With the last update (done yesterday), I can’t save files anymore to a shared folder.
I can’t save files in LiveVM, not enough memory.
Now I have to use persistent mode, but I have to leave the computer for hours.
My opinion: this isn’t safe.
Saving files to a shared folder is safe, because I will not touch these files, and nothing will be done there (no indexing, …).
I shut down the VMs, and later I inspect these files. This seems secure enough to me.
How is it now possible to save bigger files?
Thank you in advance!
th_k
Fully updated Whonix-Workstation-XFCE
as of Sun 07 Aug 2022 03:00:00 PM UTC.
I used to be able to read and write my host shared directory /media/sf_vbox
in TorBrowser.
Unfortunately I can only show the current state; I didn’t look at directory/process permissions when it still worked.
user@host:~$ ls -lZ /media | grep -v 'total '
drwxrwx--- 1 root vboxsf ? 4096 Aug 7 15:14 sf_vbox
user@host:~$ ls -lZ /media/sf_vbox/ | grep test
-rwxrwx--- 1 root vboxsf ? 5 Aug 7 16:59 test-file.txt
user@host:~$ cat /media/sf_vbox/test-file.txt
hey
user@host:~$ grep 'user\|vboxsf' /etc/passwd
user:x:1000:1000:,,,:/home/user:/bin/bash
user@host:~$ grep 'user\|vboxsf' /etc/group
cdrom:x:24:user
sudo:x:27:user,root
audio:x:29:user,pulse
dip:x:30:user
plugdev:x:46:user
users:x:100:
user:x:1000:
console:x:102:user,root
ssh:x:103:user
vboxsf:x:107:user
debian-tor:x:108:sdwdate,user,canary,systemcheck
user@host:~$ sudo ps axfo pid,ppid,user,uid,fuser,group,gid,fgid,fgroup,flags,stat,start,cgroup,lxc,args | grep 'COMMAND\|firefox\|torbrowser\|tor-browser\|Thunar' | grep -v grep
PID PPID USER UID FUSER GROUP GID FGID FGROUP F STAT STARTED CGROUP LXC COMMAND
1134 948 user 1000 user user 1000 1000 user 0 Sl+ 15:35:03 0::/user.slice/user-1000.sl - \_ Thunar --daemon
1642 1134 user 1000 user user 1000 1000 user 0 S+ 15:35:32 0::/user.slice/user-1000.sl - | \_ /bin/bash /usr/bin/torbrowser
1674 1642 user 1000 user user 1000 1000 user 0 S+ 15:35:32 0::/user.slice/user-1000.sl - | \_ bash /home/user/.tb/tor-browser/Browser/start-tor-browser --verbose --allow-remote
1685 1674 user 1000 user user 1000 1000 user 4 Sl+ 15:35:32 0::/user.slice/user-1000.sl - | \_ ./firefox.real --class Tor Browser --name Tor Browser -profile TorBrowser/Data/Browser/profile.default --allow-remote
1812 1685 user 1000 user user 1000 1000 user 4 Sl+ 15:35:35 0::/user.slice/user-1000.sl - | \_ /home/user/.tb/tor-browser/Browser/firefox.real -contentproc -childID 2 -isForBrowser -prefsLen 332 -prefMapSize 249635 -jsInit 285636 -parentBuildID 20220607020101 -appdir /home/user/.tb/tor-browser/Browser/browser 1685 tab
1867 1685 user 1000 user user 1000 1000 user 4 Sl+ 15:35:36 0::/user.slice/user-1000.sl - | \_ /home/user/.tb/tor-browser/Browser/firefox.real -contentproc -childID 3 -isForBrowser -prefsLen 467 -prefMapSize 249635 -jsInit 285636 -parentBuildID 20220607020101 -appdir /home/user/.tb/tor-browser/Browser/browser 1685 tab
1990 1685 user 1000 user user 1000 1000 user 4 Sl+ 15:36:11 0::/user.slice/user-1000.sl - | \_ /home/user/.tb/tor-browser/Browser/firefox.real -contentproc -childID 5 -isForBrowser -prefsLen 1174 -prefMapSize 249635 -jsInit 285636 -parentBuildID 20220607020101 -appdir /home/user/.tb/tor-browser/Browser/browser 1685 tab
Yikes. The current policy in that link:
owner /media/sf_vbox/ r,
owner /media/sf_vbox/** rwl,
… resulted in 10K 0-byte files trying to download a PDF to /media/sf_vbox/
I’ll retry with rw,
and rwlk,
later tonight.
No dice. “fixed” by sudo aa-disable /etc/apparmor.d/home.tor-browser.firefox
I created a virtual disk image (.vdi file, on the host system) using the VM manager and assigned it to the Workstation on Settings as if it were an external hard drive. Tor Browser could no longer save to it because of AppArmor but I’ve successfully modified the profile to:
owner /path/to/mounted/disk/ rw,
owner /path/to/mounted/disk/** rwl,
Not working.
I added this
/media/sf_vbox/ rw,
/media/sf_vbox/** rwl,
This works. Is this a big security risk, without “owner”?
I doubt that.
After the latest update when I try to save a file from the Tor Browser to a shared folder I get this message:
“Could not read the contents of downloads
Error opening directory '/media/sf_Shared/ - downloads”: Permission denied"
But I can switch to File Manager and open/edit/delete files there with no problems.
I found this thread:
But I can’t figure out what to do with it. I was googling, trying to edit my profile to add those permissions, but couldn’t figure it out (sorry, not a techie). I thought about trying the command line for disabling the app armor thing, but wasn’t sure if that would cause me bigger problems later.
If anyone can tell me how to add the permissions to the browser to access the shared folder again I’d very much appreciate it.
You found the documentation and you have the solution.
If you are afraid of running commands, then read the manual pages to see what they do:
man aa-enforce
Any tested solution at the moment?
Any? Tested?
No. As it looks, unless someone contributes it likely won’t be done. This someone could be you?
Add write permissions
sudo chmod 666 /etc/apparmor.d/home.tor-browser.firefox
Open and edit the file. Insert after all the text, before the last closing bracket. xYz is the name of your shared folder; everyone has their own.
Two spaces before the first /
/media/sf_xYz/** w,
Restore the original permissions -rw-r--r--
sudo chmod 644 /etc/apparmor.d/home.tor-browser.firefox
Now you can reboot the virtual machine, or forcibly reapply the AppArmor profile
sudo aa-enforce /etc/apparmor.d/home.tor-browser.firefox
Not needed.
sudoedit /etc/apparmor.d/home.tor-browser.firefox
/media/sf_xYz/** w,
Now it looks different:
/media/sf_xYz/ rw,
/media/sf_xYz/* rw,
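
Added example, not part of any post in this thread: a simplified Python model of AppArmor's `owner` qualifier, which applies a file rule only when the file's owner uid equals the process's fsuid. It uses the ownership from the `ls` output above (root:vboxsf) and the Tor Browser process uid (1000); the matcher handles only `*` and `**` and is an illustration, not AppArmor's own parser.

```python
import re

# Constructed from the thread's output: shared-folder entries are owned by
# root (uid 0), while firefox.real runs as user (uid 1000).
FILE_OWNER_UID = 0
PROCESS_FSUID = 1000

def glob_to_regex(glob):
    """Translate the two globs used in the thread: ** crosses '/', * does not.
    Simplification (assumption): each wildcard must match at least one char."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".+")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]+")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))

def parse_rule(line):
    """Parse '[owner] <path glob> <perms>,' into (owner_only, regex, perms)."""
    tokens = line.strip().rstrip(",").split()
    owner_only = tokens[0] == "owner"
    if owner_only:
        tokens = tokens[1:]
    path_glob, perms = tokens
    return owner_only, glob_to_regex(path_glob), set(perms)

def allowed(rules, path, perm, file_uid=FILE_OWNER_UID, fsuid=PROCESS_FSUID):
    """True if any rule grants perm on path; owner rules need file_uid == fsuid."""
    for line in rules:
        owner_only, regex, perms = parse_rule(line)
        if owner_only and file_uid != fsuid:
            continue  # owner condition not met, rule does not apply
        if perm in perms and regex.fullmatch(path):
            return True
    return False

# Rule sets quoted in the thread.
WITH_OWNER = ["owner /media/sf_vbox/ r,", "owner /media/sf_vbox/** rwl,"]
WITHOUT_OWNER = ["/media/sf_vbox/ rw,", "/media/sf_vbox/** rwl,"]
SINGLE_STAR = ["/media/sf_vbox/ rw,", "/media/sf_vbox/* rw,"]
```

Dropping `owner` makes the rule apply to every file under the share regardless of who owns it, so keep the path limited to the one folder Tor Browser needs. The single-`*` form covers files directly in the folder but not files in subdirectories.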