The following issue exists in debian-12, debian-12-minimal and in Whonix.
I want to create my own AppArmor profile with aa-genprof. For that I installed
`sudo apt install apparmor-utils rsyslog auditd`
apparmor-utils is obviously needed for aa-genprof, rsyslog is needed because otherwise /var/log/syslog, which is needed, doesn't exist, and I am not sure if I need auditd, but it won't hurt.
So when I do e.g. aa-genprof firefox, this results in a nearly empty profile:
```
ser@test-12345:/var/log$ sudo cat /etc/apparmor.d/usr.bin.firefox
# Last Modified: Wed Aug 7 19:01:24 2024
abi <abi/3.0>,
include <tunables/global>
/usr/bin/firefox {
  include <abstractions/base>
  include <abstractions/bash>
  /usr/bin/dash ix,
  /usr/bin/firefox r,
}
```
If I try to start firefox, it won't even start because it can't access the things it needs. The same happens with all other programs I tried.
I start aa-genprof before I start the program, and while the program is active I do everything as usual, but the scan in aa-genprof NEVER returns anything. It seems like it can't scan, even though /var/log/syslog has many things it could use. aa-logprof also doesn't change anything.
PS: on debian-12-minimal I set the kernel params `nopat apparmor=1 security=apparmor`.
What did I miss to install, or what did I do wrong?
I may answer a bit off-topic, but I recommend you try firejail to start Firefox in a sandbox; it should also provide an AppArmor profile for Firefox. Sandboxing it is a daunting task as it requires a lot of file access and privileges.
If you have no objection to flatpak, Firefox is correctly sandboxed and can only access files through xdg-portal. I think it is the easiest to use and most reliable sandboxed Firefox available on Linux.
Hi, thanks for your recommendation. I think snaps' security is based on AppArmor, and snaps are basically not much or not at all protected if you aren't using Debian / Ubuntu. Does this also apply to flatpak & SELinux?
Flatpak is meant to be distribution agnostic and relies on bubblewrap, which uses namespaces and seccomp, basic security features available directly in the Linux kernel.
Would someone be willing to spend their valuable time and try out whether aa-genprof works perfectly?
This is a very important topic for me & I tried to reinstall the templates a few times; I tried everything on a Debian machine there and it works as usual. If someone could confirm it's running, I'd reinstall Qubes OS.
If you have installation instructions that work, you should post them so someone can try without asking and may give feedback. This would be great to have in a community guide.
Whereas if you wait for someone to poke you to ask for the instructions, this is less likely to happen, I think.
Well, unfortunately I don't have installation instructions that work ^^ I'm going to post them as soon as I have solved the problem, but I am currently really stuck.
However, if you want to try it:
1. create a new debian-12 template, let's call it apparmor-test
2. run `sudo apt install apparmor-utils rsyslog auditd` (auditd may not be needed)
3. install the application you want to create a profile for: `sudo apt install firefox-esr` (firefox is just used as an example; it is probably better to install the flatpak version of firefox)
4. run `sudo aa-genprof firefox` & do some things in firefox (for testing purposes, I did connect it to the internet. However, this is not advised.)
5. afterwards: hit S for scan, and normally a text should pop up asking you if you want to grant permission for xyz. However, this is not happening in my tests. If you have the same error as me, hit F afterwards. Now the (nearly empty) AppArmor profile should be applied
6. run firefox: you should see that you can't even start it, because AppArmor doesn't grant any permission
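As an added illustration (not code from this thread or from the apparmor-utils project): the scan step of aa-genprof reads AppArmor audit records out of /var/log/syslog and turns them into rule lines. This script does the same for a constructed sample of such records; pointing it at a real syslog instead shows whether the records aa-genprof needs are in the log at all. SAMPLE_LOG and the helper names are assumptions.

```python
import re

# Constructed sample of what rsyslog writes to /var/log/syslog while a profile is in
# complain mode: three AppArmor events for the firefox profile plus one unrelated line.
SAMPLE_LOG = """\
Aug  7 19:02:10 test kernel: audit: type=1400 audit(1723050130.123:45): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/etc/ld.so.cache" pid=1234 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug  7 19:02:10 test kernel: audit: type=1400 audit(1723050130.456:46): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/home/user/.mozilla/firefox/profiles.ini" pid=1234 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
Aug  7 19:02:11 test kernel: audit: type=1400 audit(1723050131.001:47): apparmor="DENIED" operation="exec" profile="/usr/bin/firefox" name="/usr/bin/dash" pid=1235 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Aug  7 19:02:12 test CRON[999]: (root) CMD (run-parts /etc/cron.hourly)
"""
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs of an audit record

def parse_apparmor_events(log_text):
    """Return the key/value fields of every AppArmor audit record in the log text."""
    events = []
    for line in log_text.splitlines():
        if 'apparmor="' not in line:
            continue  # not an AppArmor record (cron, sshd, ...)
        fields = dict(FIELD_RE.findall(line))
        if fields.get("operation") and fields.get("name"):
            events.append(fields)
    return events

def suggest_rules(events, profile):
    """Merge the requested masks per path into candidate profile rule lines."""
    masks = {}
    for ev in events:
        if ev.get("profile") != profile:
            continue
        mask = ev.get("requested_mask") or ev.get("denied_mask") or ""
        masks[ev["name"]] = masks.get(ev["name"], set()) | set(mask)
    rules = []
    for path in sorted(masks):
        m = masks[path]
        # an exec event needs an exec mode; 'ix' (inherit) is what aa-genprof emitted for dash
        perms = "ix" if "x" in m else "".join(sorted(m, key="rwacdmkl".find))
        rules.append(f"  {path} {perms},")
    return rules

def render_profile(profile, rules):
    # same skeleton aa-genprof writes: abi, tunables, base abstraction, then the rules
    head = ["abi <abi/3.0>,", "include <tunables/global>", f"{profile} {{", "  include <abstractions/base>"]
    return "\n".join(head + rules + ["}"])

if __name__ == "__main__":
    # Swap SAMPLE_LOG for open("/var/log/syslog").read() on a real machine: an empty
    # rule list means the audit records aa-genprof scans for never reached the log.
    found = parse_apparmor_events(SAMPLE_LOG)
    print(render_profile("/usr/bin/firefox", suggest_rules(found, "/usr/bin/firefox")))
```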
I don't use Qubes OS myself, but I've registered here just to share my experience with Debian 12 Bookworm.
A few minutes ago I had the same problem that you have. Fortunately, I have another machine with a very similar installation, but on which aa-genprof works fine. After some trials and comparisons, I removed (purged) the packages auditd and libauparse0 and then installed them again. Now aa-genprof and aa-logprof work fine.
I guess something was messed up in some file or configuration. I hope your issue is the same as mine.