i2prouter AppArmor profile in Whonix

Hello there,

I’ve installed i2p on the Whonix-Workstation, following the guide on i2p’s website.

I’ve started it using “i2prouter start” and I get the following messages:

[code]Profile: /usr/bin/i2prouter
Operation: open
Name: /proc/1/comm
Denied: r
Logfile: /var/log/kern.log
For more information, please see:
https://wiki.ubuntu.com/DebuggingApparmor

Profile: /usr/bin/i2prouter
Operation: open
Name: /dev/pts/0
Denied: rw
Logfile: /var/log/kern.log
For more information, please see:
https://wiki.ubuntu.com/DebuggingApparmor

Profile: /usr/bin/i2prouter
Operation: open
Name: /proc/5261/
Denied: r
Logfile: /var/log/kern.log
For more information, please see:
https://wiki.ubuntu.com/DebuggingApparmor

Profile: /usr/bin/i2prouter
Operation: exec
Name: /usr/bin/sensible-browser
Denied: x
Logfile: /var/log/kern.log
For more information, please see:
https://wiki.ubuntu.com/DebuggingApparmor

Profile: /usr/bin/i2prouter
Operation: exec
Name: /usr/bin/xdg-open
Denied: x
Logfile: /var/log/kern.log
For more information, please see:
https://wiki.ubuntu.com/DebuggingApparmor

Profile: /usr/bin/i2prouter
Operation: exec
Name: /usr/bin/torbrowser
Denied: x
Logfile: /var/log/kern.log
For more information, please see:
https://wiki.ubuntu.com/DebuggingApparmor

Profile: /usr/bin/i2prouter
Operation: exec
Name: /usr/bin/firefox
Denied: x
Logfile: /var/log/kern.log
For more information, please see:
https://wiki.ubuntu.com/DebuggingApparmor[/code]

Does anyone know what to do and how to make it work? Any help is really appreciated. Many thanks in advance and thank you so much for Whonix.

Best regards,

i2peter

The AppArmor profile shipped with i2prouter is neither tested nor supported in Whonix.

You can disable it with:

Try contacting upstream (i2p).

There is no activity so far on irc (#i2p and #i2p-dev) and the mailing list is dead. Will keep trying.

I have installed i2prouter from Debian. In the meantime, we could write a local profile that we install by default. In the end, that will probably be the only solution. I do not see the i2p developers modifying their profile.

Also, in “dpkg-reconfigure i2p”, there is an option for not using AppArmor.

You’re certainly not on irc2p or OFTC. If you are you’ve been awfully quiet and trying to get information via telepathy or something b/c I’ve been there for months and haven’t seen anyone ask about the apparmor profiles. :stuck_out_tongue:

Per the OP’s post none of that would stop I2P from running but it does stop I2P from spawning a browser.

The only problem I have had with I2P in Whonix was with an invalid default /etc/resolv.conf in the KVM images which prevented I2P from being able to bootstrap. Once the nameserver on the gateway was changed to 10.152.152.10, I2P worked.

Note: I have I2P installed on the gateway so it’s not forced to go through Tor. Maybe the change to resolv.conf isn’t needed if I2P is installed on the workstation.

Yes, I have been on OFTC, but did not see any activity and did not post anything. Anyhow, if some users want to install i2prouter in Whonix workstation, the problem should be solved with a local profile.

It does not prevent i2p from running, but in Whonix, because of the AppArmor notifications, it keeps popping windows each time a denied message occurs. It probably goes unnoticed in other distributions.

Thanks for the tip on /etc/resolv.conf. It's outside the scope of this forum, but please feel free to step in the support forum should the need arise.
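One way to turn notifications like those in the first post into a draft for the local profile suggested in the thread, as an added example that is not part of the thread and is not code from i2p or Whonix. It parses the notification text, merges duplicates per path, and prints candidate rule lines for manual review. Assumptions: the notifications are saved as plain text, `parse_denials` and `candidate_rules` are hypothetical names, and rendering exec denials as explicit `deny` rules (which AppArmor enforces without logging) is one policy choice, not the project's.

```python
import re
from collections import defaultdict

# Constructed sample in the notification format quoted in the first post.
SAMPLE = """\
Profile: /usr/bin/i2prouter
Operation: open
Name: /proc/1/comm
Denied: r
Profile: /usr/bin/i2prouter
Operation: open
Name: /dev/pts/0
Denied: rw
Profile: /usr/bin/i2prouter
Operation: exec
Name: /usr/bin/xdg-open
Denied: x
Profile: /usr/bin/i2prouter
Operation: exec
Name: /usr/bin/xdg-open
Denied: x
"""

FIELD = re.compile(r"\b(Profile|Operation|Name|Denied):\s*(\S+)")

def parse_denials(text):
    """Return one dict per notification; a 'Denied:' line closes a record."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD.search(line)
        if m:
            current[m.group(1).lower()] = m.group(2)
            if m.group(1) == "Denied":
                records.append(current)
                current = {}
    return records

def candidate_rules(records, profile="/usr/bin/i2prouter"):
    """Merge duplicates per path and render rule lines for manual review."""
    perms = defaultdict(set)
    for r in records:
        if r.get("profile") == profile and "name" in r:
            perms[r["name"]].update(r["denied"])
    # Exec stays blocked but is no longer logged; file access is drafted as allow.
    return [f"deny {path} x," if "x" in p else f"{path} {''.join(sorted(p))},"
            for path, p in sorted(perms.items())]

if __name__ == "__main__":
    print("\n".join(candidate_rules(parse_denials(SAMPLE))))
```

Paths that contain a process ID or a specific terminal, such as `/proc/5261/` or `/dev/pts/0`, come out literally and need to be generalised by hand before they are useful in a profile.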