
Whonix AppArmor Profiles Development Discussion


#441

Some bits missing (k mask) in sdwdate and timesync profiles.



#442

Merged. Also added some commits on top. (Minor; packaging.)


#443

Please imagine you’re a new user and try to register for the Whonix forum. Click “Listen to the letters”. Then you get an AppArmor denied message.


#444

One thing about the stable upgrade of Whonix AppArmor profiles… Not that simple, though. They’re not compatible with stable anymore. For example the sdwdate/timesync AppArmor profiles use “/usr/lib/sdwdate/sclockadj” (Whonix 10) rather than “/usr/lib/sclockadj” (Whonix 9). Would need further testing.


#445

Working on https://github.com/Whonix/Whonix/issues/167 at the moment.

Getting this.

What must I add to fix it? Trying like crazy…

  /etc/tor/torrc rwmixkl,
  /etc/tor/torrc.anondist rwmixkl,

Restarted Tor…

Doesn’t help.


#446

Can you have a look please here?
https://www.whonix.org/forum/index.php/topic,711.0.html


#447

[quote=“Patrick, post:445, topic:108”]Working on https://github.com/Whonix/Whonix/issues/167 at the moment.

Getting this.

What must I add to fix it? Trying like crazy…

  /etc/tor/torrc rwmixkl,
  /etc/tor/torrc.anondist rwmixkl,

Restarted Tor…

Doesn’t help.[/quote]

Most likely, the problem does not come from the system-tor profile. Could you check that tor-launcher (what did you install, by the way?) has not installed its own profile? There is a bug in Vidalia. https://bugs.launchpad.net/ubuntu/+source/vidalia/+bug/680192


#448

Fixed.


#449

Merged. Please fetch and merge before pushing new commits.

If you’re wondering how to check that the packaging code files do not include any malicious code: you don’t have to review the diff of all of them.

There is:

Usability of that script is not great yet. Just a dev tool.

There is a function diff_common_packaging_files. You can comment it in.

Then run:
debug-steps/packaging-helper-script

It’ll loop through all the packages and compare if the makefile(-helper) of any package matches the makefile(-helper) of anon-apt-sources-list. So if you have checked anon-apt-sources-list and packaging-helper-script to be non-malicious, it’s easy to verify all those files are non-malicious.


#450

Have pushed a couple of commits (2 /usr/bin/ files, missing “k” mask) before https://github.com/troubadoour/apparmor-profile-sdwdate/commit/60fb5f7a919202af06403db36960e1c702032d6d. (The diff is not obvious because I have changed the indentation to 4 spaces.)

Both “/usr/lib/sdwdate/sclockadj” and “/usr/lib/sclockadj” are in the profile. Is there any other change in the folder structure for Whonix 10? So I can add the lines in the profiles, leaving the original for backward compatibility.

Pushed the change to apparmor-profile-timesync too. Easier to read.
https://github.com/troubadoour/apparmor-profile-timesync/commit/7d32aa9ee965d97ec974e5255b483d4104d1688e.


#451

Great. Looks much better. Merged.

[quote]Is there any other change in the folder structure for Whonix 10?[/quote]

I don't recall any.

[quote]So I can add the lines in the profiles, leaving the original for backward compatibility.[/quote]

Thanks for the offer. I may get back to it.

#452

tor-launcher AppArmor issues sorted out. Topic split:
https://www.whonix.org/forum/index.php/topic,720


#453

FYI

Worked on getting the AppArmor packages upgraded in the repository.

Prerequisite knowledge to prevent data loss.

A new --apparmor has been added to build-steps.d/1200_create-debian-packages. It conveniently only builds all apparmor packages.

(git commit: https://github.com/Whonix/Whonix/commit/95e00e90d2c96806d735c0e072ee7806f528179e)


#454

Uploaded packages to developers repository. Will migrate soon into testers repository.

While diffing the remote developers apt repository, I noticed that the changes are more intrusive than I thought unfortunately.

Package: apparmor-profile-anondist

So I am not sure https://www.whonix.org/forum/index.php/topic,661.0.html is still a good idea.


#455

Accidentally I also upgraded the grub-enable-apparmor package. Nothing important changed.

  grub-enable-apparmor $ git diff --name-only 0.2-2
  Makefile
  README.md
  debian/changelog
  make-helper.bsh

Fixed, made precautions so this won’t happen again:

Fixed in 10.0.0.1.7-developers-only.


#456

Migrated to testers repository. Tested 9.4. Works quite well overall.

There is an issue, but I can likely fix it.

whonixcheck also needs that right.


#457

Likely fixed. Going to test.

Please review:


#458

Works for me.

Updates testers repository again.

Do you want to test it?

Shall we blog and invite more testing using the testers repository? Profiting from AppArmor profiles, installing them, is now much simpler using the testers repository.


#459

[quote=“Patrick, post:457, topic:108”]Likely fixed. Going to test.

Please review:[/quote]

There was a missing slash in “/run/msgcollector rwk,”.
Fixed.

[quote]Shall we blog and invite more testing using the testers repository?[/quote]

Yes. I believe the profiles are usable now. What could (will?) happen is users installing extra packages, and Tor Browser will complain. Also, I have never tested sending files with Pidgin.

In the blog, it might be worth explaining how to report AppArmor messages, with “sudo tail -f /var/log/kern.log”.
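
Added example, not part of the original posts and not Whonix code: a small Python parser that turns AppArmor "DENIED" lines of the kind reported in this thread (for instance a missing “k” mask) into candidate profile rules. The log lines, profile names and paths are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed kern.log lines in the kernel audit format AppArmor uses.
# Profile names and paths are illustrative, not from a real Whonix log.
SAMPLE_LOG = '''\
Nov 12 13:01:02 host kernel: [  100.000001] audit: type=1400 audit(1415796783.100:10): apparmor="DENIED" operation="file_lock" profile="/usr/bin/sdwdate" name="/run/sdwdate/lock" pid=1234 comm="sdwdate" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Nov 12 13:01:03 host kernel: [  101.000001] audit: type=1400 audit(1415796784.100:11): apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/run/sdwdate/lock" pid=1234 comm="sdwdate" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Nov 12 13:01:04 host kernel: [  102.000001] EXT4-fs (sda1): re-mounted. Opts: errors=remount-ro
Nov 12 13:01:05 host kernel: [  103.000001] audit: type=1400 audit(1415796786.100:12): apparmor="ALLOWED" operation="open" profile="/usr/bin/timesync" name="/etc/hosts" pid=1300 comm="timesync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 12 13:01:06 host kernel: [  104.000001] audit: type=1400 audit(1415796787.100:13): apparmor="DENIED" operation="open" profile="/usr/bin/timesync" name="/run/msgcollector/status" pid=1300 comm="timesync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Log masks -> profile permissions: create (c) and delete (d) are covered by w.
LOG_TO_RULE = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
               "m": "m", "k": "k", "l": "l"}
ORDER = "rwamkl"  # output order only; AppArmor does not care


def parse_denials(text):
    """Yield the key=value fields of every apparmor="DENIED" file record."""
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # skips non-audit lines and complain-mode ALLOWED records
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if {"profile", "name", "denied_mask"} <= rec.keys():
            yield rec


def missing_rules(text):
    """Merge denied masks per (profile, path) into candidate rule lines."""
    perms = defaultdict(set)
    for rec in parse_denials(text):
        # "x" is skipped: exec rules need a hand-picked mode (ix, px, ...).
        mapped = {LOG_TO_RULE[c] for c in rec["denied_mask"] if c in LOG_TO_RULE}
        perms[(rec["profile"], rec["name"])] |= mapped
    rules = defaultdict(list)
    for (profile, path), granted in sorted(perms.items()):
        if "w" in granted:
            granted.discard("a")  # w already implies append
        if granted:
            rules[profile].append(f"{path} {''.join(c for c in ORDER if c in granted)},")
    return dict(rules)
```

The output is a list of candidates to review, not rules to paste blindly: each path should be checked against what the confined program legitimately needs before it goes into a profile.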


#460

[quote=“troubadour, post:459, topic:108”][quote author=Patrick link=topic=97.msg5453#msg5453 date=1415796783]
Likely fixed. Going to test.

Please review:[/quote]

There was a missing slash in “/run/msgcollector rwk,”.
Fixed.

Yes. I believe the profiles are usable now.[/quote]

As they are currently or do we need your latest fix before the big shout out?