Whonix AppArmor Profiles Development Discussion

Did not see your previous message. Edited whonixcheck too.

I am wondering why you’re not getting these messages. Really strange indeed. Here are some more denied messages.

Mar 9 22:18:34 host kernel: [31275.607523] type=1400 audit(1394403514.192:405): apparmor="DENIED" operation="exec" parent=22729 profile="/usr/bin/whonixcheck" name="/usr/bin/gawk" pid=22731 comm="whonixcheck" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Mar 9 22:18:34 host kernel: [31275.607548] type=1400 audit(1394403514.192:406): apparmor="DENIED" operation="open" parent=22729 profile="/usr/bin/whonixcheck" name="/usr/bin/gawk" pid=22731 comm="whonixcheck" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 9 22:18:34 host kernel: [31275.809930] type=1400 audit(1394403514.396:407): apparmor="DENIED" operation="open" parent=22712 profile="/usr/bin/whonixcheck" name="/home/user/.whonix/msgdispatcher-error.log" pid=22878 comm="msgcollector" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Mar 9 22:18:34 host kernel: [31275.869057] type=1400 audit(1394403514.456:408): apparmor="DENIED" operation="open" parent=22712 profile="/usr/bin/whonixcheck" name="/home/user/.whonix/msgdispatcher-error.log" pid=22944 comm="msgcollector" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Mar 9 22:18:41 host kernel: [31283.081228] type=1400 audit(1394403521.668:409): apparmor="DENIED" operation="exec" parent=23268 profile="/usr/bin/timesync" name="/usr/bin/gawk" pid=23270 comm="timesync" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Mar 9 22:18:41 host kernel: [31283.081259] type=1400 audit(1394403521.668:410): apparmor="DENIED" operation="open" parent=23268 profile="/usr/bin/timesync" name="/usr/bin/gawk" pid=23270 comm="timesync" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Yes, it is strange.

awk and gawk in both timesync and whonixcheck. Adding the rest.

‘@{HOME}/.whonix/’ in both profiles.

Must be

/usr/bin/gawk rix, /usr/bin/awk rix,

instead of

/user/bin/gawk rix, /user/bin/awk rix,

If I catch such minor things should I just fix it? (To avoid you undoing these things when you copy changes from your hdd. This could be avoided by using show changes before storing.)

Few more denied messages when running whonixcheck --verbose.

Mar 10 00:21:34 host kernel: [38655.327176] audit_printk_skb: 201 callbacks suppressed
Mar 10 00:21:34 host kernel: [38655.327179] type=1400 audit(1394410894.320:609): apparmor="DENIED" operation="exec" parent=4867 profile="/usr/bin/whonixcheck" name="/usr/bin/whoami" pid=4869 comm="whonixcheck" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Mar 10 00:21:34 host kernel: [38655.327198] type=1400 audit(1394410894.320:610): apparmor="DENIED" operation="open" parent=4867 profile="/usr/bin/whonixcheck" name="/usr/bin/whoami" pid=4869 comm="whonixcheck" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 10 00:22:01 host kernel: [38682.101506] type=1400 audit(1394410921.096:611): apparmor="DENIED" operation="open" parent=10632 profile="/usr/bin/whonixcheck" name="/home/user/tor-browser_en-US/Docs/sources/versions" pid=10633 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

The timesync profile works for me (apart from the small user/usr issue).

Could you write a profile for sdwdate please? sdwdate is the actual daemon that is connecting to servers. timesync is “only” the monitor and gui of it.

(Sdwdate can be restarted using “sudo service sdwdate restart”, that might help with debugging.)

Got some more denied messages.

Mar 10 02:10:01 host kernel: [45162.663304] type=1400 audit(1394417401.276:614): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/.local/share/gvfs-metadata/home-8441bd4a.log" pid=4463 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar 10 04:04:59 host kernel: [52059.805282] type=1400 audit(1394424299.336:615): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/.thumbnails/normal/35cdbed13b7e224cf1ea1c86494529e3.png" pid=22355 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar 10 04:05:36 host kernel: [52097.281758] type=1400 audit(1394424336.812:616): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/.local/share/gvfs-metadata/home-929f6d5c.log" pid=22120 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

I have updated the TBB and whonixcheck profiles.

> If I catch such minor things should I just fix it?

For that sort of mistyping, please do. I am watching the pages, so I’ll have a mail and I can update my local profile. I’ll try to avoid it.

The fontconfig related denied messages are back.

Mar 10 18:00:49 host kernel: [ 179.480054] type=1400 audit(1394474449.823:34): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/fontconfig/conf.avail/10-scale-bitmap-fonts.conf" pid=6569 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 10 18:00:49 host kernel: [ 179.480352] type=1400 audit(1394474449.823:35): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/fontconfig/conf.avail/20-unhint-small-vera.conf" pid=6569 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 10 18:00:49 host kernel: [ 179.480373] type=1400 audit(1394474449.823:36): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/fontconfig/conf.avail/30-metric-aliases.conf" pid=6569 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 10 18:00:49 host kernel: [ 179.480386] type=1400 audit(1394474449.823:37): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/fontconfig/conf.avail/30-urw-aliases.conf" pid=6569 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 10 18:00:49 host kernel: [ 179.480397] type=1400 audit(1394474449.823:38): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/fontconfig/conf.avail/40-nonlatin.conf" pid=6569 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 10 18:00:49 host kernel: [ 179.480409] type=1400 audit(1394474449.823:39): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/fontconfig/conf.avail/45-latin.conf" pid=6569 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 10 18:00:49 host kernel: [ 179.480427] type=1400 audit(1394474449.823:40): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/fontconfig/conf.avail/49-sansserif.conf" pid=6569 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 10 18:00:49 host kernel: [ 179.480440] type=1400 audit(1394474449.823:41): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/fontconfig/conf.avail/50-user.conf" pid=6569 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 10 18:00:49 host kernel: [ 179.480451] type=1400 audit(1394474449.823:42): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/fontconfig/conf.avail/51-local.conf" pid=6569 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 10 18:00:49 host kernel: [ 179.481880] type=1400 audit(1394474449.823:43): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/fontconfig/conf.avail/60-latin.conf" pid=6569 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Fixed. I had removed the line. I look at the changes, now, before publishing.

Reading the threads in ‘Whonix Development’, it looks like Pidgin will be replaced by TIMB, once the people at tor have implemented OTR in it. I suppose we have no idea when that might happen. I continue with Pidgin anyhow. You said the fonts are changing when you confine it. Is it still usable?

I indeed don’t know when TIMB will come, could take a while, I think. Pidgin is still usable. And we can still package that profile as well. Pidgin will always have many fans.

I had a new denied message with Icedove. I have updated both TBB and Icedove profiles, trying to make them more robust with new applications, again.

I will do sdwdate, finish Pidgin, and I will take a break with writing profiles. I still maintain them on request, of course. I’d like to start packaging myself, that would be easier for everybody, I think.

Also, I’d like to start with Qubes. From my preliminary readings, it looks like just converting Whonix images from ‘.vmdk’ to ‘.img’ and importing them in Qubes, but I can foresee there will be more than that.

Sounds good.

I suspect that /etc/apparmor.d/local/home.user.tor-browser_en-US.Browser.firefox does not get sourced, is ignored.

Getting denied messages.

Mar 11 11:57:57 host kernel: [64606.193428] type=1400 audit(1394539077.763:151): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/usr/share/poppler/cMap/Adobe-Korea1/" pid=31557 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Since Whonix 8, also signed qcow2 images are provided (or building them yourself is supported as well). Can be downloaded here:
Whonix download | SourceForge.net (as compressed .tar.gz)
I don’t know if Qubes OS supports .qcow2, but I would speculate it does. And if not, that image format should be provided as well.
You’re most welcome to work on running Whonix on top of Qubes OS. Please open a new topic when you’re ready. I am happy to support this cause.

Profiles updates (for future reference for me too).

  • home.user.tor-browser_en-US.Browser.firefox
    Put back the line #include <local/home.user.tor-browser_en-US.Browser.firefox>. It was removed at some stage, hence your denied messages.

  • usr.bin.pidgin
    Removed all the references to Launchpad and Gnome (commented). I think there are too many abstractions included. That could be cleaned too.

  • usr.bin.timesync, usr.bin.whonixcheck
    Cleaned @{PROC} and removed cux permissions from the log files.

timesync is calling sdwdate. The process is permanently enforced after it has been started. I assume the daemon is running. So I have copied the timesync profile into a usr.bin.sdwdate profile. Running ‘service sdwdate restart’ has the same effect as running timesync.

I’ll come back later for a batch of profiles we could plan to write in the near future.

In AppArmor/Whonixcheck: Difference between revisions - Whonix you reintroduced the usr / user error.

Also whonixcheck needs read access to /home/user/tor-browser_en-US/Docs/sources/versions because it checks Tor Browser’s version.

timesync / sdwdate: It depends. On boot, sdwdate starts on its own (by /etc/init.d/sdwdate). One could have timesync uninstalled and sdwdate would still work. (I plan to make these two separate packages. When timesync is manually started, it restarts and monitors sdwdate, hence the confusion. Also since sdwdate dispatches parts of timesync if available. Perhaps I must clean up the implementation, but it works fine for now.) However, /usr/bin/sdwdate needs a profile upon start.

(If you don’t believe me or want to test it, edit /usr/bin/sdwdate and add a “echo test > /home/user/sdwdatetest” below “#!/bin/bash”. - I guess it would be able to do this unauthorized write.)

Since sdwdate is a daemon, I am not sure if we need to edit its init script. For example the /etc/init.d/tor (you can look at it on Whonix-Gateway) has native support for AppArmor. I am not sure, if we would need to do this for sdwdate as well. Probably not. Probably a profile for /usr/bin/sdwdate would be sufficient (I guess AppArmor doesn’t really care if an init script or user starts an application).

> In https://www.whonix.org/w/index.php?title=AppArmor/Whonixcheck&oldid=6794&diff=cur you reintroduced the usr / user error.

> Also whonixcheck needs read access to /home/user/tor-browser_en-US/Docs/sources/versions because it checks Tor Browser’s version.

Added /home/user/tor-browser_en-US/Docs/sources/versions. There was /home/user/tor-browser_en-US/Docs/version already in the profile. A bit confusing. I’ll test it with whonixcheck --verbose to make sure.

> timesync / sdwdate: It depends. On boot, sdwdate starts on its own (by /etc/init.d/sdwdate). One could have timesync uninstalled and sdwdate would still work. (I plan to make these two separate packages. When timesync is manually started, it restarts and monitors sdwdate, hence the confusion. Also since sdwdate dispatches parts of timesync if available. Perhaps I must clean up the implementation, but it works fine for now.) However, /usr/bin/sdwdate needs a profile upon start.

Added the profile for sdwdate. I first added ‘USE_AA_EXEC=“yes”’ in ‘/etc/init.d/sdwdate’, but since it starts as a daemon at boot, it is not needed, it is automatically enforced.

I think I mentioned it before. In the Gateway, system_tor is no longer confined since Whonix 8. Ran ‘aa-enforce system_tor’ and it still does not show in the list of enforced profiles. I did not take the time to check further. I will.

I am running

Then make a few empty spaces by pressing enter a few times, then run whonixcheck --verbose.

This is what I am getting when I press “cancel” while it is running.

And I am also having apparmor-notifier installed, which will in KDE always flash a message once there is a new apparmor denied message.

This is what I get when running whonixcheck --verbose.

Mar 12 17:47:49 host kernel: [65813.172202] type=1400 audit(1394646469.128:84): apparmor="DENIED" operation="exec" parent=18608 profile="/usr/bin/whonixcheck" name="/usr/bin/whoami" pid=18610 comm="whonixcheck" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Mar 12 17:47:49 host kernel: [65813.172202] type=1400 audit(1394646469.128:85): apparmor="DENIED" operation="open" parent=18608 profile="/usr/bin/whonixcheck" name="/usr/bin/whoami" pid=18610 comm="whonixcheck" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 12 17:48:20 host kernel: [65845.022025] type=1400 audit(1394646500.976:86): apparmor="DENIED" operation="exec" parent=24312 profile="/usr/bin/whonixcheck" name="/usr/bin/tr" pid=24314 comm="whonixcheck" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Mar 12 17:48:20 host kernel: [65845.022044] type=1400 audit(1394646500.976:87): apparmor="DENIED" operation="open" parent=24312 profile="/usr/bin/whonixcheck" name="/usr/bin/tr" pid=24314 comm="whonixcheck" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Adding ‘USE_AA_EXEC=“yes”’ to sdwdate’s init script is most likely indeed not required. (FYI: ‘USE_AA_EXEC=“yes”’ isn’t a magic word. Just a standard shell script variable. It would require additional implementation to react depending on the contents of USE_AA_EXEC, you can see this in Tor’s init script if you search that script for USE_AA_EXEC.)

When I am running “sudo service sdwdate restart”, I am getting this.

Mar 12 17:51:17 host kernel: [66032.669869] type=1400 audit(1394646677.848:89): apparmor="DENIED" operation="capable" parent=29668 profile="/usr/bin/sdwdate" pid=29669 comm="sdwdate" capability=1 capname="dac_override"
Mar 12 17:51:58 host kernel: [66073.429962] type=1400 audit(1394646718.612:90): apparmor="DENIED" operation="file_mmap" parent=30019 profile="/usr/bin/sdwdate" name="/lib/i386-linux-gnu/security/pam_cap.so" pid=30030 comm="sudo" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

Also sdwdate needs access to /usr/lib/whonix/curl_exit_codes.

Otherwise sdwdate seems functional.

We are using the same testing setup (‘sudo tail -f /var/log/kern.log’, make a few spaces after updating/saving the profile and running ‘sudo apparmor_parser -r profile_name’, restart the package).

With ‘whonixcheck --verbose’, I could see the message after pressing cancel, plus a few others denying /etc/apparmor.d.

With sdwdate, I could not recreate the error after restarting the service. Strange, again, but it’s not a surprise, I’ve been doing that the whole day (well, almost…).

Both profiles are updated.
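The test loop the two posters describe (tail kern.log, reload the profile with apparmor_parser -r, restart the service, read the DENIED records) is done by hand throughout this thread, and the usr/user path typo slipped through twice. The script below is an added example, not code from the thread or from Whonix: it parses type=1400 kernel audit records of the shape quoted above into candidate profile rules (exec + open r on the same binary become one "rix" rule, a "wc" mask becomes "w", "capable" becomes a capability line, /home/<user>/ becomes @{HOME}/, the same mapping the posters applied by hand), counts records the kernel dropped through "callbacks suppressed" so you know when the log is incomplete, and lints an existing profile for literal paths that do not exist on disk (which is exactly what /user/bin/gawk is). The sample log and sample profile are constructed; the exists predicate is injected so the lint can be tested against a fake tree and run against os.path.exists for real.

```python
import re
from collections import defaultdict

# key=value and key="value" pairs in a type=1400 kernel audit record
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# the kernel rate-limited and DROPPED this many records; a profile built from the log is then incomplete
_SUPPRESSED_RE = re.compile(r"audit_printk_skb: (\d+) callbacks suppressed")
# file-rule mode letters: r w a l k m plus the exec modifiers i x p u P U C
_MODE_RE = re.compile(r"[rwalkmixpuPUC]+")

# Constructed sample records, shaped like the ones quoted in this thread.
SAMPLE_LOG = """\
Mar 9 22:18:34 host kernel: [31275.607523] type=1400 audit(1394403514.192:405): apparmor="DENIED" operation="exec" parent=22729 profile="/usr/bin/whonixcheck" name="/usr/bin/gawk" pid=22731 comm="whonixcheck" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Mar 9 22:18:34 host kernel: [31275.607548] type=1400 audit(1394403514.192:406): apparmor="DENIED" operation="open" parent=22729 profile="/usr/bin/whonixcheck" name="/usr/bin/gawk" pid=22731 comm="whonixcheck" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 9 22:18:34 host kernel: [31275.809930] type=1400 audit(1394403514.396:407): apparmor="DENIED" operation="open" parent=22712 profile="/usr/bin/whonixcheck" name="/home/user/.whonix/msgdispatcher-error.log" pid=22878 comm="msgcollector" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Mar 10 00:21:34 host kernel: [38655.327176] audit_printk_skb: 201 callbacks suppressed
Mar 12 17:51:17 host kernel: [66032.669869] type=1400 audit(1394646677.848:89): apparmor="DENIED" operation="capable" parent=29668 profile="/usr/bin/sdwdate" pid=29669 comm="sdwdate" capability=1 capname="dac_override"
Mar 12 17:51:58 host kernel: [66073.429962] type=1400 audit(1394646718.612:90): apparmor="DENIED" operation="file_mmap" parent=30019 profile="/usr/bin/sdwdate" name="/lib/i386-linux-gnu/security/pam_cap.so" pid=30030 comm="sudo" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
"""

# Constructed sample profile containing the usr/user typo discussed in the thread.
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/bin/whonixcheck {
  #include <abstractions/base>
  # /usr/bin/nonexistent r,   (a comment: must be ignored)
  /user/bin/gawk rix, /usr/bin/awk rix,
  @{HOME}/.whonix/ rw,
  /usr/bin/whoami rix,
}
"""


def parse_denials(text):
    """One dict per apparmor="DENIED" record; other kernel lines are skipped."""
    for line in text.splitlines():
        if 'apparmor="DENIED"' in line:
            yield {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def suppressed_count(text):
    """Total records the kernel dropped; non-zero means the log (and any profile built from it) is incomplete."""
    return sum(int(n) for n in _SUPPRESSED_RE.findall(text))


def _generalize(path):
    """Write /home/<anyone>/... as @{HOME}/..., as the profiles in the thread do."""
    return re.sub(r"^/home/[^/]+/", "@{HOME}/", path)


def suggest_rules(text):
    """profile name -> sorted candidate rules covering every denial in text.
    exec becomes 'ix' (run under the same profile), matching the thread's 'rix' rules;
    the 'c' (create) and 'd' (delete) mask bits need 'w'."""
    perms = defaultdict(set)   # (profile, path) -> permission letters
    caps = defaultdict(set)    # profile -> capability names
    for rec in parse_denials(text):
        prof = rec.get("profile", "?")
        if rec.get("operation") == "capable":
            caps[prof].add(rec["capname"])
        elif "name" in rec:
            mask = rec.get("denied_mask") or rec.get("requested_mask", "")
            for ch in mask:
                if ch in "wcd":
                    perms[(prof, rec["name"])].add("w")
                elif ch == "x":
                    perms[(prof, rec["name"])].add("ix")
                elif ch in "ralkm":
                    perms[(prof, rec["name"])].add(ch)
    rules = defaultdict(list)
    for prof, names in caps.items():
        rules[prof].extend(f"capability {c}," for c in sorted(names))
    for (prof, path), ps in perms.items():
        mode = "".join(p for p in "rwalkm" if p in ps) + ("ix" if "ix" in ps else "")
        rules[prof].append(f"{_generalize(path)} {mode},")
    return {p: sorted(r) for p, r in rules.items()}


def lint_profile(profile_text, exists):
    """Literal file-rule paths in profile_text that exists() rejects (catches /user/bin vs /usr/bin).
    exists is injected (e.g. os.path.exists) so the check can also run against a fake tree."""
    missing = []
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0]            # drops comments and #include lines
        for chunk in line.split(","):           # several rules may share one line
            toks = chunk.split()
            if len(toks) < 2 or not toks[-2].startswith("/") or not _MODE_RE.fullmatch(toks[-1]):
                continue                        # not a "path mode," rule, or path starts with a variable
            path = toks[-2]
            if any(ch in path for ch in "*?[{"):
                continue                        # globs cannot be checked literally
            if not exists(path):
                missing.append(path)
    return missing


if __name__ == "__main__":
    import os
    for prof, rs in suggest_rules(SAMPLE_LOG).items():
        print(prof + " {")
        for r in rs:
            print("  " + r)
        print("}")
    print("dropped records:", suppressed_count(SAMPLE_LOG))
    print("rules pointing at non-existent paths:", lint_profile(SAMPLE_PROFILE, os.path.exists))
```

Run it against a real log with python3 script.py < /dev/null after replacing SAMPLE_LOG with the contents of /var/log/kern.log, and treat the output as candidates to review, not rules to paste: a denial only says what the program tried, not whether the profile should allow it (the gvfs-metadata and .thumbnails reads quoted earlier are a case where a deny rule may be the better answer). A non-zero suppressed count means the test run has to be repeated, since whole records never reached the log.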