Whonix in chroot

Patrick · February 24, 2014, 1:18pm

Done.
(Template: https://www.whonix.org/wiki/Template:AppArmorProfileWarning)

No malicious edits until now. Trolling unfortunately gets more problematic as the project grows.

troubadour · February 25, 2014, 8:20am

In this particular case, we could also move the AppArmor profile to a template, and import it in the Advanced Security Guide. Then you'd only get notification for profiles changes, not for other changes to that page.

Could you briefly explain how to create a template and import it in the page? I think we could create a new subsection in the Advanced Security Guide (‘AppArmor Profiles’ or something) and edit it from the template. For the moment, we would put Pidgin and TBB there. Later on, Icedove (I am working on it) and any network facing application you and others might think of. I’d be happy to try to confine them. Now, if someone wants to join, she/he is welcome.

Patrick · February 25, 2014, 12:49pm

I tested the Tor Browser profile on Whonix 7.7.9.8. Doesn’t work there. Got logged out and needed to re-login in KDM.

host kernel: [ 1863.979503] type=1400 audit(1393331307.160:34): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/etc/gnome-vfs-2.0/modules/" pid=14333 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Have you tested it on Debian-stable based Whonix already (7.7.9.8)? 7.7.9.8 will most likely soon become Whonix 8 unless someone reports a severe bug.

Could you briefly explain how to create a template and import it in the page?

Create a page https://www.whonix.org/wiki/Template:SomethingX and in some other page such as https://www.whonix.org/wiki/Pagename you can use {{SomethingX}} as a magic word then.

I think we could create a new subsection in the Advanced Security Guide ('AppArmor Profiles' or something) and edit it from the template. For the moment, we would put Pidgin and TBB there. Later on, Icedove (I am working on it) and any network facing application you and others might think of. I'd be happy to try to confine them.

Could do. Alternative suggestion. What do you think about creating an own page for AppArmor profiles? Looks like we're overloading the Advanced Security Guide and we have enough content to justify an own AppArmor page. (The AppArmor page would of course be linked form Advanced Security Guide and other important pages such as Documentation.)

I am happy for any work on AppArmor profiles. Already thinking about creating a separate package for them or even one package per profile. (Profile installation can be simplified for users as in “sudo apt-get install apparmor-torbrowser” or so.)

A quick thought, my personal wishlist for most endangered, network facing applications is (starting with most important): TBB, Icedove, Pidgin, XChat, timesync.

troubadour · February 25, 2014, 2:48pm

Have you tested it on Debian-stable based Whonix already (7.7.9.8 )? 7.7.9.8 will most likely soon become Whonix 8 unless someone reports a severe bug.

I have downloaded and verified 7.7.9.8, but I am still using 7.7.8.6. It should be fixed soon. That is a problem I have encountered already while testing TBB in the host. A new DE brings new denied messages. I have Debian wheezy with Gnome3, KDE, Xfce4 and LXDE in four different VMs. The plan is trying to write ‘universal’ profiles, but I prefer to work first on the tailored ones for Whonix.

Could do. Alternative suggestion. What do you think about creating an own page for AppArmor profiles? Looks like we're overloading the Advanced Security Guide and we have enough content to justify an own AppArmor page. (The AppArmor page would of course be linked form Advanced Security Guide and other important pages such as Documentation.)

That would be much better. I was actually thinking in the same line, but I thought it would be too big a step. The fact of linking the page from different places in the wiki would attract more attention from the users.

After the profiles are thoroughly tested, creating a separate package would of course be perfect.

I’ll update on the progress. Fisrt, Whonix 8.

Patrick · February 25, 2014, 3:39pm

I have downloaded and verified 7.7.9.8, but I am still using 7.7.8.6. It should be fixed soon. That is a problem I have encountered already while testing TBB in the host. A new DE brings new denied messages. I have Debian wheezy with Gnome3, KDE, Xfce4 and LXDE in four different VMs. The plan is trying to write 'universal' profiles, but I prefer to work first on the tailored ones for Whonix.

Sounds good.

That would be much better. I was actually thinking in the same line, but I thought it would be too big a step. The fact of linking the page from different places in the wiki would attract more attention from the users.

Not that a big step. The Advanced Security Guide has limited use for most users. It contains good inspiration and suggestions, but these are time intensive to learn and apply. A bit theoretic. While the AppArmor profiles are are very practical thing. Once fixed, they can be easily applied by quickly copying and pasting a few commands.

I’ve created an empty page:

troubadour · February 25, 2014, 9:04pm

I tested the Tor Browser profile on Whonix 7.7.9.8. Doesn't work there. Got logged out and needed to re-login in KDM.

In which environment were you logged? I am in Whonix 7.7.9.8 and the only choice I am given seems to be KDM.

Patrick · February 26, 2014, 12:19pm

Logged into the default desktop KDE / KDM.

troubadour · February 26, 2014, 8:35pm

I have started AppArmor, basically copying/pasting from the Advanced Security Guide with a new TBB profile. Please feel free to modify my preamble.

I had to add a few lines due to changing to Whonix 7.7.9.8. The apparmor message you report with ‘/etc/gnome-vfs-2.0/modules/’ does not happen here. The directory is not existing. I have added two lines for that, though, rather blindly. Which brings a question: “Why?”.

Patrick · February 26, 2014, 11:13pm

Generally speaking:
We don’t have to backport things to Whonix 7 when Whonix 8 is out. Support for Whonix 7 will be ended shortly after Whonix 8 is released.

In this particular case:
Backporting could be useful, because Whonix 7 is based on Debian testing (currently jessie) while Whonix 8 is based on Debian stable (currently wheezy). (jessie > wheezy) Some day Whonix will be based on jessie, having the profile ready is a good thing.

The profile itself:
I don’t know the answers. Can only say, the TBB profile doesn’t work for me, unfortunately. Still logs me out. No AppArmor messages in syslog. Does it work for you already?

troubadour · February 27, 2014, 8:04am

Ah, we might have a strange problem here. The profile works for me, just a couple of minor messages to fix. When using the Tor browser, I am actually well confined: VirtualBox in the host and TBB in Whonix are enforced.

I assume you are using a freshly built Whonix workstation. This is the only thing I see that can explain the difference between yours and mine, regarding AppArmor. So, either I take the plunge into git now (anyhow, I will have tot do it, sooner or later), or in the meantime, someone working with Whonix development, building on an everyday basis, takes ten minutes once in while to test the profile and forward the results in this thread.

I am not asking you, Patrick, I am sure you have enough to do. May be Occq? Cerberus?

Patrick · February 27, 2014, 12:45pm

I used the profile form AppArmor, I assume that was correct.

Works for me in a fresh Whonix 8 VM (also not when installing a fresh Tor Browser). Doesn’t work in an existing Whonix 8 VM (still logs me out).

Got a denied message now in my existing Whonix 8 VM.

apparmor="DENIED" operation="mkdir" parent=25970 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/tor-browser_en-US/.gnome2/" pid=25983 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

In my fresh Whonix 8 VM I got a different denied message.

apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/.cache/event-sound-cache.tdb.b08dfa6083e7567a1921a715000001fb.i486-pc-linux-gnu" pid=6881 comm="firefox" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000

Git would be good. If this is going to be a generic profile, please don’t add “whonix” into its repository name.

I am not sure that everyone else is reading this topic. The title and beginning of the topic was about something else. Perhaps we should close this topic? Could you create a new topic please? (Title perhaps: “Whonix Security Hardening: Help Test AppArmor Profiles” or something like that?) (Feel free to copy and paste anything useful.)

(Oh, and in case I didn’t say yet, don’t consider my wiki changes final. Always open for improvement.)

troubadour · February 27, 2014, 7:54pm

AppArmor thread continuation:

Edited by Patrick.

Patrick · April 29, 2014, 6:07pm

Whonix in chroot thread continuation:

Patrick · April 29, 2014, 6:07pm

I might not have been entirely correct in Whonix Forum about what I said about chroot/security in the begining of the thread.

Recently there has been an interesting discussion on the debian-security mailing list:

Links to:

Quite interesting.

mirimir · April 29, 2014, 11:25pm

What about LXC?

Would Tor in a LXC container on the host and a workspace VM provide adequate isolation?

Or even both Tor and workspace in separate LXC containers?

Patrick · April 30, 2014, 9:15am

Please see: