Tor Browser Save Download to shared folder access on Whonix-Workstation-XFCE AppArmor Issue

With the last update (done yesterday), I can’t save files to a shared folder anymore.
I can’t save files in LiveVM, not enough memory.
Now I have to use persistent mode, but I have to leave the computer for hours.
My opinion: this isn’t safe.
Saving files to a shared folder is safe, because I will not touch these files, and nothing will be done there (no indexing, …).
I shut down the VMs, and later I inspect these files. This seems secure enough to me.
How is it now possible to save bigger files?
Thank you in advance!
th_k

Fully updated Whonix-Workstation-XFCE as of Sun 07 Aug 2022 03:00:00 PM UTC.

I used to be able to read and write my host shared directory /media/sf_vbox in TorBrowser.

Unfortunately I can only show the current state, I didn’t look at directory/process permissions when it still worked.

user@host:~$ ls -lZ /media | grep -v 'total '
drwxrwx--- 1 root vboxsf ? 4096 Aug  7 15:14 sf_vbox
user@host:~$ ls -lZ /media/sf_vbox/ | grep test
-rwxrwx--- 1 root vboxsf ?        5 Aug  7 16:59 test-file.txt
user@host:~$ cat /media/sf_vbox/test-file.txt
hey
user@host:~$ grep 'user\|vboxsf' /etc/passwd
user:x:1000:1000:,,,:/home/user:/bin/bash
user@host:~$ grep 'user\|vboxsf' /etc/group
cdrom:x:24:user
sudo:x:27:user,root
audio:x:29:user,pulse
dip:x:30:user
plugdev:x:46:user
users:x:100:
user:x:1000:
console:x:102:user,root
ssh:x:103:user
vboxsf:x:107:user
debian-tor:x:108:sdwdate,user,canary,systemcheck
user@host:~$ sudo ps axfo pid,ppid,user,uid,fuser,group,gid,fgid,fgroup,flags,stat,start,cgroup,lxc,args | grep 'COMMAND\|firefox\|torbrowser\|tor-browser\|Thunar' | grep -v grep
    PID    PPID USER       UID FUSER    GROUP      GID  FGID FGROUP   F STAT  STARTED CGROUP                      LXC      COMMAND
   1134     948 user      1000 user     user      1000  1000 user     0 Sl+  15:35:03 0::/user.slice/user-1000.sl -                     \_ Thunar --daemon
   1642    1134 user      1000 user     user      1000  1000 user     0 S+   15:35:32 0::/user.slice/user-1000.sl -                     |   \_ /bin/bash /usr/bin/torbrowser
   1674    1642 user      1000 user     user      1000  1000 user     0 S+   15:35:32 0::/user.slice/user-1000.sl -                     |       \_ bash /home/user/.tb/tor-browser/Browser/start-tor-browser --verbose --allow-remote
   1685    1674 user      1000 user     user      1000  1000 user     4 Sl+  15:35:32 0::/user.slice/user-1000.sl -                     |           \_ ./firefox.real --class Tor Browser --name Tor Browser -profile TorBrowser/Data/Browser/profile.default --allow-remote
   1812    1685 user      1000 user     user      1000  1000 user     4 Sl+  15:35:35 0::/user.slice/user-1000.sl -                     |               \_ /home/user/.tb/tor-browser/Browser/firefox.real -contentproc -childID 2 -isForBrowser -prefsLen 332 -prefMapSize 249635 -jsInit 285636 -parentBuildID 20220607020101 -appdir /home/user/.tb/tor-browser/Browser/browser 1685 tab
   1867    1685 user      1000 user     user      1000  1000 user     4 Sl+  15:35:36 0::/user.slice/user-1000.sl -                     |               \_ /home/user/.tb/tor-browser/Browser/firefox.real -contentproc -childID 3 -isForBrowser -prefsLen 467 -prefMapSize 249635 -jsInit 285636 -parentBuildID 20220607020101 -appdir /home/user/.tb/tor-browser/Browser/browser 1685 tab
   1990    1685 user      1000 user     user      1000  1000 user     4 Sl+  15:36:11 0::/user.slice/user-1000.sl -                     |               \_ /home/user/.tb/tor-browser/Browser/firefox.real -contentproc -childID 5 -isForBrowser -prefsLen 1174 -prefMapSize 249635 -jsInit 285636 -parentBuildID 20220607020101 -appdir /home/user/.tb/tor-browser/Browser/browser 1685 tab

Documented just now:
Savings Files in Shared Folder

Yikes. The current policy in that link:

owner /media/sf_vbox/        r,
owner /media/sf_vbox/**      rwl,

… resulted in 10K 0-byte files trying to download a PDF to /media/sf_vbox/

I’ll retry with rw, and rwlk, later tonight.

No dice. “fixed” by sudo aa-disable /etc/apparmor.d/home.tor-browser.firefox

I created a virtual disk image (.vdi file, on the host system) using the VM manager and assigned it to the Workstation in Settings as if it were an external hard drive. Tor Browser could no longer save to it because of AppArmor, but I’ve successfully modified the profile to:

owner /path/to/mounted/disk/ rw,
owner /path/to/mounted/disk/** rwl,

Not working.

I added this
/media/sf_vbox/ rw,
/media/sf_vbox/** rwl,
This works. Is this a big security risk, without “owner”?

I doubt that.

After the latest update when I try to save a file from the Tor Browser to a shared folder I get this message:
“Could not read the contents of downloads
Error opening directory '/media/sf_Shared/ - downloads”: Permission denied"

But I can switch to File Manager and open/edit/delete files there with no problems.

I found this thread:

But I can’t figure out what to do with it. I was googling, trying to edit my profile to add those permissions, but couldn’t figure it out (sorry, not a techie). I thought about trying the command line for disabling the app armor thing, but wasn’t sure if that would cause me bigger problems later.

If anyone can tell me how to add the permissions to the browser to access the shared folder again I’d very much appreciate it.

You found the documentation and you have the solution.

Tor Browser Advanced Topics

If you are afraid of running commands, then read the manual pages to see what they do:
man aa-enforce

Any tested solution at the moment?

Any? Tested?

No. As it looks, unless someone contributes it likely won’t be done. This someone could be you?

Add write permissions

sudo chmod 666 /etc/apparmor.d/home.tor-browser.firefox

Open and edit the file. Insert the line below after all the text, before the last closing bracket. xYz is the name of your shared folder; everyone has their own.

Two spaces before the first /

/media/sf_xYz/** w,

Restore the original permissions -rw-r--r--

sudo chmod 644 /etc/apparmor.d/home.tor-browser.firefox

Now you can reboot the virtual machine, or forcibly reapply the AppArmor profile

sudo aa-enforce /etc/apparmor.d/home.tor-browser.firefox

Not needed.

sudoedit /etc/apparmor.d/home.tor-browser.firefox

/media/sf_xYz/** w,

Now it looks different:

/media/sf_xYz/ rw,
/media/sf_xYz/* rw,
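
Added example, not part of any post in this thread and not Whonix or AppArmor code: a simplified Python model of AppArmor's documented `owner` qualifier and `*` / `**` globbing, applied to the ownership shown in the `ls -lZ` output above (share files owned by root, Tor Browser running as uid 1000). It covers both the `owner` question and the `*` versus `**` rules in the last post. The helper names are hypothetical, the share name `sf_vbox` is used for all three rule sets, and only globs placed directly after a `/` are handled.

```python
import re

def glob_to_regex(glob):
    """Simplified AppArmor globbing: only * and ** placed right after a '/'."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + "[^/].*", i + 2   # ** crosses '/' (any depth)
        elif glob[i] == "*":
            out, i = out + "[^/]+", i + 1    # * stays within one path component
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out)

def parse_rules(text):
    """Parse lines like 'owner /media/sf_vbox/** rwl,' into (owner, regex, perms)."""
    rules = []
    for line in text.strip().splitlines():
        words = line.strip().rstrip(",").split()
        owner = words[0] == "owner"
        path, perms = words[-2], words[-1]
        rules.append((owner, glob_to_regex(path), set(perms)))
    return rules

def allowed(rules, path, want, file_uid, fsuid):
    """True if one rule matches the path, grants every wanted permission and,
    when qualified with 'owner', the file is owned by the process's fsuid."""
    return any(rx.fullmatch(path) and set(want) <= perms
               and (not owner or file_uid == fsuid)
               for owner, rx, perms in rules)

# Constructed scenario from the thread's output: the share's files are owned
# by root (uid 0, group vboxsf) and firefox.real runs as user (uid 1000).
ROOT, USER = 0, 1000
OWNER_RULES = parse_rules("""
owner /media/sf_vbox/   r,
owner /media/sf_vbox/** rwl,
""")
PLAIN_RULES = parse_rules("""
/media/sf_vbox/   rw,
/media/sf_vbox/** rwl,
""")
ONE_LEVEL = parse_rules("""
/media/sf_vbox/  rw,
/media/sf_vbox/* rw,
""")

if __name__ == "__main__":
    f = "/media/sf_vbox/test-file.txt"
    print("owner rules :", allowed(OWNER_RULES, f, "w", ROOT, USER))
    print("plain rules :", allowed(PLAIN_RULES, f, "w", ROOT, USER))
    print("* on subdir :", allowed(ONE_LEVEL, "/media/sf_vbox/sub/a.pdf", "w", ROOT, USER))
```

In this model the `owner` rules never match a root-owned file on the share, and the `/*` form stops at the first directory level while `/**` also covers subfolders.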