install apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure by default

nurmagoz · June 8, 2022, 7:15am

Installing apparmor-profiles apparmor-profiles-extra kicksecure-profiles by default wont loose anything, Been using these packages as default since like 2 years or more no real/major/dysfunctional problem came out of it.

So i think its a good idea to have them installed.

Patrick · June 13, 2022, 10:17am

What do we do in strange crash issues most likely caused by upstream?
Such as this recent example:
Tor Browser crashing in Whonix VirtualBox since upgrade to Host Linux Kernel version 5.10.0-15

If package apparmor-profile-torbrowser was installed by default, it becomes more difficult to point at Generic Bug Reproduction as it is done in Attempt to Debug the Issue.

nurmagoz · June 13, 2022, 9:04pm

very easy to test something with and without apparmor specially apparmor is something separated from the running packages, so if its not working without apparmor then its not. (assuming the issue is not/cant be identifiable and need further investigations)

Patrick · June 29, 2022, 7:19am

github.com/Kicksecure/kicksecure-meta-packages

Install `apparmor-profiles-kicksecure` by default.

committed 07:10AM - 29 Jun 22 UTC

adrelanos

+14 -0

This results in installing the following packages by default: - apparmor-profil…es - apparmor-profiles-extra - apparmor-profile-thunderbird - apparmor-profile-torbrowser - apparmor-profile-hexchat This was implemented by adding `Depends: apparmor-profiles-kicksecure` to package `kicksecure-recommended-cli`. Also provide package `dummy-dependency-apparmor-profiles-kicksecure` as an easy opt-out. https://forums.whonix.org/t/install-apparmor-profiles-apparmor-profiles-extra-apparmor-profiles-kicksecure-by-default/13753

Added to https://www.whonix.org/wiki/AppArmor#Install_all_AppArmor_Profiles just now:

Note written on 29 June 2022: In a future Whonix ™ version 16.0.5.4 (unreleased at time of writing), the following packages will be installed by default. (forum discussion)

Patrick · June 29, 2022, 7:51am

Note:

The above git commits only abolish need for the user to run the Installation steps.
The Enabling part is not implemented by default for all AppArmor profiles.

In other words… This results in some AppArmor profiles enabled by default. These are:

Those AppArmor profiles by the Debian apparmor-profiles package where the Debian maintainers decided to put those into enforce mode by default.
- Profiles where Debian maintainers decided to put those into complain mode by default are not set to enforce by Kicksecure / Whonix yet and it is yet to be tested and decided if that will be a good idea. A call for testers will come soon.
apparmor-profile-thunderbird
apparmor-profile-torbrowser
apparmor-profile-hexchat

No profiles from the Debian apparmor-profiles-extra package are copied from the /usr/share/apparmor/extra-profiles folder to the /etc/apparmor.d by default yet.

Copying might be the wrong approach anyhow because then improvements/fixes by Debian maintainers are not applied when the package is updated.
Symlinks would be better in theory but I haven’t tested yet if AppArmor accepts symlinks in folder /etc/apparmor.d. Help welcome.

Patrick · June 29, 2022, 8:01am

nurmagoz · June 29, 2022, 8:38pm

yes i think better to leave debian profile in complain or enforce mode according to debian decision, but only enforce kicksecure profiles by default.

yep either symlink or keep out of use until upstream push it to /etc/apparmor.d

Patrick · August 7, 2022, 6:40pm

This is done and now in the stable repository.

Patrick · August 7, 2022, 7:24pm

One issue which was caused by this:
Tor Browser Save Download to shared folder access on Whonix-Workstation-XFCE AppArmor Issue