
aa-genprof is broken on Whonix.


#1

I’m working on AppArmor profiles for Monero tools and right away I noticed aa-genprof is broken because of a Whonix file:

user@host:~$ sudo aa-genprof /usr/local/bin/monerod 

ERROR: Values added to a non-existing variable @{HOMEDIRS}: /rw/home/ in tunables/home.d/live-mode
user@host:~$ cat /etc/apparmor.d/tunables/home.d/live-mode 
## Copyright (C) 2018 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## Copyright (C) 2018 Algernon <33966997+Algernon-01@users.noreply.github.com>
## See the file COPYING for copying conditions.

@{HOMEDIRS}+=/rw/home/
alias / -> /rw/,
alias /var/lib/ -> /rw/var/lib/,
alias /var/lib/tor/ -> /rw/var/lib/tor/,

This is on Qubes 4/Whonix 14, testers repo.


#2

Looks like this bug:
https://bugs.launchpad.net/apparmor/+bug/1331856
https://bugs.launchpad.net/apparmor/+bug/1387775

But there is no real fix yet.
As a workaround you could try to comment out the lines in the file and add them to tunables/home instead.


live mode /etc/apparmor.d/tunables/home.d/live-mode breaks aa-enforce
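
The workaround suggested in #2, as an added shell example that is not part of the original thread: it comments out the active lines in tunables/home.d/live-mode and appends them to the end of tunables/home. The function name, the marker comment and the optional directory argument (default /etc/apparmor.d) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: apply the workaround from post #2.
# Usage: move_live_mode_lines [DIR]   (hypothetical helper; DIR defaults to
# /etc/apparmor.d, writing there needs root)
move_live_mode_lines() {
    dir="${1:-/etc/apparmor.d}"
    src="$dir/tunables/home.d/live-mode"
    dst="$dir/tunables/home"
    # Constructed marker so a second run can tell the move already happened.
    marker="## moved from tunables/home.d/live-mode"

    if [ ! -f "$src" ] || [ ! -f "$dst" ]; then
        echo "missing $src or $dst" >&2
        return 1
    fi

    # Idempotent: never append the same lines twice.
    if grep -qF "$marker" "$dst"; then
        return 0
    fi

    # Active lines are those that are neither blank nor comments,
    # e.g. '@{HOMEDIRS}+=/rw/home/' and the 'alias ... -> ...,' rules.
    active=$(grep -Ev '^[[:space:]]*(#|$)' "$src") || return 0  # nothing to move

    # Append them at the end of tunables/home, where @{HOMEDIRS} is
    # already defined by the time the '+=' line is read.
    printf '\n%s\n%s\n' "$marker" "$active" >> "$dst" || return 1

    # Comment out the same lines in live-mode. Writing through 'cat'
    # keeps the original file's owner and permissions.
    tmp=$(mktemp) || return 1
    sed -E 's/^([[:space:]]*[^#[:space:]].*)$/#\1/' "$src" > "$tmp" \
        && cat "$tmp" > "$src"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```
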