Whonix AppArmor Profiles Development Discussion

Merged.

sdwdate now has a new time fetching method “tlsdate”:
https://github.com/Whonix/Whonix/issues/349#issuecomment-58452612

apparmor-profile-(sdwdate/timesync) is not compatible with it. Unless it’s too difficult / too time consuming, could you look at it please?

Modified timesync and sdwdate profiles. Added package GitHub - troubadoour/apparmor-profile-tlsdate.

sdwdate/timesync working fine with tlsdate. I don’t think that the discussion in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704680 is concerning Whonix directly.

Thanks for doing that so quickly! Merged timesync and sdwdate profile. Made small addition to sdwdate profile (you couldn’t know, it’s from latest sdwdate master, nevermind). Testing now. Seems to work so far.

It is weird that upstream’s /etc/apparmor.d/usr.bin.tlsdate doesn’t include abstractions/base, so we could benefit from apparmor-profile-anondist and wouldn’t need to fork /etc/apparmor.d/usr.bin.tlsdate.

I don’t think GitHub - troubadoour/apparmor-profile-tlsdate can work as is at the moment, because we are not allowed to replace files that another package already shipped. We’d have to use config-package-dev as we do for apparmor-profile-anondist. It’s not a big issue, and I can easily do it, but I am wondering if there is a better way without a separate apparmor-profile-tlsdate package.

Getting some sdwdate apparmor denied messages.

Oct  9 22:41:17 host kernel: [ 2926.177762] audit_printk_skb: 204 callbacks suppressed
Oct  9 22:41:17 host kernel: [ 2926.177765] type=1400 audit(1412894477.903:153): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/string.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct  9 22:41:17 host kernel: [ 2926.187953] type=1400 audit(1412894477.911:154): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/collections.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct  9 22:41:17 host kernel: [ 2926.187989] type=1400 audit(1412894477.911:155): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/keyword.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct  9 22:41:17 host kernel: [ 2926.190772] type=1400 audit(1412894477.915:156): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/heapq.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct  9 22:41:17 host kernel: [ 2926.193679] type=1400 audit(1412894477.919:157): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/functools.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct  9 22:41:17 host kernel: [ 2926.198159] type=1400 audit(1412894477.923:158): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/struct.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct  9 22:41:17 host kernel: [ 2926.199955] type=1400 audit(1412894477.923:159): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/copy.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct  9 22:41:17 host kernel: [ 2926.202229] type=1400 audit(1412894477.927:160): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/weakref.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct  9 22:41:17 host kernel: [ 2926.204971] type=1400 audit(1412894477.931:161): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/hashlib.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct  9 22:41:17 host kernel: [ 2926.211345] type=1400 audit(1412894477.935:162): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/textwrap.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct  9 22:41:23 host kernel: [ 2931.427713] audit_printk_skb: 204 callbacks suppressed
Oct  9 22:41:23 host kernel: [ 2931.427716] type=1400 audit(1412894483.150:231): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libc-2.17.so" pid=30723 comm="tlsdate" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct  9 22:41:23 host kernel: [ 2931.427737] type=1400 audit(1412894483.150:232): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libc-2.17.so" pid=30723 comm="tlsdate" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct  9 22:41:23 host kernel: [ 2931.427962] type=1400 audit(1412894483.150:233): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/librt-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct  9 22:41:23 host kernel: [ 2931.427962] type=1400 audit(1412894483.150:234): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/librt-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct  9 22:41:23 host kernel: [ 2931.427962] type=1400 audit(1412894483.150:235): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libc-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct  9 22:41:23 host kernel: [ 2931.427962] type=1400 audit(1412894483.150:236): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libc-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct  9 22:41:23 host kernel: [ 2931.427992] type=1400 audit(1412894483.150:237): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libdl-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct  9 22:41:23 host kernel: [ 2931.428014] type=1400 audit(1412894483.150:238): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libdl-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct  9 22:41:23 host kernel: [ 2931.428075] type=1400 audit(1412894483.150:239): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libpthread-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct  9 22:41:23 host kernel: [ 2931.428081] type=1400 audit(1412894483.150:240): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libpthread-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0

I have seen https://github.com/Whonix/Whonix/issues/349#issuecomment-58590186 about the tlsdate issue, but after making a modification to apparmor-profile-anondist.

Added “consoles.anondist” on the same principle as “base.anondist”.

I could not find where the base->base.anondist link is installed from, so I have put consoles->consoles.anondist in the package. It installs smoothly with “sudo make install”.

I am not sure it’s the right way to proceed, but it works as a temporary solution. Ideally, if Jacob could include <abstractions/base> in his profile…

Displacing files owned by other packages is tricky. Manually creating symlinks and/or using dpkg-divert can create an upgrade hell. Whonix uses config-package-dev (Debian configuration packages) as a robust solution in case this cannot be realistically avoided.

Took your forked abstraction/consoles AppArmor profile and implemented it using config-package-dev.

Works fine now without apparmor denied messages. Thanks! :slight_smile:

Haven’t merged your commit first. Do you know how to get git back on track from there? (Otherwise I’ll document.)

Took your forked abstraction/consoles AppArmor profile and implemented it using config-package-dev. https://github.com/Whonix/apparmor-profile-anondist/commit/8cf8a0a9919db547aeef1c38dede02e886cb292a

Not sure at all I used config-package-dev. For that, I guess I should have added the file in debian/apparmor-profile-anondist.displace.

Here is what I did:

  • renamed abstractions/consoles to abstractions/consoles.anondist-orig
  • created abstractions/consoles.anondist
  • created consoles/consoles symlink
  • reloaded AppArmor (“sudo service apparmor reload”, not “restart”, in case you don’t know).

When I was happy, I reverted to the original configuration, git added the files in “etc/apparmor.d/abstractions”, committed and ran “sudo make install”.

Haven't merged your commit first. Do you know how to get git back on track from there? (Otherwise I'll document.)

I suppose fetch/merge (or pull)? At the moment, I have fetched the origin (yours), and diff shows the right changes: the additions in debian/apparmor-profile-anondist.displace and debian/changelog, and the removal of consoles and consoles.anondist-orig. It should be safe to merge.

Only the previously implemented state of it.

For that, I guess I should have added the file in debian/apparmor-profile-anondist.displace.
Yes.
Here is what I did:

  • renamed abstractions/consoles to abstractions/consoles.anondist-orig
  • created abstractions/consoles.anondist
  • created consoles/consoles symlink
  • reloaded AppArmor (“sudo service apparmor reload”, not “restart”, in case you don’t know).

When I was happy, I reverted to the original configuration, git added the files in “etc/apparmor.d/abstractions”, committed and ran “sudo make install”.


During “sudo make install” you won’t notice that this won’t work in the final package (“make deb-icup”), because “make install” simply copies files to “$DESTDIR” (defaults to /) [implemented in Makefile and make-helper.bsh], does not check conflicts with existing deb packages as dpkg would do, and by design does not run any deb package maintainer scripts. You can open the .deb (make deb-pkg) and see what it actually contains. It includes the maintainer scripts as well, which contain auto-generated code by config-package-dev. So while “make install” is required by debhelper and useful for manual use, it cannot replace trying to install the whole package. But don’t worry too much about that stuff; I usually “make deb-icup” packages and see if they still work, and we’d also notice a build error as a last resort if there are any conflicts with other packages (you may not overwrite files of other packages, unless specifically implemented [ex: config-package-dev], or dpkg will stop installing the package).

I suppose fetch/merge (or pull)? At the moment, I have fetched the origin (yours), and diff shows the right changes: the additions in debian/apparmor-profile-anondist.displace and debian/changelog, and the removal of consoles and consoles.anondist-orig. It should be safe to merge.
This is insufficient.

When you run:

git diff origin/master troubadoour/master

Or:

git diff whonix/master troubadoour/master

(Depending on your “git remote -v” naming scheme.)

You’ll see there is still a difference.

What could be done…

git log
git revert 7aa12d2c7c1c7bde72b2ed579e92f991474545e5

Then this reverted change would end up in Whonix/apparmor-profile-anondist history as well next time I merge troubadoour/master. I wouldn’t mind, but other projects might nitpick about this.

(Which is the easy way. The more nitpicky way would be to point your local master to origin/master and to git push --force. And since --force is “evil”, the even more correct nitpicky way would be to not commit to master for experimental changes, have a separate branch suggest the change, and merge into master if okay (or I would have to suggest an alternative branch and merge that). Just explaining this to give a little more background on git in case you ever want to use it professionally. I don’t want to waste time on nitpicking git workflows that are used by huge projects with loads of contributors, where a clean git history might actually matter, so going for the easy revert way should more than suffice.)
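The point made above about “make install” is that copying files to $DESTDIR never tells you whether dpkg would later refuse the package because another package already owns one of those paths, nor whether a file shipped with the .anondist suffix was actually listed in debian/apparmor-profile-anondist.displace (which is exactly what went wrong with consoles.anondist earlier in this thread). The following is an added example, not code from Whonix, apparmor-profile-anondist or config-package-dev: a small pre-build check that takes the package’s file list, the displace list and a constructed stand-in for what `dpkg -S` would report, and reports the conflicts dpkg would hit. The ownership map, the file list and the helper names are assumptions made for the example.

```python
# Added example: a pre-build conflict check modelled on config-package-dev's
# "displace" mechanism (package ships <path><suffix>, lists it in debian/<pkg>.displace,
# and the original is moved to <path><suffix>-orig with a symlink put in its place).

# Constructed stand-in for `dpkg -S` output on the target system: path -> owning package.
OWNED_BY_OTHER_PACKAGES = {
    "/etc/apparmor.d/abstractions/base": "apparmor",
    "/etc/apparmor.d/abstractions/consoles": "apparmor",
    "/etc/apparmor.d/usr.bin.tlsdate": "tlsdate",
}

# Constructed file list as "make install" would copy it into $DESTDIR.
SHIPPED_FILES = [
    "/etc/apparmor.d/abstractions/base.anondist",
    "/etc/apparmor.d/abstractions/consoles.anondist",   # forgotten in the .displace file below
    "/etc/apparmor.d/usr.bin.tlsdate",                  # forked copy; conflicts with tlsdate
]

# Constructed contents of debian/<pkg>.displace, one path per line, comments allowed.
DISPLACE_FILE = """\
# paths this package displaces; each must end with the displace suffix
/etc/apparmor.d/abstractions/base.anondist
"""


def read_displace_list(text):
    """Parse a .displace file into a list of paths, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def check_install_conflicts(shipped_files, displace_entries, owned_by, suffix=".anondist"):
    """Return (ok, problems).

    A shipped path owned by another package is a hard conflict: dpkg refuses to unpack
    unless the path is displaced.  A path carrying the displace suffix must be listed in
    the .displace file, and every listed path must actually be shipped.
    """
    problems = []
    displaced = {}  # original path -> shipped replacement
    for entry in displace_entries:
        if not entry.endswith(suffix):
            problems.append(f"{entry}: displace entry must end with {suffix}")
            continue
        displaced[entry[: -len(suffix)]] = entry

    for path in shipped_files:
        if path in owned_by:
            problems.append(f"{path}: owned by {owned_by[path]}; dpkg would refuse to unpack")
        elif path.endswith(suffix) and path[: -len(suffix)] not in displaced:
            problems.append(f"{path}: has suffix {suffix} but is not listed in the .displace file")

    for entry in displaced.values():
        if entry not in shipped_files:
            problems.append(f"{entry}: listed in .displace but not shipped")

    return (not problems, problems)


def run_check(shipped=SHIPPED_FILES, displace_text=DISPLACE_FILE, owned_by=OWNED_BY_OTHER_PACKAGES):
    """Convenience wrapper used by the usage line below."""
    return check_install_conflicts(shipped, read_displace_list(displace_text), owned_by)


if __name__ == "__main__":
    ok, problems = run_check()
    print("OK" if ok else "\n".join(problems))
```

Running it against the constructed inputs reports the forked usr.bin.tlsdate as owned by the tlsdate package and consoles.anondist as missing from the .displace list; adding the consoles entry and dropping the forked tlsdate profile (which is why the thread moved that fix into abstractions/consoles instead) makes the check pass.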

Thanks again for the help.

Did as described and pushed. Can you check the history, see if it’s back on track?

My git log:

Merge: 873b1ba 8cf8a0a
Author: troubadoour <trobador@riseup.net>
Date:   Fri Oct 10 18:52:50 2014 +0000

    Merge remote-tracking branch 'origin'

commit 873b1baad9e62b718882d4623d7487a5a10625f3
Author: troubadoour <trobador@riseup.net>
Date:   Fri Oct 10 18:49:40 2014 +0000

    Revert "Added consoles.anondist"
    
    This reverts commit 7aa12d2c7c1c7bde72b2ed579e92f991474545e5.

commit 8cf8a0a9919db547aeef1c38dede02e886cb292a
Author: Patrick Schleizer <adrelanos@riseup.net>
Date:   Fri Oct 10 15:23:49 2014 +0000

    tlsdate profile does not include abstractions/base. Therefore displacing (config-package-dev) abstractions/consoles. Thanks to @trou

commit 7aa12d2c7c1c7bde72b2ed579e92f991474545e5
Author: troubadoour <trobador@riseup.net>
Date:   Fri Oct 10 11:11:13 2014 +0000

    Added consoles.anondist

where is 8cf8a0a9919db547aeef1c38dede02e886cb292a coming from, since I did

git fetch origin

but not

git merge origin master

?

8cf8a0a9919db547aeef1c38dede02e886cb292a is the commit I made. (tlsdate profile does not include abstractions/base. Therefore displac… · Kicksecure/apparmor-profile-dist@8cf8a0a · GitHub)

The top commit says you merged remote origin and thereby 8cf8a0a (= same as 8cf8a0a9919db547aeef1c38dede02e886cb292a [short / long]).

Looks good now.

Small tested addition:
https://github.com/Whonix/apparmor-profile-whonixcheck/commit/d5add18a9785248ead0a6ee99547c033730790cb

apparmor-profile-torbrowser broke with the upgrade of TBB 4.0.

Updated torbrowser profile. changes for TBB 4.0 · troubadoour/apparmor-profile-torbrowser@e3abe7f · GitHub.
May be some day, the Tor project will decide once for all the directory structure they want to use. They have reverted to the “.cache” files that were replaced by the “Cache” directory in 3.5, and added “/Browser/TorBrowser/” in front of “Data/Browser/”.

It should work, but I have another problem. TBB does not start from the panel icon; I have to run ‘start-tor-browser’ from a terminal. No AppArmor message, but a warning in the terminal:

(firefox:23637): GLib-WARNING **: getpwuid_r(): failed due to: Permission denied.

Looking into it.

Minor update. "k" mask in ".cache" · troubadoour/apparmor-profile-torbrowser@74039ca · GitHub

Works! Merged, thanks!

Got some sdwdate denied messages on gateway.

Oct 17 00:32:27 host kernel: [ 13.423874] type=1400 audit(1413505947.089:39): apparmor="DENIED" operation="mkdir" parent=3269 profile="/usr/bin/sdwdate" name="/run/msgcollector/user/" pid=3271 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=101 ouid=101
Oct 17 00:32:27 host kernel: [ 13.457322] type=1400 audit(1413505947.121:40): apparmor="DENIED" operation="mkdir" parent=3269 profile="/usr/bin/sdwdate" name="/home/sdwdate/.msgcollector/" pid=3281 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=101 ouid=101

Could you make an abstractions/msgcollector (that we add to the msgcollector package?) please that we include from sdwdate [and timesync]?

Or would a separate apparmor-profile-msgcollector profile be better? (Other profiles would then execute using that profile if available?)
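Both batches of denials in this thread (the Oct 9 sdwdate/tlsdate ones and the msgcollector mkdir ones just above) are read the same way: pull profile, name, operation and denied_mask out of the audit line, group by profile, and decide whether the fix is a file rule in that profile or an abstraction the profile should include. Here is an added example of that triage, not code from Whonix or from the AppArmor tools: it parses a handful of constructed lines modelled on the ones quoted in this thread, maps audit mask letters to profile rule letters, points at abstractions/base for the shared-library denials (the reason tlsdate needed the consoles.anondist workaround), and separately flags any write/delete request under system directories so that nobody grants it just because the log asked. The regular expressions and helper names are assumptions made for the example; the rule text it prints is a starting point for a human, not a profile to install as-is.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the denials quoted in this thread
# (one non-denial kernel line included to show it is skipped).
SAMPLE_LOG = """\
Oct  9 22:41:17 host kernel: [ 2926.177762] audit_printk_skb: 204 callbacks suppressed
Oct  9 22:41:17 host kernel: [ 2926.177765] type=1400 audit(1412894477.903:153): apparmor="DENIED" operation="unlink" parent=30376 profile="/usr/bin/sdwdate" name="/usr/lib/python2.7/string.pyc" pid=30377 comm="tor_bootstrap_c" requested_mask="d" denied_mask="d" fsuid=119 ouid=0
Oct  9 22:41:23 host kernel: [ 2931.427716] type=1400 audit(1412894483.150:231): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libc-2.17.so" pid=30723 comm="tlsdate" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct  9 22:41:23 host kernel: [ 2931.427992] type=1400 audit(1412894483.150:237): apparmor="DENIED" operation="open" parent=30722 profile="/usr/bin/tlsdate" name="/lib/i386-linux-gnu/i686/cmov/libdl-2.17.so" pid=30723 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 17 00:32:27 host kernel: [ 13.423874] type=1400 audit(1413505947.089:39): apparmor="DENIED" operation="mkdir" parent=3269 profile="/usr/bin/sdwdate" name="/run/msgcollector/user/" pid=3271 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=101 ouid=101
"""

# key="value" pairs as they appear in AppArmor audit messages
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Shared C library paths that abstractions/base already permits (assumption: the
# pattern is written for the glibc file names seen in this thread).
SHARED_LIB_RE = re.compile(r"^/lib/.*/lib[a-z]+-[\d.]+\.so$")

# Audit mask letters -> letters used in a profile file rule.  Creating ("c") and
# deleting ("d") a path both need write permission in profile syntax.
AUDIT_TO_RULE = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                 "l": "l", "k": "k", "m": "m", "x": "x"}

SYSTEM_PREFIXES = ("/usr/lib/", "/lib/", "/usr/bin/", "/etc/")


def parse_denials(text):
    """Return one dict of fields per apparmor="DENIED" line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if "profile" in fields and "name" in fields and "denied_mask" in fields:
            events.append(fields)
    return events


def rule_perms(denied_mask):
    """Translate an audit denied_mask such as "rd" into rule letters such as "rw"."""
    return "".join(sorted({AUDIT_TO_RULE.get(ch, ch) for ch in denied_mask}))


def suggest_rules(events):
    """Group denials by profile and emit a candidate rule (or abstraction include) per path."""
    by_profile = defaultdict(list)
    for ev in events:
        path = ev["name"]
        if SHARED_LIB_RE.match(path):
            suggestion = "#include <abstractions/base>"
        else:
            suggestion = f"{path} {rule_perms(ev['denied_mask'])},"
        if suggestion not in by_profile[ev["profile"]]:
            by_profile[ev["profile"]].append(suggestion)
    return dict(by_profile)


def risky(events):
    """Write/create/delete requests under system directories: review, do not grant blindly."""
    hits = []
    for ev in events:
        mask = ev["denied_mask"]
        if any(ch in "wcd" for ch in mask) and ev["name"].startswith(SYSTEM_PREFIXES):
            hits.append((ev["profile"], ev["name"], mask))
    return hits


if __name__ == "__main__":
    evs = parse_denials(SAMPLE_LOG)
    for profile, rules in suggest_rules(evs).items():
        print(profile)
        for r in rules:
            print("   ", r)
    for profile, path, mask in risky(evs):
        print(f"REVIEW: {profile} wants '{mask}' on {path}")
```

For the constructed log this yields one include suggestion for the tlsdate profile, two write rules for sdwdate, and a review flag for the .pyc unlink under /usr/lib, which is the kind of denial that is usually left denied (or handled outside the profile) rather than turned into a write rule on a system directory.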

Getting a Tor Browser denied message. (Not using Gnome.)

Patrick wrote: Getting a Tor Browser denied message. (Not using Gnome.)

Adding

would solve it. Sane?