apparmor and tor-browser

Hello ,
Updated Tor Browser today to 7.0; after that, it failed to show any web page, including the Whonix default welcome page, and gave this AppArmor error:

Profile: /home/**/tor-browser*/Browser/firefox Operation: mknod Name: /dev/shm/org.chromium.0n7rD3 Denied: c Logfile: /var/log/kern.log For more information, please see: DebuggingApparmor - Ubuntu Wiki

I can confirm this for the AppArmor profile from the stable repository.

Adding owner /dev/shm/org.chromium.* rw, to the AppArmor profile fixes this.
(instead of * you could be more specific with [a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9])

AppArmor also complains that TB wants read access to /proc/*/net/route, I don’t know if it is safe to allow that.

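The denials quoted in this thread are desktop-notification renderings of the kernel's AppArmor audit records. Before adding any rule, it is worth triaging the raw records in bulk rather than one notification at a time: group identical denials, collapse per-process random names (the org.chromium.XXXXXX shared-memory files) and per-pid /proc paths into the globs the profile already uses, and translate the denied mask into the narrowest rule that would satisfy it. The following script is an added example, not from the Whonix forum thread or the Whonix profile package; the kern.log lines in it are constructed to mirror the denials discussed above, and the function name denials_to_rules is my own.

```shell
#!/bin/sh
# Added example: turn AppArmor "DENIED" audit lines into a de-duplicated list
# of candidate profile rules for human review. Not part of the Whonix thread.

# CONSTRUCTED sample of /var/log/kern.log records, shaped like the denials
# quoted in the thread (mknod on /dev/shm/org.chromium.*, read of /proc/*/net/route)
# plus one ALLOWED record that must be ignored.
SAMPLE_KERN_LOG='Jun 13 18:30:01 host kernel: [ 1234.567890] audit: type=1400 audit(1497378601.123:45): apparmor="DENIED" operation="mknod" profile="/home/**/tor-browser*/Browser/firefox" name="/dev/shm/org.chromium.0n7rD3" pid=2345 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jun 13 18:30:01 host kernel: [ 1234.568000] audit: type=1400 audit(1497378601.124:46): apparmor="DENIED" operation="mknod" profile="/home/**/tor-browser*/Browser/firefox" name="/dev/shm/org.chromium.Ab12Cd" pid=2345 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jun 13 18:30:02 host kernel: [ 1234.570000] audit: type=1400 audit(1497378602.001:47): apparmor="DENIED" operation="open" profile="/home/**/tor-browser*/Browser/firefox" name="/proc/2345/net/route" pid=2345 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 13 18:30:02 host kernel: [ 1234.571000] audit: type=1400 audit(1497378602.002:48): apparmor="ALLOWED" operation="open" profile="/home/**/tor-browser*/Browser/firefox" name="/etc/fonts/fonts.conf" pid=2345 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# denials_to_rules: read audit lines on stdin, print "<count>\t<candidate rule>"
# for each distinct (path, mask), sorted by rule. Only DENIED records count.
denials_to_rules() {
    grep 'apparmor="DENIED"' |
    # Pull out: path, denied mask, uid of the process, uid of the file owner.
    sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".* fsuid=\([0-9]*\) ouid=\([0-9]*\).*/\1 \2 \3 \4/p' |
    awk '
    # Map an audit mask to the file permission letters a rule needs:
    # create (c) and delete (d) are granted by w; other letters pass through.
    function rule_mask(m,   i, ch, out) {
        out = ""
        for (i = 1; i <= length(m); i++) {
            ch = substr(m, i, 1)
            if (ch == "c" || ch == "d") ch = "w"
            if (index(out, ch) == 0) out = out ch
        }
        return out
    }
    {
        name = $1; mask = rule_mask($2); fsuid = $3; ouid = $4
        # Per-process random suffix -> the glob used in the thread.
        if (name ~ /^\/dev\/shm\/org\.chromium\.[A-Za-z0-9]+$/) name = "/dev/shm/org.chromium.*"
        # Per-pid /proc path -> the @{PROC}/[0-9]*/ form the profile already uses.
        sub(/^\/proc\/[0-9]+\//, "@{PROC}/[0-9]*/", name)
        # If the file belongs to the confined user, the owner qualifier keeps
        # the grant from applying to other users files.
        qual = (fsuid == ouid) ? "owner " : ""
        key = qual name " " mask ","
        count[key]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | LC_ALL=C sort -k2
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_KERN_LOG" | denials_to_rules
```

On a real system feed it the live log instead, e.g. `sudo grep 'apparmor="DENIED"' /var/log/kern.log | denials_to_rules` (or `journalctl -k` on systemd hosts). Note that the mask mapping yields `w` for the mknod denial, which is the minimum that fixes it; the thread's `rw` is slightly broader. Output lines are candidates for review, not rules to paste blindly: the /proc/*/net/route entry is exactly the kind Hexagon flagged as needing a decision rather than an automatic grant.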

How? Can you please tell me step by step …

@Patrick

Hi @user0071

The following steps will patch your Tor-browser apparmor profile and make your browser usable.

1) If using VirtualBox or KVM: Make a clone of your whonix-ws virtual machine for testing purposes. This way if you make a mistake you can start over with a fresh cloned VM.

If using Qubes OS: Create a clone of your whonix-ws template.

2) Open up a terminal/konsole in whonix-ws

3) You want to make changes in your Tor-browser apparmor configuration file. You can find this in the /etc directory. You want to start by listing all of the files in the /etc/apparmor.d directory using the following command:

 ls -l /etc/apparmor.d

You should get a return like this

total 88
drwxr-xr-x 4 root root 4096 Jun 13 17:48 abstractions
drwxr-xr-x 2 root root 4096 Jun 13 18:24 cache
drwxr-xr-x 2 root root 4096 Dec 12  2014 disable
drwxr-xr-x 2 root root 4096 Dec 12  2014 force-complain
-rw-r--r-- 1 root root 4781 Jun 13 18:27 home.*.tor-browser_*.Browser.firefox
-rw-r--r-- 1 root root 1550 Aug 15  2013 home.*.tor-browser_*.Browser.start-tor-browser
drwxr-xr-x 2 root root 4096 Jun 13 18:24 local
-rw-r--r-- 1 root root  684 Jan 23 15:54 system_tor
drwxr-xr-x 5 root root 4096 Aug  5  2016 tunables
-rw-r--r-- 1 root root 1493 Aug 15  2013 usr.bin.okular
-rw-r--r-- 1 root root 8637 Apr 16 10:50 usr.bin.thunderbird
-rw-r--r-- 1 root root 6706 Aug 15  2013 usr.bin.whonixcheck
-rw-r--r-- 1 root root  189 Aug 15  2013 usr.bin.xchat
-rw-r--r-- 1 root root 5846 Aug 15  2013 usr.lib.icedove.icedove
-rw-r--r-- 1 root root  211 Aug 15  2013 usr.lib.sdwdate.url_to_unixtime
-rw-r--r-- 1 root root 4925 Jun  9  2015 usr.sbin.cupsd
You want to make the changes in the Tor-browser apparmor profile, so open it up in a text editor like nano:

    sudo nano '/etc/apparmor.d/home.*.tor-browser_*.Browser.firefox'

You should get a result like this

# Last modified: Sun May 18 19:22:08 UTC 2014
#include <tunables/global>

@{TBB} = @{HOME}*

/home/**/tor-browser*/Browser/firefox {
    #include <abstractions/base>
    #include <abstractions/fonts>
    #include <abstractions/kde>
    #include <abstractions/gnome>
    #include <abstractions/audio>
    #include <abstractions/user-download>
    #include <abstractions/user-tmp>
    #include <abstractions/X>

    deny /etc/host.conf r,
    deny /etc/hosts r,
    deny /etc/nsswitch.conf r,
    deny /etc/resolv.conf r,
    deny /etc/passwd r,
    deny /etc/group r,
    deny /etc/udev/udev.conf r,
    deny /etc/mailcap r,
    deny /etc/fstab r,

    deny @{PROC}/[0-9]*/stat r,
    deny @{PROC}/[0-9]*/mountinfo r,
    deny @{PROC}/[0-9]*/task/ r,
    deny @{PROC}/[0-9]*/task/** r,
    deny @{PROC}/sys/kernel/random/uuid r,
    deny @{PROC}/sys/vm/overcommit_memory r,
    
    deny @{PROC}/[0-9]*/cmdline r,

    @{PROC}/*/environ r,

    deny /run/udev/** r,
    deny /sys/devices/** r,

(I truncated some of the output that is not necessary for this example.)

4) Copy the patch from @Hexagon and paste it into the configuration file.

Copy this

  owner /dev/shm/org.chromium.* rw,

Paste into the config file in the place shown below < Here >

# Last modified: Sun May 18 19:22:08 UTC 2014

#include <tunables/global>

@{TBB} = @{HOME}*

/home/**/tor-browser*/Browser/firefox {
    #include <abstractions/base>
    #include <abstractions/fonts>
    #include <abstractions/kde>
    #include <abstractions/gnome>
    #include <abstractions/audio>
    #include <abstractions/user-download>
    #include <abstractions/user-tmp>
    #include <abstractions/X>

    *** << Paste it Here >> ***

  deny /etc/host.conf r,
  deny /etc/hosts r,
  deny /etc/nsswitch.conf r,
  deny /etc/resolv.conf r,
  deny /etc/passwd r,
  deny /etc/group r,
  deny /etc/udev/udev.conf r,
  deny /etc/mailcap r,
  deny /etc/fstab r,

5) If you are using nano text editor and are satisfied with your changes press

 "Ctrl" + "X"  followed by "Y"  then "Enter"  to save your changes

Good Luck!

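The five steps above are a manual edit in nano. The same change can be scripted so that it is idempotent (running it twice does not add the rule twice), shows the reviewer a diff before anything is written, and puts the rule exactly where the walkthrough says to paste it, directly after the last #include <abstractions/...> line. This is an added example, not code from the Whonix thread or from the Whonix apparmor-profile-torbrowser package; the sample profile inside it is a constructed, trimmed stand-in for /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox, and the function names has_rule, insert_rule and apply_rule are my own. It uses AppArmor's owner qualifier, which restricts a file rule to files owned by the confined process's user.

```shell
#!/bin/sh
# Added example: scripted, idempotent version of "open the profile in nano and
# paste the rule after the #include lines". Not part of the Whonix thread.

# CONSTRUCTED stand-in for the Tor Browser profile (shape taken from the
# thread, heavily trimmed; not the real file).
SAMPLE_PROFILE='# Last modified: Sun May 18 19:22:08 UTC 2014
#include <tunables/global>

@{TBB} = @{HOME}*

/home/**/tor-browser*/Browser/firefox {
    #include <abstractions/base>
    #include <abstractions/fonts>
    #include <abstractions/X>

    deny /etc/host.conf r,
    deny /etc/hosts r,
}'

# has_rule PROFILE RULE : succeed when RULE already appears verbatim
# (leading indentation ignored), so re-runs do not duplicate it.
has_rule() {
    awk -v rule="$2" '
        { sub(/^[ \t]+/, ""); if ($0 == rule) found = 1 }
        END { exit !found }
    ' "$1"
}

# insert_rule PROFILE RULE : print PROFILE with RULE on its own line directly
# after the last "#include <abstractions/...>" line. Reads the file twice:
# pass one locates that line, pass two copies and inserts. Fails loudly if
# no such line exists instead of silently emitting an unchanged profile.
insert_rule() {
    awk -v rule="$2" '
        NR == FNR { if ($0 ~ /^[ \t]*#include <abstractions\//) last = FNR; next }
        { print; if (FNR == last) print "    " rule }
        END {
            if (!last) { print "insert_rule: no #include <abstractions/...> line found" > "/dev/stderr"; exit 1 }
        }
    ' "$1" "$1"
}

# apply_rule PROFILE RULE : add RULE to PROFILE in place if it is missing,
# showing a unified diff of the change first. Writing with cat keeps the
# original file owner and mode (root:root 0644 under /etc/apparmor.d).
apply_rule() {
    profile=$1
    rule=$2
    if has_rule "$profile" "$rule"; then
        echo "already present: $rule"
        return 0
    fi
    tmp=$(mktemp) || return 1
    insert_rule "$profile" "$rule" > "$tmp" || { rm -f "$tmp"; return 1; }
    diff -u "$profile" "$tmp" || true   # diff exits 1 when files differ; that is expected
    cat "$tmp" > "$profile"
    rm -f "$tmp"
    echo "added: $rule"
}

# Demo on a temporary copy of the constructed profile: the first call inserts,
# the second is a no-op.
demo() {
    d=$(mktemp)
    printf '%s\n' "$SAMPLE_PROFILE" > "$d"
    apply_rule "$d" 'owner /dev/shm/org.chromium.* rw,'
    apply_rule "$d" 'owner /dev/shm/org.chromium.* rw,'
    rm -f "$d"
}
demo
```

To use it on the real profile, run apply_rule as root against the file under /etc/apparmor.d (on a cloned VM or template, as step 1 advises), then reload the edited profile with `sudo apparmor_parser -r /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox`; editing the file alone changes nothing until the profile is reloaded or the system rebooted.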

Thanks @0brand and @Hexagon

I confirmed it is working, but editing profile home.tor-browser.firefox … editing profile home..tor-browser_.Browser.firefox didn’t make it work … don't know the reason

regards

I should have mentioned that I’m using apparmor-profiles from the testers repository as suggested in the Whonix apparmor-wiki. Are you using apparmor-profiles from the testers repository or from the stable repository?

testers

I just wanted to add that this was already fixed in master on 5th May.

Hello, today Tor Browser got updated to 7.0.7 internally; afterward, when it starts, it shows an error page ("tab is crashed" or something like this), no browsing works, and the Whonix offline home page is not visible.

AppArmor message:

“Profile: /home/**/tor-browser*/Browser/firefox Operation: open Name: /dev/ Denied: r Logfile: /var/log/kern.log For more information, please see: DebuggingApparmor - Ubuntu Wiki”

Kindly help to fix it.

@Hexagon
@0brand

@Patrick
@HulaHoop

Please don’t tag people unless you think they would be interested in your specific issue. (Participants in this thread already receive notifications). The forum exists to help with general support to begin with.

I also upgraded to 7.0.7 and received the same Denied notification. However, it didn’t affect my browsing at all. Ignore the /dev/ r denial for now.

That sounds like the symptom of the original post. Are you sure you applied the patch properly?


Our torbrowser profile needs a full review. Reference: Tails is using torbrowser-launcher’s profile and applying Tails’ patches to it. Both are more actively maintained than ours. It’s also time to revisit apparmor socket controls: Why is Tor Browser allowed to connect to /var/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock by the current AppArmor profile?


OK, got it.
But the tab crashing error?

  1. Which Whonix platform? Version?
  2. Did you get any errors with 7.0.6?
  3. Have you modified Tor Browser in any way? settings? extensions? plugins?

Added instructions to AppArmor entry re: “Maintain a Functional Tor Browser” -> Done.

Added a few lines to the AppArmor Tor Browser profiles. It seems to fix all the denied messages preventing the browser from displaying any page.


Officially: Welcome back! :slight_smile:

Merged. (git cherry picked.)

Could you please git merge origin/master?

I would like to second that welcome to a major Whonix contributor. :grinning:
