User since: May 1 2019, 12:18 AM (38 w, 5 d)
Dec 24 2019
This just prevents writing to /dev/kmsg. It doesn't stop kernel logs being displayed during boot.
We can use a sysctl.d drop-in and an initramfs hook in security-misc so non-initramfs users will still be mostly protected.
Any attempted access of /boot would be logged the same way anyway, although it might be good to use that to stop it from showing up in aa-logprof.
Why not use an initramfs hook in security-misc? Not everyone will have security-misc and apparmor-profile-everything installed. Users with just security-misc installed will still have some kernel logs shown during early boot.
/boot isn't allowed in init-systemd anyway, so we don't need to add it to dangerous-files. AppArmor denies access to files that aren't explicitly allowed. The only reason we need to blacklist /lib/modules and not /boot is because we give access to all libraries.
Dec 23 2019
/boot/ is already unreadable.
Should this be set in the initramfs?
We should be able to create a drop-in file at /lib/systemd/system/user-.slice.d/ and add something such as
Nov 23 2019
I created the issue:
Oct 4 2019
It turns out, what I said only applies to the Debian package. The kernel patch and the package are actually two different things.
Jul 8 2019
Yay, we have ProtectSystem=strict now.
Jul 6 2019
https://github.com/Whonix/onion-grater/blob/master/lib/systemd/system/onion-grater.service currently works without ReadWritePaths. So let's not add?
Jul 4 2019
It's a file, not a folder.
Jul 3 2019
I just re-read the error message. Try adding
I can test it but I doubt lockdown will help at all.
That's weird. Onion-grater is trying to write to somewhere that's being mounted read-only by systemd.
Jun 25 2019
GUI isolation is very important, no?
Jun 24 2019
The problem is, xpra (actually xpra | xserver-xephyr | xvfb) isn't in the list of Recommends: of the firejail package, by accident. We don't really know the rationale for that. It could be an optional dependency, and without it, someone who knows firejail and is happy to find it installed would wonder why some things actually do not work.
Jun 23 2019
Does it work after you comment ProtectSystem=strict and ReadWriteDirectories=? I think on Qubes-Whonix it is trying to write to a directory in /var/run (probably /var/run/qubes-service). I can't test as I don't use Qubes.
Does it work using this? It looks like it needs the openat syscall which it now allows.
Jun 20 2019
I don't think anything Debian does would modify any iptables rules, nor does Whonix ship any code to disable the firewall. So "disables the firewall for a minute" is non-existent. It would be bad if that happened.
May 12 2019
The way it is now looks fine. Why would it need to be changed?
We need to re-check this for Whonix Host. Since it gets installed using calamares (which handles partitioning) there could be an unwanted swap partition.
Seems quite hacky. What's the root cause for failing?
May 11 2019
https://lists.ubuntu.com/archives/apparmor/2016-February/009371.html says it is used for various things so it might break some things.
May 10 2019
Would it cause any issues if the machine-id was just deleted or replaced with a bunch of 0s?
My pull request enables all of these except martian packet logging which I doubt would be useful on Whonix.
You can create directories in tor-browser_en-US/Browser/TorBrowser/Data/Browser/ called (profile_name).default. Here will be all the configurations for the profile. It should have a custom user.js with proxy settings using privoxy and setting network.proxy.no_proxies_on to 0.
Alternatively, you could change the home page to the program's interface e.g. 127.0.0.1:7657 for I2P and start the browser with a script that creates a popup box using zenity or similar that tells the user the information.
Maybe disable it just for package upgrades?
There is none. You can run swapon -s or cat /proc/swaps to verify.
No, I mean the upstream repository thunar-volman by XFCE developers.
May 9 2019
Can you see from thunar-volman source code where defaults are configured? Would be good to watch for future versions.
May 8 2019
Automounting can be configured in /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/thunar-volman.conf