Whonix AppArmor Profiles Development Discussion

What happens in VirtualBox during a race condition looks like this:

sudo systemctl stop networking

sudo systemctl restart onion-grater

Log:

Aug 14 17:28:39 host systemd[1]: Starting Tor control port filter proxy...

Aug 14 17:28:39 host audit[18942]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/onion-grater" name="/sys/devices/pci0000:00/0000:00:16.0/host4/port-4:0/end_device-4:0/target4:0:0/4:0:0:0/block/sda/queue/hw_sector_size" pid=18942 comm="onion-grater" requested_mask="r" denied_mask="r" fsuid=114 ouid=0

Aug 14 17:28:39 host audit[18942]: SYSCALL arch=c000003e syscall=2 success=no exit=-13 a0=7f470c3c61b8 a1=80000 a2=1b6 a3=20 items=1 ppid=1 pid=18942 auid=4294967295 uid=114 gid=119 euid=114 suid=114 fsuid=114 egid=119 sgid=119 fsgid=119 tty=(none) ses=4294967295 comm="onion-grater" exe="/usr/bin/python3.5" key=(null)
Aug 14 17:28:39 host audit: CWD cwd="/"
Aug 14 17:28:39 host audit: PATH item=0 name="/sys/block/sda/queue/hw_sector_size" inode=7729 dev=00:10 mode=0100444 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Aug 14 17:28:39 host audit: PROCTITLE proctitle=2F7573722F62696E2F707974686F6E33002D75002F7573722F6C69622F6F6E696F6E2D677261746572002D2D6465627567002D2D6C697374656E2D696E746572666163650065746831

Aug 14 17:28:39 host onion-grater[18942]: Traceback (most recent call last):
Aug 14 17:28:39 host onion-grater[18942]:   File "/usr/lib/onion-grater", line 770, in <module>
Aug 14 17:28:39 host onion-grater[18942]:     main()
Aug 14 17:28:39 host onion-grater[18942]:   File "/usr/lib/onion-grater", line 752, in main
Aug 14 17:28:39 host onion-grater[18942]:     ip_address = get_ip_address(global_args.listen_interface)
Aug 14 17:28:39 host onion-grater[18942]:   File "/usr/lib/onion-grater", line 193, in get_ip_address
Aug 14 17:28:39 host onion-grater[18942]:     struct.pack('256s', bytes(ifname[:15], 'utf-8'))
Aug 14 17:28:39 host onion-grater[18942]: OSError: [Errno 99] Cannot assign requested address
Aug 14 17:28:39 host systemd[1]: onion-grater.service: Main process exited, code=exited, status=1/FAILURE
Aug 14 17:28:39 host systemd[1]: Failed to start Tor control port filter proxy.

whonixcheck denied message in a corner case. How to reproduce:

Add exit 0 as the second line of /usr/lib/qubes-whonix/init/network-proxy-setup in the whonix-gw-14 TemplateVM, shut down the TemplateVM, restart sys-whonix.

sudo ifdown --force eth0
sudo ifdown --force eth1
sudo systemctl restart onion-grater

Aug 14 20:57:08 host audit[2079]: AVC apparmor="DENIED" operation="capable" profile="/usr/bin/whonixcheck" pid=2079 comm="ifconfig" capability=16 capname="sys_module"

https://github.com/Whonix/whonixcheck/blob/master/etc/apparmor.d/usr.bin.whonixcheck#L75

Dunno what to do best with…

/usr/bin/spectre-meltdown-checker cux,

What I want to say there is “scrub environment, execute /usr/bin/spectre-meltdown-checker with its profile if it exists but if it doesn’t exist, execute /usr/bin/spectre-meltdown-checker unconfined”.

https://github.com/Whonix/whonixcheck/commit/5873f4c3bb1665a6fb92224968805f561aca87e3

//cc @eyedeekay @0brand

Yay, this is coming.

You’ll probably like how fast we implemented your wish - it’s done since 8 months :wink: Nearly all abstractions in git master have a line like

#include if exists <abstractions/base.d>

This will be part of the next major release (2.14 or 3.0), therefore I’ll close this ticket as already implemented. If you think we should backport this to 2.12 and 2.13, please reopen and provide a good reason :wink:

port to /etc/apparmor.d/abstractions.d in Debian 11 bullseye
https://phabricator.whonix.org/T927



Sep 07 03:42:10 host kernel: audit: type=1400 audit(1567827730.866:126): apparmor="DENIED" operation="exec" profile="/**/*-browser/Browser/firefox" name="/usr/local/bin/dirname" pid=15407 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Not fixed. Created for it:


Nov 19 15:25:57 host audit[3273]: AVC apparmor="DENIED" operation="chmod" profile="/usr/bin/whonixcheck" name="/var/cache/fontconfig/" pid=3273 comm="zenity" requested_mask="w" denied_mask="w" fsuid=110 ouid=0
Nov 19 15:22:44 host audit[4274]: AVC apparmor="DENIED" operation="chmod" profile="/usr/bin/whonixcheck" name="/var/cache/fontconfig/" pid=4274 comm="zenity" requested_mask="w" denied_mask="w" fsuid=110 ouid=0
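The denials quoted throughout this thread (the onion-grater sysfs read, the whonixcheck sys_module capability, the firefox exec of dirname, the zenity chmod on the fontconfig cache) all share the same AVC key=value layout, so they can be turned into draft profile rules mechanically. The script below is an added example, not Whonix code and not aa-logprof: it parses the AVC lines, normalises the curly quotes the forum software introduced, groups the suggested rules per profile and de-duplicates the repeated chmod denial. The sample lines are the ones quoted above, embedded as constructed test input. Two caveats it encodes as comments: file rules have to use the resolved path from the AVC name= field (for the onion-grater case that is the long /sys/devices/... path, not the /sys/block/sda/... symlink shown in the separate PATH record), and the exec mode it drafts (ix) is only a starting point; px/cx or the cux fallback discussed above are the choice when a separate profile exists.

```python
"""Turn AppArmor AVC "DENIED" audit lines into draft profile rules.

Added example for this thread; it is not Whonix code and not aa-logprof.
SAMPLE_LINES are the denials quoted in the thread (constructed test input),
including the forum's curly quotes, which are normalised before parsing.
"""
import re
from collections import defaultdict

# key=value pairs; values are either "quoted" or a bare token
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# audit mask letters that map onto AppArmor file permissions; create and
# delete are write access in profile terms, exec ("x") is handled apart
_MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "k": "k", "l": "l",
                 "m": "m", "c": "w", "d": "w"}

SAMPLE_LINES = [
    'Aug 14 17:28:39 host audit[18942]: AVC apparmor=\u201cDENIED\u201d operation=\u201copen\u201d '
    'profile=\u201c/usr/lib/onion-grater\u201d name=\u201c/sys/devices/pci0000:00/0000:00:16.0/host4/'
    'port-4:0/end_device-4:0/target4:0:0/4:0:0:0/block/sda/queue/hw_sector_size\u201d '
    'pid=18942 comm=\u201conion-grater\u201d requested_mask=\u201cr\u201d denied_mask=\u201cr\u201d fsuid=114 ouid=0',
    # SYSCALL record: not an AVC line, must be ignored
    'Aug 14 17:28:39 host audit[18942]: SYSCALL arch=c000003e syscall=2 success=no exit=-13 '
    'pid=18942 uid=114 comm="onion-grater" exe="/usr/bin/python3.5" key=(null)',
    'Aug 14 20:57:08 host audit[2079]: AVC apparmor="DENIED" operation="capable" '
    'profile="/usr/bin/whonixcheck" pid=2079 comm="ifconfig" capability=16 capname="sys_module"',
    'Sep 07 03:42:10 host kernel: audit: type=1400 audit(1567827730.866:126): apparmor="DENIED" '
    'operation="exec" profile="/**/*-browser/Browser/firefox" name="/usr/local/bin/dirname" '
    'pid=15407 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    'Nov 19 15:25:57 host audit[3273]: AVC apparmor="DENIED" operation="chmod" '
    'profile="/usr/bin/whonixcheck" name="/var/cache/fontconfig/" pid=3273 comm="zenity" '
    'requested_mask="w" denied_mask="w" fsuid=110 ouid=0',
    'Nov 19 15:22:44 host audit[4274]: AVC apparmor="DENIED" operation="chmod" '
    'profile="/usr/bin/whonixcheck" name="/var/cache/fontconfig/" pid=4274 comm="zenity" '
    'requested_mask="w" denied_mask="w" fsuid=110 ouid=0',
]


def parse_avc(line):
    """Return the key/value fields of one AVC DENIED line, or None otherwise."""
    line = line.replace("\u201c", '"').replace("\u201d", '"')
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def suggest_rule(fields):
    """Draft the single profile rule that would permit this denial."""
    op = fields.get("operation")
    if op == "capable":
        return f"capability {fields['capname']},"
    # file rules must use the resolved path AppArmor reports in name=,
    # not a symlink such as /sys/block/sda/... from the PATH record
    name = fields.get("name")
    if not name:
        return None
    mask = fields.get("requested_mask", "")
    if op == "exec" or "x" in mask:
        # ix keeps the child under the caller's profile; px/cx (or a
        # cux-style fallback) are the choice when a child profile exists
        return f"{name} ix,"
    perms = "".join(sorted({_MASK_TO_PERM[c] for c in mask if c in _MASK_TO_PERM}))
    return f"{name} {perms}," if perms else None


def draft_rules(lines):
    """Group suggested rules by profile, de-duplicated and sorted."""
    out = defaultdict(set)
    for line in lines:
        fields = parse_avc(line)
        if fields is None:
            continue
        rule = suggest_rule(fields)
        if rule:
            out[fields["profile"]].add(rule)
    return {profile: sorted(rules) for profile, rules in out.items()}


if __name__ == "__main__":
    for profile, rules in draft_rules(SAMPLE_LINES).items():
        print(f"# {profile}")
        for rule in rules:
            print(f"  {rule}")
```

Feed it `journalctl -k` or `dmesg` output instead of SAMPLE_LINES to get a per-profile list of candidate rules; each line still needs a human decision about whether the access is legitimate and whether the path should be generalised with globs before it goes into the profile.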


HexChat profile: GitHub - Kicksecure/apparmor-profile-hexchat: AppArmor profile for HexChat IRC - https://www.kicksecure.com/wiki/AppArmor - for better security (hardening). Upstreaming to either Debian and/or HexChat upstream failed as neither upstream uses AppArmor. References:

I noticed hexchat is having trouble with current profiles. Wouldn’t make any connections without a rule added to abstractions/xchat-based for /etc/resolv.conf.anondist r,.

There’s also some DENIED entries for /etc/hosts, but they didn’t seem to affect functionality yet. Not sure if this one is intentional since it is not explicitly denied.


Is there a better place to report these? Phabricator? Not familiar with it, but I made an account that’s waiting on approval.
