I am going to give this a try, will report if I encounter any problem.
So far, absolutely no problems! Everything works as expected.
Thanks for everyone who has been testing this!
As a result, the next security improvement, "install apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure by default", could be moved forward.
Old:
Previously, the Enabling instructions only mentioned one example, for a single profile:
sudo cp /usr/share/apparmor/extra-profiles/bin.netstat /etc/apparmor.d
sudo aa-enforce /etc/apparmor.d/bin.netstat
New:
The Enabling instructions have been edited by me just now.
- Option B) Copy all profiles.
sudo cp /usr/share/apparmor/extra-profiles/* /etc/apparmor.d
- Option B) Enable all profiles.
sudo aa-enforce /etc/apparmor.d/*
Call for Testers
- Did anyone test command…?
sudo cp /usr/share/apparmor/extra-profiles/* /etc/apparmor.d
and / or
- Did anyone test command…?
sudo aa-enforce /etc/apparmor.d/*
Did both; it loaded a lot of profiles, but at the end it printed this error:
/etc/apparmor.d/usr.sbin.anondate-get doesn't contain a valid profile (syntax error?)
That error is fixed in the stable repository.
owner /**/*-browser/** mrwlkix,
This might be an issue?
Why *-browser? Might be:
- tor-browser
- i2p-browser
- and soon maybe even mullvad-browser (Mullvad Browser support · Issue #25 · Kicksecure/tb-updater · GitHub)
Why /**/?
The folder might be for example:
- /home/user/.tb/tor-browser
- /home/user/.tb/i2p-browser
- /home/user/.tb/mullvad-browser
- /var/cache/tb-binary/.tb/tor-browser (Qubes)
- /var/cache/tb-binary/.tb/i2p-browser (Qubes)
- /var/cache/tb-binary/.tb/mullvad-browser (Qubes)
How to best do that? Maybe better to just hardcode these few possibilities instead? Or is there some kind of variable to express multiple folders?
** mrwlkix, is not very fine-tuned either, but anything else would be too much to maintain as long as the profile isn’t maintained by The Tor Project, which seems unlikely. The profile could then easily break on every update by Tor Browser’s internal updater.
Do you use aa-logprof at all? For me it was a huge time saver. This is kinda how I use it:
AppArmor chapter Fix Profiles in Kicksecure wiki
Without it, I might have deprecated some apparmor profiles by Kicksecure / Whonix already due to too time-consuming maintenance.
Problem with aa-logprof is that it removes comments. Can this be disabled (persist comments) or should there be no comments?
//cc @roddhjav
There are multiple issues here:
- As you guessed, the profile attachment should not be /**/*-browser/** but closer to the actual path of the Tor Browser. This can be made easy if we use some additional variables. See for example firefox:
@{name} = {tor,i2p,mullvad}-browser
@{lib_dirs} = @{HOME}/.tb/@{name}
@{config_dirs} = @{HOME}/.tb/
@{cache_dirs} = @{user_cache_dirs}/tb/
@{exec_path} = @{lib_dirs}/@{name}
profile tor-browser @{exec_path} {
- Yes, mrwlkix, should be a no-go in any apparmor profile. As long as the tb does not update itself, you don’t need both w and mix in @{lib_dirs}. And mix should only be used in @{lib_dirs} or @{lib}/*, @{bin}/*.
Regarding maintenance time, as the tb is based on firefox, both profiles should be quite similar. That should speed things up a lot. Furthermore, it can be simplified for Whonix (less DE to support, no hardware…).
Do you use aa-logprof at all? For me it was a huge time saver.
No, it asks too many questions and the generated profiles are really hard to maintain. Instead, I made my own tool for this: aa-log (see Usage - AppArmor.d). aa-log -r converts (and formats) logs to apparmor rules; I just have to paste them in the profile with minor changes.
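To make the two points above concrete (attach to the real browser paths via variables instead of /**/, and never combine w with mix on one rule), here is a small lint script added as an illustration; it is not part of the thread or of the apparmor.d project, and it deliberately handles only plain file rules and @{var} definitions, not the full AppArmor grammar. The sample profile text is constructed from the rules quoted in this thread.

```python
import re

# Constructed sample: the broad rule questioned in the thread beside the variable-based attachment
SAMPLE_PROFILE = """
@{name} = {tor,i2p,mullvad}-browser
@{lib_dirs} = @{HOME}/.tb/@{name}
@{config_dirs} = @{HOME}/.tb/
@{exec_path} = @{lib_dirs}/@{name}
profile tor-browser @{exec_path} {
  owner /**/*-browser/** mrwlkix,
  @{exec_path} mrix,
  owner @{lib_dirs}/** r,
  owner @{lib_dirs}/**.so mr,
  owner @{config_dirs}/** rw,
}
"""

VAR_RE = re.compile(r"^@\{(\w+)\}\s*\+?=\s*(.+)$")
# qualifiers, path, permission string (simplified: file rules only, no link/dbus/unix rules)
RULE_RE = re.compile(r"^((?:(?:owner|deny|audit)\s+)*)(\S+)\s+([A-Za-z]+),$")

def parse_profile(text):
    """Return (variables, rules); each rule is (lineno, qualifiers, path, perms)."""
    variables, rules = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if m := VAR_RE.match(line):
            variables[m.group(1)] = m.group(2).strip()
        elif m := RULE_RE.match(line):
            rules.append((lineno, m.group(1).split(), m.group(2), m.group(3)))
    return variables, rules

def expand(path, variables, depth=0):
    """Resolve @{var} references defined in the profile; unknown ones (e.g. @{HOME}) stay literal."""
    return re.sub(r"@\{(\w+)\}", lambda m: expand(variables[m.group(1)], variables, depth + 1)
                  if m.group(1) in variables and depth < 10 else m.group(0), path)

def lint(text):
    """Flag grant rules that combine write with exec/mmap, or that attach anywhere via /**/."""
    variables, rules = parse_profile(text)
    findings = []
    for lineno, quals, path, perms in rules:
        if "deny" in quals:  # deny rules grant nothing, so there is nothing to flag
            continue
        resolved = expand(path, variables)
        if "w" in perms and ("x" in perms or "m" in perms):
            findings.append((lineno, resolved, "write combined with exec/mmap on one path"))
        if resolved.startswith("/**/"):
            findings.append((lineno, resolved, "matches this name anywhere in the filesystem"))
    return findings
```

Running lint(SAMPLE_PROFILE) reports only the mrwlkix rule, twice (w+x and /**/), while the variable-based rules pass.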
In Qubes Disposables we are bind mounting /var/cache/tb-binary/.tb to /home/user/.tb.
mount --bind -o nosuid,nodev "/var/cache/tb-binary/.tb" "/home/user/.tb"
(This is to have faster Tor Browser startup times, avoiding the need to copy the folder. Implemented in /usr/libexec/tb-updater/dispvm.)
Also bind mounting /var/cache/tb-binary/.cache/tb to /home/$user_name/.cache/tb.
(Useful for running Tor Browser Updater by Whonix developers in Disposable. Not terribly useful since non-persistent, but good to avoid a strange bug, for development, testing.)
Therefore…
Does /var/cache/tb-binary/.tb also need to be part of lib_dirs?
No, /var/cache/tb-binary/.tb does not need to be part of @{lib_dirs}. However, the full construction will have to be carefully tested anyway.
After a few tests, /var/cache/tb-binary/.tb is indeed not needed. See the torbrowser profile. It is highly based on the firefox one.