[HOME] [DOWNLOAD] [DOCS] [BLOG] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

Whonix AppArmor Profiles Development Discussion


#421

[quote=“Patrick, post:420, topic:108”]Adding

would solve it. Sane?[/quote]

should suffice. I believe that if you have a single application installing a gnome library, access to “~/[TBB-Directory]/wherever/.gnome2” (it is now under “Browser”, was in TBB root) will be required. It did happen to me earlier, so we better leave it as standard.

You have removed tlsdate from sdwdate and timesync latest profiles. lines

	/usr/bin/tlsdate r,
	/usr/bin/tlsdate Px,

Is that intentional ?


#422
  1. Added to Tor Browser profile.

  2. No, didn’t modify anything in sdwdate profile related to tlsdate yet. It’s still in my local and remote repo. And afaik it was never in timesync profile. I am going to remove tlsdate suppport unfortunately, so need to work on that further.


#423

Updated sdwdate profile for “date_to_unixtime”.


#424

Merged.

Also added to apparmor-profile-timesync.


#425

Pushed https://github.com/troubadoour/apparmor-profile-pidgin/commit/02cda3703211240ecdb1087387cdded1583ab1f9 related to https://www.whonix.org/forum/index.php/topic,660.0.html


#426

Merged.


#427

(Related to: https://www.whonix.org/forum/index.php/topic,661.0.html)

apparmor-profiles-whonix: added apparmor-profile-gwenview apparmor-profile-okular:

I am not considering that change as stable upgrade. Too risky, because the whole anon-meta-packages would be upgraded.


#428

But this isn’t a big deal. If we go with https://www.whonix.org/forum/index.php/topic,661.0.html then these profiles would not be installed by

but they could still be installed by using

sudo apt-get install apparmor-profile-gwenview sudo apt-get install apparmor-profile-okular


#429

Pushed an update to Tor Browser profile (libvisual-4.0).


#430

Merged.


#431

Tails doing some AppArmor stuff also. No action required. Just sharing the news.

https://tails.boum.org/contribute/design/application_isolation/


#432
Tails doing some AppArmor stuff also. No action required. Just sharing the news.

Yes, I have seen that form their news. They use the Debian default and extra profiles, which at the moment, are not of much interest for us.

The Debian AppArmor team has been recently resurrected, probably at intrigeri’s initiative. Since s/he is also participating to Tails (an more)…


#433

I moved a thread into this forum:
https://www.whonix.org/forum/index.php/topic,668.0.html

Did you get a notification? (Take your time. I am just wondering if I should ping you or if you get notifications. I wouldn’t wonder if the forum software “forgets” to dispatch notifications for moved threads.)

[hr]

Maybe related, maybe not.

~ $ sudo apparmor_parser -r /etc/apparmor.d/home.\*.tor-browser_\*.Browser.firefox ; echo $? 0

sudo apparmor_parser -r /etc/apparmor.d/usr.lib.dovecot.*
Warning from /etc/apparmor.d/usr.lib.dovecot.deliver (/etc/apparmor.d/usr.lib.dovecot.deliver line 29): profile /usr/lib/dovecot/deliver network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.dovecot-auth (/etc/apparmor.d/usr.lib.dovecot.dovecot-auth line 23): profile /usr/lib/dovecot/dovecot-auth network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.imap (/etc/apparmor.d/usr.lib.dovecot.imap line 27): profile /usr/lib/dovecot/imap network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.imap-login (/etc/apparmor.d/usr.lib.dovecot.imap-login line 23): profile /usr/lib/dovecot/imap-login network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.managesieve-login (/etc/apparmor.d/usr.lib.dovecot.managesieve-login line 22): profile /usr/lib/dovecot/managesieve-login network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.pop3 (/etc/apparmor.d/usr.lib.dovecot.pop3 line 23): profile /usr/lib/dovecot/pop3 network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.pop3-login (/etc/apparmor.d/usr.lib.dovecot.pop3-login line 21): profile /usr/lib/dovecot/pop3-login network rules not enforced
~ $ echo $?
0

/etc/apparmor.d/usr.lib.dovecot.pop3-login line 21 is the last empty line. So I am wondering what its complaining about.

If you’re feeling awesome, perhaps dare to run “sudo apparmor_parser -r /etc/apparmor.d/*”. We don’t have to fix all the upstream issues, but hopefully we didn’t introduce issues through conflicting x modifies by apparmor-profile-anondist.


#434
I moved a thread into this forum: https://www.whonix.org/forum/index.php/topic,668.0.html

Did you get a notification? (Take your time. I am just wondering if I should ping you or if you get notifications. I wouldn’t wonder if the forum software “forgets” to dispatch notifications for moved threads.)

No notification, but I’m not subscribed to the forum. The best would be to ping me.

Maybe related, maybe not.

~ $ sudo apparmor_parser -r /etc/apparmor.d/home.\*.tor-browser_\*.Browser.firefox ; echo $? 0

sudo apparmor_parser -r /etc/apparmor.d/usr.lib.dovecot.*
Warning from /etc/apparmor.d/usr.lib.dovecot.deliver (/etc/apparmor.d/usr.lib.dovecot.deliver line 29): profile /usr/lib/dovecot/deliver network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.dovecot-auth (/etc/apparmor.d/usr.lib.dovecot.dovecot-auth line 23): profile /usr/lib/dovecot/dovecot-auth network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.imap (/etc/apparmor.d/usr.lib.dovecot.imap line 27): profile /usr/lib/dovecot/imap network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.imap-login (/etc/apparmor.d/usr.lib.dovecot.imap-login line 23): profile /usr/lib/dovecot/imap-login network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.managesieve-login (/etc/apparmor.d/usr.lib.dovecot.managesieve-login line 22): profile /usr/lib/dovecot/managesieve-login network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.pop3 (/etc/apparmor.d/usr.lib.dovecot.pop3 line 23): profile /usr/lib/dovecot/pop3 network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.pop3-login (/etc/apparmor.d/usr.lib.dovecot.pop3-login line 21): profile /usr/lib/dovecot/pop3-login network rules not enforced
~ $ echo $?
0

/etc/apparmor.d/usr.lib.dovecot.pop3-login line 21 is the last empty line. So I am wondering what its complaining about.

It’s not related. It looks like apparmor_parser goes to the end of the profile before declaring “network rules not enforced”. We should not worry about it, the profiles still work with this warning.

But now, a bit on the cause of the AppArmor issues with the Debian profiles. As far as I know, all the profiles from the apparmor-profiles package were/are written by the Ubuntu team. Besides the apparently growing divergences between the distributions, I believe that the core issue stems from the different versions of AppArmor they use:

  • Debian wheezy: 2.7.103-4
  • Debian jessie: 2.8.08
  • Ubuntu 14.04: 2.8.95~2430-0ubunt

Some examples. The network rules warning is not shown in Ubuntu (tried with the same profiles). A profile might work in Ubuntu, not in Debian, the other way around, or fail in both. That has been the case for torbrowser-launcher recently. I have not followed the development of the situation.

We don't have to fix all the upstream issues, but hopefully we didn't introduce issues through conflicting x modifies by apparmor-profile-anondist.

No, we did’nt. There is a conflicting x modifiers issue in the chromium-browser profile. “/usr/lib/chromium-browser/chromium-browser” is declared twice, once with "ix " mask in the parent profile, and once with “Px” mask in a child profile.

@townsend
In Whonix Gateway and Workstation, run:

sudo aa-disable /etc/apparmor.d/usr.bin.chromium-browser

Reboot. The red “failed!” error should not show.

I’m wondering about the pertinence of installing the apparmor-profiles package in Whonix. On this side I cannot spot that sort of problem because I move the Debian profiles outside /etc/apparmor.d (inside in a sub directory, they can still mess up aa-genprof). For the moment, they are only a source of noise and annoyance, so I think we’d be better off concentrating on our own profiles. If we ever need one of them, we can easily fork it wherever it comes from.


#435

If it’s your recommendation to drop apparmor-profiles from the list for pre-installed packages for Whonix 10.x, I’d think you’re right. Shall we go for it?

Could you answer townsend in his thread please?


#436
If it's your recommendation to drop apparmor-profiles from the list for pre-installed packages for Whonix 10.x, I'd think you're right. Shall we go for it?

Glad you agree. Yes, let’s go for it.


#437

Done:


#438

New change due to the recent icedove / enigmail upgrade:

This is a good example, that even Debian stable can change in unexpected ways that can mess up our profiles.


#439

[quote=“Patrick, post:418, topic:108”]Got some sdwdate denied messages on gateway.

Oct 17 00:32:27 host kernel: [ 13.423874] type=1400 audit(1413505947.089:39): apparmor="DENIED" operation="mkdir" parent=3269 profile="/usr/bin/sdwdate" name="/run/msgcollector/user/" pid=3271 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=101 ouid=101 Oct 17 00:32:27 host kernel: [ 13.457322] type=1400 audit(1413505947.121:40): apparmor="DENIED" operation="mkdir" parent=3269 profile="/usr/bin/sdwdate" name="/home/sdwdate/.msgcollector/" pid=3281 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=101 ouid=101

Could you make an abstractions/msgcollector (that we add to the msgcollector package?) please that we include from sdwdate [and timesync]?

Or would a separate apparmor-profile-msgcollector profile be better? (Other profiles would then execute using that profile if available?)[/quote]

Seems it was just requiring some minor modifications in sdwdate and timesync profiles. It has popped a couple of times for me, but in workstation, not gateway. Should be fixed.



#440

Thanks, merged!