Some bits missing (k mask) in sdwdate and timesync profiles.
Merged. Also added some commits on top. (Minor; packaging.)
Please imagine you're a new user and try to register for the Whonix forum. Click "Listen to the letters". Then you get an AppArmor denied message.
One thing about the stable upgrade of Whonix AppArmor profiles… Not that simple, though. They're not compatible with stable anymore. For example, the sdwdate/timesync AppArmor profiles use "/usr/lib/sdwdate/sclockadj" (Whonix 10) rather than "/usr/lib/sclockadj" (Whonix 9). Would need further testing.
Working on https://github.com/Whonix/Whonix/issues/167 at the moment.
Getting this.
Nov 7 22:51:47 host kernel: [ 2923.658653] type=1400 audit(1415400707.346:32): apparmor="DENIED" operation="rename_src" parent=1 profile="system_tor" name="/etc/tor/torrc" pid=12507 comm="tor" requested_mask="wd" denied_mask="wd" fsuid=106 ouid=0
What must I add to fix it? Trying like crazy…
/etc/apparmor.d/local/system_tor
/etc/tor/torrc rwmixkl,
/etc/tor/torrc.anondist rwmixkl,
Restarted Tor…
Doesn't help.
Can you have a look please here?
[quote="Patrick, post:445, topic:108"]Working on https://github.com/Whonix/Whonix/issues/167 at the moment.
Getting this.
Nov 7 22:51:47 host kernel: [ 2923.658653] type=1400 audit(1415400707.346:32): apparmor="DENIED" operation="rename_src" parent=1 profile="system_tor" name="/etc/tor/torrc" pid=12507 comm="tor" requested_mask="wd" denied_mask="wd" fsuid=106 ouid=0
What must I add to fix it? Trying like crazy…
/etc/apparmor.d/local/system_tor
/etc/tor/torrc rwmixkl,
/etc/tor/torrc.anondist rwmixkl,
Restarted Tor…
Doesn't help.[/quote]
Most likely, the problem does not come from system-tor profile. Could you check that tor-launcher (what did you install, by the way?) has not installed its own profile. There is a bug in Vidalia. https://bugs.launchpad.net/ubuntu/+source/vidalia/+bug/680192
Fixed.
Merged. Please fetch and merge before pushing new commits.
If you're wondering how to check that packaging code files do not include any malicious code: you don't have to review the diff of all of them.
Usability of that script is not great yet. Just a dev tool.
There is a function diff_common_packaging_files. You can comment it in.
#diff_common_packaging_files
->
diff_common_packaging_files
Then run:
debug-steps/packaging-helper-script
It'll loop through all the packages and compare if the makefile(-helper) of any package matches the makefile(-helper) of anon-apt-sources-list. So if you have checked anon-apt-sources-list and packaging-helper-script to be non-malicious, it's easy to verify all those files are non-malicious.
Have pushed a couple of commits (2 /us/bin/ files, missing "k" mask) before /usr/lib/sdwdate/sclockadj AND /usr/lib/sclockadj · troubadoour/apparmor-profile-sdwdate@60fb5f7 · GitHub. (The diff is not obvious because I have changed the indentation to 4 spaces.)
Both "/usr/lib/sdwdate/sclockadj" and "/usr/lib/sclockadj" are in the profile. Is there any other change in the folder structure for Whonix 10? So I can add the lines in the profiles, leaving the original for backward compatibility.
Pushed the change to apparmor-profile-timesync too. Easier to read.
/usr/lib/sdwdate/sclockadj AND /usr/lib/sclockadj · troubadoour/apparmor-profile-timesync@7d32aa9 · GitHub.
Great. Looks much better. Merged.
[quote]Is there any other change in the folder structure for Whonix 10?[/quote]
I don't recall any.
[quote]So I can add the lines in the profiles, leaving the original for backward compatibility.[/quote]
Thanks for the offer. I may get back to it.
tor-launcher AppArmor issues sorted out. Topic split:
FYI
Worked on getting the AppArmor packages upgraded in the repository.
Prerequisite knowledge to prevent data loss.
- https://github.com/Whonix/Whonix/blob/master/build-steps.d/1200_create-debian-packages runs https://github.com/Whonix/Whonix/blob/master/help-steps/cleanup-files.
- help-steps/cleanup-files removes all files that are not committed to git.
A new --apparmor has been added to build-steps.d/1200_create-debian-packages. It conveniently only builds all apparmor packages.
sudo -E ./build-steps.d/1200_create-debian-packages --apparmor
(git commit: https://github.com/Whonix/Whonix/commit/95e00e90d2c96806d735c0e072ee7806f528179e)
Uploaded packages to developers repository. Will migrate soon into testers repository.
While diffing the remote developers apt repository, I noticed that the changes are more intrusive than I thought unfortunately.
Package: apparmor-profile-anondist
Conflicts: diverts-etc++apparmor.d++abstractions++base
Conflicts: diverts-etc++apparmor.d++abstractions++base, diverts-etc++apparmor.d++abstractions++consoles
So I am not sure Whonix Forum is still a good idea.
Accidentally I also upgraded the grub-enable-apparmor package. Nothing important changed.
grub-enable-apparmor $ git diff --name-only 0.2-2
Makefile
README.md
debian/changelog
make-helper.bsh
Fixed, made precautions so this won't happen again:
https://github.com/Whonix/Whonix/commit/4719dd28039ec9c194a6a487635e4df30a7c85e3
Fixed in 10.0.0.1.7-developers-only.
Migrated to testers repository. Tested 9.4. Works quite well overall.
There is an issue, but I can likely fix it.
whonixcheck also needs that right.
Likely fixed. Going to test.
Please review:
- https://github.com/Whonix/apparmor-profile-whonixcheck/commit/17775849d88faabb981d1c8c0490c3b33c45f5bc
- https://github.com/Whonix/apparmor-profile-sdwdate/commit/a53e35e4e4a8f9876a4579c5756f5de39415b832
- https://github.com/Whonix/apparmor-profile-timesync/commit/3e1a019047fff8ed0e9c9a458cd4f70b5edf6f40
Works for me.
Updates testers repository again.
Do you want to test it?
Shall we blog and invite more testing using the testers repository? Profiting from AppArmor profiles, installing them, is now much simpler using the testers repository.
[quote="Patrick, post:457, topic:108"]Likely fixed. Going to test.
Please review:
- https://github.com/Whonix/apparmor-profile-whonixcheck/commit/17775849d88faabb981d1c8c0490c3b33c45f5bc
- https://github.com/Whonix/apparmor-profile-sdwdate/commit/a53e35e4e4a8f9876a4579c5756f5de39415b832
- https://github.com/Whonix/apparmor-profile-timesync/commit/3e1a019047fff8ed0e9c9a458cd4f70b5edf6f40[/quote]
There was a missing slash in "/run/msgcollector rwk,".
Fixed.
- /run/msgcollector/ · troubadoour/apparmor-profile-timesync@a5ffbfd · GitHub
- /run/msgcollector/ · troubadoour/apparmor-profile-sdwdate@9b0e729 · GitHub
- /run/msgcollector/ · troubadoour/apparmor-profile-whonixcheck@c3c4b35 · GitHub
[quote]Shall we blog and invite more testing using the testers repository?[/quote]
Yes. I believe the profiles are usable now. What could (will?) happen is users installing extra packages, and Tor Browser will complain. Also, I have never tested sending files with Pidgin.
In the blog, it might be worth explaining how to report AppArmor messages, with "sudo tail -f /var/log/kern/log".
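A small triage helper for the kind of report suggested above, as an added example that is not part of the original thread: it parses AppArmor DENIED kernel log lines and groups the denied permission letters per profile and path. The first sample line is the denial quoted earlier in the thread; the second line, including its profile name and path, is constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the thread; line 2 is constructed; line 3 is unrelated noise.
SAMPLE_LOG = """\
Nov 7 22:51:47 host kernel: [ 2923.658653] type=1400 audit(1415400707.346:32): apparmor="DENIED" operation="rename_src" parent=1 profile="system_tor" name="/etc/tor/torrc" pid=12507 comm="tor" requested_mask="wd" denied_mask="wd" fsuid=106 ouid=0
Nov 7 22:52:01 host kernel: [ 2937.000001] type=1400 audit(1415400721.000:33): apparmor="DENIED" operation="file_lock" parent=1 profile="/usr/bin/sdwdate" name="/run/sdwdate/example.lock" pid=12600 comm="sdwdate" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Nov 7 22:52:02 host kernel: [ 2938.000001] usb 1-1: new high-speed USB device
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key/value fields of an AppArmor denial line, or None for other lines."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        fields[key] = quoted if quoted else bare
    return fields

def summarize(log_text):
    """Group denials by (profile, name) and union the denied permission letters."""
    summary = defaultdict(lambda: {"mask": set(), "operations": set(), "count": 0})
    for line in log_text.splitlines():
        denial = parse_denial(line)
        if denial is None or "profile" not in denial:
            continue
        entry = summary[(denial["profile"], denial.get("name", ""))]
        entry["mask"].update(denial.get("denied_mask", ""))
        entry["operations"].add(denial.get("operation", ""))
        entry["count"] += 1
    return dict(summary)

def report(log_text):
    """One line per (profile, path), ready to paste into a bug report."""
    lines = []
    for (profile, name), e in sorted(summarize(log_text).items()):
        lines.append(f'{profile}: {name} denied_mask={"".join(sorted(e["mask"]))} '
                     f'operations={",".join(sorted(e["operations"]))} count={e["count"]}')
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
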
[quote="troubadour, post:459, topic:108"][quote author=Patrick link=topic=97.msg5453#msg5453 date=1415796783]
Likely fixed. Going to test.
Please review:
- https://github.com/Whonix/apparmor-profile-whonixcheck/commit/17775849d88faabb981d1c8c0490c3b33c45f5bc
- https://github.com/Whonix/apparmor-profile-sdwdate/commit/a53e35e4e4a8f9876a4579c5756f5de39415b832
- https://github.com/Whonix/apparmor-profile-timesync/commit/3e1a019047fff8ed0e9c9a458cd4f70b5edf6f40
[/quote]
There was a missing slash in "/run/msgcollector rwk,".
Fixed.
- /run/msgcollector/ · troubadoour/apparmor-profile-timesync@a5ffbfd · GitHub
- /run/msgcollector/ · troubadoour/apparmor-profile-sdwdate@9b0e729 · GitHub
- https://github.com/troubadoour/apparmor-profile-whonixcheck/commit/c3c4b35b9f79d1ff3f6b45a44335e78ec65ff052[/quote]
Does the slash make a difference? Does it work without? Does it require updated packages in the repository?
[quote]Yes. I believe the profiles are usable now.[/quote]
As they are currently or do we need your latest fix before the big shout out?