Issues with aa-genprof

Hi,

the following issues exist in debian-12, debian-12-minimal and in whonix.

I want to create my own apparmor profile with aa-genprof. For that i installed

sudo apt install apparmor-utils rsyslog auditd

apparmor-utils is obviously needed for aa-genprof, rsyslog is needed because otherwise /var/log/syslog, which is needed, doesn’t exist, and I am not sure if I need auditd, but it won’t hurt.

So when I do e.g. aa-genprof firefox then this results in a nearly empty profile:

ser@test-12345:/var/log$ sudo cat /etc/apparmor.d/usr.bin.firefox 
# Last Modified: Wed Aug  7 19:01:24 2024
abi <abi/3.0>,

include <tunables/global>

/usr/bin/firefox {
  include <abstractions/base>
  include <abstractions/bash>

  /usr/bin/dash ix,
  /usr/bin/firefox r,

}

If I try to start firefox, it won’t even start because it can’t access the things it needs. The same happens with all other programs I tried.
I start aa-genprof before I start the program & while the program is active, I do everything as usual - but the scan in aa-genprof NEVER returns anything. It seems like it can’t scan, even though /var/log/syslog has many things it could use.
aa-logprof also doesn’t change anything.

PS:
on debian-12-minimal i set the kernel params nopat apparmor=1 security=apparmor.

What did I miss to install or what did I do wrong?

Thanks.

Hi

I may answer a bit off, but I recommend you to try to use firejail to start Firefox in a sandbox, it should also provide an apparmor profile for Firefox. Sandboxing it is a daunting task as it requires a lot of file access and privileges.

If you have no objection about flatpak, Firefox is correctly sandboxed and can only access files through xdg-portal. I think it is the most easy to use and reliable sandboxed Firefox available on Linux.

Hi, thanks for your recommendation. I think snaps’ security is based on apparmor and snaps are basically not much or not protected if you aren’t using debian / ubuntu. Does this also apply to flatpak & selinux?

Flatpak is meant to be distribution agnostic and relies on bubblewrap which uses namespaces and seccomp which are basic security features available directly in the linux kernel.


Would someone be willing to spend his valuable time and try out whether aa-genprof works perfectly?

This is a very important topic for me & I tried to reinstall the templates a few times, tried everything on a Debian machine and it works as usual there. If someone could confirm it’s running, I’d reinstall QubesOs. :slight_smile:


If you have installation instructions that work, you should post them so someone can try without asking and may give feedback. This would be great to have in a community guide.

While if you wait for someone to poke at you to ask for the instructions, this is less likely to happen I think :wink:


Well, unfortunately I don’t have installation instructions that work ^^ Gonna post them as soon as I have solved the problem, but I am currently really stuck.

However, if you want to try it:

  1. create a new debian-12 template, let’s call it apparmor-test
  2. run:

sudo apt install apparmor-utils rsyslog auditd

     auditd may not be needed
  3. install the application you want to create a profile for

sudo apt install firefox-esr

     firefox is just used as an example. It is probably better to install the flatpak version of firefox
  4. run

sudo aa-genprof firefox

     & do some things in firefox (for testing purposes, I did connect it to the internet. However, this is not advised.)
  5. afterwards: hit S for scan and normally a prompt should appear asking you if you want to grant permission for xyz. However, this is not happening in my tests. If you have the same error as me, hit F afterwards. Now the - nearly empty - apparmor profile should be applied
  6. run firefox - you should see that you can’t even start it because apparmor doesn’t grant any permission
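A way to check step 5 from the outside: aa-genprof can only build rules from the kernel’s AppArmor audit events (type=1400 lines with apparmor="ALLOWED" in complain mode or apparmor="DENIED"), so if your syslog contains none of those for the profile, the scan has nothing to show. The helper below is an added example, not code from this thread or from the AppArmor project; it parses such lines out of syslog text and summarises them per profile, and the sample log lines, host name and paths are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape rsyslog writes AppArmor audit
# events (all values are made up; a STATUS line, three access events, one
# unrelated rsyslog line).
SAMPLE_LOG = """\
Aug  7 19:02:10 test-host kernel: [ 1234.5678] audit: type=1400 audit(1723057330.123:45): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/firefox" pid=1000 comm="apparmor_parser"
Aug  7 19:02:11 test-host kernel: [ 1235.0001] audit: type=1400 audit(1723057331.001:46): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/etc/ld.so.cache" pid=1010 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug  7 19:02:11 test-host kernel: [ 1235.0002] audit: type=1400 audit(1723057331.002:47): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/usr/lib/firefox-esr/firefox-esr" pid=1010 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug  7 19:02:12 test-host kernel: [ 1236.0000] audit: type=1400 audit(1723057332.000:48): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/home/user/Documents/notes.txt" pid=1010 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Aug  7 19:02:13 test-host rsyslogd: action 'action-0' resumed
"""

VERDICT_RE = re.compile(r'apparmor="[A-Z]+"')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_apparmor_events(text):
    """Return one dict of key="value" fields per AppArmor audit line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        if "audit: type=1400" not in line or not VERDICT_RE.search(line):
            continue
        events.append(dict(FIELD_RE.findall(line)))
    return events


def learnable_events(events, profile):
    """Events aa-genprof could turn into rules for `profile`: ALLOWED (complain mode)
    or DENIED access events. STATUS lines (profile loads) carry no access information."""
    return [e for e in events
            if e.get("profile") == profile and e.get("apparmor") in ("ALLOWED", "DENIED")]


def summarize(events, profile):
    """Count (verdict, operation, path) triples, i.e. the prompts one would expect from the scan."""
    return Counter((e["apparmor"], e["operation"], e.get("name", ""))
                   for e in learnable_events(events, profile))


if __name__ == "__main__":
    evs = parse_apparmor_events(SAMPLE_LOG)
    for (verdict, op, path), n in sorted(summarize(evs, "/usr/bin/firefox").items()):
        print(f"{n:3d} {verdict:8s} {op:10s} {path}")
```

On a real system, feed it the output of `sudo cat /var/log/syslog` instead of SAMPLE_LOG; an empty summary for your profile means the events never reached the log, which is a logging or kernel-parameter problem rather than an aa-genprof one.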


I don’t use Qubes OS myself, but I’ve registered here just to share my experience with Debian 12 Bookworm.

Some minutes ago I had the same problem that you have. Fortunately, I have another machine with a very similar installation, but in which aa-genprof works fine. After some trials and comparisons, I removed (purged) the packages auditd and libauparse0 and then installed them again. Now, aa-genprof and aa-logprof work fine.

I guess something was messed up in some file or configuration. I hope your issue is the same as mine.

Best regards.

Thanks for your reply!

Unfortunately, it didn’t work for me. I still have the same issue that aa-genprof doesn’t “find” anything.