Whonix AppArmor Profiles Development Discussion

Pushed an update added Caches folder · troubadoour/apparmor-profile-torbrowser@a16fbc1 · GitHub.

Denied message when opening a link from an external application (icedove or open-link-confirmation).

Merged.

Could you answer Whonix Forum please?

Pushed an update to the torbrowser profile (some files required by VirtualBox and Gnome in /tor-browser_*/ hidden folders).

Merged.

We should probably not hardcode “/home/user/”, but use “@{HOME}”?

We should probably not hardcode "/home/user/", but use "@{HOME}"?
Yes. Also replaced a @{HOME}/tor-browser_en-US with @{HOME}/tor-browser_*

For information, I have opened a new ticket apparmor modifications · Issue #119 · torproject/torbrowser-launcher · GitHub. The main profile was not working in jessie, so I propose some modifications.

Quote from: troubadour on July 27, 2014, 10:22:04 pm [quote] When installing Icedove for the first time, clicking a link in a message tries to start Iceweasel, which is not allowed (rightly) if Icedove is confined by AppArmor.
To use Tor Browser instead,
 
   Preferences -> Advanced -> Config Editor -> network.protocol-handler.warn-external.http and
   Preferences -> Advanced -> Config Editor -> network.protocol-handler.warn-external.https

have to be set to "true".

When a link is clicked, a popup asking for the preferred browser is shown, where one should select "/home/user/tor-browser_[your-language]/Browser/firefox".

Should we mention it somewhere in the wiki?[/quote]

I am not sure I 100% understand, but please feel free to document this.

When I switched to Whonix 8.6, I had to install Icedove, like everyone, I guess. Clicking a link in an email was opening Iceweasel directly. One can use right-click “Copy Link Location” and paste it in Torbrowser, but I modified the preferences in Icedove to open it in Torbrowser, on the ground that it is safer that way than opening both browsers at the same time or Iceweasel only, despite the ongoing discussion in tor-talk and -no-remote prevents using Tor Browser as default browser (#12763) · Issues · Legacy / Trac · GitLab.

When installing Icedove for the first time, clicking a link in a message tries to start Iceweasel, which is not allowed (rightly) if Icedove is confined by AppArmor.

Because we would have to allow Iceweasel in the Icedove profile, which does not make sense.

Pushed improvements for downloads · troubadoour/apparmor-profile-torbrowser@eba6652 · GitHub

Some lines used in Micah’s profiles that should solve some GNUser issues.

Merged.

[quote=“troubadour, post:309, topic:108”][quote]
Quote from: troubadour on July 27, 2014, 10:22:04 pm

[quote]
When installing Icedove for the first time, clicking a link in a message tries to start Iceweasel, which is not allowed (rightly) if Icedove is confined by AppArmor.

To use Tor Browser instead,
 
   Preferences -> Advanced -> Config Editor -> network.protocol-handler.warn-external.http and
   Preferences -> Advanced -> Config Editor -> network.protocol-handler.warn-external.https

have to be set to "true".

When a link is clicked, a popup asking for the preferred browser is shown, where one should select "/home/user/tor-browser_[your-language]/Browser/firefox".

Should we mention it somewhere in the wiki?[/quote]

I am not sure I 100% understand, but please feel free to document this.[/quote]

When I switched to Whonix 8.6, I had to install Icedove, like everyone, I guess. Clicking a link in an email was opening Iceweasel directly. One can use right-click “Copy Link Location” and paste it in Torbrowser, but I modified the preferences in Icedove to open it in Torbrowser, on the ground that it is safer that way than opening both browsers at the same time or Iceweasel only, despite the ongoing discussion in tor-talk and Sign in · GitLab
Yes, that would be worth documenting.

Do you think we should somehow configure Icedove to use Tor Browser as default browser? Maybe some env var feature request for TorBirdy could implement this.

Pushed some updates to apparmor-profile-timesync and apparmor-profile-whonixcheck. Some new files in /usr/bin/ are required and “user” was replaced by “*” where necessary, because of the use of “--whoami” in msgcollector.

I am left with sdwdate. When enforced, it crashes without anything logged. The GUI result gives

ERROR: Network Time Synchronization (timesync) failed!!! 
TIMESANITYCHECK_STATUS: Success 
NO_PID_PROCESS Please report this bug!

Could that lead me somewhere for debugging?

I am on IRC at the moment.

Yeah, some paths changed in Whonix 9.

Added:
https://github.com/Whonix/apparmor-profile-whonixcheck/commit/67d044ccbbb3b320f2d2051ef9bd1d0f28611161
(worked)

Added:
https://github.com/Whonix/apparmor-profile-whonixcheck/commit/267bf2353a49becf1089a38c730d4e9b68f37aa1
didn’t work. Can you fix it please?

[quote=“Patrick, post:315, topic:108”]Added:
https://github.com/Whonix/apparmor-profile-whonixcheck/commit/267bf2353a49becf1089a38c730d4e9b68f37aa1
didn’t work. Can you fix it please?[/quote]
Fixed:
https://github.com/Whonix/apparmor-profile-whonixcheck/commit/f8e0e840ddd6035a4129843f72b7f006330197e9

Pushed some changes to various apparmor profiles. Timesync and sdwdate are now working without apparmor denied messages.

I think the timesync profile contains lots of duplication from the sdwdate profile. Maybe it would be best if the timesync profile would source abstractions/sdwdate so we have less duplication?

Pushed some changes to various apparmor profiles. Timesync and sdwdate are now working without apparmor denied messages.
Thanks. "make deb-pkg-install" works like a charm :).

I had to add a few permissions in the sdwdate profile, and I moved the “anon~~” permissions in abstractions/base.anondist. On that topic, we have some lines in base.anondist (I probably put them there) that do not look very specific to an anonymisation distribution.

  /usr/share/kde-lowfat/share/config/kdeglobals r,
  /usr/share/kde-mouse-doubleclick/share/config/kdeglobals r,
  /usr/share/torbrowser-default-browser/share/config/kdeglobals r,

I should probably move them back to where they belong.

I think the timesync profile contains lots of duplication from the sdwdate profile. Maybe it would be best if the timesync profile would source abstractions/sdwdate so we have less duplication?

I guess you mean “source abstractions/base.anondist”, or do we create a new abstraction?

[quote=“troubadour, post:318, topic:108”]On that topic, we have some lines in base.anondist (I probably put them there) that do not look very specific to an anonymisation distribution.

  /usr/share/kde-lowfat/share/config/kdeglobals r,
  /usr/share/kde-mouse-doubleclick/share/config/kdeglobals r,
  /usr/share/torbrowser-default-browser/share/config/kdeglobals r,

I should probably move them back to where they belong.[/quote]
Good point. Problem is there is no real alternative to base.anondist?

Those are only required when the related package (such as kde-lowfat […]) is installed. Which is the case on Whonix.

It depends on what we’re up to here. Putting them into a profile we would like to see getting merged into Debian is eventually counterproductive to get them merged into Debian? Would confuse Debian maintainers? I guess having them in base.anondist is better as long as kde-lowfat […] does not enter Debian. I have no idea! What is the usual thing to do in such cases if there is such a thing as a usual thing here?

On the other hand, Debian maintainers may not care about an extra “/usr/share/kde-lowfat/share/config/kdeglobals r,” if there is no such file in Debian. Doesn’t worsen security and even if there is such a file one day in Debian, it would be required. So while I am very unsure about this, I tend to put them into the profile.

I guess you mean "source abstractions/base.anondist",
No.
or do we create a new abstraction?
Yes. One for sdwdate.

What timesync does is using “sudo service sdwdate” restart and then monitoring it.
Or somehow tell the timesync apparmor profile to run sdwdate using sdwdate’s profile?

As per http://wiki.apparmor.net/index.php/QuickProfileLanguage#Execute_permissions.

cx - the new process should run under a child profile that matches the name of the executable
px - the new process should run under another profile that matches the name of the executable

Using either cx or px.

Why remove dh-apparmor?

Merged. (And reverted 39834997b993ea51f2448aa42afe57b95148a254 for now.)

Got various denied messages for the Tor Browser profile.

Aug 14 13:10:11 host kernel: [57667.819999] audit_printk_skb: 27 callbacks suppressed
Aug 14 13:10:11 host kernel: [57667.820035] type=1400 audit(1408021811.590:686): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_*/Browser/firefox" name="/etc/resolv.conf.anondist" pid=27385 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 14 13:10:11 host kernel: [57667.820546] type=1400 audit(1408021811.594:687): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_*/Browser/firefox" name="/etc/resolv.conf.anondist" pid=27385 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 14 13:10:11 host kernel: [57667.820658] type=1400 audit(1408021811.594:688): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_*/Browser/firefox" name="/etc/hosts.anondist" pid=27385 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 14 13:10:11 host kernel: [57667.885530] type=1400 audit(1408021811.658:689): apparmor="DENIED" operation="open" parent=27385 profile="/home/user/tor-browser_*/Browser/firefox" name="/usr/share/open-link-confirmation/share/config/kdeglobals" pid=27396 comm="kde4-config" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 14 13:10:11 host kernel: [57667.885590] type=1400 audit(1408021811.658:690): apparmor="DENIED" operation="open" parent=27385 profile="/home/user/tor-browser_*/Browser/firefox" name="/usr/share/kde-lowfat/share/config/kdeglobals" pid=27396 comm="kde4-config" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 14 13:10:11 host kernel: [57667.885624] type=1400 audit(1408021811.658:691): apparmor="DENIED" operation="open" parent=27385 profile="/home/user/tor-browser_*/Browser/firefox" name="/usr/share/kde-mouse-doubleclick/share/config/kdeglobals" pid=27396 comm="kde4-config" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 14 13:10:11 host kernel: [57667.885664] type=1400 audit(1408021811.658:692): apparmor="DENIED" operation="open" parent=27385 profile="/home/user/tor-browser_*/Browser/firefox" name="/usr/share/torbrowser-default-browser/share/config/kdeglobals" pid=27396 comm="kde4-config" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 14 13:10:11 host kernel: [57667.891448] type=1400 audit(1408021811.662:693): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_*/Browser/firefox" name="/usr/share/open-link-confirmation/share/config/kdeglobals" pid=27385 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 14 13:10:11 host kernel: [57667.891460] type=1400 audit(1408021811.662:694): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_*/Browser/firefox" name="/usr/share/open-link-confirmation/share/config/kdeglobals" pid=27385 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 14 13:10:11 host kernel: [57667.891508] type=1400 audit(1408021811.662:695): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_*/Browser/firefox" name="/usr/share/kde-lowfat/share/config/kdeglobals" pid=27385 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Already purged and reinstalled it. I am wondering why the rules by apparmor-profile-anondist are not in effect. Can you reproduce this?
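An added example, not part of the original thread or of any Whonix tooling: a small Python script that collapses repeated DENIED records like the ones quoted above into unique (profile, path, mask) entries and renders them as candidate rule lines for manual review. The function names are hypothetical; the sample lines are copied from the log in the post.

```python
import re
from collections import Counter

# Lines copied from the kernel log quoted in the post above.
SAMPLE = '''\
Aug 14 13:10:11 host kernel: [57667.819999] audit_printk_skb: 27 callbacks suppressed
Aug 14 13:10:11 host kernel: [57667.820035] type=1400 audit(1408021811.590:686): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_*/Browser/firefox" name="/etc/resolv.conf.anondist" pid=27385 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 14 13:10:11 host kernel: [57667.820546] type=1400 audit(1408021811.594:687): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_*/Browser/firefox" name="/etc/resolv.conf.anondist" pid=27385 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 14 13:10:11 host kernel: [57667.820658] type=1400 audit(1408021811.594:688): apparmor="DENIED" operation="open" parent=1 profile="/home/user/tor-browser_*/Browser/firefox" name="/etc/hosts.anondist" pid=27385 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 14 13:10:11 host kernel: [57667.885590] type=1400 audit(1408021811.658:690): apparmor="DENIED" operation="open" parent=27385 profile="/home/user/tor-browser_*/Browser/firefox" name="/usr/share/kde-lowfat/share/config/kdeglobals" pid=27396 comm="kde4-config" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def rule_perms(mask):
    """Translate a logged mask into rule permissions; None for exec denials."""
    if "x" in mask:
        return None  # exec needs a deliberate transition mode (ix, px, cx)
    # The log reports create (c) and delete (d); a profile grants both via w.
    return "".join(dict.fromkeys("w" if ch in "cd" else ch for ch in mask))

def summarize(log_text):
    """Count identical (profile, path, denied_mask) denials in a log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec and {"profile", "name", "denied_mask"} <= rec.keys():
            counts[(rec["profile"], rec["name"], rec["denied_mask"])] += 1
    return counts

def candidate_rules(counts):
    """Group de-duplicated denials by profile as rule lines to review by hand."""
    rules = {}
    for profile, path, mask in sorted(counts):
        perms = rule_perms(mask)
        if perms:
            rules.setdefault(profile, []).append(f"  {path} {perms},")
    return rules

if __name__ == "__main__":
    for profile, lines in candidate_rules(summarize(SAMPLE)).items():
        print(f"# {profile}\n" + "\n".join(lines))
```

Exec denials are left out of the rule list on purpose, since choosing a transition mode is a policy decision rather than something to derive from the log.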

Already purged and reinstalled it. I am wondering why the rules by apparmor-profile-anondist are not in effect. Can you reproduce this?

No. Far-fetched, but maybe there was a problem with your revert. I have pushed apparmor-profile-anondist with dh-apparmor back. If you merge it…

It depends on what we're up to here. Putting them into a profile we would like to see getting merged into Debian is eventually counterproductive to get them merged into Debian? Would confuse Debian maintainers? I guess having them in base.anondist is better as long as kde-lowfat [...] does not enter Debian. I have no idea! What is the usual thing to do in such cases if there is such a thing as a usual thing here?

On the other hand, Debian maintainers may not care about an extra “/usr/share/kde-lowfat/share/config/kdeglobals r,” if there is no such file in Debian. Doesn’t worsen security and even if there is such a file one day in Debian, it would be required. So while I am very unsure about this, I tend to put them into the profile.

I don’t think there is yet such a thing as a usual thing in Debian where it concerns AppArmor, but maybe there is a slight upturn (intrigeri is there and apparently the only one really active). See AppArmor/Progress - Debian Wiki.

So, for our little problem, we say “back in the profile”? That cannot harm in any way the functioning of the package (on the contrary) or the security.

What timesync does is using "sudo service sdwdate" restart and then monitoring it. Or somehow tell the timesync apparmor profile to run sdwdate using sdwdate's profile?

As per http://wiki.apparmor.net/index.php/QuickProfileLanguage#Execute_permissions.

cx - the new process should run under a child profile that matches the name of the executable
px - the new process should run under another profile that matches the name of the executable

Using either cx or px.

I believe you’ll agree that it is certainly neater to use a child profile instead of a new abstraction, so I assume I can start in that direction.

I am using a child profile in the Icedove profile.

	@{HOME}/tor-browser_*/Browser/firefox Px,

That is why we cannot start Iceweasel from Icedove when the packages are confined. Only Torbrowser is available to open the links in messages. Whonix Forum