Merged.
sdwdate now has a new time fetching method "tlsdate":
https://github.com/Whonix/Whonix/issues/349#issuecomment-58452612
apparmor-profile-(sdwdate/timesync) is not compatible with it. Unless it's too difficult / too time consuming, could you look at it please?
Modified timesync and sdwdate profiles. Added package GitHub - troubadoour/apparmor-profile-tlsdate.
sdwdate/timesync working fine with tlsdate. I don't think that the discussion in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704680 is concerning Whonix directly.
Thanks for doing that so quickly! Merged timesync and sdwdate profile. Made small addition to sdwdate profile (you couldn't know, it's from latest sdwdate master, nevermind). Testing now. Seems to work so far.
It is weird that upstream's /etc/apparmor.d/usr.bin.tlsdate doesn't include abstractions/base, so we could benefit from apparmor-profile-anondist and wouldn't need to fork /etc/apparmor.d/usr.bin.tlsdate.
I don't think GitHub - troubadoour/apparmor-profile-tlsdate can work as is at the moment, because we are not allowed to replace files that another package already shipped. We'd have to use config-package-dev as we do for apparmor-profile-anondist. It's not a big issue, and I can easily do it, but I am wondering if there is a better way without a separate apparmor-profile-tlsdate package.
Getting some sdwdate apparmor denied messages.
Oct 9 22:41:17 host kernel: [ 2926.177762] audit_printk_skb: 204 callbacks suppressed
Oct 9 22:41:17 host kernel: [ 2926.177765] type=1400 audit(1412894477.903:153): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/string.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct 9 22:41:17 host kernel: [ 2926.187953] type=1400 audit(1412894477.911:154): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/collections.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct 9 22:41:17 host kernel: [ 2926.187989] type=1400 audit(1412894477.911:155): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/keyword.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct 9 22:41:17 host kernel: [ 2926.190772] type=1400 audit(1412894477.915:156): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/heapq.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct 9 22:41:17 host kernel: [ 2926.193679] type=1400 audit(1412894477.919:157): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/functools.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct 9 22:41:17 host kernel: [ 2926.198159] type=1400 audit(1412894477.923:158): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/struct.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct 9 22:41:17 host kernel: [ 2926.199955] type=1400 audit(1412894477.923:159): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/copy.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct 9 22:41:17 host kernel: [ 2926.202229] type=1400 audit(1412894477.927:160): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/weakref.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct 9 22:41:17 host kernel: [ 2926.204971] type=1400 audit(1412894477.931:161): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/hashlib.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct 9 22:41:17 host kernel: [ 2926.211345] type=1400 audit(1412894477.935:162): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/textwrap.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct 9 22:41:23 host kernel: [ 2931.427713] audit_printk_skb: 204 callbacks suppressed
Oct 9 22:41:23 host kernel: [ 2931.427716] type=1400 audit(1412894483.150:231): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libc-2.17.so" pid=30723 comm="tlsdate" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 9 22:41:23 host kernel: [ 2931.427737] type=1400 audit(1412894483.150:232): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libc-2.17.so" pid=30723 comm="tlsdate" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 9 22:41:23 host kernel: [ 2931.427962] type=1400 audit(1412894483.150:233): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/librt-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 9 22:41:23 host kernel: [ 2931.427962] type=1400 audit(1412894483.150:234): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/librt-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 9 22:41:23 host kernel: [ 2931.427962] type=1400 audit(1412894483.150:235): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libc-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 9 22:41:23 host kernel: [ 2931.427962] type=1400 audit(1412894483.150:236): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libc-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 9 22:41:23 host kernel: [ 2931.427992] type=1400 audit(1412894483.150:237): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libdl-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 9 22:41:23 host kernel: [ 2931.428014] type=1400 audit(1412894483.150:238): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libdl-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 9 22:41:23 host kernel: [ 2931.428075] type=1400 audit(1412894483.150:239): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libpthread-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 9 22:41:23 host kernel: [ 2931.428081] type=1400 audit(1412894483.150:240): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libpthread-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
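Sorting denials like the ones above by hand gets tedious once the kernel starts suppressing callbacks, so here is a small added example (my code, not anything from the sdwdate, tlsdate or Whonix repositories) that parses `apparmor="DENIED"` kernel lines, groups them per profile, and turns each distinct denial into a candidate rule. The sample log is a constructed excerpt of the lines quoted in this post plus one of the msgcollector mkdir denials reported further down the thread. The allow-versus-deny heuristic in `suggest_rules` is my own and is an assumption: a write-class access (create, unlink, write) by one uid to a path owned by another uid, such as sdwdate running as uid 119 unlinking root-owned `.pyc` files, is proposed as an explicit `deny` rule, which is quiet by default and so clears the log without widening the profile; everything else is proposed as an allow rule, with `owner` added when the process owns the file and `m` added for shared objects, which are mmap'ed right after they are opened.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of the kernel audit lines quoted in this thread
# (the sdwdate .pyc unlinks, the tlsdate libc/librt opens and one of the later
# msgcollector mkdir denials), plus a "callbacks suppressed" line to skip.
SAMPLE_LOG = """\
Oct 9 22:41:17 host kernel: [ 2926.177762] audit_printk_skb: 204 callbacks suppressed
Oct 9 22:41:17 host kernel: [ 2926.177765] type=1400 audit(1412894477.903:153): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/string.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct 9 22:41:17 host kernel: [ 2926.187953] type=1400 audit(1412894477.911:154): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/collections.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct 9 22:41:23 host kernel: [ 2931.427716] type=1400 audit(1412894483.150:231): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libc-2.17.so" pid=30723 comm="tlsdate" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 9 22:41:23 host kernel: [ 2931.427737] type=1400 audit(1412894483.150:232): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libc-2.17.so" pid=30723 comm="tlsdate" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 9 22:41:23 host kernel: [ 2931.427962] type=1400 audit(1412894483.150:233): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/librt-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 17 00:32:27 host kernel: [ 13.423874] type=1400 audit(1413505947.089:39): apparmor="DENIED" operation="mkdir" parent=3269 profile="/usr/bin/sdwdate" name="/run/msgcollector/user/" pid=3271 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=101 ouid=101
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Shared objects are mmap'ed after open(), so a bare "r" would only move the
# denial to the next syscall; they need "m" as well.
SHARED_OBJECT_RE = re.compile(r"\.so(\.\d+)*$")
# AppArmor's audit masks mapped onto the permission letters used in profile rules.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "w", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}


def parse_denial(line):
    """Return the key=value fields of an apparmor="DENIED" line, or None for anything else."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def summarize(log_text):
    """Group denied paths by (profile, operation, denied_mask) -> sorted list of paths."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields and "name" in fields:
            groups[(fields["profile"], fields["operation"], fields["denied_mask"])].add(fields["name"])
    return {key: sorted(paths) for key, paths in groups.items()}


def suggest_rules(log_text):
    """Turn each distinct denial into one candidate rule as (profile, rule_text).

    Heuristic (mine, an assumption, not AppArmor policy): a write-class access
    by one uid to a path owned by a different uid, e.g. sdwdate as uid 119
    unlinking root-owned .pyc files, is proposed as an explicit "deny" rule
    (quiet by default) instead of an allow rule. Accesses to the caller's own
    files get an "owner" prefix so the rule does not reach other users' files.
    """
    suggestions = []
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if not fields or "name" not in fields:
            continue
        perms = {MASK_TO_PERM[c] for c in fields["denied_mask"] if c in MASK_TO_PERM}
        if not perms:
            continue  # e.g. an exec denial ("x") needs a deliberate decision, not a generated rule
        path, same_owner = fields["name"], fields["fsuid"] == fields["ouid"]
        if "w" in perms and not same_owner:
            rule = f"deny {path} w,"
        else:
            if SHARED_OBJECT_RE.search(path):
                perms.add("m")
            rule = f"{'owner ' if same_owner else ''}{path} {''.join(sorted(perms))},"
        entry = (fields["profile"], rule)
        if entry not in suggestions:  # de-duplicate repeated denials
            suggestions.append(entry)
    return suggestions


if __name__ == "__main__":
    for (profile, op, mask), paths in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{profile}: {op} ({mask}) on {len(paths)} path(s)")
    for profile, rule in suggest_rules(SAMPLE_LOG):
        print(f"{profile}: {rule}")
```

The output is a starting point for editing the profile, not something to paste in blindly: an `x` denial is deliberately left out because an exec transition needs a decision about which profile the child should run under, and the libc/librt lines from the tlsdate profile are the symptom the thread goes on to solve by including abstractions/base rather than by listing individual libraries.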
I have seen https://github.com/Whonix/Whonix/issues/349#issuecomment-58590186 about the tlsdate issue, but after making a modification to apparmor-profile-anondist.
Added "consoles.anondist" on the same principle as "base.anondist".
I could not find where from the base->base.anondist link is installed, so I have put consoles->consoles.anondist in the package. It installs smoothly with "sudo make install".
I am not sure it's the right way to proceed, but it works as a temporary solution. Ideally, if Jacob could include <abstractions/base> in his profile…
Displacing files owned by other packages is tricky. Manually creating symlinks and/or using dpkg-divert can create a upgrade hell. Whonix uses config-package-dev (Debian configuration packages) as a robust solution in case this cannot be realistically avoided.
Took your forked abstraction/consoles AppArmor profile and implemented it using config-package-dev.
Works fine now without apparmor denied messages. Thanks!
Haven't merged your commit first. Do you know how to get git back on track from there? (Otherwise I'll document.)
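For readers who have not used config-package-dev, this is the shape such a displacement takes, added here as an illustration and not copied from the apparmor-profile-anondist repository or the commit linked in this thread. The `.anondist` suffix and the abstractions/consoles path come from the discussion above; the debian/control and debian/rules lines are my assumptions about how the package is built.

```text
# debian/control (excerpt; assumption about the package's build dependencies)
Build-Depends: debhelper, config-package-dev (>= 5.0)

# debian/rules (assumption: debhelper short form with the config-package sequence)
#!/usr/bin/make -f
%:
	dh $@ --with config-package

# debian/apparmor-profile-anondist.displace
# One path per line, always the *suffixed* name that this package ships.
# On install, config-package-dev diverts the stock file shipped by the
# apparmor package to "consoles.anondist-orig" and makes "consoles" a
# symlink to "consoles.anondist"; on removal it puts the original back.
# That is the rename/symlink sequence done by hand earlier in this thread,
# but tracked by dpkg so package upgrades cannot clobber it.
/etc/apparmor.d/abstractions/consoles.anondist

# etc/apparmor.d/abstractions/consoles.anondist
# The forked copy of the stock abstraction, installed by this package.
```

Because the diversion is performed by maintainer scripts generated into the .deb, "make install" (a plain file copy to $DESTDIR) never exercises it; only installing the built package does, which is the point made further down the thread.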
Took your forked abstraction/consoles AppArmor profile and implemented it using config-package-dev. https://github.com/Whonix/apparmor-profile-anondist/commit/8cf8a0a9919db547aeef1c38dede02e886cb292a
Not sure at all I used config-package-dev. For that, I guess I should have added the file in debian/apparmor-profile-anondist.displace.
Here is what I did:
- renamed abstractions/consoles to abstractions/consoles.anondist-orig
- created abstractions/consoles.anondist
- created consoles/consoles symlink
- reloaded AppArmor ("sudo service apparmor reload", not "restart" in case you don't know),
When I was happy, I reverted to the original configuration, I git added the files in "etc/apparmor.d/abstractions", committed and ran "sudo make install".
Haven't merged your commit first. Do you know how to get git back on track from there? (Otherwise I'll document.)
I suppose fetch/merge (or pull)?. At the moment, I have fetched the origin (yours), and diff shows the right changes: the additions in debian/apparmor-profile-anondist.displace and debian/changelog, and the removal of consoles and consoles.anondist-orig. It should be safe to merge.
Only the previously implemented state of it.
For that, I guess I should have added the file in debian/apparmor-profile-anondist.displace.
Yes.
Here is what I did:
- renamed abstractions/consoles to abstractions/consoles.anondist-orig
- created abstractions/consoles.anondist
- created consoles/consoles symlink
- reloaded AppArmor ("sudo service apparmor reload", not "restart" in case you don't know),
When I was happy, I reverted to the original configuration, I git added the files in "etc/apparmor.d/abstractions", committed and ran "sudo make install".
During "sudo make install" you won't notice that this won't work in the final package ("make deb-icup"), because "make install" simply copies files to "$DESTDIR" (defaults to /) [implemented in Makefile and make-helper.bsh], does not check conflicts with existing deb packages as dpkg would do and by design does not run any deb package maintainer scripts. You can open the .deb (make deb-pkg) and see what it actually contains. It includes as well maintainer scripts, which include auto-generated code by config-package-dev. So while "make install" is required by debhelper and useful for manual use, it cannot replace trying to install the whole package. But don't worry too much about that stuff, I usually "make deb-icup" packages and see if they still work, and we'd also notice a build error as last resort if there are any conflicts with other packages (you may not overwrite files by other packages, unless specifically implemented [ex: config-package-dev]), or dpkg will stop installing the package.
I suppose fetch/merge (or pull)? At the moment, I have fetched the origin (yours), and diff shows the right changes: the additions in debian/apparmor-profile-anondist.displace and debian/changelog, and the removal of consoles and consoles.anondist-orig. It should be safe to merge.
This is insufficient.
When you run:
git diff origin/master troubadoour/master
Or:
git diff whonix/master troubadoour/master
(Depending on your "git remote -v" naming scheme.)
You'll see there is still a difference.
What could be done…
git log
git revert 7aa12d2c7c1c7bde72b2ed579e92f991474545e5
Then this reverted change would end up in Whonix/apparmor-profile-anondist history as well next time I merge troubadoour/master. I wouldn't mind, but other projects might nitpick about this.
(Which is the easy way. The more nitpicky way would be to point your local master to origin/master and to git push --force. And since --force is "evil", the even more correct nitpicky way would be to not commit to master for experimental changes, have a separate branch to suggest the change, merge into master if okay (or I would have to suggest an alternative branch and merge that). Just explaining this to give a little more background on git in case you ever want to use it professionally. I don't want to waste time on nitpicking git workflows that are used by huge projects with loads of contributors, where a clean git history might actually matter, so going for the easy revert way should more than suffice.)
Thanks again for the help.
Did as described and pushed. Can you check the history, see if it's back on track?
My git log:
Merge: 873b1ba 8cf8a0a
Author: troubadoour <trobador@riseup.net>
Date: Fri Oct 10 18:52:50 2014 +0000
Merge remote-tracking branch 'origin'
commit 873b1baad9e62b718882d4623d7487a5a10625f3
Author: troubadoour <trobador@riseup.net>
Date: Fri Oct 10 18:49:40 2014 +0000
Revert "Added consoles.anondist"
This reverts commit 7aa12d2c7c1c7bde72b2ed579e92f991474545e5.
commit 8cf8a0a9919db547aeef1c38dede02e886cb292a
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Fri Oct 10 15:23:49 2014 +0000
tlsdate profile does not include abstractions/base. Therefore displacing (config-package-dev) abstractions/consoles. Thanks to @trou
commit 7aa12d2c7c1c7bde72b2ed579e92f991474545e5
Author: troubadoour <trobador@riseup.net>
Date: Fri Oct 10 11:11:13 2014 +0000
Added consoles.anondist
where is 8cf8a0a9919db547aeef1c38dede02e886cb292a coming from, since I did
git fetch origin
but not
git merge origin master
?
8cf8a0a9919db547aeef1c38dede02e886cb292a is the commit I made (tlsdate profile does not include abstractions/base. Therefore displac… · Kicksecure/apparmor-profile-dist@8cf8a0a · GitHub).
The top commit says you merged remote origin and thereby 8cf8a0a (= same as 8cf8a0a9919db547aeef1c38dede02e886cb292a [short / long]).
Looks good now.
Small tested addition:
https://github.com/Whonix/apparmor-profile-whonixcheck/commit/d5add18a9785248ead0a6ee99547c033730790cb
apparmor-profile-torbrowser broke with the upgrade of TBB 4.0.
Updated torbrowser profile: changes for TBB 4.0 · troubadoour/apparmor-profile-torbrowser@e3abe7f · GitHub.
Maybe some day the Tor project will decide once and for all the directory structure they want to use. They have reverted to the ".cache" files that were replaced by the "Cache" directory in 3.5, and added "/Browser/TorBrowser/" in front of "Data/Browser/".
It should work, but I have another problem. TBB does not start from the panel icon; I have to run "start-tor-browser" from a terminal. No AppArmor message, but a warning in the terminal:
(firefox:23637): GLib-WARNING **: getpwuid_r(): failed due to: Permission denied.
Looking into it.
Works! Merged, thanks!
Got some sdwdate denied messages on gateway.
Oct 17 00:32:27 host kernel: [ 13.423874] type=1400 audit(1413505947.089:39): apparmor="DENIED" operation="mkdir" parent=3269 profile="/usr/bin/sdwdate" name="/run/msgcollector/user/" pid=3271 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=101 ouid=101
Oct 17 00:32:27 host kernel: [ 13.457322] type=1400 audit(1413505947.121:40): apparmor="DENIED" operation="mkdir" parent=3269 profile="/usr/bin/sdwdate" name="/home/sdwdate/.msgcollector/" pid=3281 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=101 ouid=101
Could you make an abstractions/msgcollector (that we add to the msgcollector package?) please that we include from sdwdate [and timesync]?
Or would a separate apparmor-profile-msgcollector profile be better? (Other profiles would then execute using that profile if available?)
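One concrete shape the abstraction route could take, added here as an example and not taken from the msgcollector, sdwdate or timesync packages: the file name and the two paths are inferred from the mkdir denials quoted above (both with fsuid=ouid=101, i.e. the service's own user), and the permission set is my assumption.

```apparmor
# /etc/apparmor.d/abstractions/msgcollector  (hypothetical file; shipped by msgcollector,
# so that the profiles of every program using msgcollector can share it)
#
# The two denials above were mkdir (mask "c") on /run/msgcollector/user/ and on
# /home/sdwdate/.msgcollector/. Directory creation needs "w" on the directory
# path itself, so the "**" rules below cover it; "owner" limits the rules to
# paths owned by the calling uid, which matches fsuid=ouid=101 in the log.
# @{HOME} is defined by tunables/global, which the including profile must pull in.
owner /run/msgcollector/ rw,
owner /run/msgcollector/** rwk,
owner @{HOME}/.msgcollector/ rw,
owner @{HOME}/.msgcollector/** rwk,

# Then, inside the profile body of /etc/apparmor.d/usr.bin.sdwdate (and timesync):
#   #include <abstractions/msgcollector>
```

On the second question: an abstraction is just a rule fragment textually included into each profile, so it adds file access but no separate confinement. A standalone apparmor-profile-msgcollector would only come into play if the calling profiles executed the msgcollector binaries with a `px`/`Px` transition, at which point the child runs under that profile's rules rather than the caller's; for what is being denied here (directory creation by the calling process itself), the abstraction is the lighter choice.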
Getting a Tor Browser denied message. (Not using Gnome.)
[quote="Patrick, post:419, topic:108"]Getting a Tor Browser denied message. (Not using Gnome.)[/quote]
Adding
would solve it. Sane?