Whonix AppArmor Profiles Development Discussion

I don't know how well this answers your question. You tell me.
Well enough. The original purpose of the testers repository was forgotten some time ago, it seems. But still, if it's not too much overwork, why not put the packages for the next release in the developers repository, and the ones that need upgrading between releases in the testers repository (from here, it looks easy :D)?
We could do this as a release goal for Whonix 11. Since we fully control these packages, this should be doable. If we well test this before release, there shouldn't be much need for AppArmor fixes then?
Yes. Actually, the package maintainer becomes the AppArmor profile maintainer, which makes sense. In Ubuntu, lots of profiles are included in the packages. https://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/files/head:/ubuntu/15.04/ (see the files with ~220 bytes size). Most of the daemons, but also bigger clients like Evince.
apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.sdwdate

Looks like it does that all for us automatically? No manual reload required?
I was not meaning a manual reload. I guess dh-apparmor is taking care of that (still in wonder with the debhelper magic), so it's fine.

Well enough. The original purpose of the testers repository was forgotten some time ago, it seems. But still, if it’s not too much overwork, why not put the packages for the next release in the developers repository, and the ones that need upgrading between releases in the testers repository (from here, it looks easy :D)?
That works for some time, but at some point we need testers who test if upgrading to the next major version would work.

Updates.

  • apparmor-profile-torbrowser
    New directory and files in TBB 4.5a3 when using the internal updater.

  • apparmor-profile-icedove (enigmail)
    A few new denied messages when importing a key.

Good that you caught them before Whonix 10. Merged.

Are we installing the profiles in Whonix 10?

Not by default. But easily installable from the stable repository without referring to the testers repository which is less than ideal.

I think the stable-fixes-testers repository (⚓ T200 stable-proposed-updates repository required) would also help with apparmor profiles.

We wanted to install them by default for applications developed under the Whonix umbrella for Whonix 11. Created ⚓ T201 install apparmor profiles for software developed under the Whonix umbrella by default as reminder.

Small update. Seemed handy. Legally imported this from Tails documentation (Tails - Browsing the web with Tor Browser):
Tor Browser Essentials

Can be improved a bit after release of Whonix 10.

Is there anything we don’t know or do you on this page?

https://tails.boum.org/contribute/design/application_isolation/

I missed that one. Will have a look.

Hello, I have installed a fresh Whonix Gateway 9.6, updated the packages, enabled testers repository, installed apparmor profiles, updated whonix packages to the testers versions and I got an apparmor denied message for whonixcheck, “/usr/share/tor/tor-service-defaults-torrc.anondist”

Is this a known bug? It went away after I restarted the system.

And got these on workstation

Profile: /usr/bin/sdwdate
Operation: mkdir
Name: /var/cache/sdwdate/sclockadj/.ruby_inline/
Denied: c

Profile: /usr/bin/sdwdate
Operation: exec
Name: /usr/lib/sdwdate/sclockadj_debug_helper
Denied: x
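The two denials above are the summary form of what AppArmor writes to the kernel log or auditd. As an added example (not code from the thread or from the Whonix packages), the Python below parses raw AppArmor audit records into that Profile/Operation/Name/Denied summary and turns each DENIED record into a candidate profile line, roughly what aa-logprof offers interactively. The sample log lines are constructed to reproduce the sdwdate denials quoted here; their pids, comm values and timestamps are made up, and the third record (an ALLOWED one, as complain mode logs) and the SYSCALL line are there to show what gets skipped.

```python
import re
from collections import namedtuple

# Constructed sample records in the auditd/kernel format AppArmor emits.
# The first two mirror the sdwdate denials quoted in the thread; pid, comm
# and timestamps are invented. The ALLOWED record is what complain mode logs.
SAMPLE_LOG = """\
type=AVC msg=audit(1425050091.123:45): apparmor="DENIED" operation="mkdir" profile="/usr/bin/sdwdate" name="/var/cache/sdwdate/sclockadj/.ruby_inline/" pid=1234 comm="ruby" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1425050092.456:46): apparmor="DENIED" operation="exec" profile="/usr/bin/sdwdate" name="/usr/lib/sdwdate/sclockadj_debug_helper" pid=1235 comm="sdwdate" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
type=AVC msg=audit(1425050093.789:47): apparmor="ALLOWED" operation="open" profile="/usr/bin/whonixcheck" name="/usr/share/tor/tor-service-defaults-torrc.anondist" pid=1300 comm="whonixcheck" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1425050093.790:48): arch=c000003e syscall=59 success=yes
"""

Denial = namedtuple("Denial", "profile operation name mask status")

# Every interesting AppArmor field is a quoted key="value" pair; unquoted
# fields such as pid=1234 or msg=audit(...) are deliberately not matched.
_KV = re.compile(r'(\w+)="([^"]*)"')

# Mask letters as they appear in the log versus the permission that grants
# them in a rule: create (c) and delete (d) are covered by w.
_MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                 "m": "m", "k": "k", "l": "l"}


def parse_apparmor_line(line):
    """Return a Denial for an AppArmor audit record, None for any other line."""
    fields = dict(_KV.findall(line))
    status = fields.get("apparmor")
    if status is None:
        return None
    return Denial(
        profile=fields.get("profile", ""),
        operation=fields.get("operation", ""),
        name=fields.get("name", ""),
        mask=fields.get("denied_mask") or fields.get("requested_mask", ""),
        status=status,
    )


def parse_log(text):
    """Parse a whole log, keeping only AppArmor records."""
    records = [parse_apparmor_line(line) for line in text.splitlines()]
    return [r for r in records if r is not None]


def suggest_rule(denial):
    """Turn one DENIED file record into a candidate profile line.

    Exec denials get ix, which keeps the child confined by the same profile;
    a maintainer may still prefer px or cx. Non-file names and non-DENIED
    records return None.
    """
    if denial.status != "DENIED" or not denial.name.startswith("/"):
        return None
    if denial.operation == "exec" or "x" in denial.mask:
        return f"{denial.name} ix,"
    perms = "".join(sorted({_MASK_TO_PERM[c] for c in denial.mask
                            if c in _MASK_TO_PERM}))
    return f"{denial.name} {perms}," if perms else None


def format_report(records):
    """The Profile/Operation/Name/Denied summary users paste into the forum."""
    blocks = [f"Profile: {d.profile}\nOperation: {d.operation}\n"
              f"Name: {d.name}\nDenied: {d.mask}\n"
              for d in records if d.status == "DENIED"]
    return "\n".join(blocks)


def summarize(records):
    """Candidate rule lines per profile, deduplicated, DENIED records only."""
    by_profile = {}
    for d in records:
        rule = suggest_rule(d)
        if rule and rule not in by_profile.setdefault(d.profile, []):
            by_profile[d.profile].append(rule)
    return by_profile


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(format_report(recs))
    for profile, rules in summarize(recs).items():
        print(f"# candidate additions for {profile} (review before adopting):")
        for rule in rules:
            print("  " + rule)
```

On a real system the input would be `journalctl -k` or `/var/log/audit/audit.log` piped into `parse_log`; the suggested lines are starting points for the profile maintainer to review, not rules to add blindly, since a mkdir under `.ruby_inline/` says nothing about whether that directory should be writable at all.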

If you go to the search above in the forum and search for e.g. mkdir or exec, in one of the results you will find this:

Read them, hope it solves your problem :)

Got this on 10.0.0.5.0 using testers repository and “sudo apt-get install apparmor-profiles-whonix”.

Setting up apparmor-profile-pidgin (3:1.0-1) ... Warning from /etc/apparmor.d/usr.bin.pidgin (/etc/apparmor.d/usr.bin.pidgin line 92): profile /usr/bin/pidgin network rules not enforced

user@host:~$ sudo aa-enforce /etc/apparmor.d/usr.bin.pidgin Setting /etc/apparmor.d/usr.bin.pidgin to enforce mode.

Any idea why that could be?

Yes. When the profile is installed by apt-get, it’s loaded in the kernel and it shows the “network rules” message. Subsequent aa-enforce or apparmor_parser -r (replace) do not reload the profile if it was not changed. To get back the warning, you can try “sudo service apparmor reload” (or modify the profile and replace it with apparmor_parser).

That does not explain the “network rules not enforced” message, but there is much more to it. After installing Pidgin, it does not start because of a litany of denied messages. It’s not making any sense, so I replaced the profile from Debian/Ubuntu (commit b56f71a) with the original one from Whonix. It works.

I have no idea why this is happening. The Debian profile is working without issue in jessie. I think we’ll use it again when Whonix is based on jessie.

Alright. Did a quick check on the Pidgin profile, merged and bumped changelog version. Will be included in next testers-only version.

From https://phabricator.whonix.org/T304

In T304#4499, @HulaHoop wrote:
You probably agree the same stance should be taken for other components like apparmor profiles whenever upstream incorporates theirs in Debian.

What follows is a summary of what troubadour and I agreed, as far as I remember. troubadour, please correct me if anything is wrong.

Current status of AppArmor and Whonix:

  • we do enable apparmor by default for a while now (https://github.com/Whonix/grub-enable-apparmor)
  • therefore The Tor Project’s apparmor profile for Tor is in use on Whonix-Gateway
  • we tweak that one a bit to make it work with Whonix and obfsproxy (anon-gw-anonymizer-config/etc/apparmor.d/local/system_tor.anondist at master · Whonix/anon-gw-anonymizer-config · GitHub)
  • we don’t install any apparmor profiles by default as of Whonix 10
  • we do not plan on installing apparmor profiles by default for packages that are not developed under the Whonix umbrella such as for Tor Browser, pidgin, xchat, etc. (list: Whonix · GitHub) - package upgrades by upstream that we don’t control could make it impossible to start the application and lead to eventual fingerprinting issues, therefore installation of such apparmor profiles is manual for testers and advanced users
  • upstreaming such profiles is a very time consuming process, also a slow process (requires a new stable debian release), help welcome
  • for apparmor profiles developed under the Whonix umbrella such as sdwdate, whonixcheck, we plan in future for Whonix 12 or so on deprecating the separate apparmor profiles and installing those profiles by default, that is doable, because we control package upgrades

If this is correct, I would like to turn this into a blog post.

Yes, that’s what we agreed.

The Whonix profiles can be installed with

sudo apt-get install apparmor-profiles-whonix

We no longer install the profiles from Debian (packages apparmor-profiles, apparmor-profiles-extra) since Whonix 9 (I believe) because of the noise they generate in this forum.

That was for wheezy based Whonix. Whonix 11 is based on jessie, and the issues are supposed to be fixed. Well, not completely. After installing the Debian profiles in Whonix 11.0.0.0.3, we still have some warnings (conflicting x modifiers). Have not looked into it yet. For information, reloading AppArmor in the host (jessie) pops some errors too.

Created a ticket as reminder:
apparmor issues Whonix 11 / jessie
https://phabricator.whonix.org/T313

Blog post:

Pushed some updates to whonixcheck, sdwdate and timesync profiles, mostly related to systemd in Whonix 11.0.0.1.8.