Using apparmor profiles in native Debian

Hello,

I am sorry if this is a stupid question, but I know nearly nothing about creating apparmor profiles, and would like to use apparmor on my Tor Browser Bundle, Icedove (with TorBirdy) and Pidgin (using the Tor proxy setting). I am running Debian 7, with Gnome in fallback mode.
Would it be possible to use those profiles in native Debian, or were these designed so they will only work in Whonix? I read some things around before asking this, but I got the impression that someone tried to make these work under Debian so they would be universal, but I am unaware whether this is the current state or not.
I thank you in advance for any help you might give me. I am currently trying to learn about apparmor and profiles, but I would like to use a profile that is already created and then make some changes if I need them :slight_smile:

Also, even though I don’t use Whonix, I take the opportunity to thank all Whonix developers for their good work, especially the good documentation they provide; for a new user like me it really makes a difference.

No stupid questions here, you are welcome.

At the moment, only the Tor Browser profile is tested in different environments with Debian 7 (Gnome 3, Gnome Classic, KDE4 and Xfce4). Most of the tests have been performed only for a short time in a virtual machine (VirtualBox), so it’s nice to have someone wishing to test the profiles “for real”.

It is at GitHub - troubadoour/apparmor-profile-torbrowser: AppArmor profile for The Tor Browser Bundle (TBB) - https://www.whonix.org/wiki/AppArmor - for better security (hardening). I do not know if you are familiar with git. The profile is in etc → apparmor.d in the repository. Just copy the content of “home.*.tor-browser_*.Browser.firefox” into an editor (most likely gedit for you). Save and copy it (as root) into /etc/apparmor.d

Then

sudo aa-enforce /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox

or, to reload the profile in the kernel

sudo apparmor_parser -r /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox

AppArmor must be installed prior to using the profile. A quick reminder.

[code]
sudo apt-get install apparmor apparmor-utils

sudo nano /etc/default/grub[/code]

In /etc/default/grub

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="vga=0x0317"
#GRUB_CMDLINE_LINUX=" selinux=1 security=selinux"
GRUB_CMDLINE_LINUX="security=apparmor apparmor=1"

The last line shown is the one to edit.

sudo update-grub
sudo reboot

That should be it.

Please feel free to report your issues in the Whonix Forum.

Hello.
First, thank you so much for the clear explanation and help :slight_smile: Really made a world of a difference to me.

Well, I don’t mind using/testing the profiles in native Debian. From what I understand, in the worst case, my programs simply won’t run, there is no chance it will screw my anonymity through Tor… Right? :stuck_out_tongue:

As for my reply, I thought it would be confusing to mess with the discussion you have going on the other thread, since this is not about Whonix but Debian. If you want me to, I will post all future replies there, but I thought it would be better this way.

Well, I have given the Tor Browser Bundle profile a run… And I even made some small changes. Right now I have achieved one of the things I wanted: to make sure that the Browser can only access its own folder. No access to home, Desktop, Downloads, etc. This way, if an attacker can mess with my browser, he will not be able to see any info that might be personal or files that might have been downloaded without Tor (thus revealing my identity).
However, I have two problems:

  1. Usually when I want to save an image, I just right click it, choose “save image” and a window opens for me to choose where to save it. Since I used the apparmor profile, that window no longer opens and I am left without a way to save images.
  2. No audio. I can open videos on webpages but I get no audio. I checked the logs and noticed some entries like these:

[code]localhost kernel: [11954.174134] type=1400 audit(1407421616.811:544): apparmor="DENIED" operation="file_lock" parent=12347 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/.pulse-cookie" pid=12423 comm="pulseaudio" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
localhost kernel: [11954.175087] type=1400 audit(1407421616.811:545): apparmor="DENIED" operation="mkdir" parent=12347 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/.pulse/" pid=12424 comm="autospawn" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000[/code]

Any chance it might be solved?

Also, I thought it would be nice to put my changed profile here. Like I said, I am using it in Debian Wheezy 7.6, running Gnome in fallback mode.

[code]# Last modified: Sun May 18 19:22:08 UTC 2014
#include <tunables/global>

/home/*/tor-browser_*/Browser/firefox {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/gnome>
#include <abstractions/audio>
#include <abstractions/user-download>
#include <abstractions/user-tmp>
#include <abstractions/X>

capability sys_ptrace,

deny @{HOME}/* r,
deny @{HOME}/.** r,

deny /etc/host.conf r,
deny /etc/hosts r,
deny /etc/nsswitch.conf r,
deny /etc/resolv.conf r,
deny /etc/passwd r,
deny /etc/group r,
deny /etc/udev/udev.conf r,
deny /etc/mailcap r,

deny @{PROC}/[0-9]*/stat r,
deny @{PROC}/[0-9]*/mountinfo r,
deny @{PROC}/[0-9]*/task/** r,
deny @{PROC}/sys/kernel/random/uuid r,

deny /run/udev/** r,
deny /sys/devices/** r,

@{HOME}/tor-browser_*/ rw,
@{HOME}/tor-browser_*/* rw,
@{HOME}/tor-browser_*/Browser/** r,
@{HOME}/tor-browser_*/Browser/*.so mr,
@{HOME}/tor-browser_*/Browser/components/*.so mr,
@{HOME}/tor-browser_*/Browser/browser/components/*.so mr,
@{HOME}/tor-browser_*/Browser/firefox rix,
@{HOME}/tor-browser_*/Data/Browser/profiles.ini r,
@{HOME}/tor-browser_*/Data/Browser/profile.default/** rwk,
@{HOME}/tor-browser_*/Data/Tor/* rwk,
@{HOME}/tor-browser_*/Tor/* mr,
@{HOME}/tor-browser_*/Tor/tor rix,

/etc/mime.types r,

/usr/share/ r,
/usr/share/mime/ r,
/usr/share/mime/** r,
/usr/share/themes/ r,
/usr/share/themes/** r,
/usr/share/applications/** rk,
/usr/share/poppler/cMap/ r,
/usr/share/poppler/cMap/** r,

## Not in abstractions/fonts ##
/usr/share/fontconfig/conf.avail/* r,
/var/cache/fontconfig/ rk,

## For systems used in VirtualBox ##
deny /var/lib/dbus/machine-id r,
@{PROC}/[0-9]*/fd/ r,
/dev/vboxuser rw,
/bin/ps rix,
/bin/dash rix,
/usr/bin/pulseaudio rix,
}[/code]

Ok, so, I decided to add these lines

[code]@{HOME}/tor-browser_*/** rw,
@{HOME}/tor-browser_*/.*/ rw,
@{HOME}/tor-browser_*/.*/* rw,
@{HOME}/tor-browser_*/.*/** rw,[/code]

To my profile, in order to allow the folder “.pulse” to be created. I believe it is necessary to write files inside that folder when you want audio in the browser (I might be wrong).
However, it still didn’t solve the problem.
Am I doing something really stupid here?

Also, one question, is it possible to add “write” permissions without adding “reading” permissions? For example, I might want to give a program the power to write a new file in a folder, but not want to have the program reading the inside of other files in that same folder. Possible?

Thanks in advance.
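Turning kernel-log denials like the two quoted above into the profile rule each one would need, as an added example (not code from this thread or from the profile's project); the two log lines are reconstructed from the ones shown, and /home/user as the home directory is an assumption:

```python
import re

# Two DENIED lines of the kind shown above, reproduced as constructed sample
# input (straight quotes; the profile name is the pattern from the profile).
SAMPLE_LOG = """\
localhost kernel: [11954.174134] type=1400 audit(1407421616.811:544): apparmor="DENIED" operation="file_lock" parent=12347 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/.pulse-cookie" pid=12423 comm="pulseaudio" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
localhost kernel: [11954.175087] type=1400 audit(1407421616.811:545): apparmor="DENIED" operation="mkdir" parent=12347 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/.pulse/" pid=12424 comm="autospawn" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

# key=value pairs: the value is either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# audit masks use c (create) and d (delete); profile syntax expresses both as w
MASK_MAP = str.maketrans("cd", "ww")

def parse_apparmor_line(line):
    """Return the audit fields of an apparmor="DENIED" line as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted if raw.startswith('"') else raw
            for key, raw, quoted in FIELD_RE.findall(line)}

def suggest_rule(fields, home="/home/user"):
    """Build the profile rule that would permit one denial.

    home is an assumed value used to fold the literal home path back into
    @{HOME}; 'owner' is added when the file belongs to the process's fsuid."""
    path = fields["name"]
    if path.startswith(home + "/"):
        path = "@{HOME}/" + path[len(home) + 1:]
    mask = "".join(dict.fromkeys(fields["denied_mask"].translate(MASK_MAP)))
    owner = "owner " if fields.get("fsuid") == fields.get("ouid") else ""
    return "%s%s %s," % (owner, path, mask)

def suggest_rules(log_text, home="/home/user"):
    """Suggested rules for every denial in log_text, in log order."""
    parsed = (parse_apparmor_line(l) for l in log_text.splitlines())
    return [suggest_rule(f, home) for f in parsed if f]

if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
```

aa-logprof from apparmor-utils does this same mapping interactively; the point here is to see which field in the log becomes which part of the rule before widening a profile.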

Well, I don't mind using/testing the profiles in native Debian. From what I understand, in the worst case, my programs simply won't run, there is no chance it will screw my anonymity through Tor... Right? :P
Right. You can use [code]sudo aa-complain /etc/apparmor.d/profile.name[/code] if torbrowser is not starting. To see the log [code]sudo tail -f /var/log/kern.log[/code] and you can report the messages in code tags, it's easier to read.

It looks like your profile is not up to date, you should install the latest one from GitHub - troubadoour/apparmor-profile-torbrowser: AppArmor profile for The Tor Browser Bundle (TBB) - https://www.whonix.org/wiki/AppArmor - for better security (hardening). There is one line that should take care of the problem with pulse, and that might solve the issue with the audio.

For the time being, we can continue the debugging in this thread, but you are welcome to follow the development thread, to keep your profile in sync.

Can you please update your profile with the latest one in github? It should take care of the images saving (which is not recommended, but that is another subject).

And

  @{HOME}/tor-browser_*/** rw,
  @{HOME}/tor-browser_*/.*/ rw,
  @{HOME}/tor-browser_*/.*/* rw,
  @{HOME}/tor-browser_*/.*/** rw,

should be avoided.
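To see why those four lines should be avoided: the matcher below is an added example (not code from this thread or the profile's project) that implements AppArmor's path-glob semantics and shows that `@{HOME}/tor-browser_*/** rw,` also grants write access to the firefox binary, which the posted profile meant to allow only as `rix`. The rule subset is taken from the profile posted earlier; /home/user as the home directory is an assumption.

```python
import re

def apparmor_glob_to_regex(rule_path, variables):
    """Convert an AppArmor path glob into a regex for re.fullmatch.

    Semantics as in apparmor.d(5): '*' and '?' never cross '/', '**' does,
    '{a,b}' is alternation, '[...]' a character class. Variables such as
    @{HOME} are expanded from the mapping given (a constructed value here)."""
    for name, value in variables.items():
        rule_path = rule_path.replace("@{%s}" % name, value)
    out, i = [], 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            out.append(".*"); i += 2; continue
        ch = rule_path[i]
        if ch == "[":                                   # copy a class verbatim
            end = rule_path.index("]", i)
            out.append(rule_path[i:end + 1]); i = end + 1; continue
        out.append({"*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")", ",": "|"}
                   .get(ch, re.escape(ch)))
        i += 1
    return "".join(out)

def parse_rule(rule):
    """Split e.g. 'deny @{HOME}/.** r,' into (path, perms, is_deny); 'owner' is ignored."""
    tokens = rule.strip().rstrip(",").split()
    return tokens[-2], set(tokens[-1]), tokens[0] == "deny"

def effective_perms(path, rules, variables):
    """Permissions the rules grant on path: union of matching allows minus any
    matching deny, since deny rules win in AppArmor."""
    allowed, denied = set(), set()
    for rule in rules:
        rpath, perms, is_deny = parse_rule(rule)
        if re.fullmatch(apparmor_glob_to_regex(rpath, variables), path):
            (denied if is_deny else allowed).update(perms)
    return allowed - denied

VARS = {"HOME": "/home/user"}                 # constructed single-user home
TIGHT = [                                     # rules taken from the posted profile
    "deny @{HOME}/* r,",
    "deny @{HOME}/.** r,",
    "@{HOME}/tor-browser_*/Browser/** r,",
    "@{HOME}/tor-browser_*/Browser/firefox rix,",
]
BROAD = TIGHT + ["@{HOME}/tor-browser_*/** rw,"]   # the line the reply says to avoid
FIREFOX = "/home/user/tor-browser_en-US/Browser/firefox"

if __name__ == "__main__":
    print(sorted(effective_perms(FIREFOX, TIGHT, VARS)))  # ['i', 'r', 'x']
    print(sorted(effective_perms(FIREFOX, BROAD, VARS)))  # ['i', 'r', 'w', 'x']
```

With the broad rule a compromised browser could rewrite its own executable and libraries, so the confinement would not survive a restart; the deny lines on the home directory still hold because deny takes precedence.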

Thanks for helping me out :slight_smile:
I am updating the profile right now, just a couple questions though…

  1. Why did you say that saving images is not a good idea?
  2. I realise that allowing full read and write permissions inside the Tor Browser Bundle folder is a BAD idea. I was using those lines so that the “.pulse” folder would be created (which I thought was the problem, turned out not to be it). I will try out the new profile, and let you know how it went.
  3. This profile is only confining the browser itself, it does nothing to Tor right? I was thinking that one could also use a tor profile for the Tor session launched with the Tor Browser Bundle (you know, just in case).
  4. What do you think of my idea of allowing the browser to only read (and write) inside the Tor Browser Bundle folder? Like I said, this way I feel safer in that even if an attacker pawns my browser he won’t access any data (personal data) that might be in my home and downloads folders. Is it a good idea, or am I being just paranoid here?

Is this https://github.com/troubadoour/apparmor-profile-torbrowser/blob/master/etc/apparmor.d/home.*.tor-browser_*.Browser.firefox
the newer profile? Because it says it was last changed on May 18, but at the top of the page, it says Troubador made improvements 8 hours ago… Sorry, not really used to working with Git.

I don’t know if that was the updated profile (i believe it was, after checking around in git), but I am sorry to say it didn’t change anything :frowning:
Still no audio, and still can’t save images. I can right click and choose “save link as” but not “save image”. Save link will sometimes not give an image file, if the image is a link to another page for example. I will have to give this some thought, but for the sound part, I really don’t know what to do. Sorry.

1. Why did you say that saving images is not a good idea?
I am not an expert on this, but images can contain more than what is displayed. The list of possible malware-exploits is long. NoScript takes care of most of them, but there are new ones coming (especially with HTML5).

Anyhow, the latest update should fix downloads (and saves).

3. This profile is only confining the browser itself, it does nothing to Tor right? I was thinking that one could also use a tor profile for the Tor session launched with the Tor Browser Bundle (you know, just in case).
Good question. But do you mean the [torbrowser]/Tor/tor process? It is confined in the Tor Browser Bundle profile. It has no dependencies nor calls any external file. As an exercise, you can try to confine it yourself, and you'll see that the profile is quite short.

If you mean system/tor, it is not used in your Debian (or mine), but is installed by torbrowser-launcher in jessie to download the Tor Browser Bundle over tor. It seems that torbrowser-launcher will become a standard in the bundle. And system/tor is confined by AppArmor too.

4. What do you think of my idea of allowing the browser to only read (and write) inside the Tor Browser Bundle folder? Like I said, this way I feel safer in that even if an attacker pawns my browser he won't access any data (personal data) that might be in my home and downloads folders. Is it a good idea, or am I being just paranoid here?
Might be a good idea. I do not know what will be decided in the final (hopefully) version of the profile. For the moment, if you want to deny access to the home folder, you can comment out or delete [code] #include [/code]
No audio. I can open videos on webpages but I get no audio
Are you using flash to play videos?

I am aware that sometimes images can be used to serve exploits, although I believe it only works in Windows (the examples I remember reading about were all about Windows, there might be some for Linux too).
That actually leads to another idea I once had about using a sandboxed downloads folder, that would be constantly kept on watch by ClamAV. Every time Tor Browser Bundle would download a file to that folder, ClamAV would check the file and warn if something was off. That way, even if you download a Windows virus (not dangerous to Linux) you could still know that the website you downloaded it from was actually serving fishy stuff. The sandboxed folder would prevent the file from calling home and such before (or during) the ClamAV test.
But that is another story altogether. :stuck_out_tongue:

For now, I want to focus on working Tor Browser Bundle using apparmor profile.

What do you mean about tor becoming a standard install in jessie? Didn’t get that part.

Yes, I think it is safer to prevent the browser from accessing the home folders. Prevents identity leaks (at least some stupid ones, which would make us feel very stupid if they happened. If someone is gonna pawn us, at least let them work for it lol).

No, I am not using flash. Why would I want that? Lol, Tor cannot protect me if I use flash!
I am using youtube webm html5 videos to test it, but also tried with some videos in videos which are served in html5 and open formats. None of them gave me sound. If I disable the apparmor profile, it works fine.

Right now, using the latest profile, i can’t get sound or download images. I have read and re-read the profile and can’t see what could be the cause. I guess I need someone who is more experienced in the apparmor thing. :frowning:

[quote=“GNUser, post:1, topic:404”]One question: I have been thinking about installing linux-patch-grsecurity2 from Debian repos. However, I am afraid that it might break apparmor work, or even stop the OS from functioning. Does anyone know if that would be the case?
Also, would installing that patch be enough to improve somehow the security, or would it be necessary to go through a hard configuration process??
THANKS[/quote]
Moved to separate topic:

Thanks for the new topic. I didn’t want to create a new topic for just a small question. Thanks :slight_smile:

The apparmor profiles for Icedove and Pidgin, are they ready to be used in Debian, or do those need to be changed?

I would still like to try along with you guys, to get the TBB profile working properly. :slight_smile:

The apparmor profiles for Icedove and Pidgin, are they ready to be used in Debian, or do those need to be changed?
The best is to try them by yourself, and report your problems/findings here, documented with error messages or anything technically relevant to AppArmor.