Hi @user0071
The following steps will patch your Tor-browser apparmor profile and make your browser usable.
1)
If using VirtualBox or KVM: Make a clone of your whonix-ws virtual machine for testing purposes. This way if you make a mistake you can start over with a fresh cloned vm.
If using Qubes OS: Create a clone of your whonix-ws template
2) Open up a terminal/konsole in whonix-ws
3) You want to make changes in your Tor-browser apparmor configuration file. You can find this in the /etc directory. You want to start by listing all of the files in the /etc/apparmor.d directory using the following command:
ls -l /etc/apparmor.d
You should get a return like this
total 88
drwxr-xr-x 4 root root 4096 Jun 13 17:48 abstractions
drwxr-xr-x 2 root root 4096 Jun 13 18:24 cache
drwxr-xr-x 2 root root 4096 Dec 12 2014 disable
drwxr-xr-x 2 root root 4096 Dec 12 2014 force-complain
-rw-r--r-- 1 root root 4781 Jun 13 18:27 home.*.tor-browser_*.Browser.firefox
-rw-r--r-- 1 root root 1550 Aug 15 2013 home.*.tor-browser_*.Browser.start-tor-browser
drwxr-xr-x 2 root root 4096 Jun 13 18:24 local
-rw-r--r-- 1 root root 684 Jan 23 15:54 system_tor
drwxr-xr-x 5 root root 4096 Aug 5 2016 tunables
-rw-r--r-- 1 root root 1493 Aug 15 2013 usr.bin.okular
-rw-r--r-- 1 root root 8637 Apr 16 10:50 usr.bin.thunderbird
-rw-r--r-- 1 root root 6706 Aug 15 2013 usr.bin.whonixcheck
-rw-r--r-- 1 root root 189 Aug 15 2013 usr.bin.xchat
-rw-r--r-- 1 root root 5846 Aug 15 2013 usr.lib.icedove.icedove
-rw-r--r-- 1 root root 211 Aug 15 2013 usr.lib.sdwdate.url_to_unixtime
-rw-r--r-- 1 root root 4925 Jun 9 2015 usr.sbin.cupsd
You want to make the changes in the Tor-browser apparmor profile so open up that in a text editor like nano
sudo nano '/etc/apparmor.d/home.*.tor-browser_*.Browser.firefox'
You should get a result like this
# Last modified: Sun May 18 19:22:08 UTC 2014
#include <tunables/global>
@{TBB} = @{HOME}*
/home/**/tor-browser*/Browser/firefox {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/kde>
#include <abstractions/gnome>
#include <abstractions/audio>
#include <abstractions/user-download>
#include <abstractions/user-tmp>
#include <abstractions/X>
deny /etc/host.conf r,
deny /etc/hosts r,
deny /etc/nsswitch.conf r,
deny /etc/resolv.conf r,
deny /etc/passwd r,
deny /etc/group r,
deny /etc/udev/udev.conf r,
deny /etc/mailcap r,
deny /etc/fstab r,
deny @{PROC}/[0-9]*/stat r,
deny @{PROC}/[0-9]*/mountinfo r,
deny @{PROC}/[0-9]*/task/ r,
deny @{PROC}/[0-9]*/task/** r,
deny @{PROC}/sys/kernel/random/uuid r,
deny @{PROC}/sys/vm/overcommit_memory r,
deny @{PROC}/[0-9]*/cmdline r,
@{PROC}/*/environ r,
deny /run/udev/** r,
deny /sys/devices/** r,
(I truncated some of the output that is not necessary for this example.)
4) Copy the patch from @Hexagon and paste it into the configuration file.
Copy this
owner /dev/shm/org.chromium.* rw,
Paste into the config file in the place shown below < Here >
# Last modified: Sun May 18 19:22:08 UTC 2014
#include <tunables/global>
@{TBB} = @{HOME}*
/home/**/tor-browser*/Browser/firefox {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/kde>
#include <abstractions/gnome>
#include <abstractions/audio>
#include <abstractions/user-download>
#include <abstractions/user-tmp>
#include <abstractions/X>
*** << Paste it Here >> ***
deny /etc/host.conf r,
deny /etc/hosts r,
deny /etc/nsswitch.conf r,
deny /etc/resolv.conf r,
deny /etc/passwd r,
deny /etc/group r,
deny /etc/udev/udev.conf r,
deny /etc/mailcap r,
deny /etc/fstab r,
5) If you are using nano text editor and are satisfied with your changes press
"Ctrl" + "X" followed by "Y" then "Enter" to save your changes
Good Luck!
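
Step 4 can also be done without an editor. The script below is an added example, not part of the original post: it inserts the rule after the last abstractions include only when it is not already present, and keeps a backup copy. The function names and the sample profile excerpt are constructed for illustration, and the rule is written as `owner /dev/shm/org.chromium.* rw,`, which is an assumption about the patch's exact form in AppArmor rule syntax.

```shell
#!/bin/sh
# Added example: idempotent version of step 4 for an AppArmor profile file.
RULE='  owner /dev/shm/org.chromium.* rw,'   # assumed form of the rule

# add_shm_rule PROFILE BACKUP
# Inserts RULE after the last "#include <abstractions/...>" line of PROFILE.
# BACKUP should live outside /etc/apparmor.d so it is not loaded as a profile.
add_shm_rule() {
    profile=$1 backup=$2
    # Already patched: leave the file untouched.
    grep -qF '/dev/shm/org.chromium.*' "$profile" && return 0
    # No include line to anchor on: refuse rather than guess a position.
    grep -q '^[[:space:]]*#include <abstractions/' "$profile" || return 1
    tmp=$(mktemp) || return 1
    awk -v rule="$RULE" '
        { line[NR] = $0 }
        /^[ \t]*#include <abstractions\// { last = NR }
        END { for (i = 1; i <= NR; i++) { print line[i]; if (i == last) print rule } }
    ' "$profile" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place (cat, not mv) so owner and mode of PROFILE are kept.
    cp "$profile" "$backup" && cat "$tmp" > "$profile"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed profile excerpt for the demo; not the real Whonix profile.
make_sample_profile() {
    cat > "$1" <<'EOF'
#include <tunables/global>
/home/**/tor-browser*/Browser/firefox {
  #include <abstractions/base>
  #include <abstractions/X>
  deny /etc/hosts r,
  deny /etc/passwd r,
}
EOF
}

# Demo: patch a temporary copy twice; the second call changes nothing.
demo=$(mktemp) && make_sample_profile "$demo"
add_shm_rule "$demo" "$demo.orig" && add_shm_rule "$demo" "$demo.orig"
grep -n 'org.chromium' "$demo"
rm -f "$demo" "$demo.orig"
```

On the real system, run the function as root against the profile under /etc/apparmor.d, then reload it with `sudo apparmor_parser -r` followed by the profile path so the new rule takes effect.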