[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [CONTRIBUTE] [DONATE]

Whonix AppArmor Profiles Development Discussion

The hexchat profile is now rather minimal.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951331#44

Current TB Apparmor profile show this:

root@host:~# /usr/sbin/apparmor-info -b
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/sys/bus/pci/devices/" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/1510/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/1595/cgroup" comm=46532042726F6B65722031353935 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/sys/bus/" comm=4950444C204261636B67726F756E64 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/sys/class/" comm=4950444C204261636B67726F756E64 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/2969/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/3032/cgroup" comm=46532042726F6B65722033303332 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/3740/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/3790/cgroup" comm=46532042726F6B65722033373930 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/4834/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/4886/cgroup" comm=46532042726F6B65722034383836 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/5690/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/5741/cgroup" comm=46532042726F6B65722035373431 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/6982/cgroup" comm=46532042726F6B65722036393832 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/7151/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/7202/cgroup" comm=46532042726F6B65722037323032 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/8126/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/8224/cgroup" comm=46532042726F6B65722038323234 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/8795/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/8845/cgroup" comm=46532042726F6B65722038383435 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/9628/cgroup" comm=46532042726F6B65722039363238 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/9807/cgroup" comm=46532042726F6B65722039383037 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/10148/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/10222/cgroup" comm=46532042726F6B6572203130323232 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/10618/cgroup" comm=46532042726F6B6572203130363138 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/10844/cgroup" comm=46532042726F6B6572203130383434 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/11662/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/11733/cgroup" comm=46532042726F6B6572203131373333 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/13758/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/13822/cgroup" comm=46532042726F6B6572203133383232 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/15356/cgroup" comm=46532042726F6B6572203135333536 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/15401/cgroup" comm=46532042726F6B6572203135343031 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/15462/cgroup" comm=46532042726F6B6572203135343632 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/22540/cgroup" comm=46532042726F6B6572203232353430 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/22859/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/22934/cgroup" comm=46532042726F6B6572203232393334 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/23224/cgroup" comm=46532042726F6B6572203233323234 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/23742/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/23794/cgroup" comm=46532042726F6B6572203233373934 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/52008/cgroup" comm=46532042726F6B6572203532303038 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/52842/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/52914/cgroup" comm=46532042726F6B6572203532393134 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/55673/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/55734/cgroup" comm=46532042726F6B6572203535373334 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/55996/cgroup" comm=46532042726F6B6572203535393936 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/57663/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/57712/cgroup" comm=46532042726F6B6572203537373132 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/58295/cgroup" comm=46532042726F6B6572203538323935 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/58705/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/58755/cgroup" comm=46532042726F6B6572203538373535 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/59049/cgroup" comm=46532042726F6B6572203539303439 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/61692/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/61763/cgroup" comm=46532042726F6B6572203631373633 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/62397/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/62446/cgroup" comm=46532042726F6B6572203632343436 requested_mask="r" denied_mask="r"
root@host:~#

similar to this:

1 Like

Following:

This is the Apparmor profile after changes:

# Last Modified: Sun Jun  5 17:30:59 2022
#include <tunables/global>

## Copyright (C) 2014 troubadour <trobador@riseup.net>
## Copyright (C) 2014 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.


/**/*-browser/Browser/firefox flags=(attach_disconnected) {
  #include <abstractions/X>
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/gnome>
  #include <abstractions/kde>
  #include <abstractions/totem>
  #include <abstractions/user-download>
  #include <abstractions/user-tmp>
  #include <local/home.tor-browser.firefox>

  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,

  deny /etc/fstab r,
  deny /etc/group r,
  deny /etc/host.conf r,
  deny /etc/hosts r,
  deny /etc/mailcap r,
  deny /etc/nsswitch.conf r,
  deny /etc/passwd r,
  deny /etc/resolv.conf r,
  deny /etc/udev/udev.conf r,
  deny /run/udev/** r,
  deny /sys/devices/** r,
  deny /var/lib/dbus/machine-id r,
  deny @{PROC}/@{pid}/cmdline r,
  deny @{PROC}/@{pid}/mountinfo r,
  deny @{PROC}/@{pid}/net/arp r,
  deny @{PROC}/@{pid}/net/route r,
  deny @{PROC}/@{pid}/stat r,
  deny @{PROC}/@{pid}/task/ r,
  deny @{PROC}/@{pid}/task/** r,
  deny @{PROC}/sys/kernel/random/uuid r,
  deny @{PROC}/sys/vm/overcommit_memory r,

  /bin/dash rix,
  /bin/ps rix,
  /dev/dri/** r,
  /dev/shm/org.chromium.* rwk,
  /dev/shm/org.mozilla.ipc.* rwk,
  /dev/vboxuser rw,
  /etc/dconf/** r,
  /etc/debian_version r,
  /etc/ld.so.conf r,
  /etc/ld.so.conf.d/* r,
  /etc/mime.types r,
  /etc/wildmidi/wildmidi.cfg r, # gstreamer
  /etc/xfce4/defaults.list r,
  /run/**/**/dconf/ rw,
  /run/**/**/dconf/** rw,
  /run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock rw,
  /run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock rw,
  /run/firejail/lib/libpostexecseccomp.so mr,
  /run/resolvconf/resolv.conf r,
  /tmp/MozUpdater/bgupdate/updater rix,
  /usr/bin/apt-cache rix,
  /usr/bin/dash rix,
  /usr/bin/dirname rix,
  /usr/bin/kde4-config rix,
  /usr/bin/lsb_release rix,
  /usr/bin/ps rix,
  /usr/bin/pulseaudio rix,
  /usr/lib/*-linux-gnu/** mrix,
  /usr/lib/python*/lib-dynload/* mr,
  /usr/local/lib/python*/dist-packages/ r,
  /usr/local/lib/python*/dist-packages/** r,
  /usr/share/applications/** rk,
  /usr/share/doc/homepage/** r,
  /usr/share/fontconfig/conf.avail/* r,
  /usr/share/libthai/** r,
  /usr/share/mime/** r,
  /usr/share/poppler/cMap/** r,
  /usr/share/tb-profile-i2p/** r,
  /usr/share/themes/** r,
  /usr/share/xul-ext/foxyproxy-standard/** r,
  /var/cache/fontconfig/ rk,
  @{HOME}/ r,
  @{HOME}/* r,
  @{HOME}/.kde/share/config/* r,
  @{PROC}/*/environ r,
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pid}/gid_map rw,
  @{PROC}/@{pid}/setgroups rw,
  @{PROC}/@{pid}/status r,
  @{PROC}/@{pid}/uid_map rw,
  owner /**/*-browser/** mrwlkix,
  owner /proc/*/cgroup r,

}
1 Like
1 Like

A post was split to a new topic: install apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure by default

1 Like

Now merged.

1 Like

I am going to give this a try, will report if i encounter any problem

1 Like

So far, absolutely no problems! everything works as expected

2 Likes

Thanks for everyone who has been testing this!

As a result, the next security improvement install apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure by default could be moved forward.

1 Like

Old:

Previously the Enabling instructions only mentioned one example for one profile only:

  • sudo cp /usr/share/apparmor/extra-profiles/bin.netstat /etc/apparmor.d
  • sudo aa-enforce /etc/apparmor.d/bin.netstat

New:

The Enabling instructions have been edited by me just now.

  • Option B) Copy all profiles.
sudo cp /usr/share/apparmor/extra-profiles/* /etc/apparmor.d
  • Option B) Enable all profiles.
sudo aa-enforce /etc/apparmor.d/*

Call for Testers

  1. Did anyone test command…?
sudo cp /usr/share/apparmor/extra-profiles/* /etc/apparmor.d

and / or

  1. Did anyone test command…?
sudo aa-enforce /etc/apparmor.d/*

did both, it loaded a lot of profiles but at the end it printed this error
/etc/apparmor.d/usr.sbin.anondate-get doesn't contain a valid profile (syntax error?)

1 Like

That error is fixed in the stable repository.

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]