I guess it will work.
I am not sure it is a good idea to deny access to these files. As far as I understand the AppArmor approach, the profile ought to allow every legitimate action of the confined application. For example, writing into /Download/Iceweasel might be a legitimate action. The idea is, should iceweasel get exploited, i.e. get controlled by a remote adversary, it will for example try to access ~/.gnupg/private_key to send the key to the adversary. Obviously iceweasel has no business doing so. AppArmor is our last line of defense here.
Denying access to files which aren’t malicious is bad for two reasons:
- It can lead to instability: iceweasel could show error messages when a website or the user triggers a feature we haven’t triggered yet.
- From an anonymity perspective (browser fingerprinting by destination servers), TBB AppArmor users want to look like TBB non-AppArmor users. For example, when we forbid reading fontconfig, this could result in firefox using fallback code or error handling code which is different from TBB non-AppArmor users.
(If everyone used your profile, i.e. if TBB for non-Whonix users came with your profile enabled by default, then 2) would apply to a lesser extent, but that’s not the case yet.)
From a security perspective, reading the fontconfig folder, which doesn’t include any private data, doesn’t pose a risk, even if an adversary reads it.
Forbidding access to a few files TBB has a legitimate reason to read, such as /etc/resolv.conf, may be an exception to this. This is even more true for non-Whonix users. Those exceptions need to be carefully considered.
Could you please re-check your profiles for these conditions?
(Please feel free to challenge my thoughts on this topic. To get wider input for your profiles, the tor-talk mailing list would be a good place. No worries. I wouldn’t consider this an offense. Just saying. The only thing I am interested in here is the best possible software.)
TBB also needs mkdir access for “~/tor-browser_en-US/.cache”.
Got another denied message.
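The allow-list approach described in this post, written out as an AppArmor profile fragment. This is an added, constructed example, not the profile under discussion; the browser binary path, the profile name and the exact directory globs are assumptions, and `/Download/Iceweasel` is spelled as the post gives it.

```apparmor
# Constructed example profile for a Tor Browser / iceweasel binary.
# Path of the confined executable is an assumption.
#include <tunables/global>

/home/*/tor-browser_en-US/Browser/firefox {
  #include <abstractions/base>
  # Fonts and fontconfig hold no private data; allowing reads keeps
  # the browser on the same code path as a non-AppArmor TBB (no fingerprint).
  #include <abstractions/fonts>
  /etc/fonts/** r,

  # Legitimate actions the browser needs: resolver config, downloads,
  # and its own profile/cache directories.
  /etc/resolv.conf r,
  owner @{HOME}/Download/Iceweasel/ rw,
  owner @{HOME}/Download/Iceweasel/** rw,
  # mkdir of the cache directory needs 'w' on the directory path itself.
  owner @{HOME}/tor-browser_en-US/.cache/ w,
  owner @{HOME}/tor-browser_en-US/.cache/** rwk,

  # Explicit, logged deny for secrets the browser has no business touching.
  # Everything not listed is already denied; 'audit deny' only adds logging.
  audit deny @{HOME}/.gnupg/** mrwklx,
  audit deny @{HOME}/.ssh/** mrwklx,
}
```

Load a new profile in complain mode first (`aa-complain`) and watch the kernel log for `apparmor="ALLOWED"` entries; each one is a legitimate action still missing from the allow-list, like the `.cache` mkdir above.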