
Whonix AppArmor Profiles Development Discussion


#661

In Whonix 14, this

+++ cat /var/run/msgcollector/user/msgdispatcher_pidx
++ pid=1323
++ ps -p 1323

is causing

type=AVC msg=audit(1518277651.459:418): apparmor="DENIED" operation="ptrace" profile="/usr/bin/whonixcheck" pid=12582 comm="ps" requested_mask="trace" denied_mask="trace" peer="/usr/bin/whonixcheck"

How can we fix it?


#662

Is that showing in VirtualBox/KVM ?

I could not reproduce it in VBox. The commands complete without error.

Cannot try in Qubes, no apparmor for the time being.


#663

Qubes.

After the last kernel upgrade, the kernel will have AppArmor support. (Using the dom0 testing repository. It might take a while until it moves to Qubes dom0 stable. dom0 testing may not be advisable. I always update another installation on USB first to see if nothing breaks.)


#664

Updating frequently from dom0 testing repository. No new kernel.

After the thread http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/apparmor-and-kernel-4-14-18-1-creates-tons-of-kern-log-pop-ups/4811/5

I tried dom0 unstable, no change. The only available kernel is 4.14.13.1


#665

Some Qubes issue, most likely.

I did not reboot the Qubes machine for a few days. In the meantime, I updated many times from dom0 testing.

Just rebooted, the latest kernel is installed.


#666

This should be fixed in


#667

troubadour:

This should be fixed in
https://github.com/troubadoour/whonixcheck/commit/b714257e39003f84fa95a3d68a3668592fbdbb55

Merged! :slight_smile:

Great, would have taken me ages to figure out. Didn’t look easy. Neither was easy to research.


#668

VirtualBox AppArmor profile warning (Whonix 14)

From the Whonix 14 testing thread, note that the apparmor profile for VirtualBox (when installing apparmor-profiles-whonix) warns:

Warning from /etc/apparmor.d/usr/lib/virtualbox.VirtualBox (/etc/apparmor.d/usr.lib.virtualbox.VirtualBox line 50): Unconfined exec qualifer (ux) allows some dangerous environment variables to be passed to the unconfined process; ‘man 5 apparmor.d’ for details.

Probably low priority, but worthy of investigation.


#669

From http://forums.kkkkkkkkkk63ava6.onion/t/long-wiki-edits-thread/3477/569

How about implementing this OnionShare AppArmor profile in Whonix?

https://github.com/micahflee/onionshare/commit/6cceac3b3eca9ce2cc13cde4d16f7291b565c720


#670

Already has upstream.

https://github.com/micahflee/onionshare/tree/develop/apparmor


#671

I think we should remove the VirtualBox profile from apparmor-profiles-whonix. This is a very early one, and it was meant to be used in the host.

If someone feels like installing AppArmor in their host, enforce the profile and start Whonix, they are welcome.


#672

Good idea. Done.


#673

#674

#675

#676

Why is alias / -> /rw/, not enough?

Why is explicitly…

alias /var/lib/ -> /rw/var/lib/,
alias /var/lib/tor/ -> /rw/var/lib/tor/,

additionally required?

If in doubt, could you ask the upstream AppArmor developer mailing list, please?

I think it belongs here https://github.com/Whonix/apparmor-profile-anondist/blob/master/etc/apparmor.d/tunables/home.d/qubes-whonix-anondist?

//cc @Algernon


Whonix live mode
#677

These are known issues of apparmor + overlayfs. Some other examples:


https://labs.riseup.net/code/issues/9045

Just using “alias / -> /rw/,” will still lead to denied messages in some cases. The easy workaround is to also add the denied path as an alias.
If the live mode gets tested more, some more denied messages could maybe be expected. At least every denied message with “/rw/” in the path would be related to overlayfs.
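As an added example (not code from this thread, from Whonix or from any of its packages), the following Python script triages AppArmor audit lines of the kind shown in #661 (the ptrace denial against /usr/bin/whonixcheck) and the overlayfs-related “/rw/” denials described in #677. The ptrace line is the one quoted in #661; the other two log lines, the /rw/ paths in them and all function names are constructed for this example. For a denied /rw/ path it prints an alias line in the same form the thread uses (e.g. “alias /var/lib/tor/ -> /rw/var/lib/tor/,”), which mirrors the workaround stated in #677 of adding the denied path as an alias.

```python
import posixpath
import re

# Sample audit lines. The first is the real line from post #661; the other
# two are constructed for this example to show an overlayfs (/rw/) denial
# and a non-denied (ALLOWED, i.e. complain-mode) event.
SAMPLE_LOG = """\
type=AVC msg=audit(1518277651.459:418): apparmor="DENIED" operation="ptrace" profile="/usr/bin/whonixcheck" pid=12582 comm="ps" requested_mask="trace" denied_mask="trace" peer="/usr/bin/whonixcheck"
type=AVC msg=audit(1518277700.000:419): apparmor="DENIED" operation="open" profile="/usr/bin/tor" name="/rw/var/lib/tor/state" pid=1000 comm="tor" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
type=AVC msg=audit(1518277701.000:420): apparmor="ALLOWED" operation="open" profile="/usr/bin/whonixcheck" name="/etc/hostname" pid=1001 comm="whonixcheck" requested_mask="r" denied_mask="r"
"""

# The overlay prefix the thread talks about: in Whonix live mode the writable
# layer is mounted under /rw/, so denials naming /rw/... are overlayfs-related.
OVERLAY_PREFIX = "/rw/"

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc_line(line):
    """Parse one audit line into a dict of fields, or None if it is not an AppArmor event."""
    fields = {}
    for match in FIELD_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields if "apparmor" in fields else None


def classify(event):
    """Bucket an event the way the thread reasons about it."""
    if event.get("apparmor") != "DENIED":
        return "allowed"
    if event.get("name", "").startswith(OVERLAY_PREFIX):
        return "overlayfs"      # per #677: /rw/ in the path => overlayfs issue
    if event.get("operation") == "ptrace":
        return "ptrace"         # the #661 case: ps inspecting a PID
    return "other"


def suggest_alias(event):
    """For a denied /rw/ path, return the alias rule the thread's workaround calls for."""
    name = event.get("name", "")
    if event.get("apparmor") != "DENIED" or not name.startswith(OVERLAY_PREFIX):
        return None
    directory = posixpath.dirname(name)
    if not directory.endswith("/"):
        directory += "/"
    # Strip the leading "/rw" to recover the path the profile originally names.
    original = directory[len(OVERLAY_PREFIX) - 1:]
    return f"alias {original} -> {directory},"


def summarize(log_text):
    """Count events per class and collect suggested alias lines (deduplicated, ordered)."""
    counts = {"allowed": 0, "overlayfs": 0, "ptrace": 0, "other": 0}
    aliases = []
    for line in log_text.splitlines():
        event = parse_avc_line(line)
        if event is None:
            continue
        counts[classify(event)] += 1
        alias = suggest_alias(event)
        if alias and alias not in aliases:
            aliases.append(alias)
    return {"counts": counts, "aliases": aliases}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("denials by class:", result["counts"])
    for alias in result["aliases"]:
        print("suggested alias rule:", alias)
```

The ptrace denial gets no alias suggestion on purpose: as the thread shows, it was a profile fix in whonixcheck, not a path issue, so the script only reports it. Feed the script the AVC lines from the kernel log or auditd to get a quick picture of which denials are overlayfs noise and which need a real profile change.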


#678

Can you please move to apparmor-profile-anondist, remove from your other two packages and reference https://bugs.launchpad.net/apparmor/+bug/888077 in the comment?


#679

I opened some pull requests for this.


#680

All merged.