Hello.
First, thank you so much for the clear explanation and help. It really made a world of difference to me.
Well, I don’t mind using/testing the profiles in native Debian. From what I understand, in the worst case, my programs simply won’t run, there is no chance it will screw my anonymity through Tor… Right? 
As for my reply, I thought it would be confusing to mess with the discussion you have going on the other thread, since this is not about Whonix but Debian. If you want me to, I will post all future replies there, but I thought it would be better this way.
Well, I have given the Tor Browser Bundle profile a run… And I even made some small changes. Right now I have achieved one of the things I wanted: to make sure that the browser can only access its own folder. No access to home, Desktop, Downloads, etc. This way, if an attacker can mess with my browser, he will not be able to see any info that might be personal or files that might have been downloaded without Tor (thus revealing my identity).
However, I have two problems:
- Usually when I want to save an image, I just right-click it, choose “save image” and a window opens for me to choose where to save it. Since I started using the AppArmor profile, that window no longer opens and I am left without a way to save images.
- No audio. I can open videos on webpages but I get no audio. I checked the logs and noticed some entries like these:
localhost kernel: [11954.174134] type=1400 audit(1407421616.811:544): apparmor="DENIED" operation="file_lock" parent=12347 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/.pulse-cookie" pid=12423 comm="pulseaudio" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
localhost kernel: [11954.175087] type=1400 audit(1407421616.811:545): apparmor="DENIED" operation="mkdir" parent=12347 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/.pulse/" pid=12424 comm="autospawn" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Any chance it might be solved?
Also, I thought it would be nice to put my changed profile here. Like I said, I am using it in Debian Wheezy 7.6, running Gnome in fallback mode.
# Last modified: Sun May 18 19:22:08 UTC 2014
#include <tunables/global>

/home/*/tor-browser_*/Browser/firefox {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/gnome>
  #include <abstractions/audio>
  #include <abstractions/user-download>
  #include <abstractions/user-tmp>
  #include <abstractions/X>

  capability sys_ptrace,

  # Keep the browser out of the rest of the home directory, dotfiles included.
  deny @{HOME}/* r,
  deny @{HOME}/.** r,

  # Deny reads of system, account and hardware details the browser does not need.
  deny /etc/host.conf r,
  deny /etc/hosts r,
  deny /etc/nsswitch.conf r,
  deny /etc/resolv.conf r,
  deny /etc/passwd r,
  deny /etc/group r,
  deny /etc/udev/udev.conf r,
  deny /etc/mailcap r,
  deny @{PROC}/[0-9]*/stat r,
  deny @{PROC}/[0-9]*/mountinfo r,
  deny @{PROC}/[0-9]*/task/** r,
  deny @{PROC}/sys/kernel/random/uuid r,
  deny /run/udev/** r,
  deny /sys/devices/** r,

  # The bundle's own directory tree is the only user data it may touch.
  @{HOME}/tor-browser_*/ rw,
  @{HOME}/tor-browser_*/* rw,
  @{HOME}/tor-browser_*/Browser/** r,
  @{HOME}/tor-browser_*/Browser/*.so mr,
  @{HOME}/tor-browser_*/Browser/components/*.so mr,
  @{HOME}/tor-browser_*/Browser/browser/components/*.so mr,
  @{HOME}/tor-browser_*/Browser/firefox rix,
  @{HOME}/tor-browser_*/Data/Browser/profiles.ini r,
  @{HOME}/tor-browser_*/Data/Browser/profile.default/** rwk,
  @{HOME}/tor-browser_*/Data/Tor/* rwk,
  @{HOME}/tor-browser_*/Tor/* mr,
  @{HOME}/tor-browser_*/Tor/tor rix,

  # Read-only system data (MIME types, themes, desktop entries, PDF cMaps).
  /etc/mime.types r,
  /usr/share/ r,
  /usr/share/mime/ r,
  /usr/share/mime/** r,
  /usr/share/themes/ r,
  /usr/share/themes/** r,
  /usr/share/applications/** rk,
  /usr/share/poppler/cMap/ r,
  /usr/share/poppler/cMap/** r,

  ## Not in abstractions/fonts ##
  /usr/share/fontconfig/conf.avail/* r,
  /var/cache/fontconfig/ rk,

  ## For systems used in VirtualBox ##
  deny /var/lib/dbus/machine-id r,
  @{PROC}/[0-9]*/fd/ r,
  /dev/vboxuser rw,

  /bin/ps rix,
  /bin/dash rix,
  /usr/bin/pulseaudio rix,
}
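The two DENIED lines quoted in the post are the kind of input aa-logprof turns into profile rules. As an added example, not part of the original post and not Whonix or AppArmor project code, the Python script below parses such audit lines, maps the denied mask letters onto rule permissions, generalises the path onto the @{HOME} tunable, and prints one candidate rule per path. The sample lines are copies of the two in the post (with the `*` characters the forum stripped from the profile name restored); the rewrite of `tor-browser_<locale>` to `tor-browser_*` is an assumption chosen to match the profile's own glob.

```python
import re

# Constructed sample input: the two DENIED entries quoted in the post, with the
# '*' characters that the forum's italics rendering stripped from the profile
# name put back and straight quotes instead of typographic ones.
SAMPLE_LOG = """\
localhost kernel: [11954.174134] type=1400 audit(1407421616.811:544): apparmor="DENIED" operation="file_lock" parent=12347 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/.pulse-cookie" pid=12423 comm="pulseaudio" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
localhost kernel: [11954.175087] type=1400 audit(1407421616.811:545): apparmor="DENIED" operation="mkdir" parent=12347 profile="/home/*/tor-browser_*/Browser/firefox" name="/home/user/tor-browser_en-US/.pulse/" pid=12424 comm="autospawn" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

# key=value pairs: the value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Audit-log mask letters -> permission letters for a profile rule. Create (c),
# delete (d) and append (a) are all covered by write permission.
MASK_MAP = {"r": "r", "w": "w", "a": "w", "c": "w", "d": "w",
            "k": "k", "l": "l", "m": "m", "x": "x"}

# Generalisations applied to each denied path, in order. The first maps the
# concrete home directory onto the @{HOME} tunable; the second is an assumption
# specific to this profile, chosen to match its tor-browser_* glob.
GENERALISE = [
    (re.compile(r"^/home/[^/]+/"), "@{HOME}/"),
    (re.compile(r"^(@\{HOME\}/)tor-browser_[^/]+/"), r"\1tor-browser_*/"),
]


def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def generalise_path(path):
    """Rewrite a concrete denied path into the tunable/glob form used in rules."""
    for pattern, repl in GENERALISE:
        path = pattern.sub(repl, path)
    return path


def suggest_rules(log_text):
    """Collapse file denials into one candidate rule per generalised path."""
    wanted = {}  # path -> [owner-only?, set of permission letters]
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields is None or "name" not in fields or "denied_mask" not in fields:
            continue  # not a file denial (capability, signal, ...)
        path = generalise_path(fields["name"])
        perms = {MASK_MAP[c] for c in fields["denied_mask"] if c in MASK_MAP}
        # 'owner' limits the rule to files owned by the confined process's uid;
        # keep it only while every denial for this path shows fsuid == ouid.
        owner = fields.get("fsuid") == fields.get("ouid")
        entry = wanted.setdefault(path, [True, set()])
        entry[0] = entry[0] and owner
        entry[1] |= perms
    rules = []
    for path, (owner, perms) in wanted.items():
        letters = "".join(c for c in "rwmlkx" if c in perms)
        rules.append(f"{'owner ' if owner else ''}{path} {letters},")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
```

The generated rules are a starting point rather than a finished fix: granting the first denial usually surfaces the next one, which is why aa-logprof works in rounds. It is also worth noting why the audio abstraction does not already cover these paths: @{HOME} expands to /home/*/ and a single `*` never crosses a `/`, so a rule for @{HOME}/.pulse-cookie does not match a cookie that PulseAudio has placed one level down, inside the browser directory.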