In Whonix 14, this
+++ cat /var/run/msgcollector/user/msgdispatcher_pidx
++ pid=1323
++ ps -p 1323
is causing
type=AVC msg=audit(1518277651.459:418): apparmor="DENIED" operation="ptrace" profile="/usr/bin/whonixcheck" pid=12582 comm="ps" requested_mask="trace" denied_mask="trace" peer="/usr/bin/whonixcheck"
How can we fix it?
Is that showing in VirtualBox/KVM ?
I could not reproduce it in VBox. The commands complete without error .
Cannot try in Qubes, no apparmor for the time being.
Qubes.
After last kernel upgrade kernel will have apparmor support. (Using dom0 testing repository. Might need a while until it moves to Qubes dom0 stable. dom0 testing may not be advisable. I update another installation on USB always first to see if nothing breaks.)
Updating frequently from dom0 testing repository. No new kernel.
After the thread http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/apparmor-and-kernel-4-14-18-1-creates-tons-of-kern-log-pop-ups/4811/5
I tried dom0 unstable, no change. The only available kernel is 4.14.13.1
Some Qubes issue, most likely.
I did not reboot the Qubes machine for a few days. In the mean time, I did update many times from dom0 testing.
Just rebooted, the latest kernel is installed.
This should be fixed in
troubadour:
This should be fixed in
fix ptrace denied message · troubadoour/whonixcheck@b714257 · GitHub
Merged! 
Great, would have taken me ages to figure out. Didn’t look easy. Neither
was easy to research.
VirtualBox AppArmor profile warning (Whonix 14)
From the Whonix 14 testing thread, note that the apparmor profile for VirtualBox (when installing apparmor-profiles-whonix) warns:
Warning from /etc/apparmor.d/usr/lib/virtualbox.VirtualBox (/etc/apparmor.d/usr.lib.virtualbox.VirtualBox line 50): Unconfined exec qualifer (ux) allows some dangerous environment variables to be passed to the unconfined process; ‘man 5 apparmor.d’ for details.
Probably low priority, but worthy of investigation.
From http://forums.kkkkkkkkkk63ava6.onion/t/long-wiki-edits-thread/3477/569
How about implementing this OnionShare AppArmor profile in Whonix?
Improve AppArmor profiles and enforce them. · onionshare/onionshare@6cceac3 · GitHub
Already has upstream.
https://github.com/micahflee/onionshare/tree/develop/apparmor
I think we should remove the VirtualBox profile from apparmor-profiles-whonix. This is a very early one, and it was meant to be used in the host.
If someone feels like installing AppArmor in their host, enforce the profile and start Whonix, they are welcome.
Good idea. Done.
https://github.com/Whonix/grub-live/pull/1
Why is alias / -> /rw/, not enough?
Why is explicitly…
alias /var/lib/ -> /rw/var/lib/,
alias /var/lib/tor/ -> /rw/var/lib/tor/,
additionally required?
In doubt, could you ask upstream apparmor developer mailing list please?
I think it belongs here apparmor-profile-dist/qubes-whonix-anondist at master · Kicksecure/apparmor-profile-dist · GitHub?
//cc @Algernon
These are known issues of apparmor + overlayfs. Some other examples:
https://github.com/subgraph/subgraph_desktop_stretch/issues/1
https://labs.riseup.net/code/issues/9045
Just using “alias / → /rw/,” will still lead to denied messages in some cases. The easy workaround is to also add the denied path as an alias.
If the live mode gets tested more some more denied messages could maybe be expected.At least every denied message with “/rw/” in the path would be related to overlayfs.
Can you please move to apparmor-profile-anondist, remove from your other two packages and reference Bug #888077 “alias rules being only partially applied” : Bugs : AppArmor in the comment?
I opened some pull request for this.
All merged.