Whonix AppArmor Profiles Development Discussion

Pushed /usr/share/fontconfig/** r, · troubadoour/apparmor-profile-okular@d7e28c5 · GitHub

It would be nice to know which package is requiring this line.

Pushed a major revamp of the Tor Browser profile. It has been completely rewritten.

So far, it is tested OK in Debian testing (Xfce4), Debian wheezy 7.6 (KDE and Gnome) and Whonix, of course. I have started in Ubuntu 14.04, but that might take more time. The goal is to come as close as possible to a “universal” profile for the Debian based distributions. You’ll see that, so far, it is still compact and certainly not too lax.

When the whole range of tests is completed, I think I will ring a bell, at Micah Lee’s repositories, probably. Or whatever you suggest.

Merged.

Pushed a major revamp of the Tor Browser profile. It has been completely rewritten. https://github.com/troubadoour/apparmor-profile-torbrowser
Merged, thanks!

This line…

	/usr/share/applications/** rwk,

Write access seems too much?

This line…

	/var/cache/fontconfig/ rwk,

Possible without write access?

This line…

	@{HOME}/tor-browser_*/** rwk,

Do others do that the same way? I guess it is required for the future when TBB gets a self-updater.

Troubador can you please write a profile for this wishlist item before Whonix 9 final release? How hard is it? I’d be willing to help test anything you provide.

adrelanos: Whonix-Gateway's Dev/CPFP (Automatically started as an /etc/init.d service. Used by Tor Browser. Avoids about:tor error message. Fixes Tor Browser's New Identity feature in Whonix. /usr/bin/controlportfilt and /usr/lib/whonix/cpf-tcpserver)
This line…

	/usr/share/applications/** rwk,

Write access seems too much?

This line…

	/var/cache/fontconfig/ rwk,

Possible without write access?

Yes, they are possible without write access. A habit when I see the ‘c’ mask denied (it does not exist in the documentation). Thanks.

This line…

	@{HOME}/tor-browser_*/** rwk,

Do others do that the same way? I guess it is required for the future when TBB gets a self-updater.

Not required as such for future updates, but certainly more robust in that regard. But with a fresh look at it (yours), I realize it is safer to allow write access only where it is required. One place is /Data/Tor/, where some .tmp files are created, but there is torrc there too. So I deny write access to it and allow the whole folder with ‘rwk’ (‘deny’ takes precedence over any other declaration).
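Added illustration (not the repository's own profile) of the narrowing described in this post: the broad rule beside the targeted form, with the deny rule showing the precedence mentioned. The Data/Tor path is the one named in the post; placing these lines inside the Tor Browser profile body, with @{HOME} from tunables/home, is an assumption.

```apparmor
# Added example, not from the apparmor-profile-torbrowser repository.
# Assumes it sits inside the Tor Browser profile body and that @{HOME}
# comes from tunables/home; the Data/Tor layout is the one named above.

# Broad rule questioned above: write access to the whole install tree.
#   @{HOME}/tor-browser_*/** rwk,

# Narrowed form: read (and lock) everywhere, write only where needed.
@{HOME}/tor-browser_*/ r,
@{HOME}/tor-browser_*/** rk,

# Tor creates .tmp files in Data/Tor/, so that folder gets rwk.
@{HOME}/tor-browser_*/Data/Tor/ rwk,
@{HOME}/tor-browser_*/Data/Tor/** rwk,

# 'deny' takes precedence over the allow rule above, so torrc stays
# read-only inside an otherwise writable folder. (The thread later drops
# this line because the tor-launcher add-on writes torrc.)
deny @{HOME}/tor-browser_*/Data/Tor/torrc w,

# System data the early profile opened with rwk, now read-only, as
# confirmed in the reply above.
/usr/share/applications/** r,
/var/cache/fontconfig/ r,
/var/cache/fontconfig/** r,
```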


Does this work for (non-Whonix) TBB users as well who use bridges? I don't know if the tor-launcher add-on does modify torrc, but I would suppose so.

Even using bridges, are you supposed to modify torrc while Tor Browser is running?

torbrowser-launcher probably modifies torrc, I am just having a look. I will remove the line anyhow.

About torbrowser-launcher. It does not work in jessie (bug), but I tested it in wheezy. You probably know, but…

Regardless of the normal installation from torproject.org, it installs its own copy on the first run in ~/.torbrowser and checks for updates on each subsequent launch, updates if necessary, keeping the profile (bookmarks…). That’s nice, but the best is that everything is confined by AppArmor from the start, transparently. That is: torbrowser-launcher itself, /start-torbrowser, /Tor/tor and /Browser/firefox. Except for a restriction on downloads, I could not see any problem with it.

I know we have tb-starter and tb-updater, but is there any reason why we could not use torbrowser-launcher in Whonix?

Pushed the Tor Browser profile without the line denying write to torrc.

The tor-launcher add-on does that.

torbrowser-launcher probably modifies torrc
I didn't mean torbrowser-launcher. I really meant tor-launcher, a Firefox add-on. Screenshots: https://www.whonix.org/wiki/Dev/whonixsetup (Dev/whonixsetup is a confusing page name.)

It is confusing to have both, tor-launcher and torbrowser-launcher.

Regardless of the normal installation from torproject.org, it installs its own copy on the first run in ~/.torbrowser and checks for updates on each subsequent launch, updates if necessary, keeping the profiles (bookmarks...).
Interesting.

However, in my previous post I wasn’t referring to updates by tb-updater or torbrowser-launcher. Tor Browser itself is going to get an updater. Just as Firefox can update itself [only on Windows], Tor Browser will be able to update itself. (Without help of torbrowser-launcher.)

Good question. Separate topic.

Merged.

Pushed an update added Caches folder · troubadoour/apparmor-profile-torbrowser@a16fbc1 · GitHub.

Denied message when opening a link from an external application (icedove or open-link-confirmation).

Merged.

Could you answer Whonix Forum please?

Pushed an update to the torbrowser profile (some files required by VirtualBox and Gnome in /tor-browser_*/ hidden folders).

Merged.

We should probably not hardcode “/home/user/”, but use “@{HOME}”?

We should probably not hardcode "/home/user/", but use "@{HOME}"?
Yes. Also replaced a @{HOME}/tor-browser_en-US with @{HOME}/tor-browser_*

For information, I have opened a new ticket apparmor modifications · Issue #119 · torproject/torbrowser-launcher · GitHub. The main profile was not working in jessie, so I propose some modifications.

Quote from: troubadour on July 27, 2014, 10:22:04 pm [quote] When installing Icedove for the first time, clicking a link in a message tries to start Iceweasel, which is not allowed (rightly) if Icedove is confined by AppArmor.
To use Tor Browser instead,
 
   Preferences -> Advanced -> Config Editor -> network.protocol-handler.warn-external.http and
   Preferences -> Advanced -> Config Editor -> network.protocol-handler.warn-external.https

have to be set to "true".

When a link is clicked, a popup asking for the preferred browser is shown, where one should select "/home/user/tor-browser_[your-language]/Browser/firefox".

Should we mention it somewhere in the wiki?[/quote]

I am not sure I 100% understand, but please feel free to document this.

When I switched to Whonix 8.6, I had to install Icedove, like everyone, I guess. Clicking a link in an email was opening Iceweasel directly. One can use right-click “Copy Link Location” and paste it in Torbrowser, but I modified the preferences in Icedove to open it in Torbrowser, on the ground that it is safer that way than opening both browsers at the same time or Iceweasel only, despite the ongoing discussion in tor-talk and -no-remote prevents using Tor Browser as default browser (#12763) · Issues · Legacy / Trac · GitLab.

When installing Icedove for the first time, clicking a link in a message tries to start Iceweasel, which is not allowed (rightly) if Icedove is confined by AppArmor.

Because we would have to allow Iceweasel in the Icedove profile, which does not make sense.

Pushed improvements for downloads · troubadoour/apparmor-profile-torbrowser@eba6652 · GitHub

Some lines used in Micah’s profiles that should solve some GNUser issues.

Merged.

[quote=“troubadour, post:309, topic:108”][quote]
Quote from: troubadour on July 27, 2014, 10:22:04 pm

[quote]
When installing Icedove for the first time, clicking a link in a message tries to start Iceweasel, which is not allowed (rightly) if Icedove is confined by AppArmor.

To use Tor Browser instead,
 
   Preferences -> Advanced -> Config Editor -> network.protocol-handler.warn-external.http and
   Preferences -> Advanced -> Config Editor -> network.protocol-handler.warn-external.https

have to be set to "true".

When a link is clicked, a popup asking for the preferred browser is shown, where one should select "/home/user/tor-browser_[your-language]/Browser/firefox".

Should we mention it somewhere in the wiki?[/quote]

I am not sure I 100% understand, but please feel free to document this.[/quote]

When I switched to Whonix 8.6, I had to install Icedove, like everyone, I guess. Clicking a link in an email was opening Iceweasel directly. One can use right-click “Copy Link Location” and paste it in Torbrowser, but I modified the preferences in Icedove to open it in Torbrowser, on the ground that it is safer that way than opening both browsers at the same time or Iceweasel only, despite the ongoing discussion in tor-talk and -no-remote prevents using Tor Browser as default browser (#12763) · Issues · Legacy / Trac · GitLab.[/quote]
Yes, that would be worth documenting.

Do you think we should somehow configure Icedove to use Tor Browser as default browser? Maybe some env var feature request for TorBirdy could implement this.

Pushed some updates to apparmor-profile-timesync and apparmor-profile-whonixcheck. Some new files in /usr/bin/ are required and “user” was replaced by “*” where necessary, because of the use of “--whoami” in msgcollector.

I am left with sdwdate. When enforced, it crashes without anything logged. The GUI result gives

ERROR: Network Time Synchronization (timesync) failed!!! 
TIMESANITYCHECK_STATUS: Success 
NO_PID_PROCESS Please report this bug!

Could that lead me somewhere for debugging?

I am on IRC at the moment.