Tor Browser 7.0a3 & AppArmor

Tor Browser 7.0a3 works flawlessly now in Qubes-Whonix without AppArmor.

But with AppArmor enabled, it is completely unusable. Logs consistently show two errors:

apparmor="DENIED" operation="open"
profile="/home/**/tor-browser*/Browser/firefox"
name="/proc/1923/net/route" pid=[redacted] comm=[redacted crazy numbers and letters] requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

x1

apparmor="DENIED" operation="mknod"
profile="/home/**/tor-browser*/Browser/firefox"
name="/dev/shm/org.chromium.FzXY5G" pid=[redacted] comm=[redacted crazy numbers and letters] requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

x many messages

Same problem emerges in 7.0a4.

It works fine in Qubes-Whonix Whonix-WS without AppArmor though (good sign, since Selfrando is baked in).

apparmor="DENIED" operation="open" profile="/home/**/tor-browser*/Browser/firefox" name="/proc/16843/net/route" pid=XXXXX comm=XXXXXXXXXXXXXXXXXX requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

x1

apparmor="DENIED" operation="mknod" profile="/home/**/tor-browser*/Browser/firefox" name="/dev/shm/org.chromium.V7E4wc" pid=XXXXX comm=XXXXXXXXXXXXXXXXX requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

x many

That phabricator item listed this AppArmor issue as “fixed”? Did an update get pushed out (since same permissions are denied)?
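Added example, not part of any post in this thread and not the Whonix profile fix: a small Python triage script that groups denials like the two quoted above and derives the file rule each group corresponds to. The sample lines (including pid and comm values) are constructed, the function names are hypothetical, and the rule text is only a candidate computed from the log fields.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the denials quoted in the thread.
# pid/comm values are made up; the last line keeps the typographic quotes
# that forum rendering introduces, to show they are normalised.
SAMPLE_LOG = '''\
audit: type=1400 apparmor="DENIED" operation="open" profile="/home/**/tor-browser*/Browser/firefox" name="/proc/16843/net/route" pid=16843 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 apparmor="DENIED" operation="mknod" profile="/home/**/tor-browser*/Browser/firefox" name="/dev/shm/org.chromium.V7E4wc" pid=16843 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 apparmor="DENIED" operation="mknod" profile="/home/**/tor-browser*/Browser/firefox" name="/dev/shm/org.chromium.FzXY5G" pid=16843 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
apparmor=“DENIED” operation=“mknod” profile=“/home/**/tor-browser*/Browser/firefox” name=“/dev/shm/org.chromium.Ab12Cd” pid=16843 comm=“firefox” requested_mask=“c” denied_mask=“c” fsuid=1000 ouid=1000
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
QUOTES = str.maketrans({'\u201c': '"', '\u201d': '"'})
# Log masks "c" (create) and "d" (delete) are granted by the "w" rule permission.
MASK_TO_PERM = {"c": "w", "d": "w"}

def parse_denials(text):
    """Return one dict of key/value fields per AppArmor DENIED line."""
    denials = []
    for line in text.translate(QUOTES).splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            denials.append(fields)
    return denials

def generalise(path):
    """Replace per-run parts of a path (pid, random suffix) with rule globs."""
    path = re.sub(r'^/proc/\d+/', '@{PROC}/@{pid}/', path)
    return re.sub(r'^(/dev/shm/org\.chromium\.)\w{6}$', r'\1*', path)

def candidate_rules(denials):
    """Count denials per (profile, candidate rule) so repeats collapse."""
    counts = Counter()
    for d in denials:
        perms = "".join(sorted({MASK_TO_PERM.get(c, c) for c in d["denied_mask"]}))
        # "owner" applies only when the file belongs to the accessing user.
        owner = "owner " if "fsuid" in d and d["fsuid"] == d.get("ouid") else ""
        counts[(d["profile"], f"{owner}{generalise(d['name'])} {perms},")] += 1
    return counts

if __name__ == "__main__":
    for (profile, rule), n in candidate_rules(parse_denials(SAMPLE_LOG)).items():
        print(f"{n:>3}x  {profile}  ->  {rule}")
```
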

This policy isn’t documented anywhere, so I cannot be surprised this causes confusion.

Tickets fixed in phabricator don’t indicate that upgraded packages are pushed to the stable (or even developer) version of Whonix. I seldom do Whonix stable upgrades. They’re risky. (Risk of messing up the apt-get upgrading so that everyone has to enter commands manually to fix it. No other dangers.) I am trying to provide a stable experience, that is, not to push stable upgrades that mess things up.

Of course, had we more devs and a stable release manager, then this of course should have been in an upgrades package. Specifically the apparmor packages don’t get upgrades in Whonix stable. The fix gets easily available only after the next stable release of Whonix (Whonix 14).

Meanwhile, this fix has to be manually applied. That’s why AppArmor unfortunately is “advanced users only” and not pre-installed by default since it wouldn’t work well with a stable version Whonix experience.

review in phabricator means, “so far done in the latest source code version of Whonix” (no release) but should be tested if it works for real in the next Whonix developers-only or testers-only release.

resolved in phabricator means, done in the development version of Whonix.

We don’t have anything to indicate status in the stable release of Whonix.

Add “Whonix Package Update Policy” to “Bugs” wiki chapter -> Fixed
