Whonix AppArmor Profiles Development Discussion

Now merged.


I am going to give this a try, will report if i encounter any problem


So far, absolutely no problems! Everything works as expected.


Thanks to everyone who has been testing this!

As a result, the next security improvement, "install apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure by default", could be moved forward.



Previously, the Enabling instructions mentioned only one example, for a single profile:

  • sudo cp /usr/share/apparmor/extra-profiles/bin.netstat /etc/apparmor.d
  • sudo aa-enforce /etc/apparmor.d/bin.netstat


The Enabling instructions have been edited by me just now.

  • Option B) Copy all profiles.
sudo cp /usr/share/apparmor/extra-profiles/* /etc/apparmor.d
  • Option B) Enable all profiles.
sudo aa-enforce /etc/apparmor.d/*

Call for Testers

  1. Did anyone test command…?
sudo cp /usr/share/apparmor/extra-profiles/* /etc/apparmor.d

and / or

  2. Did anyone test command…?
sudo aa-enforce /etc/apparmor.d/*

Did both; it loaded a lot of profiles, but at the end it printed this error:
/etc/apparmor.d/usr.sbin.anondate-get doesn't contain a valid profile (syntax error?)

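The copy-all / enforce-all procedure discussed above, as an added example that is not part of this thread or of the Whonix/Kicksecure packages: a POSIX shell script that parses every profile file in the target directory with apparmor_parser before enforcing anything, so a profile that fails to parse (like the anondate-get one reported above) is listed by name and skipped instead of surfacing as a late error in the middle of a bulk aa-enforce. The script name, the AA_PARSER and AA_ENFORCE override variables, and the report/enforce argument convention are assumptions for illustration.

```shell
#!/bin/sh
# check-profiles.sh (hypothetical name): validate AppArmor profiles in a
# directory before enforcing them.
#
# Assumption: the parser and enforce commands can be overridden through
# AA_PARSER / AA_ENFORCE (defaults are the system tools). This keeps the
# functions testable without touching the running kernel.
AA_PARSER="${AA_PARSER:-apparmor_parser}"
AA_ENFORCE="${AA_ENFORCE:-aa-enforce}"

# profile_parses FILE
# Succeeds when FILE is a syntactically valid profile.
#   -Q  parse and check only, do not load into the kernel
#   -K  skip the binary profile cache, so the file itself is checked
profile_parses() {
    "$AA_PARSER" -Q -K "$1" >/dev/null 2>&1
}

# validate_profiles DIR
# Prints the path of every profile in DIR that fails to parse, one per line.
# Returns 0 when all profiles parse, 1 otherwise. Only regular files are
# checked, so subdirectories such as abstractions/ and tunables/ are skipped.
validate_profiles() {
    dir="$1"
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! profile_parses "$f"; then
            printf '%s\n' "$f"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# enforce_valid_profiles DIR
# Enforces every profile in DIR that parses; broken ones are reported on
# stderr and left untouched. Returns 1 if at least one profile was skipped,
# so a wrapper script can notice that the directory needs attention.
enforce_valid_profiles() {
    dir="$1"
    skipped=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if profile_parses "$f"; then
            "$AA_ENFORCE" "$f"
        else
            printf 'skipping invalid profile: %s\n' "$f" >&2
            skipped=1
        fi
    done
    [ "$skipped" -eq 0 ]
}

# Usage (after the cp step from the thread):
#   sh check-profiles.sh /etc/apparmor.d          # report only
#   sudo sh check-profiles.sh /etc/apparmor.d enforce
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = enforce ]; then
        enforce_valid_profiles "$1"
    else
        validate_profiles "$1"
    fi
fi
```

Running the report mode first mirrors what the tester did by hand: the copy succeeds, the parse failure is attributed to a single file, and nothing is loaded into the kernel until that file is fixed or removed.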

That error is fixed in the stable repository.

2 posts were split to a new topic: apparmor-profile-torbrowser allows access to user home folder

2 posts were split to a new topic: apparmor.d - Full set of AppArmor profiles (~ 1500 profiles)

GitHub - Kicksecure/apparmor-profile-torbrowser: AppArmor profile for The Tor Browser Bundle (TBB) - https://www.whonix.org/wiki/AppArmor - for better security (hardening).

owner /**/*-browser/** mrwlkix,

This might be an issue?

Why *-browser? Why /**/?

The folder might be, for example:

  • /home/user/.tb/tor-browser
  • /home/user/.tb/i2p-browser
  • /home/user/.tb/mullvad-browser
  • /var/cache/tb-binary/.tb/tor-browser (Qubes)
  • /var/cache/tb-binary/.tb/i2p-browser (Qubes)
  • /var/cache/tb-binary/.tb/mullvad-browser (Qubes)

How to best do that? Maybe better to just hardcode these few possibilities instead? Or is there some kind of variable to express multiple folders?

** mrwlkix, is not very fine-tuned either, but anything else would be too much to maintain as long as the profile isn’t maintained by The Tor Project, which seems unlikely. The profile could then easily break on every update by Tor Browser’s internal updater.

Do you use aa-logprof at all? For me it was a huge time saver. This is kinda how I use it:
AppArmor chapter Fix Profiles in Kicksecure wiki

Without it, I might have deprecated some apparmor profiles by Kicksecure / Whonix already due to too time-consuming maintenance.

Problem with aa-logprof is that it removes comments. Can this be disabled (persist comments) or should there be no comments?

//cc @roddhjav

There are multiple issues here:

  • As you guessed, the profile attachment should not be /**/*-browser/** but closer to the actual path of the Tor Browser. This can be made easy if we use some additional variables. See for example firefox:

    @{name} = {tor,i2p,mullvad}-browser
    @{lib_dirs} = @{HOME}/.tb/@{name}
    @{config_dirs} = @{HOME}/.tb/
    @{cache_dirs} = @{user_cache_dirs}/tb/
    @{exec_path} = @{lib_dirs}/@{name}
    profile tor-browser @{exec_path} {
  • Yes, mrwlkix, should be a no-go in any AppArmor profile. As long as the TB does not update itself, you don’t need both w and mix in @{lib_dirs}. And mix should only be used in @{lib_dirs} or @{lib}/*, @{bin}/*.

Regarding maintenance time, as the TB is based on Firefox, both profiles should be quite similar. That should speed things up a lot. Furthermore, it can be simplified for Whonix (fewer DEs to support, no hardware…).

Do you use aa-logprof at all? For me it was a huge time saver.

No, it asks too many questions and the generated profiles are really hard to maintain. Instead, I made my own tool for this: aa-log (see Usage - AppArmor.d). aa-log -r converts (and formats) logs to AppArmor rules; I just have to paste them into the profile with minor changes.


In Qubes Disposables we are bind mounting /var/cache/tb-binary/.tb to /home/user/.tb.

mount --bind -o nosuid,nodev "/var/cache/tb-binary/.tb" "/home/user/.tb"

(This is to have faster Tor Browser startup times to avoid the need to copy the folder.
Implemented in /usr/libexec/tb-updater/dispvm.)

Also bind mounting /var/cache/tb-binary/.cache/tb to /home/$user_name/.cache/tb.
(Useful for running Tor Browser Updater by Whonix developers in Disposables. Not terribly useful since non-persistent, but good to avoid a strange bug, development, testing.)


Does /var/cache/tb-binary/.tb also need to be part of lib_dirs?

No, /var/cache/tb-binary/.tb does not need to be part of @{lib_dirs}. However, the full construction will have to be carefully tested anyway.


After a few tests, /var/cache/tb-binary/.tb is indeed not needed. See the torbrowser profile. It is heavily based on the firefox one.
