I think it would be best if sdwdate was allowed to exec all /usr/lib/whonix/timesync_... scripts unconstrained by AppArmor profiles while also preserving the environment variables. I don't think these scripts have potential to be exploited. I think what they need is unconstrained execute mode (ux) but I don't know enough about AppArmor. This is because the /usr/lib/whonix/timesync_... scripts need lots of permissions for themselves for notification stuff which may not be allowed by the current sdwdate AppArmor profile.
I have authorized all /usr/lib/whonix/timesync_… scripts, including the ones not required by apparmor plus msgcollector and msgprogress, to run unconfined.
/usr/lib/whonix/timesync_pre rwUx,
/usr/lib/whonix/timesync_post_error rwUx,
/usr/lib/whonix/timesync_prerequisite rwUx,
/usr/lib/whonix/timesync_post_success rwUx,
/usr/lib/whonix/usr/timesync_init_d rwUx,
/usr/lib/whonix/usr/timesync_post_failure rwUx,
/usr/lib/whonix/msgcollector rUx,
/usr/lib/whonix/msgprogress rUx,
To no avail. I had actually started in that direction.
In order to make a fresh start, all the profiles were moved in a tmp directory. Run “sudo service apparmor teardown” for good measure.
Here a digest of my tests.
Reboot the workstation.
- timesync notification OK
Run “service sdwdate restart” several times.
- timesync GUI, progress bar
- timesync notification OK
Wait after first sleep period. Run “sudo service sdwdate restart”
[@error]
- no timesync GUI
- timesync success notification
Run timesync.
[@OK]
- timesync GUI, progress bar
- timesync notification OK
Run “sudo service sdwdate restart” several times.[@OK]
Run sdwdate_simulator once (ctrl-c during the 15s sleep period) [@OK]
Run “sudo service sdwdate restart” several times.[@OK]
Let sdwdate_simulator run twice. [@error]
Run “sudo service sdwdate restart” . [@error]
Run timesync. [@OK]. And so on…