Apparmor aa-logprof

Hi

I tried a lot of methods to make aa-logprof work, following the explanations in the installation guide with journalctl.

With syslog-ng too

My log was full; on each try aa-logprof was pointing at the correct file but never reported anything denied in a profile.

It’s damn incredible: the restrictions work, the log too. Is it a special question of format or whatever?

Thanks a lot!

@Jench
aa-logprof is an interactive tool used to review AppArmor generated messages and update AppArmor security profiles.

Running aa-logprof will scan the log file and if there are new AppArmor events that are not covered by the existing profile set, the user will be prompted with suggested modifications to augment the profile.

When aa-logprof exits profile changes are saved to disk. If AppArmor is running, the updated profiles are reloaded and if any processes that generated AppArmor events are still running in the null-complain-profile, those processes are set to run under their proper profiles.

cheers . . . :slight_smile:

@Jench yeah, app-armor is a great option if you don’t want SE Linux or other cyber vendors’ micro-segmentation tools for enterprise. AA is more for cybertech pros to use at home for Linux systems due to the simpler implementation.

  • I don’t fully understand your question though, but to create a profile from scratch for any application, you can start with easy-prof. If you are using a pre-existing profile that has some permission issues due to, say, using a different kind of hardware, then the errors should come in log-prof.

When I was locking down Wireshark, I had issues as the profile was a bit too restrictive, so I had to generate the Wireshark permissions from scratch, and yes, it works like a charm.

Cheers,
Atreus

Hi

Thanks for your answers. I already use apparmor on Ubuntu; I did the same test for an application in both complain and enforced mode, and aa-logprof did display the interactive screen.

But it doesn’t do it with Parrot.

Don’t want to bother you with that.

Sometimes I think I’d better put Docker in Parrot or use Tomoyo (SE Linux seems to be harder to master).

Many thanks

No worries @Jench but two suggestions

  1. Try starting the application from the CLI when using log-prof, as I noticed some applications will not show in log-prof until you start them from the CLI…

  2. Try installing the profiles manually (not interactive). More time consuming, but some applications can be stubborn and so incompatible with aa-logprof that only manual profile creation is possible. I’ve seen some cases, especially with Wireshark, Firefox and less known/custom made applications.

I have not been able to try app-armor with Parrot 6.0 due to partial support with Raspberry Pi 5. It worked fine with Pi 4 though. My current profile build of app-armor is with Kali… yeah, SE-Linux (Red Hat + NSA) is a different beast on its own, geared towards enterprise along with cyber-sec vendors’ implementations. It also supports a variety of OS types, e.g. Windows, along with more granular lock-down policies, e.g. process micro-segmentation. I was involved in this with a financial institution and yes, it’s complex and tedious.

When using Docker though, don’t forget to use app-armor first on the Linux side to micro-segment Docker as a whole before moving to use it in Docker. 2wice as nice :wink: … Condoms + Contraceptives means no pregnancy… #jokes #kidding.

:slight_smile: Atreus

@therealavatar

Hi.

Thanks for your answer.

audit.log (66.3 KB)

In the audit.log there is a DENIED line at the line 113 (used sudo aa-notify -p -f /var/log/audit/audit.log)

When I started qbittorrent manually, something interesting happened:

```
Traceback (most recent call last):
  File "/usr/bin/aa-notify", line 545, in <module>
    main()
  File "/usr/bin/aa-notify", line 528, in main
    n.show()
  File "/usr/lib/python3/dist-packages/notify2.py", line 181, in show
    nid = dbus_iface.Notify(appname,       # app_name       (spec names)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/dbus/proxies.py", line 72, in __call__
    return self._proxy_method(*args, **keywords)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/dbus/proxies.py", line 141, in __call__
    return self._connection.call_blocking(self._named_service,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/dbus/connection.py", line 634, in call_blocking
    reply_message = self.send_message_with_reply_and_block(
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
dbus.exceptions.DBusException: org.gtk.GDBus.UnmappedGError.Quark._notification_2ddaemon_2derror_2dquark.Code1: Exceeded maximum number of notifications


An unexpected error occoured!

For details, see /tmp/apparmor-bugreport-fai5qjzw.txt
Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues
and attach this file.
```
apparmor-bugreport-fai5qjzw.log (9.7 KB)

The version of apparmor is 3.0.8-3

However, in case the audit.log was buggy because of the aa-notify crash, I kept only line 113, also without result.
```
└──╼ $sudo aa-logprof 
Updating AppArmor profiles in /etc/apparmor.d.
Reading log entries from /var/log/audit/audit.log.
```

I think there’s a problem with Parrot 6 using auditd and aa-logprof.

Is there another interactive tool besides aa-logprof?

I’m gonna send the crash report to AppArmor.

Have a wonderful day

:sweat_smile: Oooops forgot to close the preformatted text tag

@Jench no worries
Personally I use the Tor network, so using BitTorrent over Tor is always a bad idea. 2010’s wisdom (issues with reliability, speed and privacy)… You can read about this further if you use the Tor network, and not bother with torrents at all unless you are on the surface net: Bittorrent over Tor isn't a good idea | The Tor Project

A particular deny rule in your qbittorrent app-armor profile might be blocking the application’s access to that system call, or not explicitly permitting it, or, as you mentioned, simply a bug. Usually one of those three. You can cross-check your profile with: Apparmor & qbittorrent … The profile does not seem to be system specific, so maybe you might be lucky and it works. Look at the policy from “1fallen” as it is quite detailed.

:slight_smile: Odin Atreus

@therealavatar

Hi Óđinn Asgard’s God!

For torrent over Tor, for sure it’s bad, Tor is not made for that; I2P offers this kind of P2P.

I’ll use a VPN only

The big question is not for me to make qbittorent work with apparmor.

I like strange, difficult stuff that takes a lot of time for nothing :rofl:

I changed to the profiles you indicated, which seem to be quite cool and more restrictive.

If you have time, please see this thread I created: on apparmor gitlab

As I mentioned, there is something interesting I didn’t try so far (to keep the suspense) on this Wiki page

I’m almost sure it’s the solution.

Anyone wanna test? :crazy_face:

Have a sunny day

You got jokes man. That was very good :rofl: @Jench … I took a look at it and yes, it is a mismatch/error between aa-logprof and audit.log due to the flood of logs. I actually have that issue when I use Firefox over Tor with a different IP address change every 67 seconds. aa-logprof just cannot handle it as the log from Firefox shows a new location somewhere in the world, so basically a new IP and location and metadata dump from the browser every 30-60 seconds.

My conclusion was the solution is for normal IP/metadata requests. Working on a workaround (more permissive rule in that aspect) but conflicting priorities currently too… Nice catch at your end Jench, as I see how qbittorrent and the Tor IP changer are similar (you are pulling chunks of the downloading file from multiple seeders with different IP addresses/location/metadata per minute, and my Tor is changing IP address/location/metadata to access the surface and darknet… aa-logprof cannot handle it). Both use cases are spitting out different metadata every 30-60 seconds (for surface and Tor network), which leads me to believe apparmor does not like that… Nice catch at your end Jench :vulcan_salute:t4:

FYI: Torrents and Tor use the same working concept for different levels of the web, so that makes the issue inversely identical and explains why app-armor does not like both. It also makes the bug super nice to discover as it shows consistency :smile: :wink: :yin_yang:

Yes, I am aware of I2P, but the level of independent/community audit of the code for backdoors is not as mature as Tor’s (since Tor is the birth child of the US Navy, folks scrutinized it); also I2P has far fewer nodes than Tor, making it easier to run de-anonymizing nodes there. Tor’s very wide adoption makes random folks’ traffic easier to blend in. Not saying the attacks are impossible in Tor, but the probability is lower.

Have an awesome day too buddy :slight_smile:

Atreus Odin


@Jench I did find a workaround to the app-armor issue by using firejail! It is a simpler version of app-armor. So basically I use app-armor to lock down the majority of the common programs I use, including VPN & Tor, but use firejail for Firefox (think of firejail as a sandbox). I think it is better to use firejail than over-permit a rule in an app-armor profile when it does not support the feature, which then negates the point of the lock down, is my thought process.

I did check and qbittorrent has a preinstalled profile with firejail, so maybe that logic might apply to you. One major difference is that firejail restricts the running capabilities of an application via Linux namespaces while app-armor does it at the kernel level.

Also, you can start applications without firejail as it is not mandatory, while app-armor will not let the application run after it has been micro-segmented.

This document has some differences in a simple manner AppArmor vs Firejail -| bsdnerds.org

Thought it might help. One thing is that websites that did not check if I was a robot are now doing so, including Parrot. I see the reason though, but it’s super annoying. Not sure you will have that issue though, since it’s a download function and not surfing using Tor. My next step is to get the sandboxed Firefox to utilize my user.js script for additional browser security.

:slight_smile: Atreus Odin

@therealavatar , Odin the All-Father Hello!

It’s quite fun that you tell me about Firejail. My first target was to make apparmor and firejail work together correctly, so user and kernel levels are fully protected.

There is a perfect example of what I wanted to do, Kicksecure’s apparmor profile for torbrowser with firejail.

Tor browser without it (not even using the firejails.default apparmor profile when starting firejail torbrowser-launcher):


Apparmor is unconfined

```
┌─[parrot@parrot]─[~]
└──╼ $sudo jailcheck 
[sudo] password for parrot: 
Warning: invalid directory ~/.ssh, skipping...

4485:parrot::firejail torbrowser-launcher 
   Warning: AppArmor not enabled
   Virtual dirs: /home/parrot, /tmp, /var/tmp, /dev, /etc, /bin, 
                 /usr/share, /run/user/1000, 
   Networking: enabled
┌─[parrot@parrot]─[~]
```

Now with the Kicksecure profile, started the same way:

```
6147:parrot::firejail torbrowser-launcher 
   Virtual dirs: /home/parrot, /tmp, /var/tmp, /dev, /etc, /bin, 
                 /usr/share, /run/user/1000, 
   Networking: enabled
```

This is great!

And now… qbittorrent started with firejail qbittorrent

Apparmor UNCONFINED, it’s gross.

Trying to force it using the correct apparmor profile using firejail --appamor=/etc/apparmor.d/usr.bin.qbittorrent

It doesn’t care.

Might you have the superpower to find out how to make it work correctly, as Tor Browser does with the Kicksecure apparmor profile?

I’m probably not good enough, so I was thinking of using apparmor +

Tomoyo?
bubblewrap?
chroot?
docker?

Thanks, you are my last hope :upside_down_face:

Thanks and I enjoy this thread!

I forgot.

For aa-logprof I think I’ll try (when I’ll have the time) to test:

* Modify audit.rules to only log apparmor violation messages, yeah, bad for overall log security
* grep only apparmor violations into a new file and run aa-logprof to check it
* go back to syslog-ng, it works perfectly with it

++
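Added example for the second item in the list above (filtering the apparmor DENIED records out of an auditd log into a smaller file for aa-logprof -f). This is not code from the thread or from the AppArmor project; the log lines are constructed in auditd's type=AVC format and the output path is a placeholder:

```python
"""Pull AppArmor DENIED records out of an auditd audit.log so they can be
reviewed, or handed to aa-logprof -f as a much smaller file."""
import re
from collections import Counter

# auditd stores AppArmor events as type=AVC records of key=value pairs (strings quoted).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return the fields of an AppArmor AVC record as a dict, else None."""
    if not line.startswith("type=AVC") or "apparmor=" not in line:
        return None
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def denied_records(lines):
    """Keep only DENIED events; ALLOWED (complain mode) and STATUS are noise here."""
    for line in lines:
        rec = parse_record(line)
        if rec and rec.get("apparmor") == "DENIED":
            yield line, rec

def summarize(lines):
    """Count denials per (profile, operation, target); repeated hits collapse to one row."""
    counts = Counter()
    for _, rec in denied_records(lines):
        target = rec.get("name") or rec.get("capname") or rec.get("family", "")
        counts[(rec["profile"], rec["operation"], target)] += 1
    return counts

def write_denied_only(lines, out_path):
    """Write the DENIED lines verbatim (aa-logprof needs the original format)."""
    kept = [line.rstrip("\n") + "\n" for line, _ in denied_records(lines)]
    with open(out_path, "w") as fh:
        fh.writelines(kept)
    return len(kept)

# Constructed sample in auditd format (not the audit.log attached in the thread).
SAMPLE_LOG = [
    'type=AVC msg=audit(1700000000.101:201): apparmor="DENIED" operation="open" profile="/usr/bin/qbittorrent" name="/etc/ssl/private/key.pem" pid=4321 comm="qbittorrent" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1700000000.102:202): apparmor="ALLOWED" operation="open" profile="/usr/bin/qbittorrent" name="/home/parrot/Downloads/" pid=4321 comm="qbittorrent" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'type=AVC msg=audit(1700000000.103:203): apparmor="DENIED" operation="create" profile="/usr/bin/qbittorrent" pid=4321 comm="qbittorrent" family="inet6" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"',
    'type=AVC msg=audit(1700000000.104:204): apparmor="DENIED" operation="open" profile="/usr/bin/qbittorrent" name="/etc/ssl/private/key.pem" pid=4321 comm="qbittorrent" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    "type=USER_AUTH msg=audit(1700000000.105:205): pid=1 uid=0 auid=1000 ses=3 msg='op=PAM:authentication res=success'",
    'type=AVC msg=audit(1700000000.106:206): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/qbittorrent" pid=99 comm="apparmor_parser"',
]

if __name__ == "__main__":
    for (profile, op, target), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {profile}  {op}  {target}")
    print(write_denied_only(SAMPLE_LOG, "/tmp/apparmor-denied.log"), "lines written")
```

With a real file, replace SAMPLE_LOG by the lines of /var/log/audit/audit.log and point aa-logprof -f at the written file.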

@Jench thanks for the kind words and yes, cool thread! So our architecture is a bit different. I use Firefox over Tor and not the full Tor Browser like you, due to Raspberry Pi’s hardware compatibility with Tor Browser (Raspberry Pi does not support Tor Browser, so I have to be creative based on the threat model). I have connected two individual components (Firefox & Tor) using a manual proxy configuration, so I get to use individual security policies (Firejail & apparmor for Firefox and apparmor only for Tor).

FYI: a little-known secret is that you can separate the Tor function from the browser functionality. People just associate Tor Browser with Tor, but Tor is actually a network (onion routing network).

Your use case for Tor allows everything through the Tor Browser, so firejail and app-armor profiles are compatible with it simultaneously. When you use the firejail profile for qbittorrent it worked because firejail supports it, but when you add the app-armor profile overlay it triggers the same issue that you currently have, just that firejail is doing it on your behalf; the issue persists. So you have to solve the initial app-armor profile issue if you want to use firejail & app-armor for qbittorrent. Think of it this way: firejail has a profile that would be evaluated, then apparmor will evaluate its own set of profiles. firejail does its best to seamlessly integrate both policies but it does not work all the time. A good use case for you that I selected is Wireshark. Firejail confines it, but the Wireshark app-armor policy is in complain mode, so I get this:

If you use both technologies simultaneously there are many failure points, except for high risk applications, which torrents are unfortunately part of… lol.

have an awesome one

Atreus Odin :slightly_smiling_face: