Whonix AppArmor Profiles Development Discussion

When you press edit you see at the bottom “Templates used on this page:”. There you can find the link.

The link to the template is:
https://www.whonix.org/wiki/Template:AppArmorProfileWarning

If we were to just use it once on whole whonix.org, we wouldn’t need a template. These are useful for repeating text blocks, so when the text block gets changed only the template gets changed.

If we’d use the template only on the top, people who follow deep links will miss it.

I have modified the AppArmor page. The profiles are now in their own page. The text is untouched.

Some page names are messed up. I try fixing them.

I think we should name these pages AppArmor/Icedove and so forth. What do you think?

We could also leave the AppArmor/ out. When we some day get a page named Icedove with general documentation, do we want the AppArmor profile in the Iceweasel page or in the AppArmor/Iceweasel page?

Something went wrong last night. I have put the profiles in [[AppArmor/‘package_name’]]. If we want to include them in dedicated pages later on (Icedove page, TBB page…), there must be a way to rename the pages and their links…?

The original pages ‘VirtualBox profile’ and ‘Pidgin profile’ should be deleted. Not done. The other two were deleted already.

Renaming is possible. I fixed all these links.

I think it isn’t a good idea to write [[pagename including (, ) and/or " " | description of page]] and then to click on those links. It will create really ugly page names. It’s better to manually enter into the browser https://www.whonix.org/wiki/AppArmor/Tor_Browser_Bundle_(TBB).

When someone copies and pastes the url from the browser, it will look really bad:
https://www.whonix.org/wiki/AppArmor/Tor_Browser_Bundle_(TBB)

I guess it would be better if we omitted those ( ). If you agree, I will rename the page.

Can you check please if these pages all look ok? Eventually just copy and paste your profile versions from your hdd to the wiki pages again to make sure no changes are lost.

Yes, I realize that the page naming is confusing. Please rename them at your liking, and feel free to add, delete or modify the text around them. There is no copyright and in absolutely no way, the right of troubadour to be identified as the author of this work can ever, hopefully, be asserted… 8)

The profiles are checked and OK. When I make modifications in my local copy while testing, I copy/paste the whole profile in the wiki, and the other way around for small modifications in the wiki, after messages you report, for example.

Page names are all sorted out now.

Fonts look different with Pidgin AppArmor profile enabled. Have you tested Pidgin with OTR?

In AppArmor you wrote:

[code]
# In <abstractions/kde>
/usr/bin/kde4-config rix,
[/code]

This is not the case for me.

kwrite /etc/apparmor.d/abstractions/kde

[code]
# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2006 Novell/SUSE
#    Copyright (C) 2009-2011 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/X>
#include <abstractions/freedesktop.org>
#include <abstractions/xdg-desktop>
#include <abstractions/user-tmp>

/etc/qt3/kstylerc r,
/etc/qt3/qt_plugins_3.3rc r,
/etc/qt3/qtrc r,
/etc/kderc r,
/etc/kde3/* r,
/etc/kde4rc r,

@{HOME}/.DCOPserver_* r,
@{HOME}/.ICEauthority r,
@{HOME}/.fonts.* lrw,
@{HOME}/.kde{,4}/share/config/kdeglobals rw,
@{HOME}/.kde{,4}/share/config/*.lock rwl,
@{HOME}/.qt/** rw,
@{HOME}/.config/Trolltech.conf rwk,

/usr/share/icons/ r,
/usr/share/icons/** r,
/usr/share/X11/XKeysymDB r,

# kde3
/usr/lib*/kde3/plugins/styles/ r,
/usr/lib*/kde3/plugins/styles/* mr,
/usr/lib*/kde3/lib*.so mr,
/usr/lib/@{multiarch}/kde3/plugins/styles/ r,
/usr/lib/@{multiarch}/kde3/plugins/styles/* mr,
/usr/lib/@{multiarch}/kde3/lib*.so mr,
/usr/lib*/qt3/lib*/lib*.so* mr,
/usr/lib*/qt3/plugins/** mr,
/usr/lib/@{multiarch}/qt3/lib*/lib*.so* mr,
/usr/lib/@{multiarch}/qt3/plugins/** mr,
/usr/lib*/libqt-mt.so* mr,
/usr/lib*/libqui.so* mr,
/usr/lib/@{multiarch}/libqt-mt.so* mr,
/usr/lib/@{multiarch}/libqui.so* mr,
/usr/share/qt3/lib*/libqt-mt.so* mr,
/usr/share/qt3/lib*/libqui.so* mr,

# kde4
/usr/lib*/kde4/plugins/*/*.so mr,
/usr/lib*/kde4/plugins/*/ r,
/usr/lib*/kde4/lib*.so* mr,
/usr/lib/@{multiarch}/kde4/plugins/*/*.so mr,
/usr/lib/@{multiarch}/kde4/plugins/*/ r,
/usr/lib/@{multiarch}/kde4/lib*.so* mr,
/usr/lib*/qt4/lib*/lib*.so* mr,
/usr/lib*/qt4/plugins/** mr,
/usr/lib/@{multiarch}/qt4/lib*/lib*.so* mr,
/usr/lib/@{multiarch}/qt4/plugins/** mr,
/usr/share/qt4/** r,
[/code]

Doesn’t include kde4-config.

Strange?

Hence I am getting.

type=1400 audit(1394291840.323:35): apparmor="DENIED" operation="exec" parent=6677 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/bin/kde4-config" pid=6689 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

We have the same versions of <abstractions/kde>. My mistake. Modified the profile accordingly. What is strange is that it does not flash a message here.

Fonts look different with Pidgin AppArmor profile enabled. Have you tested Pidgin with OTR?

No. I have just installed ‘pidgin-otr’ (apt-get) and I’ll check.

Okay.

Got another denied message.

I’ve started the Debian packaging:

It is already functional. Installation, loading the apparmor profile and uninstallation is functional. (By default on uninstallation the profile does not get automatically unloaded.)

This means, once ready and uploaded to Whonix repository one can run sudo apt-get install apparmor-profile-torbrowser and be done with it.

Can be built using ./build. Cleanup of the debian folder is possible using ./clean.

Increasing version numbers involves 1) editing build and 2) debian/changelog (using dch). I hope 1) can be omitted some day, but I have no idea how creation of the upstream tarball could be automated.

Please check the copyright. Eventually try to build it.

Do you speak git?

When this package is finished, this one can be used as template and this process can be easily repeated for the other profiles.

The package isn’t deterministic yet, I try to work on that.

Package is now deterministic.

I've started the Debian packaging: https://github.com/Whonix/apparmor-profile-torbrowser

This is great news! There are two new profiles I have just added and that you can package straight away, I think. timesync and whonixcheck have their AppArmor page. Since there is no user interference for those, they should be safe. They are in place here.

The output of ‘aa-status’ while running whonixcheck:

user@host:/etc/apparmor.d$ sudo aa-status
AppArmor available in kernel.
7 profiles are loaded.
7 profiles are in enforce mode.
   /*
   /home/user/tor-browser_en-US/Browser/firefox
   /usr/bin/pidgin
   /usr/bin/pidgin//launchpad_integration
   /usr/bin/timesync
   /usr/bin/whonixcheck
   /usr/lib/icedove/icedove
0 profiles are in complain mode.
16 processes have profiles defined.
16 processes are in enforce mode.
   /home/user/tor-browser_en-US/Browser/firefox (15587) 
   /usr/bin/pidgin (13706) 
   /usr/bin/timesync (13914) 
   /usr/bin/timesync (30674) 
   /usr/bin/whonixcheck (14171) 
   /usr/bin/whonixcheck (17549) 
   /usr/bin/whonixcheck (17550) 
   /usr/bin/whonixcheck (17551) 
   /usr/bin/whonixcheck (17589) 
   /usr/bin/whonixcheck (17590) 
   /usr/bin/whonixcheck (17591) 
   /usr/bin/whonixcheck (17592) 
   /usr/bin/whonixcheck (17601) 
   /usr/bin/whonixcheck (17609) 
   /usr/bin/whonixcheck (17616) 
   /usr/lib/icedove/icedove (27539) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

The Icedove and TBB profiles have been updated to make them more robust.

  • Allowed everything under ‘/usr/share/applications/’ so you should get less messages when testing new packages. As far as I understand, there is nothing sensitive there.
  • Added <abstractions/audio> to take care of any situation with audio.

Do you speak git?

Unfortunately, I am far from being fluent. Let me finish fine tuning Pidgin, start the dev/Apparmor page… My plan was to give more time to git, but the profiles have used most of it, lately.

I think this change was a mistake:

AppArmor using Icedove.

Corrected.

whonixcheck denied message.

And I needed to add awk and gawk as well. (Testing on Whonix-Workstation.)

Timesync denied messages.

Mar 9 21:44:25 host kernel: [29227.138843] type=1400 audit(1394401465.724:378): apparmor="DENIED" operation="exec" parent=13306 profile="/usr/bin/timesync" name="/usr/bin/gawk" pid=13308 comm="timesync" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Mar 9 21:44:25 host kernel: [29227.138868] type=1400 audit(1394401465.724:379): apparmor="DENIED" operation="open" parent=13306 profile="/usr/bin/timesync" name="/usr/bin/gawk" pid=13308 comm="timesync" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 9 21:44:25 host kernel: [29227.200141] type=1400 audit(1394401465.788:380): apparmor="DENIED" operation="open" parent=13309 profile="/usr/bin/timesync" name="/etc/security/capability.conf" pid=13369 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
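To turn denials like the timesync ones above and the earlier kde4-config report into candidate profile lines, here is an added Python example; it is not code from this thread or from Whonix. It assumes that exec denials should become `rix` (the child inherits the confining profile, as the thread's own profiles do) and that every other denial gets exactly the denied mask and nothing broader; the sample log is constructed from the lines quoted in this thread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: one bare audit line and three kernel-log lines with a
# syslog prefix, modelled on the denials quoted in this thread.
SAMPLE_LOG = """\
type=1400 audit(1394291840.323:35): apparmor="DENIED" operation="exec" parent=6677 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/bin/kde4-config" pid=6689 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Mar 9 21:44:25 host kernel: [29227.138843] type=1400 audit(1394401465.724:378): apparmor="DENIED" operation="exec" parent=13306 profile="/usr/bin/timesync" name="/usr/bin/gawk" pid=13308 comm="timesync" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Mar 9 21:44:25 host kernel: [29227.138868] type=1400 audit(1394401465.724:379): apparmor="DENIED" operation="open" parent=13306 profile="/usr/bin/timesync" name="/usr/bin/gawk" pid=13308 comm="timesync" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 9 21:44:25 host kernel: [29227.200141] type=1400 audit(1394401465.788:380): apparmor="DENIED" operation="open" parent=13309 profile="/usr/bin/timesync" name="/etc/security/capability.conf" pid=13369 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# AppArmor audit records are a sequence of key="value" fields; the syslog
# prefix and the audit(...) stamp contain no quoted fields, so they are skipped.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the quoted fields of one DENIED record, or None for anything else."""
    if 'apparmor="DENIED"' not in line:
        return None
    return dict(FIELD_RE.findall(line))


def suggest_rules(log: str) -> Dict[str, List[str]]:
    """Map each profile to candidate file rules covering the logged denials.

    Masks are merged per (profile, path), so the two gawk denials (exec, then
    open) collapse into one rule. Exec denials get 'rix' (assumption: inherit
    the confining profile); everything else keeps only what was denied.
    """
    masks: Dict[tuple, set] = {}
    for line in log.splitlines():
        d = parse_denial(line)
        if d is None or "name" not in d:
            continue
        m = masks.setdefault((d["profile"], d["name"]), set())
        m.update(d.get("denied_mask", ""))
        if d.get("operation") == "exec":
            m.update("rix")
    rules: Dict[str, List[str]] = {}
    for (profile, path), m in masks.items():
        perms = "".join(c for c in "mrwlkix" if c in m)  # canonical order
        rules.setdefault(profile, []).append(f"{path} {perms},")
    return rules


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"# {profile}")
        print("\n".join(lines))
```

Treat the output as a review list, not something to paste blindly: a denial on a path like /etc/security/capability.conf may be better answered by the existing abstraction that already covers it, and a broad exec target may warrant a separate child profile rather than `ix`.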

Profile edited. Yet, it's strange.

Also added ‘/ r,’. Got a denied message.