Author Topic: Whonix AppArmor Profiles Development Discussion  (Read 24680 times)

Patrick

  • a maintainer of Whonix
  • Administrator
  • *****
  • Posts: 3115
  • (adrelanos)
    • View Profile
    • Patrick Schleizer – Profile Page
Re: Join us testing new AppArmor Profiles! (Whonix Security Hardening)
« Reply #195 on: May 08, 2014, 11:24:09 pm »
Debian is very picky. I am quite sure, they won't allow shipping local profiles.

Then I should move the content of the local profiles in the main profiles. It would be a good thing, anyway, as those rules are not distribution specific. Originally, I put your testing stuff in the local profiles because it was not in my copy, but since, I have added packages of my own and had to allow a few files.
Sounds good.
HOT: How to Ask Smart Questions | How to Report Bugs Effectively
Impressum | Datenschutzerklärung | Haftungsausschluss
If Whonix (g+) is useful to you, please consider a reoccurring donation so I (e-mail) (gpg) (g+) can work full time on Whonix.
Need more attention? Get Professional Support!

troubadour

  • Moderator
  • *****
  • Posts: 571
    • View Profile
Re: Join us testing new AppArmor Profiles! (Whonix Security Hardening)
« Reply #196 on: May 09, 2014, 12:09:06 am »
Trying to push apparmor-profile-torbrowser (no abstractions/whonix, no local profile). Repository not found.

Code: [Select]
Enter passphrase for key '/home/user/.ssh/id_rsa':
ERROR: Repository not found.
fatal: The remote end hung up unexpectedly

I have forked apparmor-profile-trobrowser and "troubadoour already exists", as expected, when when I run 'git remote add'. The package is built normally.

Patrick

  • a maintainer of Whonix
  • Administrator
  • *****
  • Posts: 3115
  • (adrelanos)
    • View Profile
    • Patrick Schleizer – Profile Page
Re: Join us testing new AppArmor Profiles! (Whonix Security Hardening)
« Reply #197 on: May 09, 2014, 12:28:43 am »
Package build does not matter for pushing code. Also pushing buggy code to github works. (git doesn't care about if the code works or not.)

This is my.

Code: [Select]
git remote -v
Code: [Select]
adre    git@github.com:adrelanos/apparmor-profile-anondist.git (fetch)
adre    git@github.com:adrelanos/apparmor-profile-anondist.git (push)
origin  git@github.com:Whonix/apparmor-profile-anondist.git (fetch)
origin  git@github.com:Whonix/apparmor-profile-anondist.git (push)
troubadoour     https://github.com/troubadoour/apparmor-profile-anondist.git (fetch)
troubadoour     https://github.com/troubadoour/apparmor-profile-anondist.git (push)

Your "git remote -v" should include use ssh (git@ syntax) instead.

Code: [Select]
troubadoour    git@github.com/troubadoour/apparmor-profile-anondist.git (fetch)
troubadoour    git@github.com/troubadoour/apparmor-profile-anondist.git (push)

You get this data from github. When you are logged in, on github repo main page (https://github.com/troubadoour/apparmor-profile-anondist) it says "SSH clone URL".

To delete:
git remote rm troubadoour

Re-add:
git remote add troubadoour git@github.com/troubadoour/apparmor-profile-anondist.git

Please post your.

Code: [Select]
git remote -v
I am also on IRC right now.
HOT: How to Ask Smart Questions | How to Report Bugs Effectively
Impressum | Datenschutzerklärung | Haftungsausschluss
If Whonix (g+) is useful to you, please consider a reoccurring donation so I (e-mail) (gpg) (g+) can work full time on Whonix.
Need more attention? Get Professional Support!

Patrick

  • a maintainer of Whonix
  • Administrator
  • *****
  • Posts: 3115
  • (adrelanos)
    • View Profile
    • Patrick Schleizer – Profile Page
Re: Join us testing new AppArmor Profiles! (Whonix Security Hardening)
« Reply #198 on: May 09, 2014, 12:30:12 am »
You also need to add your ssh public key to github.
https://help.github.com/articles/generating-ssh-keys
HOT: How to Ask Smart Questions | How to Report Bugs Effectively
Impressum | Datenschutzerklärung | Haftungsausschluss
If Whonix (g+) is useful to you, please consider a reoccurring donation so I (e-mail) (gpg) (g+) can work full time on Whonix.
Need more attention? Get Professional Support!

troubadour

  • Moderator
  • *****
  • Posts: 571
    • View Profile
Re: Join us testing new AppArmor Profiles! (Whonix Security Hardening)
« Reply #199 on: May 09, 2014, 12:42:02 am »
Quote
You also need to add your ssh public key to github.
https://help.github.com/articles/generating-ssh-keys
My ssh key was already there.

I have done:
Code: [Select]
git remote rm troubadoour
git remote add troubadoour git@github.com/troubadoour/apparmor-profile-anondist.git

It was pushed succesfully.

troubadour

  • Moderator
  • *****
  • Posts: 571
    • View Profile
Re: Join us testing new AppArmor Profiles! (Whonix Security Hardening)
« Reply #200 on: May 09, 2014, 11:17:48 am »
Since you referred it in qubes-devel, I have updated https://www.whonix.org/wiki/AppArmor/Tor_Browser_Bundle to reflect the changes after apparmor-profile-anondist.

Added an "Updates" heading.
« Last Edit: May 09, 2014, 11:23:30 am by troubadour »

Patrick

  • a maintainer of Whonix
  • Administrator
  • *****
  • Posts: 3115
  • (adrelanos)
    • View Profile
    • Patrick Schleizer – Profile Page
Re: Join us testing new AppArmor Profiles! (Whonix Security Hardening)
« Reply #201 on: May 09, 2014, 01:34:33 pm »
In theory, we'd need to advice using the forked abstractions/base. Otherwise instructions to confine Tor Browser for Whonix users are incomplete. Depends on what we want to focus.

Some templates have been edited/created by me. I found out how to use variables in wiki templates. Quite simple.

Please have a glimpse at the wiki source code of:
https://www.whonix.org/wiki/Dev/Build_Documentation/apparmor-profile-torbrowser

Just by replacing package name, the others could be documented as well.

Since all Whonix packages are build in a similar way, we could easily make a build documentation page for every package. If that's worth it. I am not sure. Since build instructions are very similar for different packages, I am not sure it's worth it.
HOT: How to Ask Smart Questions | How to Report Bugs Effectively
Impressum | Datenschutzerklärung | Haftungsausschluss
If Whonix (g+) is useful to you, please consider a reoccurring donation so I (e-mail) (gpg) (g+) can work full time on Whonix.
Need more attention? Get Professional Support!

troubadour

  • Moderator
  • *****
  • Posts: 571
    • View Profile
Re: Join us testing new AppArmor Profiles! (Whonix Security Hardening)
« Reply #202 on: May 09, 2014, 10:01:32 pm »
Quote
In theory, we'd need to advice using the forked abstractions/base. Otherwise instructions to confine Tor Browser for Whonix users are incomplete. Depends on what we want to focus.

Actually, we need to advise the Whonix users to install apparmor-profile-anondist prior to apparmor-profile-torbrowser. The Tor Browser profile will not work in Whonix as is. The same will apply to the upcoming profiles, except sdwdate, timesync and whonixcheck, as they deal with the core of Whonix.

There should be no problem with non anonymous distributions (Debian, Qubes...).

Quote
Please have a glimpse at the wiki source code of:
https://www.whonix.org/wiki/Dev/Build_Documentation/apparmor-profile-torbrowser

Just by replacing package name, the others could be documented as well.

Tried it, it's magic! Then it could become more generic, https://www.whonix.org/wiki/Dev/Build_Documentation/package-installation or something like that. The user has only to change the name in three commands , 'git clone', 'cd' and 'dpkg -i'. Seems reasonably affordable for a user who has gone as far as building a package.
« Last Edit: May 09, 2014, 10:04:01 pm by troubadour »

troubadour

  • Moderator
  • *****
  • Posts: 571
    • View Profile
Re: Join us testing new AppArmor Profiles! (Whonix Security Hardening)
« Reply #203 on: May 09, 2014, 10:29:26 pm »
There should be no problem with non anonymous distributions (Debian, Qubes...).

I have just tried the profile in the host (Debian wheezy) and there is a (big?) problem. When starting Tor, there is a message from Tor Launcher: "Tor unexpetedly exited", without AppArmor messages or anything in the logs. I have the same problem when I install LightDM in Whonix. That could be tricky.

Patrick

  • a maintainer of Whonix
  • Administrator
  • *****
  • Posts: 3115
  • (adrelanos)
    • View Profile
    • Patrick Schleizer – Profile Page
Re: Join us testing new AppArmor Profiles! (Whonix Security Hardening)
« Reply #204 on: May 09, 2014, 11:08:53 pm »
Quote
Actually, we need to advise the Whonix users to install apparmor-profile-anondist prior to apparmor-profile-torbrowser.
Yes.

Quote
The Tor Browser profile will not work in Whonix as is.
Yes.

Quote
The same will apply to the upcoming profiles,
Yes.

Quote
except sdwdate, timesync and whonixcheck, as they deal with the core of Whonix.
By the way those will become standalone packages as well. Work is in progress. I think that comes handy, especially when sdwdate/timesync eventually are uploaded to Debian. Secure time sync on the host is important and at the moment we don't have anything we can advice.

Quote
Tried it, it's magic! Then it could become more generic, https://www.whonix.org/wiki/Dev/Build_Documentation/package-installation or something like that. The user has only to change the name in three commands , 'git clone', 'cd' and 'dpkg -i'.
Hm. The template with the variables by the way is:
https://www.whonix.org/wiki/Template:Build_Documentation_Build_Package
It's a good idea. Like a small menu on the top of that page, where you can choose the package name and then instructions change. No idea how to make such a menu. Template variables are as far I understand replaced when the parser runs. When the user views the page, the parser is already done. Maybe it could be implemented using raw html. Hopefully implementing such a feature won't depend on javascript. Perhaps we find out over time, eventually when a web dev supports us.

Quote
Seems reasonably affordable for a user who has gone as far as building a package.
I agree. Even https://www.whonix.org/wiki/Template:Build_Documentation_Build_Package#Get_Build_Dependncies should suffice. For most other packages/projects, there is not nearly as much documentation available. You're left pretty much alone figuring out how to build it using rudimentary instructions.
HOT: How to Ask Smart Questions | How to Report Bugs Effectively
Impressum | Datenschutzerklärung | Haftungsausschluss
If Whonix (g+) is useful to you, please consider a reoccurring donation so I (e-mail) (gpg) (g+) can work full time on Whonix.
Need more attention? Get Professional Support!

Patrick

  • a maintainer of Whonix
  • Administrator
  • *****
  • Posts: 3115
  • (adrelanos)
    • View Profile
    • Patrick Schleizer – Profile Page
Re: Join us testing new AppArmor Profiles! (Whonix Security Hardening)
« Reply #205 on: May 09, 2014, 11:12:19 pm »
There should be no problem with non anonymous distributions (Debian, Qubes...).

I have just tried the profile in the host (Debian wheezy) and there is a (big?) problem. When starting Tor, there is a message from Tor Launcher: "Tor unexpetedly exited", without AppArmor messages or anything in the logs. I have the same problem when I install LightDM in Whonix. That could be tricky.
I guess making the profile work on Debian would require testing and extending the profile on Debian. The decision is up to you. You could also wait for testers, let them post denied messages and then just fix it as they come in.

As for LightDM, well, I guess there will be a few other things, when installed in conjunction with an apparmor profile showing apparmor denied messages. Eventually some abstraction is missing? (rhetoric question)
HOT: How to Ask Smart Questions | How to Report Bugs Effectively
Impressum | Datenschutzerklärung | Haftungsausschluss
If Whonix (g+) is useful to you, please consider a reoccurring donation so I (e-mail) (gpg) (g+) can work full time on Whonix.
Need more attention? Get Professional Support!

HulaHoop

  • Hero Member
  • *****
  • Posts: 668
  • Maintainer of Whonix KVM
    • View Profile
Re: Join us testing new AppArmor Profiles! (Whonix Security Hardening)
« Reply #206 on: May 10, 2014, 02:47:49 am »
Hi Patrick and Troubadour, is there any plans to ship the next major Whonix release with Apparmor enabled out of the box? I think this would go a long way for protection of the entire userbase.

TAILS has this on their long term goals on their roadmap but we here have a head start  :)
« Last Edit: May 10, 2014, 03:01:03 am by HulaHoop »
Understand your freedom.  Assert it. | Resources: Whonix KVM Wiki & Whonix KVM Support Forum

Nothing can Five Eyes yield from the Onion field.

Patrick

  • a maintainer of Whonix
  • Administrator
  • *****
  • Posts: 3115
  • (adrelanos)
    • View Profile
    • Patrick Schleizer – Profile Page
Re: Join us testing new AppArmor Profiles! (Whonix Security Hardening)
« Reply #207 on: May 10, 2014, 04:18:47 pm »
Let's hope we get packaging done (very likely at current rate of progress) and these profiles ready for easier testing in Whonix 9 as simple as "sudo apt-get install apparmor-profile-*". When to install them by default is a difficult question, not sure discussing this is premature.

Perhaps in Whonix 10?

The problem with AppArmor profiles, that are not tested and maintained by upstream is, that any upgrades released by upstream (Tor Browser is a good example here) can lead to the application no longer functioning at all. Having Tor Browser break for all Whonix users due to the AppArmor profile would cause a giant wave of support requests and bad press, I think. Perhaps it's better if users are educated about the nature of the profiles, advised to install, and to keep in mind to temporarily remove them (and how!) in case of upgrade/failure. Or if we try to get upstream to takeover maintenance.

For applications developed by the Whonix team (sdwdate...) however, I guess pre-installing them in Whonix 9 or 10 should be easier, since there we know what changes will come and are able to test before release.
HOT: How to Ask Smart Questions | How to Report Bugs Effectively
Impressum | Datenschutzerklärung | Haftungsausschluss
If Whonix (g+) is useful to you, please consider a reoccurring donation so I (e-mail) (gpg) (g+) can work full time on Whonix.
Need more attention? Get Professional Support!

Patrick

  • a maintainer of Whonix
  • Administrator
  • *****
  • Posts: 3115
  • (adrelanos)
    • View Profile
    • Patrick Schleizer – Profile Page
Re: Join us testing new AppArmor Profiles! (Whonix Security Hardening)
« Reply #208 on: May 12, 2014, 01:46:53 am »
Small change in XChat profile to allow sound notification, please review:
https://www.whonix.org/w/index.php?title=AppArmor%2FXChat&diff=7854&oldid=7274
HOT: How to Ask Smart Questions | How to Report Bugs Effectively
Impressum | Datenschutzerklärung | Haftungsausschluss
If Whonix (g+) is useful to you, please consider a reoccurring donation so I (e-mail) (gpg) (g+) can work full time on Whonix.
Need more attention? Get Professional Support!

troubadour

  • Moderator
  • *****
  • Posts: 571
    • View Profile
Re: Join us testing new AppArmor Profiles! (Whonix Security Hardening)
« Reply #209 on: May 13, 2014, 12:17:39 am »
Just reinstalled apparmor-profile-anondist from github.

'ls -l /etc/apparmor.d/abstractions/base* gives
Code: [Select]
-rw-r--r-- 1 root root 4650 Jul 17  2012 base
-rw-r--r-- 1 root root 5111 Aug 15  2013 base.anondist
lrwxrwxrwx 1 root root   22 May 12 21:13 base.apparmor -> base.apparmor.anondist
when it was
Code: [Select]
lrwxrwxrwx 1 root root   13 May  5 22:38 /etc/apparmor.d/abstractions/base -> base.apparmor
-rw-r--r-- 1 root root 4771 Aug 15  2013 /etc/apparmor.d/abstractions/base.apparmor
-rw-r--r-- 1 root root 4650 Jul 17  2012 /etc/apparmor.d/abstractions/base.apparmor-orig

To get it working, I have to modify the Tor browser profile with 'include <abstractions/base.anondist>'.

Was there any change during my short period of absence? I cannot see any modification on github since my last commit.

 

Legal

Impressum Datenschutz Haftungsausschluss Contact

Links

Homepage Blog Issues Github

Misc

Contribute Donate Investors Free Support Professional Support