Whonix AppArmor Profiles Development Discussion

Edited the AppArmor profiles pages. Now it is “sudo apparmor_parser -r” to load the profile.

Got some more XChat denied messages. You can reproduce them by using the sasl plugin.

Please check if adding…

	/usr/share/perl*/** mr,
	/usr/lib/perl*/** mr,

…would be sane.

It’s perfectly sane. Added to the profile.

I have yet to test the SASL plugin, though, with XChat, maybe both the perl and python scripts. It should be tested with Pidgin and Tor, too.

XChat sasl (perl) works for me.

Patrick, how close does Whonix mimic TAILS’s system wide exploit protection mechanisms? Are we close to that yet? Apparently their work was so good that it gave the spooks hell when trying to crack it. Even though virtualization is a powerful layer, I think the more obstacles we add to a potential attack, the better. Especially ones that are known to work.

I don’t know what feature you are referring to. Haven’t seen it in their design.

They have plans and ideals in their design, but they have these for years. Same for Whonix. Long way to go from such plans and ideals to actual implementation. In meanwhile came Qubes OS.

Sure. AppArmor is one such layer and I am glad you’re helping with that! :) As for other stuff, such as kernel hardening and compiler hardening, well, it would be most desirable but it’s best implemented in Debian, difficult stuff and a long way to go.

I want to see if I get the gist of how to do this. Is it as simple as downloading the profile then asking apparmor to parse a certain profile?

As an AppArmor profile tester, it is just a question of copying and pasting commands. Very simple.

And once they are packaged, it gets as simple as “sudo apt-get install/remove apparmor-profile-torbrowser” etc.


Let’s say we are happy with a few profiles (TBB, Icedove…), wouldn’t it be better to have “sudo apt-get install/remove whonix-apparmor-profiles”? If we use only “apparmor-profiles”, it will install the default Debian profiles.

I think separate packages are better. For example, when there are updates in TBB that require to temporarily disable AppArmor, it is simpler to just uninstall that one package instead of all profiles.

We can however very easily make a package apparmor-profiles-whonix, that depend on apparmor-profile-torbrowser, apparmor-profile-xchat etc. So one could simply type “sudo apt-get install apparmor-profiles-whonix” and end up with all these profiles.

It’s OK to have them all bundled in a package as long as they can be individually removed, if it happens that one of them breaks because of a program update, for example TBB.

Update:
Went through and ran the TBB profile and got this:


[quote]
root@host:/home/user# sudo apparmor_parser -r /etc/apparmor.d/home.user.tor-browser_en-US.Browser.firefox
AppArmor parser error for /etc/apparmor.d/home.user.tor-browser_en-US.Browser.firefox in /etc/apparmor.d/home.user.tor-browser_en-US.Browser.firefox at line 12: Could not open 'abstractions/whonix'
[/quote]

Most likely, you have not installed the file “abstractions/whonix”. See http://kkkkkkkkkk63ava6.onion/wiki/AppArmor/abstractions/whonix

I’ll update the profiles pages with a warning. Also, for the TBB downloads/uploads and the attachments in Icedove, you have to create the ~/Downloads directory.

@Patrick: If we choose Downloads (that can be any directory), could that be included in the next update, when the profiles are packaged?


~/Downloads folder:
I deleted my ~/Downloads and tested to create it using Tor Browser. Got some denied messages.

Apr  6 14:49:40 host kernel: [63623.752679] type=1400 audit(1396795780.127:50): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/Desktop/" pid=7951 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

This is probably because ~/Desktop is the first folder Tor Browser is looking into when ~/Downloads does not exist.

Apr  6 14:49:55 host kernel: [63639.616848] type=1400 audit(1396795795.987:51): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/Downloads/" pid=5672 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

This is probably because the profile does not allow “mkdir ~/Downloads”. I guess adding the “c” flag should do the trick?

[quote]
you have to create the ~/Downloads directory.
@Patrick: If we choose Downloads (that can be any directory), could that be included in the next update, when the profiles are packaged?
[/quote]

For next Whonix version the /home/user/Downloads folder could be created by default. Not in an AppArmor profile (to keep them generic), but in a Whonix specific postinst script. If that makes sense I go ahead and implement it?

What about my /** /etc/apparmor.d/whonix idea? (https://www.whonix.org/forum/index.php/topic,97.msg1370.html#msg1370)

It’s in the pipeline. Before re-testing, I just want to make sure my backup is 99% proof.

[quote]
~/Downloads folder: I deleted my ~/Downloads and tested to create it using Tor Browser. Got some denied messages.

Apr  6 14:49:40 host kernel: [63623.752679] type=1400 audit(1396795780.127:50): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/Desktop/" pid=7951 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

This is probably because ~/Desktop is the first folder Tor Browser is looking into when ~/Downloads does not exist.
[/quote]

If the “~/Downloads” folder does not exist (and even if it exists), trying anywhere else will flash a message. If you try “File system”, you get 'name="/" pid=xxxx comm="open" requested_mask="r" denied_mask="r"'. To get rid of the message, I would have to give read access to the whole disk ("/** r,").

[quote]
[code]
Apr  6 14:49:55 host kernel: [63639.616848] type=1400 audit(1396795795.987:51): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/Downloads/" pid=5672 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[/code]
This is probably because the profile does not allow "mkdir ~/Downloads". I guess adding the "c" flag should do the trick?
[/quote]

I am not sure I understand. Did you create a folder from the Tor browser? Anyhow, you can create any folder under ~/Downloads, from a terminal or the file manager, and save the downloads there.

[quote]
For next Whonix version the /home/user/Downloads folder could be created by default. Not in an AppArmor profile (to keep them generic), but in a Whonix specific postinst script. If that makes sense I go ahead and implement it?
[/quote]

It would be OK to create the folder by default. And then recommend the user to set “Save files to → Downloads” in the Tor browser “Edit/Preferences/General” dialog box. That might save some hassle.

[quote]
It's in the pipeline. Before re-testing, I just want to make sure my backup is 99% proof.
[/quote]
Awesome!

[quote]
I am not sure I understand. Did you create a folder from the Tor browser?
[/quote]
Yes.

[quote]
Anyhow, you can create any folder under ~/Downloads, from a terminal or the file manager, and save the downloads there.
[/quote]
Giving mkdir ~/Downloads permission to Tor Browser shouldn't hurt anyway?

[quote]
It would be OK to create the folder by default. And then recommend the user to set "Save files to -> Downloads" in the Tor browser "Edit/Preferences/General" dialog box. That might save some hassle.
[/quote]
Ideally it would be best if all that would be possible without editing any prefs.

[quote]
To get rid of the message, I would have to give read access to the whole disk ("/** r,").
[/quote]

“/** r” would be too much. Then the browser could read and leak any file on hdd. What about just “/ r”? Doing an “ls /” doesn’t leak anything useful.

Having apparmor-notifier flashing by default is bad, this would produce loads of bug reports. Not having apparmor-notifier installed on the other hand is also not a good idea. There might be dysfunctional features without any indication what is going wrong.

I guess Ubuntu “solved” this by giving full read access to /home. Seems like there is no great solution.
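
One way to turn the DENIED records quoted in this thread into the narrowest candidate rules, as an added example (not code from the thread or from the Whonix profiles). It maps the log's "c" (create) mask to the profile permission "w", which is how the profile language expresses create, and keeps each logged path verbatim, so a denial on "/" yields "/ r," rather than "/** r,". The function names are hypothetical and the third sample record is constructed.

```python
import re
from collections import defaultdict

# First two records are the denials quoted in the thread; the third is constructed
# for the "File system" case (the thread gives only name="/" and the "r" masks).
SAMPLE_LOG = '''
Apr  6 14:49:40 host kernel: [63623.752679] type=1400 audit(1396795780.127:50): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/Desktop/" pid=7951 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr  6 14:49:55 host kernel: [63639.616848] type=1400 audit(1396795795.987:51): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/Downloads/" pid=5672 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Apr  6 14:50:10 host kernel: [63654.000000] type=1400 audit(1396795810.000:52): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/" pid=1234 comm="open" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log masks are finer-grained than profile permissions: create/delete map to "w".
MASK_TO_PERM = {"c": "w", "d": "w"}
PERM_ORDER = "rwalkm"  # exec ("x") is left out: it needs a hand-picked transition mode


def parse_denial(line):
    """Return the fields of an AppArmor DENIED file record, or None."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        fields[key] = bare or quoted
    return fields if fields.get("apparmor") == "DENIED" and "name" in fields else None


def suggest_rules(log_text):
    """Map each profile to candidate rules covering exactly the logged paths."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        # "owner" keeps the rule limited to files owned by the confined user
        owner = "owner " if "fsuid" in d and d["fsuid"] == d.get("ouid") else ""
        for mask in d.get("denied_mask", ""):
            perms[(d.get("profile", "?"), owner + d["name"])].add(MASK_TO_PERM.get(mask, mask))
    rules = defaultdict(list)
    for (profile, path), granted in sorted(perms.items()):
        allowed = "".join(p for p in PERM_ORDER if p in granted)
        if allowed:
            rules[profile].append(f"{path} {allowed},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(profile, *lines, sep="\n  ")
```

A path ending in "/" matches only that directory entry, so these rules allow listing ~/Desktop or "/" and creating ~/Downloads without granting access to the files underneath; each suggestion still needs review before it goes into a profile.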

Alright TBB profile works and no errors. Troubador, I think you should add the whonix/abstractions commands to the apparmor page on the clearnet too, so everything is available in one place. Will Whonix ship with a ~/Downloads folder to make the apparmor profile apply seamlessly?

There is no such thing as clearnet version.
clearnet wiki version = .onion wiki version
.onion is just a different domain for our server.

I think we agreed on that. But it will probably never work seamlessly due to technical challenges, unless well, I am not even sure what kind of feature request against AppArmor could be made. Eventually one against Firefox.

Troubador if you know how to add or activate apparmor profiles on a Debian Host, please post that here so I can add it to the KVM page.

Normally, Debian should come with AppArmor enabled. They ship some default profiles of their own.

For your profiles, put them in ‘/etc/apparmor.d’. For each profile, run

sudo apparmor_parser -r /etc/apparmor.d/profile_name

Check ‘/etc/default/grub’. In GRUB_CMDLINE_LINUX_DEFAULT or GRUB_CMDLINE_LINUX, it should read “security=apparmor apparmor=1”. If not, add it, the order does not matter, and run ‘update-grub’.

All the profiles in /etc/apparmor.d, if they are not in the disable folder, are loaded at boot.

When using Whonix in Debian, the first package to confine with AppArmor should be VirtualBox: AppArmor. So we (should) have all the network facing packages in Whonix apparmored, the virtualization layer with VirtualBox, and the hypervisor itself apparmored.

About KVM, according to Ubuntu where most of the AppArmor work is done, the profiles for libvirt are now part of the source packages. See Ubuntu – Error. From my experience, the profiles are seldom usable out of the box, but that might be worth having a look.