Whonix AppArmor Profiles Development Discussion

Went through and ran the TBB profile and got this:

[quote]
root@host:/home/user# sudo apparmor_parser -r /etc/apparmor.d/home.user.tor-browser_en-US.Browser.firefox
AppArmor parser error for /etc/apparmor.d/home.user.tor-browser_en-US.Browser.firefox in /etc/apparmor.d/home.user.tor-browser_en-US.Browser.firefox at line 12: Could not open ‘abstractions/whonix’
[/quote]

Most likely, you have not installed the file “abstractions/whonix”. See http://kkkkkkkkkk63ava6.onion/wiki/AppArmor/abstractions/whonix

I’ll update the profiles pages with a warning. Also, for the TBB downloads/uploads and the attachments in Icedove, you have to create the ~/Downloads directory.

@Patrick: If we choose Downloads (that can be any directory), could that be included in the next update, when the profiles are packaged?

What about my /** /etc/apparmor.d/whonix idea? (Whonix Forum)

~/Downloads folder:
I deleted my ~/Downloads and tested to create it using Tor Browser. Got some denied messages.

[code]Apr  6 14:49:40 host kernel: [63623.752679] type=1400 audit(1396795780.127:50): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/Desktop/" pid=7951 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000[/code]

This is probably because ~/Desktop is the first folder Tor Browser is looking into when ~/Downloads does not exist.

[code]Apr  6 14:49:55 host kernel: [63639.616848] type=1400 audit(1396795795.987:51): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/Downloads/" pid=5672 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000[/code]

This is probably because the profile does not allow “mkdir ~/Downloads”. I guess adding the “c” flag should do the trick?

[quote]you have to create the ~/Downloads directory.
@Patrick: If we choose Downloads (that can be any directory), could that be included in the next update, when the profiles are packaged?[/quote]
For next Whonix version the /home/user/Downloads folder could be created by default. Not in an AppArmor profile (to keep them generic), but in a Whonix specific postinst script. If that makes sense I go ahead and implement it?
What about my /** /etc/apparmor.d/whonix idea? (https://www.whonix.org/forum/index.php/topic,97.msg1370.html#msg1370)

It’s in the pipeline. Before re-testing, I just want to make sure my backup is 99% proof.

[quote]~/Downloads folder: I deleted my ~/Downloads and tested to create it using Tor Browser. Got some denied messages.
[code]Apr  6 14:49:40 host kernel: [63623.752679] type=1400 audit(1396795780.127:50): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/Desktop/" pid=7951 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000[/code]

This is probably because ~/Desktop is the first folder Tor Browser is looking into when ~/Downloads does not exist.[/quote]

If the “~/Downloads” folder does not exist (and even if it exists), trying anywhere else will flash a message. If you try “File system”, you get [code]name="/" pid=xxxx comm="open" requested_mask="r" denied_mask="r"[/code]. To get rid of the message, I would have to give read access to the whole disk ("/** r,").

[quote][code]Apr 6 14:49:55 host kernel: [63639.616848] type=1400 audit(1396795795.987:51): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/Downloads/" pid=5672 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000[/code]
This is probably because the profile does not allow "mkdir ~/Downloads". I guess adding the "c" flag should do the trick?[/quote]

I am not sure I understand. Did you create a folder from the Tor browser? Anyhow, you can create any folder under ~/Downloads, from a terminal or the file manager, and save the downloads there.

[quote]For next Whonix version the /home/user/Downloads folder could be created by default. Not in an AppArmor profile (to keep them generic), but in a Whonix specific postinst script. If that makes sense I go ahead and implement it?[/quote]

It would be OK to create the folder by default. And then recommend the user to set “Save files to → Downloads” in the Tor browser “Edit/Preferences/General” dialog box. That might save some hassle.

[quote]It's in the pipeline. Before re-testing, I just want to make sure my backup is 99% proof.[/quote]
Awesome!
[quote]I am not sure I understand. Did you create a folder from the Tor browser?[/quote]
Yes.
[quote]Anyhow, you can create any folder under ~/Downloads, from a terminal or the file manager, and save the downloads there.[/quote]
Giving mkdir ~/Downloads permission to Tor Browser shouldn't hurt anyway?
[quote]It would be OK to create the folder by default. And then recommend the user to set "Save files to -> Downloads" in the Tor browser "Edit/Preferences/General" dialog box. That might save some hassle.[/quote]
Ideally it would be best if all that would be possible without editing any prefs.
[quote]To get rid of the message, I would have to give read access to the whole disk ("/** r,").[/quote]

“/** r” would be too much. Then the browser could read and leak any file on hdd. What about just “/ r”? Doing an “ls /” doesn’t leak anything useful.

Having apparmor-notifier flashing by default is bad, this would produce loads of bug reports. Not having apparmor-notifier installed on the other hand is also not a good idea. There might be dysfunctional features without any indication what is going wrong.

I guess Ubuntu “solved” this by giving full read access to /home. Seems like there is no great solution.

Alright, TBB profile works and no errors. Troubadour, I think you should add the whonix/abstractions commands to the apparmor page on the clearnet too, so everything is available in one place. Will Whonix ship with a ~/Downloads folder to make the apparmor profile apply seamlessly?

There is no such thing as clearnet version.
clearnet wiki version = .onion wiki version
.onion is just a different domain for our server.

I think we agreed on that. But it will probably never work seamlessly due to technical challenges, unless well, I am not even sure what kind of feature request against AppArmor could be made. Eventually one against Firefox.

Troubadour, if you know how to add or activate apparmor profiles on a Debian Host, please post that here so I can add it to the KVM page.

Normally, Debian should come with AppArmor enabled. They ship some default profiles of their own.

For your profiles, put them in ‘/etc/apparmor.d’. For each profile, run

[code]sudo apparmor_parser -r /etc/apparmor.d/profile_name[/code]

Check ‘/etc/default/grub’. In GRUB_CMDLINE_LINUX_DEFAULT or GRUB_CMDLINE_LINUX, it should read “security=apparmor apparmor=1”. If not, add it (the order does not matter) and run ‘update-grub’.

All the profiles in /etc/apparmor.d, if they are not in the disable folder, are loaded at boot.

When using Whonix in Debian, the first package to confine with AppArmor should be VirtualBox: AppArmor. So we (should) have all the network facing packages in whonix apparmored, the virtualization layer with VirtualBox, and the hypervisor itself apparmored.

About KVM, according to Ubuntu where most of the AppArmor work is done, the profiles for libvirt are now part of the source packages. See Ubuntu – Error. From my experience, the profiles are seldom usable out of the box, but that might be worth having a look.

I have updated the TBB profile.

[quote]"/** r" would be too much. Then the browser could read and leak any file on hdd. What about just "/ r"? Doing an "ls /" doesn't leak anything useful.[/quote]

Added “deny / r,”. That does the job, the access is refused without apparmor message. Fine for me.

[quote]Anyhow, you can create any folder under ~/Downloads, from a terminal or the file manager, and save the downloads there.[/quote] Giving mkdir ~/Downloads permission to Tor Browser shouldn't hurt anyway?

~/Downloads has read/write access already. Allowed /usr/bin/mkdir.

[quote] It would be OK to create the folder by default. And then recommend the user to set "Save files to -> Downloads" in the Tor browser "Edit/Preferences/General" dialog box. That might save some hassle.[/quote] Ideally it would be best if all that would be possible without editing any prefs.

Yes, it would be best, but I am facing a problem. I cannot know what the user has in the home folder, so clicking anywhere but the chosen downloads folder in the profile will flash a message. I don’t see a way around that.

[quote]I think we agreed on that. But it will probably never work seamlessly due to technical challenges, unless well, I am not even sure what kind of feature request against AppArmor could be made. Eventually one against Firefox.[/quote]

Firefox is the most likely candidate.
I have added an abstraction (will probably add more) to make the profiles more readable for the maintainers. Also trying to deny access to the files that do not seem necessary to the good functioning of the packages. I put them at the beginning of the profile, for readability too.

All the profiles using X will follow on the same line.

I forgot to mention that I had another unrecoverable problem with a snapshot. I don’t remember exactly the sequence of events that led to the situation, but anyhow, I think it would be best to recommend against using them now. My [.vbox .vmdk ~/.VirtualBox] backup was unusable after the crash.

With latest TBB profile, I still get this message when trying to create the Downloads folder.

Done. Removed it everywhere in the wiki. Removed it from VirtualBox’s VM import text. (Will appear in Whonix [correction] 8.2…)

This bug can really be a pain.

Updated the Icedove profile.

A few lines added, especially for GPG key management (“/usr/lib/gnupg/* rix,”).

Got a new denied message.

[quote=“Patrick, post:144, topic:108”][quote author=troubadour link=topic=97.msg1586#msg1586 date=1397252181]
I forgot to mention that I had another unrecoverable problem with a snapshot. I don’t remember exactly the sequence of events that led to the situation, but anyhow, I think it would be best to recommend against using them now. My [.vbox .vmdk ~/.VirtualBox] backup was unusable after the crash.
[/quote]
Done. Removed it everywhere in the wiki. Removed it from VirtualBox’s VM import text. (Will appear in Whonix 8.2. + 1.)

This bug can really be a pain.[/quote]
Correction 8.2.

[quote]Got a new denied message. [code]apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/etc/group" pid=31425 comm=4D6564696120417564696F requested_mask="r" denied_mask="r" fsuid=1000 ouid=0[/code][/quote]

Fixed (with deny).

Added two abstractions (freedesktop.org and user-download) in Tor Browser, Icedove and Pidgin. The profiles look more standardized.

In Pidgin, removed some abstractions and fixed the “Network rules not enforced” message printed when replacing the profile with apparmor_parser.

I am still wary about testing the “/* {…}” profile to replace abstractions/whonix, but it will happen, eventually. In the meantime, more to come toward standardization, and a couple of other things, the help menu in Pidgin and Xchat amongst them.

Good changes. Testing the new profiles.

There are a few Pidgin related denied messages, but those happened with the old as well as with the new profile. Those lead to Pidgin crashing, not finishing startup and exiting.

[code]
Apr 15 14:42:34 host kernel: [69482.609494] type=1400 audit(1397572954.020:91): apparmor="DENIED" operation="open" parent=5282 profile="/usr/bin/pidgin" name="/home/user/.config/oxygen-gtk/argb-apps.conf" pid=31142 comm="pidgin" requested_mask="ac" denied_mask="ac" fsuid=1000 ouid=1000
Apr 15 14:42:34 host kernel: [69482.609557] type=1400 audit(1397572954.020:92): apparmor="DENIED" operation="open" parent=5282 profile="/usr/bin/pidgin" name="/home/user/.config/oxygen-gtk/argb-apps.conf" pid=31142 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 15 14:42:34 host kernel: [69482.610650] type=1400 audit(1397572954.020:93): apparmor="DENIED" operation="exec" parent=31142 profile="/usr/bin/pidgin" name="/usr/bin/kde4-config" pid=31144 comm="pidgin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Apr 15 14:42:34 host kernel: [69482.629475] type=1400 audit(1397572954.040:94): apparmor="DENIED" operation="exec" parent=31142 profile="/usr/bin/pidgin" name="/usr/bin/kde4-config" pid=31145 comm="pidgin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Apr 15 14:42:34 host kernel: [69482.778195] type=1400 audit(1397572954.188:95): apparmor="DENIED" operation="open" parent=5282 profile="/usr/bin/pidgin" name="/usr/share/fontconfig/conf.avail/10-scale-bitmap-fonts.conf" pid=31142 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 14:42:34 host kernel: [69482.778502] type=1400 audit(1397572954.188:96): apparmor="DENIED" operation="open" parent=5282 profile="/usr/bin/pidgin" name="/usr/share/fontconfig/conf.avail/20-unhint-small-vera.conf" pid=31142 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 14:42:34 host kernel: [69482.778515] type=1400 audit(1397572954.188:97): apparmor="DENIED" operation="open" parent=5282 profile="/usr/bin/pidgin" name="/usr/share/fontconfig/conf.avail/30-metric-aliases.conf" pid=31142 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 14:42:34 host kernel: [69482.778531] type=1400 audit(1397572954.188:98): apparmor="DENIED" operation="open" parent=5282 profile="/usr/bin/pidgin" name="/usr/share/fontconfig/conf.avail/30-urw-aliases.conf" pid=31142 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 14:42:34 host kernel: [69482.778545] type=1400 audit(1397572954.188:99): apparmor="DENIED" operation="open" parent=5282 profile="/usr/bin/pidgin" name="/usr/share/fontconfig/conf.avail/40-nonlatin.conf" pid=31142 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 14:42:34 host kernel: [69482.778556] type=1400 audit(1397572954.188:100): apparmor="DENIED" operation="open" parent=5282 profile="/usr/bin/pidgin" name="/usr/share/fontconfig/conf.avail/45-latin.conf" pid=31142 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[/code]
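
Added example, not part of any post in this thread and not Whonix project code: a small Python triage script for DENIED records like the ones posted above. It merges duplicates per profile and path, decodes a hex-encoded comm field, and maps the audit mask to profile permission letters (create "c" and delete "d" have no letter of their own in a profile rule and fall under "w"); the sample lines are copied from this thread and the function names are my own.

```python
import re
from collections import defaultdict

# Sample records copied from the log excerpts posted in this thread.
SAMPLE = '''\
Apr  6 14:49:55 host kernel: [63639.616848] type=1400 audit(1396795795.987:51): apparmor="DENIED" operation="mkdir" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/Downloads/" pid=5672 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/etc/group" pid=31425 comm=4D6564696120417564696F requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 14:42:34 host kernel: [69482.609494] type=1400 audit(1397572954.020:91): apparmor="DENIED" operation="open" parent=5282 profile="/usr/bin/pidgin" name="/home/user/.config/oxygen-gtk/argb-apps.conf" pid=31142 comm="pidgin" requested_mask="ac" denied_mask="ac" fsuid=1000 ouid=1000
Apr 15 14:42:34 host kernel: [69482.609557] type=1400 audit(1397572954.020:92): apparmor="DENIED" operation="open" parent=5282 profile="/usr/bin/pidgin" name="/home/user/.config/oxygen-gtk/argb-apps.conf" pid=31142 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 15 14:42:34 host kernel: [69482.610650] type=1400 audit(1397572954.020:93): apparmor="DENIED" operation="exec" parent=31142 profile="/usr/bin/pidgin" name="/usr/bin/kde4-config" pid=31144 comm="pidgin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
'''

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the key=value fields of one DENIED record, or None for other lines."""
    if 'apparmor="DENIED"' not in line:
        return None
    rec = {}
    for key, raw, quoted in FIELD.findall(line):
        rec[key] = quoted if raw.startswith('"') else raw
        # An unquoted comm was hex-encoded by audit (the name contains a space).
        if key == "comm" and HEX.fullmatch(raw):
            rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
    return rec

def rule_perms(mask):
    """Map an audit mask to profile letters; 'c' and 'd' are covered by 'w'."""
    perms = set(mask.replace("c", "w").replace("d", "w"))
    if "w" in perms:
        perms.discard("a")  # a single rule cannot carry both 'a' and 'w'
    return "".join(p for p in "rwamklx" if p in perms)

def summarize(log_text):
    """Merge duplicate denials into {profile: {path: perms}}."""
    merged = defaultdict(lambda: defaultdict(str))
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec and "name" in rec and "profile" in rec:
            merged[rec["profile"]][rec["name"]] += rec.get("denied_mask", "")
    return {prof: {path: rule_perms(m) for path, m in paths.items()}
            for prof, paths in merged.items()}

if __name__ == "__main__":
    for profile, paths in summarize(SAMPLE).items():
        print(f"profile {profile}:")
        for path, perms in sorted(paths.items()):
            # Candidates for review only: each may end up allowed or under "deny",
            # and a bare x needs an exec mode (ix, Px, ...) to be a valid rule.
            print(f"  {path} {perms},")
```
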

The Pidgin profile is updated. The /usr/share/fontconfig/ and /home/user/.config/oxygen-gtk/ folders are not in my workstation. I'll put them as default in a local profile for all the packages using an interactive GUI.

I am trying to build the apparmor-profile-torbrowser package. I have some problems and I might need some frequent help there, at least at the beginning.

After installing git, I run

user@host:~$ git clone https://github.com/Whonix/apparmor-profile-torbrowser

then

user@host:~$ cd apparmor-profile-torbrowser
user@host:~/apparmor-profile-torbrowser$ ./build

First the debuild command was not found. After some research, I installed pbuilder. OK.

Now, the output of debuild:

[code]
+ debuild --rootcmd=debian/gain-root-command -sa
 dpkg-buildpackage -rdebian/gain-root-command -D -us -uc -sa
dpkg-buildpackage: source package apparmor-profile-torbrowser
dpkg-buildpackage: source version 0.1-1
dpkg-buildpackage: source changed by Patrick Schleizer <adrelanos@riseup.net>
 dpkg-source --before-build apparmor-profile-torbrowser
dpkg-buildpackage: host architecture i386
dpkg-checkbuilddeps: Unmet build dependencies: dh-apparmor
dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting
dpkg-buildpackage: warning: (Use -d flag to override.)
debuild: fatal error at line 1357:
dpkg-buildpackage -rdebian/gain-root-command -D -us -uc -sa failed
+ '[' '!' 29 = 0 ']'
+ exit 1
[/code]