Apparmor repo

"It is highly recommend to switch to Whonix’s testers repository before installing them, because the profiles in the stable repository are much older and have some issues. Note, that switching to the testers repository would update also other packages from that testers repository unless you know how to avoid this (advanced users only). "

How can we avoid this?

Either,

a)

  • Enable both repositories in apt sources manually: stable and testers.
  • Then use apt pinning. Configure apt preferences to prefer apparmor-profile-* packages from the testers repository and to prefer the stable repository for everything else.
  • Mostly as per Whonix ™ - Anonymous Operating System.
  • Documentation contributions would be appreciated!

b)

  • Do a usual upgrade first: Security Guide - Whonix
  • Temporarily, manually enable the testers repository.
  • Then “sudo apt-get install apparmor-profile-xchat”.
  • Before confirming, carefully read what apt-get is actually going to upgrade. If only apparmor packages, fine.
  • Switch back to stable repository.

c) Install the packages manually from source code:
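
Option b) depends on reading what apt-get is about to change before confirming. As an added example (not part of the original post), the shell functions below check the output of a simulated run, `apt-get -s install apparmor-profile-xchat`, and list any package that is not an AppArmor profile package. The `apparmor-profile-` prefix rule and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag packages a simulated apt-get run would change that are
# NOT AppArmor profile packages. Reads `apt-get -s ...` output on stdin.
# Real use:  apt-get -s install apparmor-profile-xchat | check_simulation

# Assumption: all profile packages share this prefix, as
# apparmor-profile-xchat does.
ALLOWED_PREFIX='apparmor-profile-'

# unexpected_packages: print each unexpected package name once, one per line.
unexpected_packages() {
    # Simulation lines look like: "Inst <package> [old] (new suite [arch])".
    # "Remv" lines are removals; "Conf" lines repeat "Inst" and are skipped.
    awk -v prefix="$ALLOWED_PREFIX" '
        ($1 == "Inst" || $1 == "Remv") && index($2, prefix) != 1 { print $2 }
    ' | sort -u
}

# check_simulation: return 0 only when nothing but profile packages change.
check_simulation() {
    extra=$(unexpected_packages)
    if [ -n "$extra" ]; then
        printf 'Would also change:\n%s\n' "$extra" >&2
        return 1
    fi
    return 0
}

# Constructed sample outputs (package names, versions and suite labels are
# made up for illustration, not taken from a real Whonix system).
SAMPLE_CLEAN='Inst apparmor-profile-xchat (2.0-1 testers [all])
Conf apparmor-profile-xchat (2.0-1 testers [all])'

SAMPLE_DIRTY='Inst example-other-package [1.0-1] (1.1-1 testers [all])
Inst apparmor-profile-xchat (2.0-1 testers [all])
Conf example-other-package (1.1-1 testers [all])
Conf apparmor-profile-xchat (2.0-1 testers [all])'

# Demonstration on the constructed "dirty" sample.
printf '%s\n' "$SAMPLE_DIRTY" | check_simulation \
    || echo 'Do not confirm: the testers repository would upgrade more than the profiles.'
```

A non-zero exit status means the testers repository would pull in something other than the profiles, so answer "no" at the apt-get prompt and switch back to stable.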

Is it still the case that the Stable repo is outdated?

1 Like

At the moment it should be current.

If you’re looking for things to do over here, the apparmor profiles have not been reviewed / updated in quite some time. They tend to only get looked at when something breaks. A while back, I looked at the okular and gwenview profiles and noticed that they were fairly messy aesthetically - overlaps with abstractions, some unanswered questions, etc. They all may have room for tightening if you’re familiar with all those details (which I’m not). Also, we are missing profiles for vlc (which I’m supposed to be working on) and tor-messenger (which seems to have stalled in ioerror’s absence: Sandboxing Instantbird (#10943) · Issues · Legacy / Trac · GitLab). At the same time, none of this is high priority so your talents may be put to better use on more important tasks.

1 Like

I have been working on an improved Firefox profile since the Debian-supplied one is old and causes FF to freeze on certain pages. Yesterday, I was able to get it working without major glitches and am using it now, so I’ll post it to my github soon.

I will also see what I can do for vlc.

2 Likes

Needless to say, having a strong torbrowser profile should be the top priority.

Tails patches the one included in Debian torbrowser-launcher.
Debian -- Error
Tails - Application isolation

It would be a good idea to compare current Whonix with the latest Tails version. Perhaps see how your profile compares as well.

1 Like

The Whonix Tor Browser profile differs because it does not use the integrated Tor.

Also we are using something permissive

owner @{TBB}/tor-browser*/** mrlwkix,

rather than something restrictedly fine tuned

owner @{TBB}/tor-browser*/Browser/TorBrowser/Data/Browser/profile.default/** rwk,

Restrictedly fine tuned may sound great, but I don’t think that is useful.

Apparmor supposes that the application it is containing has been compromised. So imagine Tor Browser tries to break out to infect the whole system. Even restrictedly fine tuned, the malware can do whatever it wants. Such as persisting across browser restarts.

So if it can write into /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/ but not /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Browser/something/, that does not give us any advantage. Therefore it can do anything inside /home/user/.tb/tor-browser.

A restrictedly fine tuned profile only causes more issues, such as breaking during the Tor Browser internal updater and in other corner cases, which causes maintenance overhead. So owner @{TBB}/tor-browser*/** mrlwkix, as is, makes it very maintainable and I don’t see reasons to change that.

If you want to fine tune stuff outside of /home/user/.tb/tor-browser, that indeed can make sense.