1) Tor Browser 6.5.2 with Apparmor
Runs like a dream. Including in a Whonix-WS DisposableVM.
2) Tor Browser 7.0a3 without Apparmor on Whonix-Workstation
- Websites OK.
- Tor Project IP address check OK
- .onions work.
- Tor Button Missing in Action (doesn’t appear), so can’t change security slider.
- Can’t interact with add-ons e.g preferences, updating fails with a HTTPS error.
- Seems to be running in low security slider (default) mode.
- Search engines dead, etc.
That is, not useable.
3) Tor Browser 7.0a3 without AppArmor on Whonix-Workstation and Whonix-Gateway
Exactly as above, defunct and not safely useable.
4) Tor Browser 7.0a3 running AppArmor on Whonix-Workstation and Whonix-Gateway
Doesn’t work at all:
- Whonix landing page doesn’t even appear.
- Can’t load any webpages at all.
- Apparmor goes crazy with:
apparmor=“DENIED” operation=“open” profile="/home/**/tor-browser*/Browser/firefox" name="/proc/1923/net/route" pid=[redacted] comm=[redacted crazy numbers and letters] requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
apparmor=“DENIED” operation=“mknod” profile="/home/**/tor-browser*/Browser/firefox" name="/dev/shm/org.chromium.FzXY5G" pid=[redacted] comm=[redacted crazy numbers and letters] requested_mask=“c” denied_mask=“c” fsuid=1000 ouid=1000
x a million messages.
Based on the scientific method from 1, 2, 3, and 4 above:
- Tor Browser AppArmor settings are a problem with the alpha series.
- ESR 52 (7.0a3 series) is currently incompatible with Whonix (no idea why).
- Logs aren’t showing any errors for tests 2 & 3 to provide more info.
- Users should stick to 6.5.2 for the time being, which also works fine in a DisposableVM & works with AppArmor.
- Note that the ESR 52 nightly from 6th April worked in Whonix (I checked, see wiki edits thread). So, something changed between then and now to break Whonix completely. e10s? Others?
Considering how many “critical” and “high” severity bugs were identified in this Tor Browser release, it might be time to try v0.0.6 of the sandboxed tor-browser again. Although, the upstream issue hasn’t been fixed for Qubes as I understand it.
With Debian Stretch almost due for release perhaps Whonix 14 isn’t far away too i.e. the updated port filter that was required for the sandbox?