Whonix AppArmor Profiles Development Discussion

Yes, we run /usr/bin/torbrowser unconfined. Tor Browser is still enforced.

Merged.
…

Minor.

Merged.

systemd AppArmorProfile= directive unavailable leads to not loading AppArmor profile on Debian jessie:

• https://trac.torproject.org/projects/tor/ticket/18294
• https://www.whonix.org/pipermail/whonix-devel/2016-February/000561.html

fix tor-controlport-filter AppArmor profile
https://phabricator.whonix.org/T587

Any changes from

required in https://github.com/Whonix/apparmor-profile-torbrowser/blob/master/etc/apparmor.d/home.tor-browser.firefox?

Anything we should apply to https://github.com/Whonix/apparmor-profile-torbrowser as well?

Post here as a record

https://github.com/Whonix/anon-gw-anonymizer-config/pull/7

Following the last post from @iry and the issue regarding /etc/torrc.d, an update to apparmor-profile-whonixcheck, including /usr/local/etc/apparmor.d just in case.

https://github.com/troubadoour/apparmor-profile-whonixcheck/commit/5648e78db3b11bdefbe44e84076a07e69729581e

Note.
After cloning my repository from github, I fetched and merged https://github.com/Whonix/apparmor-profile-whonixcheck, which is out of date. So I copied the installed profile in the package folder and then made the changes, hence the two commits.

apparmor-profile-whonixcheck does no longer exist. We integrated it into whonixcheck. (Please merge Whonix master please.)

That explains.

The same change in whonixcheck.

https://github.com/troubadoour/whonixcheck/commit/fb650ee096bf91aafdff994f20c39ae8a007b890

After installing the profile, whonixcheck does not complain after running anon-connection-wizard.

Merged.

Are you sure the following is required?

/etc/ r,
/etc/torrc.d/ r,
/usr/local/etc/torrc.d/ r,

I speculate the following alone would do?

/etc/torrc.d/* rw,
/usr/local/etc/torrc.d/* rw,

Wondering because we had /etc/tor/** r, without /etc/ r, and it always worked.