Whonix AppArmor Profiles Development Discussion

This is what I found out what

is doing…

Which results in.

profile system_tor: has merged rule /usr/bin/obfsproxy with conflicting x modifiers
ERROR merging rules for profile system_tor, failed to load

Probably found cause and workaround:

I am not that happy with what The Tor Project did in file

/etc/apparmor.d/abstractions/tor

with

/usr/bin/obfsproxy PUx,
Pux - as Px but fallback to executing unconfined if the target profile is not found

Since there is no obfsproxy AppArmor profile, obfsproxy would now run unconfined. I guess this requires a hotfix, i.e. Whonix 9.1.

Removing

/usr/bin/obfsproxy rix,

from anon-gw-anonymizer-config/etc/apparmor.d/local/system_tor.anondist at master · Whonix/anon-gw-anonymizer-config · GitHub should be appropriate.

As a fix for Whonix 10, we should probably remove the whole

[code]
obfsproxy

/usr/local/lib/python2.7/** r,
/var/log/tor/log rw,
/dev/urandom r,
/dev/random r,
/usr/** r,
/etc/python2.7/sitecustomize.py r,
/usr/bin/obfsproxy rix,
[/code]

and eventually provide a separate AppArmor profile package for obfsproxy or submit a profile upstream.

Wondering what

/var/log/tor/log rw,

does in that list anyway? Should be outside that list?

More gwenview related AppArmor denied messages.

Sep 24 22:28:30 host kernel: [ 1327.817571] type=1400 audit(1411597710.710:46): apparmor="DENIED" operation="open" parent=6916 profile="/usr/bin/gwenview" name="/usr/share/poppler/cMap/Adobe-CNS1/" pid=15810 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 24 22:28:30 host kernel: [ 1327.817615] type=1400 audit(1411597710.710:47): apparmor="DENIED" operation="open" parent=6916 profile="/usr/bin/gwenview" name="/usr/share/poppler/cMap/Adobe-GB1/" pid=15810 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 24 22:28:30 host kernel: [ 1327.817654] type=1400 audit(1411597710.710:48): apparmor="DENIED" operation="open" parent=6916 profile="/usr/bin/gwenview" name="/usr/share/poppler/cMap/Adobe-Japan2/" pid=15810 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 24 22:28:30 host kernel: [ 1327.817692] type=1400 audit(1411597710.710:49): apparmor="DENIED" operation="open" parent=6916 profile="/usr/bin/gwenview" name="/usr/share/poppler/cMap/Adobe-Japan1/" pid=15810 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 24 22:28:30 host kernel: [ 1327.817728] type=1400 audit(1411597710.710:50): apparmor="DENIED" operation="open" parent=6916 profile="/usr/bin/gwenview" name="/usr/share/poppler/cMap/Adobe-Korea1/" pid=15810 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 24 22:28:30 host kernel: [ 1327.905801] type=1400 audit(1411597710.798:51): apparmor="DENIED" operation="open" parent=6916 profile="/usr/bin/gwenview" name="/home/user/.local/share/user-places.xbel" pid=15810 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

I missed your first posts on that one.

Probably found cause and workaround: https://www.whonix.org/forum/index.php/topic,559.msg4313.html#msg4313

Yes. That was one way, since we cannot modify abstractions.

The apparmor_parser error

profile has merged rule /usr/bin/obfsproxy with conflicting x modifiers

is true to the letter. In the local profile, we declare “/usr/bin/obfsproxy rix,”, and <abstractions/tor> suddenly says, out of the blue, “/usr/bin/obfsproxy PUx,”. apparmor_parser cannot replace the profile with these conditions. [The ‘-r’ switch stands for “replace”, not “reload”, that makes a difference if the profile is cached or not, and might explain why the problem has been delayed for me].

The problem does not lie with the process being run unconfined, but with two contradictory declarations. In the local profile, replacing “/usr/bin/obfsproxy rix,” with “/usr/bin/obfsproxy PUx,” solves the problem too. As far as I know, AppArmor does not care whether a process exists or not.

I am not that happy with what The Tor Project did in file [code] /etc/apparmor.d/abstractions/tor[/code]

Rightly… I guess someone upstream was using obfsproxy AND AppArmor. Giving the “PUx” mask was the easiest way to get around the problem (tor would not start, most likely), but, as it concerns the whole population of tor+AppArmor users, the line should not be in abstractions. Most of them won’t be affected (outside Whonix, I do not believe many people have a ‘system_tor’ local profile), but the group of people using this configuration should have created and used a local profile. In that sense, it would probably be worth filing a complaint (or whatever, I don’t know the procedure).

As a fix for Whonix 10, we should probably remove the whole

[code]
obfsproxy

/usr/local/lib/python2.7/** r,
/var/log/tor/log rw,
/dev/urandom r,
/dev/random r,
/usr/** r,
/etc/python2.7/sitecustomize.py r,
/usr/bin/obfsproxy rix,
[/code]

and eventually provide a separate AppArmor profile package for obfsproxy or submit a profile upstream.

Yes, we could create a profile for obfsproxy and use “/usr/bin/obfsproxy Px,” only in local/system_tor. Then, we could submit it when we are happy with it.

Wondering what
/var/log/tor/log rw,

does in that list anyway? Should be outside that list?

Maybe obfsproxy has to write its own log somewhere? Anyhow, that could be investigated when we use it.
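The “conflicting x modifiers” error discussed above comes from the same path carrying different exec modifiers in the local profile and in the abstraction. The following checker is an added example, not code from the thread or from Whonix: it parses simple AppArmor file rules from two constructed rule sets (modelled on local/system_tor and <abstractions/tor>, not the real files) and reports paths whose exec modifiers disagree, which is exactly what apparmor_parser refuses to merge.

```python
import re

# Constructed rule sets modelled on the conflict in the thread: the local
# system_tor profile says "rix" while <abstractions/tor> says "PUx" for the
# same path. The real files live under /etc/apparmor.d/ and are longer.
LOCAL_SYSTEM_TOR = """
/usr/local/lib/python2.7/** r,
/var/log/tor/log rw,
/usr/bin/obfsproxy rix,
"""
ABSTRACTION_TOR = """
/usr/bin/obfsproxy PUx,
/etc/tor/** r,
"""

# Simple file rule: optional "owner", a path, a permission string, a comma.
RULE_RE = re.compile(r'^\s*(?:owner\s+)?(\S+)\s+([a-zA-Z]+)\s*,\s*$')
# Exec modifier: the qualifier letters (i, p/P, u/U, c/C) directly before 'x'.
EXEC_RE = re.compile(r'([iPpUuCc]*x)')

def parse_rules(text):
    """Return {path: permission string} for the simple file rules in text."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[m.group(1)] = m.group(2)
    return rules

def exec_mode(perms):
    """Return the exec modifier in a permission string ('ix', 'PUx', ...) or None."""
    m = EXEC_RE.search(perms)
    return m.group(1) if m else None

def find_exec_conflicts(*sources):
    """sources are (label, rule text) pairs. Returns [(path, {label: mode})]
    for every path whose exec modifier differs between the sources, which is
    the condition that makes apparmor_parser fail to merge the profile."""
    modes = {}
    for label, text in sources:
        for path, perms in parse_rules(text).items():
            mode = exec_mode(perms)
            if mode:
                modes.setdefault(path, {})[label] = mode
    return [(p, m) for p, m in modes.items() if len(set(m.values())) > 1]

if __name__ == "__main__":
    for path, modes in find_exec_conflicts(("local/system_tor", LOCAL_SYSTEM_TOR),
                                           ("abstractions/tor", ABSTRACTION_TOR)):
        print(f"conflicting x modifiers for {path}: {modes}")
```

Changing the local rule to the same modifier as the abstraction, as troubadour suggests, makes the checker report nothing.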

torbrowser-launcher doesn’t work in Whonix 10 anymore. Can you check please?

Sep 25 17:19:33 host kernel: [55710.114316] type=1400 audit(1411665573.214:191): apparmor="DENIED" operation="open" parent=6872 profile="/usr/bin/torbrowser-launcher" name="/dev/tty" pid=6876 comm="gpg" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
Sep 25 17:19:33 host kernel: [55710.114389] type=1400 audit(1411665573.214:192): apparmor="DENIED" operation="open" parent=6872 profile="/usr/bin/torbrowser-launcher" name="/dev/pts/5" pid=6876 comm="gpg" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
Sep 25 17:19:33 host kernel: [55710.115796] type=1400 audit(1411665573.214:193): apparmor="DENIED" operation="open" parent=6872 profile="/usr/bin/torbrowser-launcher" name="/dev/tty" pid=6876 comm="uwtwrapper" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
Sep 25 17:19:33 host kernel: [55710.115844] type=1400 audit(1411665573.214:194): apparmor="DENIED" operation="open" parent=6872 profile="/usr/bin/torbrowser-launcher" name="/dev/pts/5" pid=6876 comm="uwtwrapper" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
Sep 25 17:19:33 host kernel: [55710.117354] type=1400 audit(1411665573.218:195): apparmor="DENIED" operation="exec" parent=6876 profile="/usr/bin/torbrowser-launcher" name="/usr/bin/basename" pid=6877 comm="uwtwrapper" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep 25 17:19:33 host kernel: [55710.117372] type=1400 audit(1411665573.218:196): apparmor="DENIED" operation="open" parent=6876 profile="/usr/bin/torbrowser-launcher" name="/usr/bin/basename" pid=6877 comm="uwtwrapper" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 25 17:19:33 host kernel: [55710.118877] type=1400 audit(1411665573.218:197): apparmor="DENIED" operation="exec" parent=6878 profile="/usr/bin/torbrowser-launcher" name="/bin/grep" pid=6880 comm="uwtwrapper" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep 25 17:19:33 host kernel: [55710.118900] type=1400 audit(1411665573.218:198): apparmor="DENIED" operation="open" parent=6878 profile="/usr/bin/torbrowser-launcher" name="/bin/grep" pid=6880 comm="uwtwrapper" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 25 17:19:33 host kernel: [55710.120611] type=1400 audit(1411665573.222:199): apparmor="DENIED" operation="exec" parent=6876 profile="/usr/bin/torbrowser-launcher" name="/bin/bash" pid=6881 comm="uwtwrapper" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep 25 17:19:33 host kernel: [55710.120637] type=1400 audit(1411665573.222:200): apparmor="DENIED" operation="open" parent=6876 profile="/usr/bin/torbrowser-launcher" name="/bin/bash" pid=6881 comm="uwtwrapper" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Looks like we need an addition to apparmor-profile-anondist?

It looks like you have torbrowser-launcher installed. It’s available in jessie, but I do not know if it’s installed by default in a fresh installation.

Could you check your /etc/apparmor.d ? Most likely, you have the following profiles:

    system_tor
    torbrowser.Browser.firefox
    torbrowser.start-tor-browser
    torbrowser.Tor.tor
    usr.bin.torbrowser-launcher

If you purge torbrowser-launcher, it should remove the profiles. Just tried it in my host.

More gwenview related AppArmor denied messages.

Pushed an update. Permissions to standard HOME directories · troubadoour/apparmor-profile-gwenview@9272818 · GitHub

Yes and this is an issue with torbrowser-launcher.

Could you check your /etc/apparmor.d ? Most likely, you have the following profiles:
[code]
system_tor
torbrowser.Browser.firefox
torbrowser.start-tor-browser
torbrowser.Tor.tor
usr.bin.torbrowser-launcher
[/code]

I had these.

If you purge torbrowser-launcher, it should remove the profiles. Just tried it in my host.

Yes, “sudo apt-get purge torbrowser-launcher” purges

torbrowser.Browser.firefox
torbrowser.start-tor-browser
torbrowser.Tor.tor
usr.bin.torbrowser-launcher

Just installed v0.1.4 from GitHub - torproject/torbrowser-launcher: Securely and easily download, verify, install, and launch Tor Browser in Linux. This repository is a mirror of https://gitlab.torproject.org/tpo/applications/torbrowser-launcher (signed git tag available).

Getting the following errors.

Sep 25 18:59:01 host kernel: [61675.553821] type=1400 audit(1411671541.609:251): apparmor="DENIED" operation="exec" parent=15693 profile="/usr/bin/torbrowser-launcher" name="/usr/bin/basename" pid=15694 comm="uwtwrapper" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep 25 18:59:01 host kernel: [61675.553840] type=1400 audit(1411671541.609:252): apparmor="DENIED" operation="open" parent=15693 profile="/usr/bin/torbrowser-launcher" name="/usr/bin/basename" pid=15694 comm="uwtwrapper" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 25 18:59:01 host kernel: [61675.557093] type=1400 audit(1411671541.613:253): apparmor="DENIED" operation="exec" parent=15693 profile="/usr/bin/torbrowser-launcher" name="/bin/bash" pid=15698 comm="uwtwrapper" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep 25 18:59:01 host kernel: [61675.557115] type=1400 audit(1411671541.613:254): apparmor="DENIED" operation="open" parent=15693 profile="/usr/bin/torbrowser-launcher" name="/bin/bash" pid=15698 comm="uwtwrapper" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 25 18:59:01 host kernel: [61675.558186] type=1400 audit(1411671541.613:255): apparmor="DENIED" operation="open" parent=28234 profile="/usr/bin/torbrowser-launcher" name="/home/user/.kde/share/config/gtkrc-2.0" pid=15689 comm="torbrowser-laun" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 25 18:59:01 host kernel: [61675.589822] type=1400 audit(1411671541.645:256): apparmor="DENIED" operation="open" parent=28234 profile="/usr/bin/torbrowser-launcher" name="/usr/share/fontconfig/conf.avail/10-scale-bitmap-fonts.conf" pid=15689 comm="torbrowser-laun" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 25 18:59:01 host kernel: [61675.590080] type=1400 audit(1411671541.645:257): apparmor="DENIED" operation="open" parent=28234 profile="/usr/bin/torbrowser-launcher" name="/usr/share/fontconfig/conf.avail/20-unhint-small-vera.conf" pid=15689 comm="torbrowser-laun" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 25 18:59:01 host kernel: [61675.590093] type=1400 audit(1411671541.645:258): apparmor="DENIED" operation="open" parent=28234 profile="/usr/bin/torbrowser-launcher" name="/usr/share/fontconfig/conf.avail/30-metric-aliases.conf" pid=15689 comm="torbrowser-laun" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 25 18:59:01 host kernel: [61675.590112] type=1400 audit(1411671541.645:259): apparmor="DENIED" operation="open" parent=28234 profile="/usr/bin/torbrowser-launcher" name="/usr/share/fontconfig/conf.avail/30-urw-aliases.conf" pid=15689 comm="torbrowser-laun" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 25 18:59:01 host kernel: [61675.590125] type=1400 audit(1411671541.645:260): apparmor="DENIED" operation="open" parent=28234 profile="/usr/bin/torbrowser-launcher" name="/usr/share/fontconfig/conf.avail/40-nonlatin.conf" pid=15689 comm="torbrowser-laun" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Some of them are caused by Whonix (uwtwrapper). Can we fix them? (The point is here, to make Whonix 9 or 10 compatible with torbrowser-launcher again, even if we do not install it by default.)
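The DENIED lines quoted here and in the gwenview post earlier are what one works through when extending a profile. The script below is an added example, not code from the thread or from the Whonix profile packages: it parses the quoted key="value" fields of such kernel audit lines, aggregates the denied masks per profile and path, and prints candidate file rules for review (exec denials become "ix", everything else keeps the union of the denied r/w/a bits). The sample lines are copied from those quoted in the thread.

```python
import re
from collections import defaultdict

# Sample input: audit lines as quoted in the thread (torbrowser-launcher and
# gwenview denials). In practice these come from dmesg or /var/log/kern.log.
SAMPLE_LOG = """\
Sep 25 17:19:33 host kernel: [55710.114316] type=1400 audit(1411665573.214:191): apparmor="DENIED" operation="open" parent=6872 profile="/usr/bin/torbrowser-launcher" name="/dev/tty" pid=6876 comm="gpg" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
Sep 25 17:19:33 host kernel: [55710.117354] type=1400 audit(1411665573.218:195): apparmor="DENIED" operation="exec" parent=6876 profile="/usr/bin/torbrowser-launcher" name="/usr/bin/basename" pid=6877 comm="uwtwrapper" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep 25 17:19:33 host kernel: [55710.117372] type=1400 audit(1411665573.218:196): apparmor="DENIED" operation="open" parent=6876 profile="/usr/bin/torbrowser-launcher" name="/usr/bin/basename" pid=6877 comm="uwtwrapper" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 24 22:28:30 host kernel: [ 1327.817571] type=1400 audit(1411597710.710:46): apparmor="DENIED" operation="open" parent=6916 profile="/usr/bin/gwenview" name="/usr/share/poppler/cMap/Adobe-CNS1/" pid=15810 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_denials(text):
    """Yield a dict of the quoted key="value" fields for each DENIED line."""
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        yield dict(FIELD_RE.findall(line))

def suggest_rules(text):
    """Return {profile: [candidate rule lines]} built from the denied masks.
    An exec denial is turned into 'ix' (run the helper under the caller's
    profile), which is the conservative choice for things like basename or
    bash; other denials keep only the r/w/a bits that were actually denied.
    The result is a starting point for a human review, not a finished profile."""
    masks = defaultdict(lambda: defaultdict(set))
    for d in parse_denials(text):
        masks[d["profile"]][d["name"]].update(d["denied_mask"])
    rules = {}
    for profile, paths in masks.items():
        lines = []
        for path, m in sorted(paths.items()):
            if "x" in m:
                perm = "".join(c for c in "rw" if c in m) + "ix"
            else:
                perm = "".join(c for c in "rwa" if c in m)
            lines.append(f"  {path} {perm},")
        rules[profile] = lines
    return rules

if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"# candidate additions for profile {profile}")
        print("\n".join(lines))
```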

Pushed an update. https://github.com/troubadoour/apparmor-profile-gwenview/commit/927281881d3c1e49b466a25bd2cb75445b2f7442
Merged. Testing this now.

Gave the AppArmor wiki page a revision.

I also plan to write a blog post about the apparmor profiles.

Beforehand I would like to discuss a few more details.

  • The AppArmor wiki page looks okay so far?

  • Are you okay with renaming this thread from “Join us testing new AppArmor Profiles! (Whonix Security Hardening)” to “AppArmor technical discussion”? - Seems to me if we sometimes move off topic and discuss git and things this scares people off.

  • Would you like to have a separate AppArmor forum? I think it would advertise the availability of AppArmor better. And easier for users to create one thread per question. Following the discussion in one big thread does in my experience not seem so easy.

- The AppArmor wiki page looks okay so far?

Not quite. Before we go further, I’d like to make some changes, like removing the individual profile pages, add a warning and update some profiles.

- Are you okay with renaming this thread from "Join us testing new AppArmor Profiles! (Whonix Security Hardening)" to "AppArmor technical discussion"? -

Yes. The name would be more pertinent, and as mentioned before, the “Join us…” has not enlisted many candidates.

Seems to me if we sometimes move off topic and discuss git and things this scares people off.

  • Would you like to have a separate AppArmor forum? I think it would advertise the availability of AppArmor better. And easier for users to create one thread per question. Following the discussion in one big thread does in my experience not seem so easy.

Our git digressions and this thread growing bigger certainly do not incite new comers to take the plunge (I would probably stay off). So we can start a separate forum, perhaps we’ll finally succeed in gathering a regular AppArmor user base. Please just wait until I’m finished with the wiki.

Okay. Alright. Keep your time. Whenever you’re ready. :slight_smile:

Made a few commits. Please fetch and merge.
apparmor-profile-(anondist|whonixcheck|sdwdate|timesync): Fixed Whonix-Gateway compatibility.

By the way, if you don’t already know. This might be useful. You can instruct git to only show what changed in the remote while ignoring what you did locally. For easier review/audit.

[quote=“Patrick, post:394, topic:108”]By the way, if you don’t already know. This might be useful. You can instruct git to only show what changed in the remote while ignoring what you did locally. For easier review/audit.[/quote]

Thanks for the tip. Quite helpful.

In the wiki, can I write that the “~/Downloads” directory will be created at installation in Whonix 10?

Can do only for specifically /home/user/Downloads unless there is a strong reason against this because doing that for any new user would be more difficult and is probably not required.

Yes. Just added to the top of my list. I’ll implement that soon.

I’ll add this to the usability-misc package? And only do that once ever for any installation that uses that package, I suppose. (So if the user once deletes the /home/user/Downloads folder, she is free to, and won’t get annoyed by recreation of that folder every time that package gets upgraded.)

Any other folders that should be created like this? /home/user/Pictures perhaps?

Done:

Any other folders that should be created like this? /home/user/Pictures perhaps?

Yes, Pictures, and that should be it.

Done. (create once /home/user/Pictures · Kicksecure/usability-misc@46bf55f · GitHub)

Made additions to apparmor-profile-icedove.