Some updates in apparmor-profile-icedove after Reviewed and adopted for "normal" Debian Jessie installation. by ypid · Pull Request #1 · Kicksecure/apparmor-profile-thunderbird · GitHub
Merged. Luckily was mergeable. Please fetch/merge from origin before making changes.
added missing packaging of apparmor profile:
Could you please port https://github.com/Whonix/tb-starter/blob/master/etc/apparmor.d/usr.bin.torbrowser to the new “@{TBB} = @{HOME}*” style, i.e. supporting the new folder(s)? Currently getting two denied messages.
Sep 18 22:27:17 localhost kernel: [343239.382352] audit: type=1400 audit(1442608037.089:152): apparmor="DENIED" operation="exec" profile="/usr/bin/torbrowser" name="/home/user/.tb/tor-browser_en-US/start-tor-browser.desktop" pid=30474 comm="torbrowser" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
Sep 18 22:27:17 localhost kernel: [343239.382623] audit: type=1400 audit(1442608037.089:153): apparmor="DENIED" operation="open" profile="/usr/bin/torbrowser" name="/home/user/.tb/tor-browser_en-US/start-tor-browser.desktop" pid=30474 comm="torbrowser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[quote="Patrick, post:592, topic:108"]Could you please port https://github.com/Whonix/tb-starter/blob/master/etc/apparmor.d/usr.bin.torbrowser to the new “@{TBB} = @{HOME}*” style, i.e. supporting the new folder(s)? Currently getting two denied messages.
Sep 18 22:27:17 localhost kernel: [343239.382352] audit: type=1400 audit(1442608037.089:152): apparmor="DENIED" operation="exec" profile="/usr/bin/torbrowser" name="/home/user/.tb/tor-browser_en-US/start-tor-browser.desktop" pid=30474 comm="torbrowser" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
Sep 18 22:27:17 localhost kernel: [343239.382623] audit: type=1400 audit(1442608037.089:153): apparmor="DENIED" operation="open" profile="/usr/bin/torbrowser" name="/home/user/.tb/tor-browser_en-US/start-tor-browser.desktop" pid=30474 comm="torbrowser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[/quote]
Same thing here I am currently testing.
The latest apparmor profile commits are working well; however, AppArmor shows:
denied for
/rw/usrlocal/share/applications/meminfo.cache
and
/rw/usrlocal/share/applications
Hope this helps! I will post temporary workaround instructions on the thread I linked in my previous post. Thank you everyone for all the hard work.
In Qubes /usr/local is a symlink to /rw/usrlocal/. Due to apparmor-profile-dist/qubes-whonix-anondist at master · Kicksecure/apparmor-profile-dist · GitHub shipping
alias /usr/local -> /rw/usrlocal/,
we don’t have to care about this a lot. Only note: if a user posts a denied message for
/rw/usrlocal/share/applications/meminfo.cache
then the line added to the AppArmor profile should be
/usr/local/share/applications/meminfo.cache
so it will work for non-Qubes users as well.
apparmor-woes, can you please test adding
/usr/local/share/applications/meminfo.cache r,
to the profile and report if that fixes the denied message?
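As an added example (my own code, not from this thread or the Whonix repositories), a small Python helper that applies the translation described in the post above: it parses DENIED audit lines, maps the Qubes on-disk path /rw/usrlocal back through the shipped alias to /usr/local, replaces the literal home directory with the @{HOME} tunable, and prints the rule line to add. The sample lines are the ones posted in this thread (note that the firefox denial there names mimeinfo.cache); choosing "ix" as the exec mode is my assumption, not something the thread specifies.

```python
import re

# Alias shipped by apparmor-profile-dist for Qubes, as quoted in this thread:
#   alias /usr/local -> /rw/usrlocal/,
# An AppArmor alias maps the profile-side path to the on-disk path, so a denial
# logged for the on-disk path has to be written back to the profile-side path
# for the rule to work on Qubes and non-Qubes systems alike.
ALIASES = {"/rw/usrlocal/": "/usr/local/"}

# Constructed sample input: DENIED and STATUS lines posted in this thread
# (curly quotes normalised to ASCII, syslog prefix dropped).
SAMPLE_LOG = """\
audit: type=1400 audit(1442608037.089:152): apparmor="DENIED" operation="exec" profile="/usr/bin/torbrowser" name="/home/user/.tb/tor-browser_en-US/start-tor-browser.desktop" pid=30474 comm="torbrowser" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
audit: type=1400 audit(1442672258.661:4): apparmor="STATUS" operation="profile_load" name="/usr/bin/pidgin" pid=330 comm="apparmor_parser"
audit: type=1400 audit(1442672329.843:6): apparmor="DENIED" operation="open" profile="/home/**/tor-browser_*/Browser/firefox" name="/rw/usrlocal/share/applications/" pid=7026 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1442672329.843:7): apparmor="DENIED" operation="open" profile="/home/**/tor-browser_*/Browser/firefox" name="/rw/usrlocal/share/applications/mimeinfo.cache" pid=7026 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_audit(line):
    """Return the key="value" fields of one audit line as a dict."""
    return dict(FIELD.findall(line))


def profile_path(path):
    """Translate an on-disk path into the form the profile should use."""
    for disk, prof in ALIASES.items():
        if path.startswith(disk):
            path = prof + path[len(disk):]
    # Use the @{HOME} tunable instead of a hard-coded user name, matching the
    # "@{TBB} = @{HOME}*" style discussed in the thread.
    return re.sub(r"^/home/[^/]+/", "@{HOME}/", path)


def suggest_rules(log):
    """Return (profile, rule) pairs for every DENIED line, in order, without repeats."""
    rules = []
    for line in log.splitlines():
        f = parse_audit(line)
        if f.get("apparmor") != "DENIED" or "name" not in f:
            continue
        # A bare "x" is not a valid permission; an exec mode is required.
        # "ix" (inherit the current profile) is assumed here as a conservative choice.
        mask = f["denied_mask"].replace("x", "ix")
        pair = (f["profile"], f"{profile_path(f['name'])} {mask},")
        if pair not in rules:
            rules.append(pair)
    return rules


if __name__ == "__main__":
    for prof, rule in suggest_rules(SAMPLE_LOG):
        print(f"{prof}: {rule}")
```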
I have added the line above, Patrick. I am still getting AppArmor errors. I would be more than happy to test any suggestions. I am not too familiar with AppArmor but am happy to donate my time! Please let me know.
Here are the logs:
audit: type=1400 audit(1442672258.219:2): apparmor="STATUS" operation="profile_load" name="/home/**/tor-browser_*/Browser/firefox" pid=330 comm="apparmor_parser"
audit: type=1400 audit(1442672258.650:3): apparmor="STATUS" operation="profile_replace" name="/home/**/tor-browser_*/Browser/firefox" pid=330 comm="apparmor_parser"
audit: type=1400 audit(1442672258.661:4): apparmor="STATUS" operation="profile_load" name="/usr/bin/pidgin" pid=330 comm="apparmor_parser"
audit: type=1400 audit(1442672258.664:5): apparmor="STATUS" operation="profile_load" name="/usr/lib/virtualbox/VirtualBox" pid=330 comm="apparmor_parser"
audit: type=1400 audit(1442672329.843:6): apparmor="DENIED" operation="open" profile="/home/**/tor-browser_*/Browser/firefox" name="/rw/usrlocal/share/applications/" pid=7026 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1442672329.843:7): apparmor="DENIED" operation="open" profile="/home/**/tor-browser_*/Browser/firefox" name="/rw/usrlocal/share/applications/mimeinfo.cache" pid=7026 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
home..tor-browser_.Browser.firefox
[code]#include <tunables/global>
@{TBB} = @{HOME}*
/home/**/tor-browser_*/Browser/firefox {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/kde>
#include <abstractions/gnome>
#include <abstractions/audio>
#include <abstractions/user-download>
#include <abstractions/user-tmp>
#include <abstractions/X>
deny /etc/host.conf r,
deny /etc/hosts r,
deny /etc/nsswitch.conf r,
deny /etc/resolv.conf r,
deny /etc/passwd r,
deny /etc/group r,
deny /etc/udev/udev.conf r,
deny /etc/mailcap r,
deny /etc/fstab r,
deny @{PROC}/[0-9]*/stat r,
deny @{PROC}/[0-9]*/mountinfo r,
deny @{PROC}/[0-9]*/task/** r,
deny @{PROC}/sys/kernel/random/uuid r,
deny @{PROC}/sys/vm/overcommit_memory r,
deny @{PROC}/[0-9]*/cmdline r,
deny /run/udev/** r,
deny /sys/devices/** r,
## Missing in <abstractions/user-download> #######
# Without this line, access is denied to @{HOME},
# [dD]ownload{,s}, Desktop... for downloads.
@{HOME}/ r,
@{HOME}/* r,
##################################################
owner @{TBB}/tor-browser_*/ r,
owner @{TBB}/tor-browser_*/* r,
## TBB 5.0.2 internal updater ####
owner @{TBB}/tor-browser_*/Browser/ rw,
##################################
owner @{TBB}/tor-browser_*/Browser/** rwk,
owner @{TBB}/tor-browser_*/Browser/*.so mr,
owner @{TBB}/tor-browser_*/Browser/components/*.so mr,
owner @{TBB}/tor-browser_*/Browser/browser/components/*.so mr,
owner @{TBB}/tor-browser_*/Browser/firefox rix,
owner @{TBB}/tor-browser_*/Browser/TorBrowser/Tor/* mr,
owner @{TBB}/tor-browser_*/Data/Browser/Caches/** rwk,
owner @{TBB}/tor-browser_*/Data/Browser/profiles.ini r,
owner @{TBB}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/ r,
owner @{TBB}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/** rwk,
owner @{TBB}/tor-browser_*/Data/Tor/* rwk,
owner @{TBB}/tor-browser_*/Tor/* mr,
owner @{TBB}/tor-browser_*/Tor/tor rix,
owner @{TBB}/tor-browser_*/Browser/updates/ r,
owner @{TBB}/tor-browser_*/Browser/updates/** rwk,
owner @{TBB}/tor-browser_*/Browser/updates*.xml rwk,
owner @{TBB}/tor-browser_*/Browser/active-update*.xml rwk,
owner @{TBB}/tor-browser_*/update.test/ rwk,
owner @{TBB}/tor-browser_*/update.test rwk,
owner @{TBB}/tor-browser_*/Browser/update.test/ rwk,
owner @{TBB}/tor-browser_*/Browser/update.test rwk,
owner @{TBB}/tor-browser_*/Browser/updates/0/updater rix,
## TBB 5.0.2 internal updater ####
owner @{TBB}/tor-browser_*/Browser/updates/0/MozUpdater/bgupdate/updater rix,
##################################
owner @{TBB}/tor-browser_*/Browser/Desktop/ rw,
owner @{TBB}/tor-browser_*/Desktop/ rwk,
owner @{TBB}/tor-browser_*/Desktop/** rwk,
owner @{TBB}/tor-browser_*/Browser/Downloads/ r,
owner @{TBB}/tor-browser_*/Browser/Downloads/** rwk,
## Gnome2 and VirtualBox ##
owner @{TBB}/tor-browser_*/.** rwk,
## KDE 4 ##
@{HOME}/.kde/share/config/* r,
## Xfce4 ##
/etc/xfce4/defaults.list r,
/usr/share/xfce4/applications/ r,
/etc/mime.types r,
/etc/wildmidi/wildmidi.cfg r, # gstreamer
/tmp/MozUpdater/bgupdate/updater rix,
/usr/bin/kde4-config rix,
## XXX
#/usr/lib/*-linux-gnu/libvisual-*/*.so mr,
#/usr/lib/*-linux-gnu/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner rix,
/usr/lib/*-linux-gnu/** mrix,
/usr/share/ r,
/usr/share/mime/ r,
/usr/share/mime/** r,
/usr/share/themes/ r,
/usr/share/themes/** r,
/usr/share/applications/** rk,
/usr/share/poppler/cMap/ r,
/usr/share/poppler/cMap/** r,
/usr/share/libthai/ r,
/usr/share/libthai/** r,
# Distribution homepage
/usr/share/homepage/ r,
/usr/share/homepage/** r,
/usr/local/share/applications/meminfo.cache r,
## Not in abstractions/fonts ##
/usr/share/fontconfig/conf.avail/* r,
/var/cache/fontconfig/ rk,
## For systems used in VirtualBox ##
deny /var/lib/dbus/machine-id r,
@{PROC}/[0-9]*/fd/ r,
/dev/vboxuser rw,
/bin/ps rix,
/bin/dash rix,
/usr/bin/pulseaudio rix,
}[/code]
home..tor-browser_.Browser.start-tor-browser
[code]#include <tunables/global>
@{TBB} = @{HOME}*
/home/**/tor-browser_*/Browser/firefox {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/kde>
#include <abstractions/gnome>
#include <abstractions/audio>
#include <abstractions/user-download>
#include <abstractions/user-tmp>
#include <abstractions/X>
deny /etc/host.conf r,
deny /etc/hosts r,
deny /etc/nsswitch.conf r,
deny /etc/resolv.conf r,
deny /etc/passwd r,
deny /etc/group r,
deny /etc/udev/udev.conf r,
deny /etc/mailcap r,
deny /etc/fstab r,
deny @{PROC}/[0-9]*/stat r,
deny @{PROC}/[0-9]*/mountinfo r,
deny @{PROC}/[0-9]*/task/** r,
deny @{PROC}/sys/kernel/random/uuid r,
deny @{PROC}/sys/vm/overcommit_memory r,
deny @{PROC}/[0-9]*/cmdline r,
deny /run/udev/** r,
deny /sys/devices/** r,
## Missing in <abstractions/user-download> #######
# Without this line, access is denied to @{HOME},
# [dD]ownload{,s}, Desktop... for downloads.
@{HOME}/ r,
@{HOME}/* r,
##################################################
owner @{TBB}/tor-browser_*/ r,
owner @{TBB}/tor-browser_*/* r,
## TBB 5.0.2 internal updater ####
owner @{TBB}/tor-browser_*/Browser/ rw,
##################################
owner @{TBB}/tor-browser_*/Browser/** rwk,
owner @{TBB}/tor-browser_*/Browser/*.so mr,
owner @{TBB}/tor-browser_*/Browser/components/*.so mr,
owner @{TBB}/tor-browser_*/Browser/browser/components/*.so mr,
owner @{TBB}/tor-browser_*/Browser/firefox rix,
owner @{TBB}/tor-browser_*/Browser/TorBrowser/Tor/* mr,
owner @{TBB}/tor-browser_*/Data/Browser/Caches/** rwk,
owner @{TBB}/tor-browser_*/Data/Browser/profiles.ini r,
owner @{TBB}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/ r,
owner @{TBB}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/** rwk,
owner @{TBB}/tor-browser_*/Data/Tor/* rwk,
owner @{TBB}/tor-browser_*/Tor/* mr,
owner @{TBB}/tor-browser_*/Tor/tor rix,
owner @{TBB}/tor-browser_*/Browser/updates/ r,
owner @{TBB}/tor-browser_*/Browser/updates/** rwk,
owner @{TBB}/tor-browser_*/Browser/updates*.xml rwk,
owner @{TBB}/tor-browser_*/Browser/active-update*.xml rwk,
owner @{TBB}/tor-browser_*/update.test/ rwk,
owner @{TBB}/tor-browser_*/update.test rwk,
owner @{TBB}/tor-browser_*/Browser/update.test/ rwk,
owner @{TBB}/tor-browser_*/Browser/update.test rwk,
owner @{TBB}/tor-browser_*/Browser/updates/0/updater rix,
## TBB 5.0.2 internal updater ####
owner @{TBB}/tor-browser_*/Browser/updates/0/MozUpdater/bgupdate/updater rix,
##################################
owner @{TBB}/tor-browser_*/Browser/Desktop/ rw,
owner @{TBB}/tor-browser_*/Desktop/ rwk,
owner @{TBB}/tor-browser_*/Desktop/** rwk,
owner @{TBB}/tor-browser_*/Browser/Downloads/ r,
owner @{TBB}/tor-browser_*/Browser/Downloads/** rwk,
## Gnome2 and VirtualBox ##
owner @{TBB}/tor-browser_*/.** rwk,
## KDE 4 ##
@{HOME}/.kde/share/config/* r,
## Xfce4 ##
/etc/xfce4/defaults.list r,
/usr/share/xfce4/applications/ r,
/etc/mime.types r,
/etc/wildmidi/wildmidi.cfg r, # gstreamer
/tmp/MozUpdater/bgupdate/updater rix,
/usr/bin/kde4-config rix,
## XXX
#/usr/lib/*-linux-gnu/libvisual-*/*.so mr,
#/usr/lib/*-linux-gnu/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner rix,
/usr/lib/*-linux-gnu/** mrix,
/usr/share/ r,
/usr/share/mime/ r,
/usr/share/mime/** r,
/usr/share/themes/ r,
/usr/share/themes/** r,
/usr/share/applications/** rk,
/usr/share/poppler/cMap/ r,
/usr/share/poppler/cMap/** r,
/usr/share/libthai/ r,
/usr/share/libthai/** r,
# Distribution homepage
/usr/share/homepage/ r,
/usr/share/homepage/** r,
/usr/local/share/applications/meminfo.cache r,
## Not in abstractions/fonts ##
/usr/share/fontconfig/conf.avail/* r,
/var/cache/fontconfig/ rk,
## For systems used in VirtualBox ##
deny /var/lib/dbus/machine-id r,
@{PROC}/[0-9]*/fd/ r,
/dev/vboxuser rw,
/bin/ps rix,
/bin/dash rix,
/usr/bin/pulseaudio rix,
}[/code]
Did you forget
after making changes?
I actually backed up the current profile and overwrote it. Then I rebooted Whonix+Qubes; that method seemed to work for actually getting Tor Browser to start when it previously did not. I will run
sudo aa-status
to make sure that the proper profile is being enforced and report back.
Profile tb-starter/etc/apparmor.d/usr.bin.torbrowser is currently very problematic, because it gets installed by default (part of package tb-starter) and because it’s currently broken. It needs to work whether apparmor-profile-torbrowser is installed or not.
I am quite certain that, to prevent any future unstartable Tor Browser, we would be better off moving tb-starter/etc/apparmor.d/usr.bin.torbrowser to the apparmor-profile-torbrowser package. Otherwise we would have to carefully test all the different cases.
hot fixed apparmor profile for new folder ~/.tb - https://www.whonix.org/forum/index.php/topic,97.msg10298.html#msg10298
https://github.com/Whonix/tb-starter/commit/860fd2fe05d9ba0729c4bfb9ed70fc29586f8aa9
(If we decide to move tb-starter/etc/apparmor.d/usr.bin.torbrowser to apparmor-profile-torbrowser package, we should rename the file to /etc/apparmor.d/usr_bin_torbrowser or so to prevent dpkg upgrade issues.)
Please say how likely you find it for this to cause issues. There are various cases to consider.
- Only tb-starter/etc/apparmor.d/usr.bin.torbrowser installed, but apparmor-profile-torbrowser package not.
- Only tb-starter/etc/apparmor.d/usr.bin.torbrowser installed, and apparmor-profile-torbrowser installed and enforced.
- Only tb-starter/etc/apparmor.d/usr.bin.torbrowser installed, and apparmor-profile-torbrowser installed and disabled.
- Any others?
In none of these cases should tb-starter/etc/apparmor.d/usr.bin.torbrowser prevent /usr/bin/torbrowser from starting Tor Browser.
apparmor profile fixes
https://github.com/Whonix/tb-starter/commit/2959df2fd786861f87a7e7609d1ac2c74a401d1d
I think tb-starter/etc/apparmor.d/usr.bin.torbrowser is just too complex for installing it by default and enabling it by default. Because it interacts with msgcollector. And update-torbrowser. And worst, with software that we do not control, i.e. Tor Browser.
I do agree with your last post. I’m currently trying to get tb-starter/etc/apparmor.d/usr.bin.torbrowser working, without success so far. It’s getting harder if we want to make it path insensitive, amongst other issues.
It looks like we are shooting ourselves in the foot for a minimal if not non-existent security gain. We would be much better off keeping apparmor-profile-torbrowser only, because the profiles relate to TBB only and can be adapted [relatively] easily. We have some experience with Tor Browser changes…
Removed the profile:
Feel free to re-add it to apparmor-profile-torbrowser. However, I also fail to see the security gain by it.
Added /usr/local/share/applications/meminfo.cache to apparmor-profile-torbrowser.
Merged.