Continuing the discussion from aa-genprof is broken on Whonix.:
Doesn’t only break aa-genproof.
sudo aa-enforce /etc/apparmor.d/home.tor-browser.start-tor-browser ; echo $?
ERROR: Values added to a non-existing variable @{HOMEDIRS}: /rw/home/ in tunables/home.d/live-mode 1
This makes debugging apparmor issues (currently on Tor Browser 8.* won't launch - #3 by Patrick) cumbersome. Any workaround?
//cc @Algernon
Beyond commenting the lines or removing the file, currently not.
Why not keep it commented and only uncomment it when in live mode?
Then, users who aren’t using live mode won’t be affected by this bug.
madaidan via Whonix Forum:
Why not keep it commented and only uncomment it when in live mode?
Then, users who aren’t using live mode won’t be affected by this bug.
Sounds great!
Also that line could be moved to a separate file to make editing through
scripts easier.
Could you implement a systemd unit file that does that please?
What package?
since that package ships the offending file. Seems best fit.
I’m not sure if grepping /proc/cmdline for boot=live is the correct way to test for live mode or not but it works.
systemd
ConditionKernelCommandLine
But grep is also good since then I can add an else to undo.
I’ll port to str_replace.
Thanks!
Merged. And added a serious of commits on top.
Comparing 4.7-1...4.8-1 · Kicksecure/apparmor-profile-dist · GitHub
What are the advantages over sed?
When updating (with the developer repository), I now get this message
Configuration file ‘/etc/apparmor.d/tunables/home.d/live-mode’
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer’s version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** live-mode (Y/I/N/O/D/Z) [default=N] ?
Similar to /etc/machine-id. We should probably figure out a way to skip this if possible.
madaidan via Whonix Forum:
What are the advantages over sed?
No interpretation of special characters. Therefore and generally much
more easy to grasp syntax.
madaidan via Whonix Forum:
When updating (with the developer repository), I now get this message
Configuration file ‘/etc/apparmor.d/tunables/home.d/live-mode’
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer’s version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** live-mode (Y/I/N/O/D/Z) [default=N] ?Similar to /etc/machine-id.
Didn’t happen to me. Probably happen because you modified the file locally before the upgrade.
[1] This prompt would still happen when upgrading in live-mode since then “Modified (by you or by a script) since installation.” is true.
Should not happen in persistent-mode since then package default config gets replaced with newer package default config.
We should probably figure out a way to skip this if possible.
Would be worth figuring out anyhow generally. [1] is a good enough reason to do so.
It’s happening because the file is placed in /etc, therefore considered a configuration file.
Root causes: Debian isn’t stateless. Doesn’t have clean separation of distribution shipped files and user generated/modified files. It’s not possible to simply wipe /etc and /var to be back at the same state as everyone else using the same version. See these two blog posts for more detail to see what I mean:
Other root causes:
There is one approach (just an approach, not a solution).
Well, there is apt-get-noninteractive. See man apt-get-noninteractive.
In other words apt can pass option(s) to dpkg to make it run non-interactively. Question can be answered beforehand.
sudo apt-get -o Dpkg::Options::=--force-confnew
This (apt-get-noninteractive) works for most packages. Well, there are some non-free firmware packages which ask special questions which are non-trivial to cover (but covered in Whonix).
https://github.com/Whonix/whonix-legacy/blob/master/debian/whonix-legacy.preinst#L487-L491
Could also be set through a dpkg option but that would apply to all packages always installing package version and deactivating (move to backup file .dpkg-old (?) of locally modified configuration file version).
Something like /etc/dpkg/dpkg.cfg.d/50_user.cfg…
Dpkg::Options:: --force-unsafe-io;
… might work. But not a great solution.
Other than that, I currently have no idea how to avoid this.