Background:
We can keep /var/log/tor/log to have a log that survives reboot. An additional /var/run/tor/log that only contains messages since the last boot (multiple instances of the “Log” command seem to be supported by Tor) would be helpful as well. whonixcheck could grep it for clock-related messages and warn if it found something.
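The kind of check described above, written out as an added example (not code from the thread or from whonixcheck): a shell function that greps a per-boot Tor log for clock-related messages and reports whether any were found. The log path, the message patterns and the sample log lines are assumptions, modelled on Tor's clock-skew warnings, not taken from the original post.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes Tor is logging to the
# per-boot file proposed above, e.g. with these torrc lines:
#   Log notice file /var/log/tor/log
#   Log notice file /var/run/tor/log

# Extended regex of substrings that Tor's clock-related notices and warnings
# are assumed to contain. Adjust to the Tor version actually in use.
CLOCK_PATTERNS='system clock just jumped|clock skew|Our clock is .* (behind|ahead) the time|skewed time|time published in the consensus'

# tor_clock_warnings LOGFILE
# Prints every [warn]/[notice] line that looks clock-related.
# Returns 0 if at least one was found, 1 if none, 2 if the log is unreadable.
tor_clock_warnings() {
    logfile="$1"
    [ -r "$logfile" ] || { echo "cannot read $logfile" >&2; return 2; }
    grep -E -i "$CLOCK_PATTERNS" "$logfile" | grep -E '\[(warn|notice)\]'
}

# tor_clock_warning_count LOGFILE
# Number of matching lines, for a one-line summary in a checker.
tor_clock_warning_count() {
    tor_clock_warnings "$1" | wc -l | tr -d ' '
}

# Constructed sample log standing in for /var/run/tor/log; the timestamps and
# messages are made up for this example, in Tor's usual log line shape.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Jan 01 00:00:01.000 [notice] Opening log file.
Jan 01 00:00:02.000 [notice] Bootstrapped 5%: Connecting to directory server.
Jan 01 00:00:03.000 [warn] Our clock is 2 hours, 5 minutes behind the time published in the consensus network status document.
Jan 01 00:00:04.000 [notice] Your system clock just jumped 7200 seconds forward; assuming established circuits no longer work.
Jan 01 00:00:05.000 [notice] Bootstrapped 100%: Done.
EOF

# Usage: warn the way a checker would, then clean up the sample file.
if tor_clock_warnings "$SAMPLE_LOG" >/dev/null; then
    echo "WARNING: $(tor_clock_warning_count "$SAMPLE_LOG") clock-related Tor log message(s) found; check the system clock." >&2
else
    echo "No clock-related Tor log messages found."
fi
```

Run against the real file by replacing `$SAMPLE_LOG` with the path of the per-boot log; the sample file is left behind in the temp directory so the test can read it.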
Added the line to /etc/tor/torrc and restarted Tor. No complaint from AppArmor, but the process system_tor is not enforced (the profile is in enforce mode).
Tried to force it with “sudo aa-enforce /etc/apparmor.d/system_tor” or “sudo apparmor_parser -r /etc/apparmor.d/system_tor”.
Yours must be. Could you check with “sudo aa-status”?
And by the way, I have never seen the process system_tor going into enforce mode in the Gateway. Perhaps in Whonix 9?
Tor’s AppArmor profile works differently. There is no global profile. It’s loaded by /etc/init.d/tor. At release time of Whonix 8 there was a bug in AppArmor, so this profile needed to be deactivated. The AppArmor bug should be fixed when you have the latest updates.
In /etc/default/tor comment out.
Then that profile will be loaded. Forgot to mention it.
You can see a bit more how /etc/init.d/tor works by running.
Are you sure AppArmor was in use on your test system? Check.
The last part of aa-status:
1 processes have profiles defined.
1 processes are in enforce mode.
system_tor (2475)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The process is in enforce mode. That’s what matters.