Whonix AppArmor Profiles Development Discussion

Some bits missing (k mask) in sdwdate and timesync profiles.

Merged. Also added some commits on top. (Minor; packaging.)

Please image you’re a new user and try register for Whonix forum. Click “Listen to the letters”. Then you get an apparmor denied message.

One thing about the stable upgrade of Whonix AppArmor profiles… Not that simple, though. They’re not compatible with stable anymore. For example the sdwdate/timesync apparmor profiles uses “/usr/lib/sdwdate/sclockadj” (Whonix 10) rather than “/usr/lib/sclockadj” (Whonix 9). Would need further testing.

Working on https://github.com/Whonix/Whonix/issues/167 at the moment.

Getting this.

Nov  7 22:51:47 host kernel: [ 2923.658653] type=1400 audit(1415400707.346:32): apparmor="DENIED" operation="rename_src" parent=1 profile="system_tor" name="/etc/tor/torrc" pid=12507 comm="tor" requested_mask="wd" denied_mask="wd" fsuid=106 ouid=0

What must I add to fix it? Trying like crazy…

/etc/apparmor.d/local/system_tor
  /etc/tor/torrc rwmixkl,
  /etc/tor/torrc.anondist rwmixkl,

Restarted Tor…

Doesn’t help.

Can you have a look please here?

[quote=“Patrick, post:445, topic:108”]Working on https://github.com/Whonix/Whonix/issues/167 at the moment.

Getting this.

Nov  7 22:51:47 host kernel: [ 2923.658653] type=1400 audit(1415400707.346:32): apparmor="DENIED" operation="rename_src" parent=1 profile="system_tor" name="/etc/tor/torrc" pid=12507 comm="tor" requested_mask="wd" denied_mask="wd" fsuid=106 ouid=0

What must I add to fix it? Trying like crazy…

/etc/apparmor.d/local/system_tor
  /etc/tor/torrc rwmixkl,
  /etc/tor/torrc.anondist rwmixkl,

Restarted Tor…

Doesn’t help.[/quote]

Most likely, the problem does not come from system-tor profile. Could you check that tor-launcher (what did you install, by the way?) has not installed its own profile. There is a bug in Vidalia. https://bugs.launchpad.net/ubuntu/+source/vidalia/+bug/680192

Fixed.

Merged. Please fetch and merge before pushing new commits.

If you’re wondering how to check any packaging code files do not include any malicious code? You don’t have to review the diff of all of them.

There is:
https://github.com/Whonix/whonix-developer-meta-files/blob/master/debug-steps/packaging-helper-script

Usability of that script is not great yet. Just a dev tool.

There is a function diff_common_packaging_files. You can comment it in.

#diff_common_packaging_files
->
diff_common_packaging_files

Then run:
debug-steps/packaging-helper-script

It’ll loop through all the packages and compare if the makefile(-helper) of any package matches the makefile(-helper) of anon-apt-sources-list. So if you have checked anon-apt-sources-list and packaging-helper-script to be non-malicious, it’s easy to verify all those files are non-malicious.

Have pushed a couple of commits (2 /us/bin/ files, missing “k” mask) before /usr/lib/sdwdate/sclockadj AND /usr/lib/sclockadj · troubadoour/apparmor-profile-sdwdate@60fb5f7 · GitHub. (the diff is not obvious because I have changed the indentation to 4 spaces).

both “/usr/lib/sdwdate/sclockadj” and “/usr/lib/sclockadj” are in the profile. Is there any other change in the folder structure for Whonix 10? So I can add the lines in the profiles, leaving the original for backward compatibility.

Pushed the change to apparmor-profile-timesync too. Easier to read.
/usr/lib/sdwdate/sclockadj AND /usr/lib/sclockadj ¡ troubadoour/apparmor-profile-timesync@7d32aa9 ¡ GitHub.

Great. Looks much better. Merged.

Is there any other change in the folder structure for Whonix 10?
I don't recall any.
So I can add the lines in the profiles, leaving the original for backward compatibility.
Thanks for the offer. I may get back to it.

tor-launcher AppArmor issues sorted out. Topic split:

FYI

Worked on getting the AppArmor packages upgraded in the repository.

Prerequisite knowledge to prevent data loss.

A new –apparmor has been added to build-steps.d/1200_create-debian-packages. It conveniently only builds all apparmor packages.

sudo -E ./build-steps.d/1200_create-debian-packages --apparmor

(git commit: https://github.com/Whonix/Whonix/commit/95e00e90d2c96806d735c0e072ee7806f528179e)

Uploaded packages to developers repository. Will migrate soon into testers repository.

While diffing the remote developers apt repository, I noticed that the changes are more intrusive than I thought unfortunately.

Package: apparmor-profile-anondist

Conflicts: diverts-etc++apparmor.d++abstractions++base
Conflicts: diverts-etc++apparmor.d++abstractions++base, diverts-etc++apparmor.d++abstractions++consoles

So I am not sure Whonix Forum is still a good idea.

Accidentally I also upgraded the grub-enable-apparmor package. Nothing important changed.

grub-enable-apparmor $ git diff --name-only 0.2-2 Makefile README.md debian/changelog make-helper.bsh

Fixed, made precautions so this won’t happen again:
https://github.com/Whonix/Whonix/commit/4719dd28039ec9c194a6a487635e4df30a7c85e3

Fixed in 10.0.0.1.7-developers-only.

Migrated to testers repository. Tested 9.4. Works quite well overall.

There is an issue, but I can likely fix it.

whonixcheck also needs that right.

Likely fixed. Going to test.

Please review:

Works for me.

Updates testers repository again.

Do you want to test it?

Shall we blog and invite more testing using the testers repository? Profiting from AppArmor profiles, installing them, is now much simpler using the testers repository.

[quote=“Patrick, post:457, topic:108”]Likely fixed. Going to test.

Please review:

There was a missing slash in “/run/msgcollector rwk,”.
Fixed.

Shall we blog and invite more testing using the testers repository?

Yes. I believe the profiles are usable now. What could (will?) happen is users installing extra packages, and Tor Browser will complain. Also, I have never tested sending files with Pidgin.

In the blog, It might be worth explaining how to report AppArmor messages, with “sudo tail -f /var/log/kern/log”.

[quote=“troubadour, post:459, topic:108”][quote author=Patrick link=topic=97.msg5453#msg5453 date=1415796783]
Likely fixed. Going to test.

Please review:

There was a missing slash in “/run/msgcollector rwk,”.
Fixed.

Yes. I believe the profiles are usable now.
As they are currently or do we need your latest fix before the big shout out?