Audio in TBB when the process is enforced

After a long time away from GNU/Linux security, I have decided to check apparmor profiles again.
A few days ago I think I saw in the Whonix git a profile for Tor Browser that in the last lines said something like “it’s not enough to add abstractions/audio to get sound”, and it had a special permission given to pulse in the next line. I can’t find it anymore, and since one of my problems when I tried these profiles was exactly not getting sound in my TBB, I would like to know if this profile is still available.

I think I found what I was looking for.
But now I have a problem. I am using the profile as shown below (which is simpler, I think, than the one you have here), but it gives a warning:

“Warning from torprofile (torprofile line 79): profile /home/*/tor-browser_en-US/Browser/firefox network rules not enforced”

And when I click start-tor-browser, it won’t give me anything (neither the launcher nor the browser, nothing).

Any ideas?
My profile:

    #include <tunables/global>

    /home/*/tor-browser_en-US/Browser/firefox {
      #include <abstractions/gnome>
      #include <abstractions/base>
      #include <abstractions/fonts>
      #include <abstractions/user-tmp>
      #include <abstractions/X>

      # Uncomment the following line if you don't want the Tor Browser
      # to have direct access to your sound hardware. Note that this is not
      # enough to have working sound support in Tor Browser.
      #include <abstractions/audio>

      capability sys_ptrace,

      #dbus,
      network tcp,

      deny /etc/host.conf r,
      deny /etc/hosts r,
      deny /etc/nsswitch.conf r,
      deny /etc/resolv.conf r,
      deny /etc/passwd r,
      deny /etc/group r,
      deny /etc/mailcap r,

      deny /etc/machine-id r,
      deny /var/lib/dbus/machine-id r,

      @{PROC}/[0-9]*/mountinfo r,
      @{PROC}/[0-9]*/stat r,
      @{PROC}/[0-9]*/task/*/stat r,
      @{PROC}/sys/kernel/random/uuid r,

      # NB: @{HOME} already expands to /home/*/ (tunables/home), so
      # @{HOME}/*/tor-browser_en-US/ needs one path component more than the
      # /home/*/tor-browser_en-US/ attachment path above and does not match it.
      owner @{HOME}/*/tor-browser_en-US/ r,
      owner @{HOME}/*/tor-browser_en-US/* r,
      owner @{HOME}/*/tor-browser_en-US/.** rwk,
      owner @{HOME}/*/tor-browser_en-US/Browser/.** rwk,
      owner @{HOME}/*/tor-browser_en-US/Browser/ r,
      owner @{HOME}/*/tor-browser_en-US/Browser/** r,
      owner @{HOME}/*/tor-browser_en-US/Browser/*.so mr,
      owner @{HOME}/*/tor-browser_en-US/Browser/components/*.so mr,
      owner @{HOME}/*/tor-browser_en-US/Browser/browser/components/*.so mr,
      owner @{HOME}/*/tor-browser_en-US/Browser/firefox rix,
      owner @{HOME}/*/tor-browser_en-US/Browser/TorBrowser/Data/Browser/profiles.ini r,
      owner @{HOME}/*/tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default/ r,
      owner @{HOME}/*/tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default/** rwk,
      owner @{HOME}/*/tor-browser_en-US/Browser/TorBrowser/Tor/tor Px,
      owner @{HOME}/*/tor-browser_en-US/Browser/TorBrowser/Tor/libstdc++.so.6 m,
      owner @{HOME}/*/tor-browser_en-US/Browser/Desktop/ rw,
      owner @{HOME}/*/tor-browser_en-US/Browser/Desktop/** rwk,
      owner @{HOME}/*/tor-browser_en-US/Browser/Downloads/ rw,
      owner @{HOME}/*/tor-browser_en-US/Browser/Downloads/** rwk,

      /etc/mailcap r,
      /etc/mime.types r,

      /usr/share/ r,
      /usr/share/mime/ r,
      /usr/share/themes/ r,
      /usr/share/applications/** rk,
      /usr/share/gnome/applications/ r,
      /usr/share/gnome/applications/kde4/ r,
      /usr/share/poppler/cMap/ r,

      /sys/devices/system/cpu/ r,
      /sys/devices/system/cpu/present r,
      deny /sys/devices/virtual/block/*/uevent r,

      # Should use abstractions/gstreamer instead once merged upstream
      /etc/udev/udev.conf r,
      /run/udev/data/+pci:* r,
      /sys/devices/pci[0-9]*/**/uevent r,
      owner /{dev,run}/shm/shmfd-* rw,

    }

Split this topic as it might be of interest to some users, and so it does not get buried in the profiles development discussion.

The profile you found seems to be a merge of a profile developed for torbrowser-launcher and the one developed in Whonix (there was an attempt at some stage). Not surprisingly, it does not work any longer.

Regarding the audio, there is a strange issue: it works when Tor Browser is not enforced, and does not otherwise, but without an AppArmor denied message. Furthermore, after starting an audio link, the firefox process does not exit, preventing Tor Browser from restarting.

The workaround is to install pulseaudio.

I cannot explain it. Could you double check by leaving the original Whonix profile untouched and installing pulseaudio?

Note: the above is valid for Debian jessie-based Whonix (from Whonix 11). There are some issues in Debian wheezy that we don’t want to deal with.

Thank you for your kind reply.
Well, right now I am using Debian 7 Wheezy, so I don’t know how much good it will do to test it now. However, I will be replacing it with Debian 8 Jessie in about a month or so, and will continue testing then.

I have also been thinking about which should be considered more “dangerous” and more in need of an AppArmor profile: the Tor Browser or the Tor service itself. Because the way I see it, the Tor Browser can only be attacked by websites that don’t know who I am, but the Tor service being attacked means I could be individually targeted by someone who had control over the Dir Authorities.

Am I right on this, or missing something?

EDIT: Btw, I do have pulseaudio installed. Though like I said, I am running Wheezy.

The Tor Browser is confined by AppArmor in Whonix Workstation, and the tor service is also confined in Whonix Gateway (system_tor profile).

No, it will not work.

The AppArmor messages should not have anything to do with audio.

On my side, for the time being, audio is not working at all in VirtualBox, period, and I have no time to investigate.

Regarding the messages, the location for “/usr/local” under “/rw” is non-standard. AppArmor will report denied messages as long as this is not corrected. “/usr/local” should be in the root directory.

Similar / duplicate:
Whonix AppArmor Profiles Development Discussion - #594 by apparmor-woes

It’s Qubes specific. More on usr local:
Whonix AppArmor Profiles Development Discussion - #595 by Patrick

The links above are broken.

Did anyone find a fix to missing audio when TBB apparmor profile enforced? I don’t want to install pulseaudio.

The little I can assume is firefox tries to find gstreamer and fails, and then falls back to pulse.

Links fixed.

Thanks…

I found a fix!

The following lines in /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox:

    deny /etc/passwd r,
    deny /etc/group r,

have to be inverted to allow read:

    /etc/passwd r,
    /etc/group r,

so:

    sudo -s
    sed -ri 's#^(\s*)deny\s\s*(/etc/passwd r,)#\1\2#' '/etc/apparmor.d/home.*.tor-browser_*.Browser.firefox'
    sed -ri 's#^(\s*)deny\s\s*(/etc/group r,)#\1\2#' '/etc/apparmor.d/home.*.tor-browser_*.Browser.firefox'
    systemctl reload apparmor

After doing this, I get audio in TBB.

Granting passwd and group access is not great but better than disabling the whole profile.
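The deny-to-allow edit above, taken one step further as an added example (editor's code, not Whonix's or torbrowser-launcher's). A plain AppArmor `deny` rule is quiet: the kernel refuses the access but writes no log entry, which fits the earlier observation that audio broke under enforcement without any denied message. So before flipping the rules to allow, the script first turns them into `audit deny` rules, which do get logged, then filters the log for paths denied to this profile, and only then drops the deny. Assumptions: the profile file name is the Whonix one from the post (the asterisks are literal characters in the file name, hence the single quotes); the log lines in `SAMPLE_LOG` are constructed for the example, not captured from a system.

```sh
#!/bin/sh
# Added example for this thread (not Whonix or torbrowser-launcher code).
# Step 1 makes the two quiet deny rules audited, step 2 reads the resulting
# log lines, step 3 turns the rules into allow rules. The profile path and
# SAMPLE_LOG below are assumptions/constructed input for the example.

PROFILE='/etc/apparmor.d/home.*.tor-browser_*.Browser.firefox'

# Step 1: "deny X" -> "audit deny X" so the denial shows up in the kernel log.
# Idempotent: a line that already reads "audit deny" does not match "^deny".
make_audit() {  # $1 = profile file
    sed -i -E 's#^([[:space:]]*)deny[[:space:]]+(/etc/(passwd|group) r,)#\1audit deny \2#' "$1"
}

# Step 2: list the paths this profile was denied. Reads audit lines on stdin
# (e.g. journalctl -k, dmesg, /var/log/audit/audit.log), prints one path per line.
denied_paths() {
    grep 'apparmor="DENIED"' \
      | grep 'profile="/home/\*/tor-browser_en-US/Browser/firefox"' \
      | sed -n 's/.*name="\([^"]*\)".*/\1/p' \
      | sort -u
}

# Step 3: drop the deny (audited or not); what remains is a plain allow rule.
make_allow() {  # $1 = profile file
    sed -i -E 's#^([[:space:]]*)(audit[[:space:]]+)?deny[[:space:]]+(/etc/(passwd|group) r,)#\1\3#' "$1"
}

# Replace only this profile in the kernel instead of reloading every profile.
reload_profile() {  # $1 = profile file
    apparmor_parser -r "$1"
}

# Constructed log lines: the shape step 1 produces once firefox hits the rules.
# The third line belongs to another profile and must be filtered out.
SAMPLE_LOG='type=AVC msg=audit(1449062410.101:210): apparmor="DENIED" operation="open" profile="/home/*/tor-browser_en-US/Browser/firefox" name="/etc/passwd" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1449062410.102:211): apparmor="DENIED" operation="open" profile="/home/*/tor-browser_en-US/Browser/firefox" name="/etc/group" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1449062410.103:212): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/passwd" pid=777 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Dry run on a scratch copy of the relevant rules so nothing under /etc is touched.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '/home/*/tor-browser_en-US/Browser/firefox {' \
        '  deny /etc/passwd r,' '  deny /etc/group r,' '  deny /etc/mailcap r,' '}' \
        > "$tmp/profile"
    make_audit "$tmp/profile"
    echo "paths denied to Tor Browser according to the sample log:"
    printf '%s\n' "$SAMPLE_LOG" | denied_paths
    make_allow "$tmp/profile"
    echo "profile after the edit:"
    cat "$tmp/profile"
    rm -rf "$tmp"
}
demo
```

On a real system the sequence is `make_audit "$PROFILE"`, `reload_profile "$PROFILE"`, reproduce the audio failure, then `journalctl -k | denied_paths`; if `/etc/passwd` and `/etc/group` show up, `make_allow "$PROFILE"` and reload again. The edit has to go into the main profile file rather than into `/etc/apparmor.d/local/`: an explicit deny always wins over an allow rule, so an allow added in the local override cannot lift it.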