[HOME] [DOWNLOAD] [DOCS] [BLOG] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

Whonix AppArmor Profiles Development Discussion


#521

All merged.


#522

added ‘/usr/lib/sdwdate/restart_fresh rix,’:
https://github.com/Whonix/apparmor-profile-sdwdate/commit/4dc429f5e92d68bad0ce5e251d328cec40fc2792


#523

Merged (in Gateway 11.0.0.2.0).


#524

The profile for control-port-filter-python is ready (usr.sbin.cpfpd). Thanks to HulaHoop for the reminder.

The suggestion is to include it in control-port-filter-python instead of creating a separate AppArmor package. Since I’m maintaining both, it would make sense.


#525

Great! Sure, that was our plan anyhow.


#526

A warning during installation, related to https://phabricator.whonix.org/T313:

[hr]

Some iceweasel denied messages.

Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:67): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/etc/udev/udev.conf" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:68): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:69): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:70): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:71): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/run/udev/data/+pci:0000:00:02.0" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:52 host kernel: audit: type=1400 audit(1433853832.622:72): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/usr/share/mozilla/extensions/{3550f703-e582-4d05-9a08-453d09bdfdc6}/" pid=9998 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

#527

sdwdate denied messages.

Jun 9 23:01:31 host kernel: [10558.315401] audit: type=1400 audit(1433890891.237:39): apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/usr/share/rubygems-integration/all/specifications/RubyInline-3.12.2.gemspec" pid=24331 comm="ruby" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Jun 10 01:05:34 host kernel: [18001.356969] audit: type=1400 audit(1433898334.281:40): apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/usr/share/rubygems-integration/all/specifications/RubyInline-3.12.2.gemspec" pid=4719 comm="ruby" requested_mask="r" denied_mask="r" fsuid=0 ouid=0


#528

[quote=“Patrick, post:527, topic:108”]sdwdate denied messages.

Jun 9 23:01:31 host kernel: [10558.315401] audit: type=1400 audit(1433890891.237:39): apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/usr/share/rubygems-integration/all/specifications/RubyInline-3.12.2.gemspec" pid=24331 comm="ruby" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Jun 10 01:05:34 host kernel: [18001.356969] audit: type=1400 audit(1433898334.281:40): apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/usr/share/rubygems-integration/all/specifications/RubyInline-3.12.2.gemspec" pid=4719 comm="ruby" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [/quote]
Fixed those easy ones:
https://github.com/Whonix/apparmor-profile-sdwdate/commit/f77622c669c21cf94119406dfef41be30b569e7b


#529

Tor Browser Internal Updater related denied messages.

Jun 11 12:33:47 host kernel: [  613.487320] type=1400 audit(1434026027.845:12): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/update.test/" pid=17879 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jun 11 12:33:47 host kernel: [  613.487980] type=1400 audit(1434026027.845:13): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/update.test/" pid=17879 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

#530

Merged. (swdate commit).


#531

#532

[quote=“Patrick, post:529, topic:108”]Tor Browser Internal Updater related denied messages.

Jun 11 12:33:47 host kernel: [ 613.487320] type=1400 audit(1434026027.845:12): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/update.test/" pid=17879 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 Jun 11 12:33:47 host kernel: [ 613.487980] type=1400 audit(1434026027.845:13): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/update.test/" pid=17879 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 [/quote]
They have changed the structure again. Left the old one for backward compatibility.


#533

[quote=“troubadour, post:531, topic:108”][quote author=troubadour link=topic=97.msg8413#msg8413 date=1433794771]
The profile for control-port-filter-python is ready (usr.sbin.cpfpd).
[/quote]
https://github.com/troubadoour/control-port-filter-python/commit/e3dd6731e2570abebc370851bdc45fb12973353d[/quote]
Merged.

Will do the required packaging changes.


#534

packaging of apparmor profile - https://www.whonix.org/forum/index.php/topic,97.msg8456.html#msg8456:
https://github.com/Whonix/control-port-filter-python/commit/f4e7853ee8d8a89d18fbdda19ce193a51e79348e


#535

[quote=“troubadour, post:532, topic:108”][quote author=Patrick link=topic=97.msg8454#msg8454 date=1434051822]
Tor Browser Internal Updater related denied messages.

Jun 11 12:33:47 host kernel: [  613.487320] type=1400 audit(1434026027.845:12): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/update.test/" pid=17879 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jun 11 12:33:47 host kernel: [  613.487980] type=1400 audit(1434026027.845:13): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/update.test/" pid=17879 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

[/quote]
They have changed the structure again. Left the old one for backward compatibility.
https://github.com/troubadoour/apparmor-profile-torbrowser/commit/c1e6cf37e202a371a0420f2eca7659cffb1ec9ad[/quote]
Merged.


#536

[quote=“Patrick, post:526, topic:108”]Some iceweasel denied messages.

Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:67): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/etc/udev/udev.conf" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:68): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:69): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:70): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:71): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/run/udev/data/+pci:0000:00:02.0" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Jun 09 12:43:52 host kernel: audit: type=1400 audit(1433853832.622:72): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/usr/share/mozilla/extensions/{3550f703-e582-4d05-9a08-453d09bdfdc6}/" pid=9998 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 [/quote]
There was a couple of extra messages.


#537

[quote=“troubadour, post:536, topic:108”][quote author=Patrick link=topic=97.msg8426#msg8426 date=1433854337]
Some iceweasel denied messages.

Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:67): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/etc/udev/udev.conf" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:68): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:69): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:70): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:51 host kernel: audit: type=1400 audit(1433853831.678:71): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/run/udev/data/+pci:0000:00:02.0" pid=9999 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 09 12:43:52 host kernel: audit: type=1400 audit(1433853832.622:72): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/usr/share/mozilla/extensions/{3550f703-e582-4d05-9a08-453d09bdfdc6}/" pid=9998 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

[/quote]
There was a couple of extra messages.
https://github.com/troubadoour/apparmor-profile-icedove/commit/725beb002ba482b04de693a8e1e741b1f5327c6f[/quote]
Merged. :slight_smile:


#538

One icedove denied message left.


#539

control-port-filter-python profile seems to work fine. Just now installed the latest package version on Whonix 11 based gateway. “sudo aa-status” shows it contained, no denied messages, functional.

[hr]

(Meant icedove above. Post edited.)


#540

Jun 15 03:24:22 host kernel: [ 373.588702] audit: type=1400 audit(1434338662.640:17): apparmor="DENIED" operation="exec" profile="/usr/bin/timesync" name="/bin/systemd-tty-ask-password-agent" pid=19592 comm="systemctl" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 Jun 15 03:24:22 host kernel: [ 373.871128] audit: type=1400 audit(1434338662.920:18): apparmor="DENIED" operation="exec" profile="/usr/bin/timesync" name="/bin/systemd-tty-ask-password-agent" pid=19830 comm="systemctl" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

Jun 15 03:29:38 host kernel: [  688.764735] audit: type=1400 audit(1434338978.870:23): apparmor="DENIED" operation="mknod" profile="/usr/bin/timesync" name="/run/systemd/ask-password-block/136:2" pid=2093 comm="systemd-tty-ask" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jun 15 03:29:39 host kernel: [  688.971895] audit: type=1400 audit(1434338979.074:24): apparmor="DENIED" operation="mknod" profile="/usr/bin/timesync" name="/run/systemd/ask-password-block/136:2" pid=2349 comm="systemd-tty-ask" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Fixed these:
https://github.com/Whonix/apparmor-profile-timesync/commit/072d5847c928a038070f3fc48bf0a5bae1865b51

Fixed:
https://github.com/Whonix/apparmor-profile-timesync/commit/e513bd970dc0bea6e93142d8ad030ffd7578c74e