I’m using AppArmor with the Testing Repo as per the Whonix wiki.
Gwenview and Okular can be opened no problem, but AppArmor blocks the programs from opening images. I’ve tested it a bit and I have found that the only way to view images with these programs is to transfer the image to the desktop. If the image file is on the desktop, it can be opened. However, if the images are in a directory on the desktop, they cannot be opened.
How to reproduce:
Install KVM Whonix with Testing Repo and AppArmor as described in the wiki. Download any image with Tor Browser to Tor Browser’s downloads directory. Try to open the image with Okular or Gwenview. It fails with an AppArmor notification appearing. Now try transferring the image to the desktop and opening it. It works. Now create a directory on the desktop and transfer the image to that. Try opening it. It fails.
I imagine that this is a bug, right?
I’ve personally just disabled the AppArmor profiles for Gwenview and Okular, since I have no idea how to edit profiles.
Thanks for testing however I’ll move this to the Apparmor sub-forum where it makes more sense. I understand you are using KVM Whonix however these bugs don’t really have anything to do with the choice of hypervisor.
Okay, no problem. I thought it would be best to place it in KVM forum because I do not have this problem on Qubes Whonix which I also use with Testing Repo.
Strange. You should not be able to open images in /home/user/Desktop either. Did you make changes to your profile? Not being able to open images in subdirectories of Desktop is expected.
Here is the relevant section of the gwenview profile (/etc/apparmor.d/usr.bin.gwenview):
Ah, right. Looks like okular uses abstractions/user-download which seems unneccessarily strict from a usability point-of-view.
My own solution was this:
## Read-access to any non-dot file in /home/user/
## not contained in a /home/user/dot directory or private-files-strict
#include <abstractions/private-files-strict>
@{HOME}/ r,
@{HOME}/[a-z,A-Z,0-9]* r,
@{HOME}/[a-z,A-Z,0-9]*/ r,
@{HOME}/[a-z,A-Z,0-9]*/** r,
YMMV: I only use gwenview and okular as viewers, not editors (no write permissions).
Wondering if we should refactor this so they are on par with respect to
which folders they can read… I.e. allow the same folders.
Try to imagine what a compromised okular / gwenview could do. If it can
read all of the home folder, it can leak all home folder contents to the
internet. Not great. So if we go through the usability hassle of using
apparmor, I think it is better to restrict it to a few folders probably
not holding long term interesting documents.
What about both using abstractions/user-download?
I am not sure about read / write. Anything useful okular / gwenview
could write? I sometimes use gwenview to rotate images, I guess that
gets stored inside the image.
Makes sense. All of the pre-installed network-enabled document viewers should have same access:
tor-browser (already has user-download)
gwenview
okular
vlc (to be completed)
Yes. [I keep data on non-networked VMs but that’s probably not how a new user would start out.]
Ok, so… what should we use to view our interesting documents?
Would need documentation explaining that documents need to be copied to the Downloads or Desktop directory for viewing/editing. And that important documents should not be stored in those directories.
tags, orientation, crop/resize, plus whatever plugins do… Write is probably needed.
Let’s say it’s for example simple text files (lower attack surface) (probably no attack surface when self-written), then you just open them with your favorite text editor. Better to have them in a folder where higher attack surface applications such as an image viewer (gwenview) or a pdf reader (okular) have read access.
Could you please git pull request / wiki edit your suggestions?
