" name="/etc/xul-ext/enigmail.js" pid=4773 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 5 13:38:12 host kernel: [38302.191644] type=1400 audit(1394026692.539:87): apparmor="DENIED" operation="open" parent=4471 profile="/usr/lib/icedove/icedove" name="/usr/share/applications/mimeinfo.cache" pid=4773 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 5 13:38:12 host kernel: [38302.191685] type=1400 audit(1394026692.539:88): apparmor="DENIED" operation="open" parent=4471 profile="/usr/lib/icedove/icedove" name="/usr/share/applications/mimeinfo.cache" pid=4773 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I don’t have Adobe Flash installed.

Also getting similar denied messages for TBB.

Mar 5 13:40:58 host kernel: [38467.922602] type=1400 audit(1394026858.271:89): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/poppler/cMap/Adobe-CNS1/" pid=5203 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 5 13:40:58 host kernel: [38467.922622] type=1400 audit(1394026858.271:90): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/poppler/cMap/Adobe-GB1/" pid=5203 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 5 13:40:58 host kernel: [38467.922639] type=1400 audit(1394026858.271:91): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/poppler/cMap/Adobe-Japan2/" pid=5203 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 5 13:40:58 host kernel: [38467.922656] type=1400 audit(1394026858.271:92): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/poppler/cMap/Adobe-Japan1/" pid=5203 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Another thing:
Have you seen the /etc/apparmor.d/whonix file already?

Some more denied messages from icedove.

Mar 5 13:46:15 host kernel: [38785.090621] type=1400 audit(1394027175.443:93): apparmor="DENIED" operation="file_lock" parent=4471 profile="/usr/lib/icedove/icedove" name="/home/user/.cache/event-sound-cache.tdb.b08dfa6083e7567a1921a715000001fb.i486-pc-linux-gnu" pid=4773 comm="icedove" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
Mar 5 13:46:15 host kernel: [38785.091020] type=1400 audit(1394027175.443:94): apparmor="DENIED" operation="file_lock" parent=4471 profile="/usr/lib/icedove/icedove" name="/home/user/.cache/event-sound-cache.tdb.b08dfa6083e7567a1921a715000001fb.i486-pc-linux-gnu" pid=4773 comm="icedove" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
Mar 5 13:46:17 host kernel: [38787.316414] type=1400 audit(1394027177.667:95): apparmor="DENIED" operation="exec" parent=4773 profile="/usr/lib/icedove/icedove" name="/usr/bin/gpg2" pid=5926 comm="icedove" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

The profiles are updated after your last messages. The lines about the fonts in ‘/usr/share/poppler/cMap/’ are in the local profiles.

There are also other languages supported. Could we make this
/home/user/tor-browser_*/Browser/firefox {

?

No, we can use wildcards only between the brackets. ‘/home/user/tor-browser_en-US/Browser/firefox {’ refers to the file being confined. Earlier, I have tried ‘@{HOME}/tor-browser_en-US/Browser/firefox’ to try to get around the potential problem with the user changing her HOME. It did not work either. For that, maybe we can create a symlink in ‘/etc/apparmor.d’ to ‘tor-browser_en-US.Browser.firefox’ in HOME.

Afterthought. No symlink, it would not work. Trying something else.

Updated the Pidgin profile (two lines). It is now working without denied messages flashing.

The iceweasel profile doesn’t allow one to save attachments or mails to disk.

Warning, when you go to janusvm.tumblr.com and scroll down with TBB profile enabled, your browser crashes. Getting the following denied messages.

Mar 6 11:45:02 host kernel: [48648.500844] type=1400 audit(1394106302.099:151): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/alsa/alsa.conf.d/" pid=24429 comm=4D6564696120417564696F requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 6 11:45:02 host kernel: [48648.503878] type=1400 audit(1394106302.099:152): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/alsa/cards/aliases.conf" pid=24429 comm=4D6564696120417564696F requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 6 11:45:02 host kernel: [48648.503924] type=1400 audit(1394106302.099:153): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/dev/snd/controlC0" pid=24429 comm=4D6564696120417564696F requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Same for Firefox. No downloads possible.

Perhaps it would make sense to look into existing Firefox / Iceweasel profiles to prevent re-inventing the wheel? I guess those could have suggestions for what must be added to not restrict legitimate features.

The iceweasel profile doesn't allow one to save attachments or mails to disk.

The downloads for TBB or the attachments for Icedove have to go in ‘~/Downloads’. Same for the files you want to upload or send as attachments. I have just downloaded the Whonix signing key as an attachment, for test.

I have chosen Downloads because it comes as a standard in many Linux distributions. You have to create it and you can access it from the dialog box. The rest is denied and will flash a message if you try to use it. I will have a look at existing profiles, though, if I can find any.

I had the problem with alsa before, I had allowed ‘/usr/share/alsa/alsa.conf’. I changed it, allowing everything there: ‘/usr/share/alsa/** r,’ and added ‘/dev/snd/* r,’. That should take care of the sound.

Also, when opening the download dialog, you might see a lot of messages with all the files in the home directory denied. More on that in the next update, along with a major reorganization proposal.
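The denied messages quoted in this thread, and the fix of replacing ‘/usr/share/alsa/alsa.conf’ with ‘/usr/share/alsa/** r,’ plus ‘/dev/snd/* r,’, are the kind of thing you end up doing by hand for every profile. The script below is an added example, not code from this thread or from the Whonix project: it parses AppArmor DENIED audit lines (the sample is built from the log lines posted above, including the hex-encoded comm value from the Tor Browser crash), decodes the hex comm, reports which denials a candidate set of rules would still leave uncovered, and emits candidate lines for a local profile. The glob translation is a simplification of AppArmor’s matching (only `*`, `**` and `?`; no `{a,b}` alternation or character classes) and the `**` handling is an assumption that it may match zero characters.

```python
import re
from collections import defaultdict

# Constructed sample: AppArmor audit lines copied from this thread's posts (kernel log format).
SAMPLE_LOG = """\
Mar 5 13:38:11 host kernel: [38301.076401] type=1400 audit(1394026691.427:81): apparmor="DENIED" operation="open" parent=4471 profile="/usr/lib/icedove/icedove" name="/usr/share/poppler/cMap/Adobe-CNS1/" pid=4773 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 5 13:38:11 host kernel: [38301.076420] type=1400 audit(1394026691.427:82): apparmor="DENIED" operation="open" parent=4471 profile="/usr/lib/icedove/icedove" name="/usr/share/poppler/cMap/Adobe-GB1/" pid=4773 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 5 13:46:17 host kernel: [38787.316414] type=1400 audit(1394027177.667:95): apparmor="DENIED" operation="exec" parent=4773 profile="/usr/lib/icedove/icedove" name="/usr/bin/gpg2" pid=5926 comm="icedove" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Mar 6 11:45:02 host kernel: [48648.500844] type=1400 audit(1394106302.099:151): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/alsa/alsa.conf.d/" pid=24429 comm=4D6564696120417564696F requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 6 11:45:02 host kernel: [48648.503878] type=1400 audit(1394106302.099:152): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/alsa/cards/aliases.conf" pid=24429 comm=4D6564696120417564696F requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 6 11:45:02 host kernel: [48648.503924] type=1400 audit(1394106302.099:153): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/dev/snd/controlC0" pid=24429 comm=4D6564696120417564696F requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=unquoted. The kernel audit code hex-encodes a value that
# contains spaces or quotes and then emits it unquoted (comm=4D65... above).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict per apparmor="DENIED" line, with hex-encoded comm values decoded."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields, quoted = {}, set()
        for key, qval, uval in FIELD_RE.findall(line):
            if qval:
                fields[key] = qval
                quoted.add(key)
            else:
                fields[key] = uval
        comm = fields.get("comm", "")
        if "comm" not in quoted and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", comm):
            fields["comm"] = bytes.fromhex(comm).decode("utf-8", "replace")
        denials.append(fields)
    return denials


def glob_to_regex(rule_path):
    """Simplified AppArmor globbing: '*' and '?' stop at '/', '**' crosses '/'
    (assumption: '**' is allowed to match zero characters)."""
    out, i = "^", 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            out, i = out + ".*", i + 2
        elif rule_path[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif rule_path[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(rule_path[i]), i + 1
    return re.compile(out + "$")


def uncovered(denials, rules):
    """Return the denials that no (path_glob, perms) rule in `rules` would permit."""
    compiled = [(glob_to_regex(path), set(perms)) for path, perms in rules]
    return [d for d in denials
            if not any(rx.match(d["name"]) and set(d["denied_mask"]) <= perms
                       for rx, perms in compiled)]


def suggest_rules(denials):
    """Aggregate denials per profile and path into candidate local-profile lines.
    Exec denials get a comment instead of a rule: the transition mode (ix/Px/Ux)
    is a design decision, not something to copy from the log."""
    by_profile = defaultdict(lambda: defaultdict(set))
    for d in denials:
        by_profile[d["profile"]][d["name"]].update(d["denied_mask"])
    suggestions = {}
    for profile, paths in by_profile.items():
        rules = []
        for path in sorted(paths):
            perms = "".join(sorted(paths[path]))
            if "x" in perms:
                rules.append(f"# {path}: exec denied; pick ix/Px/Ux deliberately")
            else:
                rules.append(f"{path} {perms},")
        suggestions[profile] = rules
    return suggestions


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    # The rules from the thread: '/usr/share/alsa/** r,' and '/dev/snd/* r,'.
    alsa_rules = [("/usr/share/alsa/**", "r"), ("/dev/snd/*", "r")]
    for d in uncovered(denials, alsa_rules):
        print("still denied:", d["profile"], d["name"], d["denied_mask"], "comm=" + d["comm"])
    for profile, rules in suggest_rules(denials).items():
        print(f"\n# candidate lines for local profile of {profile}")
        print("\n".join(rules))
```

Running it shows why the single-star rule would not have been enough: ‘/usr/share/alsa/*’ stops at a path separator, so ‘/usr/share/alsa/cards/aliases.conf’ and the ‘alsa.conf.d/’ directory still fall through, while ‘/usr/share/alsa/**’ covers them. The decoded comm for the crash lines is "Media Audio", a Firefox media thread name, which is why the kernel hex-encoded it.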

Fixed.

I have finished the timesync profile in complain mode, but it does not start in enforce mode, and that one might be tricky. I cannot put it in the AppArmor page, therefore now is probably the right time to create the dev/AppArmor page. But before putting the profile there, I have a suggestion.

Reading the profiles written until now, one can find some common lines, especially concerning Whonix. It would be a good idea to write an <abstractions/whonix> file. That would let us clean the profiles and make them easier to port as is to Debian, for example. And easier to write new profiles.

The second thing would be to write a profile template, including <abstractions/whonix> amongst other things. This template is beginning to take shape.

The wiki Apparmor page begins to be crowded, and it will grow bigger. It might be an idea to make sub-pages, put a little more literature in the main page, and put the profiles in their own page.

Sounds all very good to me. :)

Perhaps it would make sense to look into existing Firefox / Iceweasel profiles to prevent re-inventing the wheel?

Oh my! There is a Firefox profile in Ubuntu 12.04. I will put it side by side with mine and merge the best of both.

I have started with a new AppArmor page. We could show the experimental warning only in the main page. If you agree, could you change ‘The following AppArmor profile is still experimental’ to ‘The following AppArmor profiles are still experimental’?

By the way, where can I find this warning?