AppArmor (Project)
Active, Public

Recent Activity

Sat, Nov 23

Patrick closed T938: request apparmor environment scrubbing whitelist from AppArmor upstream as Resolved.

Awesome!

Sat, Nov 23, 5:53 PM · apparmor-profile-everything, Whonix, AppArmor
madaidan added a comment to T938: request apparmor environment scrubbing whitelist from AppArmor upstream.

I created the issue:

Sat, Nov 23, 5:51 PM · apparmor-profile-everything, Whonix, AppArmor
Patrick triaged T938: request apparmor environment scrubbing whitelist from AppArmor upstream as Normal priority.
Sat, Nov 23, 5:23 PM · apparmor-profile-everything, Whonix, AppArmor
Patrick closed T936: apparmor-profile-everything breaks Qubes upgrading as Resolved.
Sat, Nov 23, 5:07 PM · apparmor-profile-everything, Qubes, Whonix, AppArmor
Patrick added a project to T936: apparmor-profile-everything breaks Qubes upgrading : apparmor-profile-everything.
Sat, Nov 23, 5:07 PM · apparmor-profile-everything, Qubes, Whonix, AppArmor
madaidan added a comment to T936: apparmor-profile-everything breaks Qubes upgrading .

https://github.com/Whonix/apparmor-profile-everything/pull/7

Sat, Nov 23, 4:44 PM · apparmor-profile-everything, Qubes, Whonix, AppArmor
Patrick added a comment to T936: apparmor-profile-everything breaks Qubes upgrading .

Could you add to git please?

Sat, Nov 23, 4:41 PM · apparmor-profile-everything, Qubes, Whonix, AppArmor
Patrick added a comment to T936: apparmor-profile-everything breaks Qubes upgrading .

Works.

Sat, Nov 23, 4:38 PM · apparmor-profile-everything, Qubes, Whonix, AppArmor
madaidan added a comment to T936: apparmor-profile-everything breaks Qubes upgrading .

Try adding:

Sat, Nov 23, 4:20 PM · apparmor-profile-everything, Qubes, Whonix, AppArmor
Patrick triaged T936: apparmor-profile-everything breaks Qubes upgrading as Normal priority.
Sat, Nov 23, 4:16 PM · apparmor-profile-everything, Qubes, Whonix, AppArmor

Apr 6 2019

Patrick renamed T606: merge /etc/apparmor.d/abstractions/base.anondist from Debian bullseye from merge /etc/apparmor.d/abstractions/base.anondist from Debian buster to merge /etc/apparmor.d/abstractions/base.anondist from Debian bullseye.
Apr 6 2019, 4:34 PM · Debian version 11 codename Bullseye, AppArmor, Whonix

Mar 7 2018

Patrick closed T557: no longer install apparmor-notify by default as Resolved.
Mar 7 2018, 1:08 AM · user documentation, usability, AppArmor, Whonix 14, Whonix

Feb 6 2018

Patrick removed a project from T520: install fteproxy by default in Whonix-Gateway when porting to Debian stretch: Debian version 9 codename Stretch.
Feb 6 2018, 1:03 AM · systemd, AppArmor, research, user documentation, enhancement, Whonix, circumvention

Sep 8 2017

JasonJAyalaP closed T676: fix obfs4proxy AppArmor issue in Whonix 14 as Resolved.
Sep 8 2017, 1:54 AM · Whonix 14, Whonix, AppArmor, circumvention

Sep 6 2017

JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Ah I see.

Sep 6 2017, 8:23 PM · Whonix 14, Whonix, AppArmor, circumvention

Sep 5 2017

Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.

I changed it to
NoNewPrivileges=No
That's the only thing I can imagine that would be causing that parsing error. Testing now
> torproject's stretch repository [1] does not contain tor_0.3.1.5 yet.
Once TPOs stretch repo contains the latest, this workaround will no longer be needed, correct?
Sep 5 2017, 12:04 PM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

with =no, I'm no longer getting the parsing error

sudo journalctl | grep workaround

but /lib/systemd/system/tor@default.service is unaffected

# Hardening
AppArmorProfile=system_tor
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
...
Sep 5 2017, 11:56 AM · Whonix 14, Whonix, AppArmor, circumvention

Sep 4 2017

JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

with =no, I'm no longer getting the parsing error

Sep 4 2017, 11:29 PM · Whonix 14, Whonix, AppArmor, circumvention
JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

I changed it to
NoNewPrivileges=No
That's the only thing I can imagine that would be causing that parsing error. Testing now

Sep 4 2017, 11:11 PM · Whonix 14, Whonix, AppArmor, circumvention

Sep 3 2017

Patrick reopened T676: fix obfs4proxy AppArmor issue in Whonix 14 as "Open".
Sep 3 2017, 2:12 PM · Whonix 14, Whonix, AppArmor, circumvention

Jul 6 2017

Patrick added a comment to T662: AppArmor & FoxyProxy denied message.

Thanks for updating me! No, then this needs to be removed. And the sandboxed tor browser chapter moved to https://www.whonix.org/wiki/Deprecated.

Jul 6 2017, 6:21 PM · Whonix, AppArmor, Whonix 14
JasonJAyalaP added a comment to T662: AppArmor & FoxyProxy denied message.

According to their wiki that you linked to: "Active development is on indefinite hiatus." Do you still want FP to talk about and link to that?

Jul 6 2017, 6:09 PM · Whonix, AppArmor, Whonix 14
JasonJAyalaP closed T676: fix obfs4proxy AppArmor issue in Whonix 14 as Resolved.
Jul 6 2017, 5:57 PM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a project to T676: fix obfs4proxy AppArmor issue in Whonix 14: Whonix 14.

Please keep the Whonix 14 tag. I guess this can be closed, resolved?

Jul 6 2017, 2:35 PM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.

Ok I created the workaround as you described:
https://github.com/Whonix/anon-gw-anonymizer-config/commit/bfe28e340d03cc4d77e4f49e24bcc0a9da42da06
Jul 6 2017, 2:28 PM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a comment to T662: AppArmor & FoxyProxy denied message.

After FoxyProxy is installed, you may see an app-armory warning you about the denied creation of dconf/user. The current Debian profile for Firefox does not yet include the modern temporary file location /run/user.

Jul 6 2017, 2:13 PM · Whonix, AppArmor, Whonix 14
Patrick added a comment to T662: AppArmor & FoxyProxy denied message.

JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.

@Patrick 
the FP template says "Tor Browser will soon ship with sandboxing on an opt-in basis." Wasn't this rejected?
Jul 6 2017, 2:12 PM · Whonix, AppArmor, Whonix 14
Patrick added a comment to T662: AppArmor & FoxyProxy denied message.

JasonJAyalaP (Jason J. Ayala P.):

the FP template says "Tor Browser will soon ship with sandboxing on an opt-in basis." Wasn't this rejected?
Jul 6 2017, 2:09 PM · Whonix, AppArmor, Whonix 14
JasonJAyalaP removed a project from T676: fix obfs4proxy AppArmor issue in Whonix 14: Whonix 14.
Jul 6 2017, 12:25 AM · Whonix 14, Whonix, AppArmor, circumvention
JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Debian bug report:

Jul 6 2017, 12:25 AM · Whonix 14, Whonix, AppArmor, circumvention

Jul 5 2017

JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Ok I created the workaround as you described:
https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/lib/systemd/system/tor@default.service.d/40_obfs4proxy-workaround.conf

Jul 5 2017, 11:36 PM · Whonix 14, Whonix, AppArmor, circumvention

Jul 4 2017

JasonJAyalaP closed T662: AppArmor & FoxyProxy denied message as Resolved.
Jul 4 2017, 11:28 PM · Whonix, AppArmor, Whonix 14
JasonJAyalaP added a comment to T662: AppArmor & FoxyProxy denied message.

@Patrick
the FP template says "Tor Browser will soon ship with sandboxing on an opt-in basis." Wasn't this rejected?

Jul 4 2017, 11:14 PM · Whonix, AppArmor, Whonix 14
JasonJAyalaP added a comment to T662: AppArmor & FoxyProxy denied message.

Reported bug to app armor:
https://bugs.launchpad.net/apparmor/+bug/1702360

Jul 4 2017, 11:11 PM · Whonix, AppArmor, Whonix 14

Jul 1 2017

Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.
Two things work:

  1. Changing obfs4 execution permission in system_tor apparmor profile (abstractions/tor) from PUx to ix.

  2. Keeping PUx but removing "NoNewPrivileges" from tor@default systemd service (/lib/systemd/system)

Jul 1 2017, 11:57 AM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a comment to T662: AppArmor & FoxyProxy denied message.

JasonJAyalaP (Jason J. Ayala P.):

But it should be a part of abstractions/user-tmp. Are you comfortable doing this, Patrick?
Jul 1 2017, 10:42 AM · Whonix, AppArmor, Whonix 14
JasonJAyalaP added a comment to T662: AppArmor & FoxyProxy denied message.

I really think that "access to the temp folder" should be a basic AA allowance. In fact, it is right now with #include user-tmp. However, user-tmp is so old (I'm guessing) it doesn't have /run/user/[0-9]/**

Jul 1 2017, 3:51 AM · Whonix, AppArmor, Whonix 14
JasonJAyalaP added a comment to T662: AppArmor & FoxyProxy denied message.

Ok, the line should be:

Jul 1 2017, 3:48 AM · Whonix, AppArmor, Whonix 14
JasonJAyalaP reopened T662: AppArmor & FoxyProxy denied message as "Open".

I get the message after a reboot.

Jul 1 2017, 3:27 AM · Whonix, AppArmor, Whonix 14
JasonJAyalaP closed T662: AppArmor & FoxyProxy denied message as Resolved.

Ok. I added the commented line to home.tor-browser.firefox

Jul 1 2017, 2:56 AM · Whonix, AppArmor, Whonix 14
JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Two things work:

Jul 1 2017, 2:42 AM · Whonix 14, Whonix, AppArmor, circumvention

Jun 30 2017

Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Pux (already Tor's default) is alright.

Jun 30 2017, 12:44 PM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a comment to T662: AppArmor & FoxyProxy denied message.

Ahh I see. I can set up i2p/freenet/zeronet and use FP to go through that.
I got zeronet working and browsing around. Latest aa profiles, aa-notify -p, journalctl -f
No denied messages.

Jun 30 2017, 12:15 PM · Whonix, AppArmor, Whonix 14
JasonJAyalaP added a comment to T662: AppArmor & FoxyProxy denied message.

Ahh I see. I can set up i2p/freenet/zeronet and use FP to go through that.

Jun 30 2017, 5:28 AM · Whonix, AppArmor, Whonix 14
JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

I commented out the lines in local/system_tor about obfsproxy. This caused obfsproxy to fail. Changing obfsproxy to rix didn't work. But I'm confused at what I'm seeing, and so I'm still looking at it.

Jun 30 2017, 3:57 AM · Whonix 14, Whonix, AppArmor, circumvention
JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Comment that and obfs4proxy can run as PUx (instead of needing ix)

Jun 30 2017, 3:38 AM · Whonix 14, Whonix, AppArmor, circumvention

Jun 29 2017

Patrick closed T651: Tor Browser 7.0a2 broken in stretch based Whonix 14 - <jemalloc>: Corrupt redzone 0 bytes after 0x7f0503ede9d0 (size 80), byte=0x0, a subtask of T662: AppArmor & FoxyProxy denied message, as Resolved.
Jun 29 2017, 5:31 PM · Whonix, AppArmor, Whonix 14
Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

To save you from somehow learning about systemd overrides the hard way...

Jun 29 2017, 2:34 PM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

In this case, a /local file can probably not do the trick.

Jun 29 2017, 2:30 PM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Ah. I didn't see the include. Makes sense.

Jun 29 2017, 2:14 PM · Whonix 14, Whonix, AppArmor, circumvention