
ERROR: Values added to a non-existing variable @{HOMEDIRS}: /rw/home/ in tunables/home.d/live-mode

sudo aa-enforce /etc/apparmor.d/tor_browser

ERROR: Values added to a non-existing variable @{HOMEDIRS}: /rw/home/ in tunables/home.d/live-mode

What to do?
Do I edit this?

## Missing in <abstractions/user-download> #######
# Without this line, access is denied to @{HOME},
# [dD]ownload{,s}, Desktop... for downloads.
@{HOME}/ r,
@{HOME}/* r,

When yes, which values?

Related:

You can try this workaround (not tested)

2 Likes

Removed: /etc/apparmor.d/tunables/home.d/live-mode

Now it’s working with:

#include <tunables/global>

/mnt/tor-browser-tmpfs/tor_browser/Browser/firefox flags=(attach_disconnected) {
    #include <abstractions/base>
    #include <abstractions/fonts>
    ##include <abstractions/kde>
    #include <abstractions/gnome>
    ##include <abstractions/audio>
    ##include <abstractions/user-download>
    #include <abstractions/user-tmp>
    #include <abstractions/X>

    signal,
    signal (send) peer=@{profile_name},

    deny /etc/host.conf r,
    deny /etc/hosts r,
    deny /etc/nsswitch.conf r,
    deny /etc/resolv.conf r,
    deny /etc/passwd r,
    deny /etc/group r,
    deny /etc/udev/udev.conf r,
    deny /etc/mailcap r,
    deny /etc/fstab r,

    deny @{PROC}/[0-9]*/stat r,
    deny @{PROC}/[0-9]*/mountinfo r,
    deny @{PROC}/[0-9]*/task/ r,
    deny @{PROC}/[0-9]*/task/** r,
    deny @{PROC}/sys/kernel/random/uuid r,
    deny @{PROC}/sys/vm/overcommit_memory r,
    deny @{PROC}/[0-9]*/cmdline r,

    /dev/shm/org.chromium.* rw,

    @{PROC}/*/environ r,
    @{PROC}/[0-9]*/status r,
    @{PROC}/[0-9]*/net/route r,
    @{PROC}/[0-9]*/net/arp r,
    @{PROC}/[0-9]*/uid_map rw,
    @{PROC}/[0-9]*/gid_map rw,
    @{PROC}/[0-9]*/setgroups rw,

    ## Added 20/12/2017
    deny @{PROC}/[0-9]*/net/route r,
    deny @{PROC}/[0-9]*/net/arp r,
    /dev/ r,
    /dev/shm/org.chromium.* rwk,

    deny /run/udev/** r,
    deny /sys/devices/** r,

    ## Missing in <abstractions/user-download> #######
    # Without this line, access is denied to @{HOME},
    # [dD]ownload{,s}, Desktop... for downloads.
    #@{HOME}/ r,
    #@{HOME}/* r,
    ##################################################

    ## KDE 4 ##
    #@{HOME}/.kde/share/config/* r,

    ## Xfce4 ##
    #/etc/xfce4/defaults.list r,

    /etc/ld.so.conf.d/ r,
    /etc/ld.so.conf.d/* r,
    /etc/ld.so.conf r,
    /etc/debian_version r,

    /etc/mime.types r,
    #/etc/wildmidi/wildmidi.cfg r, # gstreamer

    ## VPN support.
    /run/resolvconf/resolv.conf r,

    /tmp/MozUpdater/bgupdate/updater rix,

    /usr/bin/ r,
    #/usr/bin/kde4-config rix,
    /usr/bin/lsb_release rix,
    /usr/bin/apt-cache rix,
    /usr/bin/dirname rix,

    /usr/lib/*-linux-gnu/** mrix,
    /usr/lib/python*/lib-dynload/* mr,

    /usr/local/share/applications/ r,
    /usr/local/share/applications/meminfo.cache r,
    /usr/local/share/applications/mimeinfo.cache r,

    /usr/local/lib/python*/dist-packages/ r,
    /usr/local/lib/python*/dist-packages/** r,

    /usr/share/ r,
    /usr/share/mime/ r,
    /usr/share/mime/** r,
    /usr/share/themes/ r,
    /usr/share/themes/** r,
    /usr/share/applications/** rk,
    #/usr/share/xfce4/applications/ r,
    /usr/share/poppler/cMap/ r,
    /usr/share/poppler/cMap/** r,
    /usr/share/libthai/ r,
    /usr/share/glib-2.0/schemas/gschemas.compiled r,
    /usr/share/libthai/** r,
    /usr/share/pyshared/lsb_release.py r,
    /usr/share/distro-info/debian.csv r,

    ## Distribution homepage
    #/usr/share/homepage/ r,
    #/usr/share/homepage/** r,

    #/usr/share/xul-ext/foxyproxy-standard/ r,
    #/usr/share/xul-ext/foxyproxy-standard/** r,

    ## Not in abstractions/fonts ##
    #/usr/share/fontconfig/conf.avail/* r,
    /var/cache/fontconfig/ rk,

    ## For systems used in VirtualBox ##
    deny /var/lib/dbus/machine-id r,
    @{PROC}/[0-9]*/fd/ r,
    /dev/vboxuser rw,
    /bin/ps rix,
    /bin/dash rix,
    #/usr/bin/pulseaudio rix,
1 Like

I’m working on AppArmor profiles for Monero tools and right away I noticed aa-genprof is broken because of a Whonix file:

user@host:~$ sudo aa-genprof /usr/local/bin/monerod 

ERROR: Values added to a non-existing variable @{HOMEDIRS}: /rw/home/ in tunables/home.d/live-mode
user@host:~$ cat /etc/apparmor.d/tunables/home.d/live-mode 
## Copyright (C) 2018 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## Copyright (C) 2018 Algernon <33966997+Algernon-01@users.noreply.github.com>
## See the file COPYING for copying conditions.

@{HOMEDIRS}+=/rw/home/
alias / -> /rw/,
alias /var/lib/ -> /rw/var/lib/,
alias /var/lib/tor/ -> /rw/var/lib/tor/,

This is on Qubes 4/Whonix 14, testers repo.

1 Like

Looks like these bugs:
https://bugs.launchpad.net/apparmor/+bug/1331856
https://bugs.launchpad.net/apparmor/+bug/1387775

But there is no real fix yet.
As a workaround you could try to comment out the lines in the file and add them instead to tunables/home.

1 Like
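The failure and the workaround discussed in the replies above, as an added example that is not part of this thread or of Whonix's own code: a small Python model of the check the aa-* tools apply (assumption: each include file is validated on its own, which is why moving the `+=` line into tunables/home makes the error go away), run over a constructed stand-in for tunables/home and the live-mode file quoted in the thread, plus a function that applies the suggested workaround.

```python
import re

# Constructed sample input: a minimal stand-in for tunables/home (assumption)
# and the tunables/home.d/live-mode file as quoted in the thread.
FILES = {
    "tunables/home": (
        "@{HOME}=@{HOMEDIRS}/*/ /root/\n"
        "@{HOMEDIRS}=/home/\n"
        "#include <tunables/home.d>\n"
    ),
    "tunables/home.d/live-mode": (
        "@{HOMEDIRS}+=/rw/home/\n"
        "alias / -> /rw/,\n"
    ),
}
VAR_DEF = re.compile(r"^\s*@\{(\w+)\}\s*=(.*)$")    # @{VAR}=value
VAR_ADD = re.compile(r"^\s*@\{(\w+)\}\s*\+=(.*)$")  # @{VAR}+=value

def check_file(name, text):
    """Model of the per-file check (assumption): a '+=' is an error unless
    the same file defined the variable earlier. Returns the error strings."""
    defined, errors = set(), []
    for line in text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = VAR_ADD.match(line)
        if m and m.group(1) not in defined:
            errors.append("ERROR: Values added to a non-existing variable "
                          f"@{{{m.group(1)}}}: {m.group(2).strip()} in {name}")
    return errors

def check_all(files):
    """Run the check over every tunables file, in the given order."""
    return [e for name, text in files.items() for e in check_file(name, text)]

def apply_workaround(files, child, parent):
    """The thread's workaround: comment out the '+=' lines in the home.d file
    and append them to the parent file, after its '=' definitions."""
    moved, kept = [], []
    for line in files[child].splitlines():
        if VAR_ADD.match(line):
            moved.append(line)
            kept.append("#" + line)  # leave a commented copy in place
        else:
            kept.append(line)
    fixed = dict(files)
    fixed[child] = "\n".join(kept) + "\n"
    fixed[parent] = files[parent] + "\n".join(moved) + "\n"
    return fixed
```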