Whonix AppArmor Profiles Development Discussion

All merged.

added ‘/usr/lib/sdwdate/restart_fresh rix,’:
https://github.com/Whonix/apparmor-profile-sdwdate/commit/4dc429f5e92d68bad0ce5e251d328cec40fc2792

Merged (in Gateway 11.0.0.2.0).

The profile for control-port-filter-python is ready (usr.sbin.cpfpd). Thanks to HulaHoop for the reminder.

The suggestion is to include it in control-port-filter-python instead of creating a separate AppArmor package. Since I’m maintaining both, it would make sense.

Great! Sure, that was our plan anyhow.

A warning during installation, related to Login

Warning from /etc/apparmor.d/usr.lib.virtualbox.VirtualBox (/etc/apparmor.d/usr.lib.virtualbox.VirtualBox line 50): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.

[hr]

Some iceweasel denied messages.

Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:67): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/etc/udev/udev.conf" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:68): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:69): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:70): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:71): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/run/udev/data/+pci:0000:00:02.0" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:52 host kernel: audit: type=1400 audit(1433853832.622:72): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/usr/share/mozilla/extensions/{3550f703-e582-4d05-9a08-453d09bdfdc6}/" pid=9998 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

sdwdate denied messages.

Jun 9 23:01:31 host kernel: [10558.315401] audit: type=1400 audit(1433890891.237:39): apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/usr/share/rubygems-integration/all/specifications/RubyInline-3.12.2.gemspec" pid=24331 comm="ruby" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 10 01:05:34 host kernel: [18001.356969] audit: type=1400 audit(1433898334.281:40): apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/usr/share/rubygems-integration/all/specifications/RubyInline-3.12.2.gemspec" pid=4719 comm="ruby" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

[quote=“Patrick, post:527, topic:108”]sdwdate denied messages.

Jun 9 23:01:31 host kernel: [10558.315401] audit: type=1400 audit(1433890891.237:39): apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/usr/share/rubygems-integration/all/specifications/RubyInline-3.12.2.gemspec" pid=24331 comm="ruby" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 10 01:05:34 host kernel: [18001.356969] audit: type=1400 audit(1433898334.281:40): apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/usr/share/rubygems-integration/all/specifications/RubyInline-3.12.2.gemspec" pid=4719 comm="ruby" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [/quote]
Fixed those easy ones:
https://github.com/Whonix/apparmor-profile-sdwdate/commit/f77622c669c21cf94119406dfef41be30b569e7b

Tor Browser Internal Updater related denied messages.

Jun 11 12:33:47 host kernel: [  613.487320] type=1400 audit(1434026027.845:12): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/update.test/" pid=17879 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jun 11 12:33:47 host kernel: [  613.487980] type=1400 audit(1434026027.845:13): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/update.test/" pid=17879 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Merged. (sdwdate commit).

[quote=“Patrick, post:529, topic:108”]Tor Browser Internal Updater related denied messages.

Jun 11 12:33:47 host kernel: [ 613.487320] type=1400 audit(1434026027.845:12): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/update.test/" pid=17879 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jun 11 12:33:47 host kernel: [ 613.487980] type=1400 audit(1434026027.845:13): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/update.test/" pid=17879 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 [/quote]
They have changed the structure again. Left the old one for backward compatibility.

[quote=“troubadour, post:531, topic:108”][quote author=troubadour link=topic=97.msg8413#msg8413 date=1433794771]
The profile for control-port-filter-python is ready (usr.sbin.cpfpd).
[/quote]
https://github.com/troubadoour/control-port-filter-python/commit/e3dd6731e2570abebc370851bdc45fb12973353d[/quote]
Merged.

Will do the required packaging changes.

packaging of apparmor profile - Whonix Forum
https://github.com/Whonix/control-port-filter-python/commit/f4e7853ee8d8a89d18fbdda19ce193a51e79348e

[quote=“troubadour, post:532, topic:108”][quote author=Patrick link=topic=97.msg8454#msg8454 date=1434051822]
Tor Browser Internal Updater related denied messages.

Jun 11 12:33:47 host kernel: [  613.487320] type=1400 audit(1434026027.845:12): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/update.test/" pid=17879 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jun 11 12:33:47 host kernel: [  613.487980] type=1400 audit(1434026027.845:13): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/update.test/" pid=17879 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

[/quote]
They have changed the structure again. Left the old one for backward compatibility.
https://github.com/troubadoour/apparmor-profile-torbrowser/commit/c1e6cf37e202a371a0420f2eca7659cffb1ec9ad[/quote]
Merged.

[quote=“Patrick, post:526, topic:108”]Some iceweasel denied messages.

Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:67): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/etc/udev/udev.conf" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:68): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:69): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:70): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:71): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/run/udev/data/+pci:0000:00:02.0" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:52 host kernel: audit: type=1400 audit(1433853832.622:72): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/usr/share/mozilla/extensions/{3550f703-e582-4d05-9a08-453d09bdfdc6}/" pid=9998 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 [/quote]
There were a couple of extra messages.

[quote=“troubadour, post:536, topic:108”][quote author=Patrick link=topic=97.msg8426#msg8426 date=1433854337]
Some iceweasel denied messages.

Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:67): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/etc/udev/udev.conf" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:68): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:69): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:70): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:71): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/run/udev/data/+pci:0000:00:02.0" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:52 host kernel: audit: type=1400 audit(1433853832.622:72): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/usr/share/mozilla/extensions/{3550f703-e582-4d05-9a08-453d09bdfdc6}/" pid=9998 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

[/quote]
There were a couple of extra messages.
https://github.com/troubadoour/apparmor-profile-icedove/commit/725beb002ba482b04de693a8e1e741b1f5327c6f[/quote]
Merged. :slight_smile:

One icedove denied message left.

control-port-filter-python profile seems to work fine. Just now installed the latest package version on Whonix 11 based gateway. “sudo aa-status” shows it contained, no denied messages, functional.

[hr]

(Meant icedove above. Post edited.)

Jun 15 03:24:22 host kernel: [ 373.588702] audit: type=1400 audit(1434338662.640:17): apparmor="DENIED" operation="exec" profile="/usr/bin/timesync" name="/bin/systemd-tty-ask-password-agent" pid=19592 comm="systemctl" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jun 15 03:24:22 host kernel: [ 373.871128] audit: type=1400 audit(1434338662.920:18): apparmor="DENIED" operation="exec" profile="/usr/bin/timesync" name="/bin/systemd-tty-ask-password-agent" pid=19830 comm="systemctl" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

Jun 15 03:29:38 host kernel: [  688.764735] audit: type=1400 audit(1434338978.870:23): apparmor="DENIED" operation="mknod" profile="/usr/bin/timesync" name="/run/systemd/ask-password-block/136:2" pid=2093 comm="systemd-tty-ask" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jun 15 03:29:39 host kernel: [  688.971895] audit: type=1400 audit(1434338979.074:24): apparmor="DENIED" operation="mknod" profile="/usr/bin/timesync" name="/run/systemd/ask-password-block/136:2" pid=2349 comm="systemd-tty-ask" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Fixed these:
https://github.com/Whonix/apparmor-profile-timesync/commit/072d5847c928a038070f3fc48bf0a5bae1865b51

Jun 15 03:36:12 host kernel: [ 1082.089226] audit: type=1400 audit(1434339372.194:51): apparmor="DENIED" operation="open" profile="/usr/bin/timesync" name="/sys/fs/cgroup/systemd/system.slice/timesanitycheck.service/cgroup.procs" pid=18500 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Fixed:
https://github.com/Whonix/apparmor-profile-timesync/commit/e513bd970dc0bea6e93142d8ad030ffd7578c74e
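Each "Fixed" commit in this thread is the same step: read the `apparmor="DENIED"` audit lines and turn them into profile rules. As an added example, not code from the thread or from Whonix, here is a small Python parser that does that mechanically for such lines, including records the forum flattened onto a single line, and groups the candidate rules per profile. The sample log is a constructed copy of the timesync records above; the mask mapping (audit `c`/`d` become `w` in a rule) follows AppArmor's audit-mask semantics, and exec denials are deliberately only flagged, because the exec qualifier is a policy choice (the `ux` warning earlier in the thread shows why).

```python
import re

# Constructed sample: two AppArmor DENIED records of the kind posted in this
# thread, flattened onto one line the way the forum software did.
SAMPLE_LOG = (
    'Jun 15 03:24:22 host kernel: [ 373.588702] audit: type=1400 '
    'audit(1434338662.640:17): apparmor="DENIED" operation="exec" '
    'profile="/usr/bin/timesync" name="/bin/systemd-tty-ask-password-agent" '
    'pid=19592 comm="systemctl" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 '
    'Jun 15 03:29:38 host kernel: [  688.764735] audit: type=1400 '
    'audit(1434338978.870:23): apparmor="DENIED" operation="mknod" '
    'profile="/usr/bin/timesync" name="/run/systemd/ask-password-block/136:2" '
    'pid=2093 comm="systemd-tty-ask" requested_mask="c" denied_mask="c" fsuid=0 ouid=0'
)

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# A new record starts at every audit(<secs>.<ms>:<serial>) stamp, even mid-line.
RECORD_RE = re.compile(r'audit\(\d+\.\d+:\d+\):')
# Audit masks report c (create) and d (delete); profile rules express both as w.
MASK_TO_PERM = {"c": "w", "d": "w"}

def parse_denials(text):
    """Return one {field: value} dict per apparmor="DENIED" record in text."""
    chunks = RECORD_RE.split(text)[1:]
    records = [dict(FIELD_RE.findall(c)) for c in chunks]
    return [r for r in records if r.get("apparmor") == "DENIED"]

def suggest_rules(records):
    """Group denials by profile and turn each into a candidate rule line.

    Exec denials ('x') are only flagged: the exec qualifier (ix, Px, Cx, ux)
    is a policy choice, and ux hands the child an unconfined environment.
    Paths are emitted literally; globbing them (e.g. /home/*/tor-browser_*/)
    is left to the profile author.
    """
    by_profile = {}
    for r in records:
        name, mask = r["name"], r["denied_mask"]
        if "x" in mask:
            rule = f"# REVIEW exec: {name} (comm={r.get('comm')}) - choose ix/Px/Cx, avoid ux"
        else:
            perms = "".join(sorted({MASK_TO_PERM.get(ch, ch) for ch in mask}))
            rule = f"{name} {perms},"
        by_profile.setdefault(r["profile"], set()).add(rule)
    return {p: sorted(rules) for p, rules in by_profile.items()}

if __name__ == "__main__":
    for profile, rules in suggest_rules(parse_denials(SAMPLE_LOG)).items():
        print(f"profile {profile} {{\n  " + "\n  ".join(rules) + "\n}")
```

Feed it `journalctl -k` output or a pasted forum post; every suggested line still needs a human to decide whether the access is legitimate before it goes into the profile.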