Please feel free to add Whonix specific stuff to the bottom of apparmor-profile-anondist/etc/apparmor.d/abstractions/base.apparmor.
Minor glitch: I don’t like the displace extension “.apparmor”. “.anondist” would be nicer. I will ask on the config-package-dev list if this can be solved.
However, I tested the package. Seems fully functional.
My git training. Trying to package apparmor-profile-torbrowser after the latest updates, doing as follows:
git branch test
git checkout test
git status
git commit
./build
## I make the change to the profile here in etc/apparmor.d
git commit
./build
git checkout master
git merge --squash test
git status
git reset HEAD etc/apparmor.d/home.user.tor-browser_en-US.Browser.firefox
git add etc/apparmor.d/home.user.tor-browser_en-US.Browser.firefox
git status
git commit
git branch -D test
Now git status:
user@host:~/whonix-packages/apparmor-profile-torbrowser$ git status
# On branch master
# Your branch is ahead of 'origin/master' by 1 commit.
#
# Untracked files:
# (use "git add <file>..." to include in what will be committed)
#
# debian/apparmor-profile-torbrowser.debhelper.log
# debian/apparmor-profile-torbrowser.postinst.debhelper
# debian/apparmor-profile-torbrowser.postrm.debhelper
# debian/apparmor-profile-torbrowser.substvars
# debian/apparmor-profile-torbrowser/
# debian/files
nothing added to commit but untracked files present (use "git add" to track)
Updated the sdwdate profile. After the last commit and the first restart of sdwdate, some denied messages in the hundreds, complaining about /var/lib/apt/lists and /var/cache/apt/srcpkgcache.bin.
It’s strange you never had that. Are you using a separate Workstation VM for packaging?
[quote=“troubadour, post:183, topic:108”]Updated the sdwdate profile. After the last commit and the first restart of sdwdate, some denied messages in the hundreds, complaining about /var/lib/apt/lists and /var/cache/apt/srcpkgcache.bin.
It’s strange you never had that. Are you using a separate Workstation VM for packaging?[/quote]
I didn’t experience it. No.
About the accessed files, I am not surprised though. timesync_prerequisite [will be renamed in Whonix 9] checks 1) if Tor is enabled [Whonix-Gateway only], 2) that Tor is fully bootstrapped and 3) that there is currently no package manager running [by running sudo apt-get dist-upgrade --simulate].
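An added triage script, not part of this thread or of Whonix, for exactly the situation described above: hundreds of AppArmor DENIED lines from one confined daemon whose child (apt-get --simulate) inherited the profile. It aggregates the log into a few path/mask pairs and emits candidate read-only rules, flagging anything that asked for write. The audit lines, the profile name /usr/bin/sdwdate, the pids and the list file names are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of what the kernel log shows when a confined sdwdate runs
# apt-get --simulate and the child inherits the profile. The profile name
# /usr/bin/sdwdate, pids and list file names are made up for this example.
SAMPLE_DENIALS='audit: type=1400 audit(1399200000.101:20): apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/var/lib/apt/lists/ftp.debian.org_debian_dists_wheezy_Release" pid=2201 comm="apt-get" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1399200000.102:21): apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/var/lib/apt/lists/ftp.debian.org_debian_dists_wheezy_main_binary-amd64_Packages" pid=2201 comm="apt-get" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1399200000.103:22): apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/var/cache/apt/srcpkgcache.bin" pid=2201 comm="apt-get" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1399200000.104:23): apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/var/cache/apt/srcpkgcache.bin" pid=2201 comm="apt-get" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1399200000.105:24): apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/var/cache/apt/pkgcache.bin" pid=2201 comm="apt-get" requested_mask="rw" denied_mask="w" fsuid=0 ouid=0'

# field_of <key> <line>: the value of key="..." in one audit line.
field_of() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# denied_summary: stdin audit lines -> "profile|path|denied_mask|count".
# Files under /var/lib/apt/lists/ are collapsed to one glob, since their
# names change with every apt-get update and hundreds of them look alike.
denied_summary() {
    grep 'apparmor="DENIED"' | while IFS= read -r line; do
        profile=$(field_of profile "$line")
        path=$(field_of name "$line")
        mask=$(field_of denied_mask "$line")
        case "$path" in
            /var/lib/apt/lists/*) path='/var/lib/apt/lists/**' ;;
        esac
        printf '%s|%s|%s\n' "$profile" "$path" "$mask"
    done | sort | uniq -c | awk '{ print $2 "|" $1 }'
}

# suggest_rules: stdin audit lines -> candidate AppArmor file rules for review.
# Only read-only denials become rules; a time daemon has no reason to write
# into apt's cache, so anything requesting write is flagged instead.
suggest_rules() {
    denied_summary | while IFS='|' read -r profile path mask count; do
        case "$mask" in
            r) printf '  %s r,  # %s, %s denials\n' "$path" "$profile" "$count" ;;
            *) printf '  # REVIEW: %s wanted %s on %s (%s denials)\n' "$profile" "$mask" "$path" "$count" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_DENIALS" | suggest_rules
```

Feed it real lines with `dmesg | grep DENIED | suggest_rules`; the proposed rules are a starting point to read, not something to paste unreviewed.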
removed abstractions/whonix from the Tor browser profile
It works fine.
Just managed to build it after running .build-steps.d/1100_prepare-build-machine (it installs a LOT of extras). I’ll come back after making the changes, rebuild and package it.
At this point, would the installation of build-steps.d/1200_create-debian-packages make sense?
[quote]removed abstractions/whonix from the Tor browser profile
It works fine.[/quote]
That’s not exactly how config-package-dev works.
It renames abstractions/base to abstractions/base.apparmor-orig.
It creates abstractions/base.apparmor.
It symlinks abstractions/base.apparmor to abstractions/base.
But nevermind. config-package-dev will take care of this and automate this later.
Just managed to build it after running .build-steps.d/1100_prepare-build-machine (it installs a LOT of extras).
Yeah. It prepares the whole machine for creating full Whonix images. Not just the tiny apparmor profile package. Therefore lots of extras. Normally, debian packages do not come with a build machine preparation script. Normally you have to look into debian/control and install build dependencies manually.
At this point, would the installation of build-steps.d/1200_create-debian-packages make sense?
No. It would only create packages as described in Whonix/debian/control. Using the old whonix_shared, whonix_workstation, whonix_gateway folders and packages. The new apparmor profiles are one of the first profiles that have been split from the main source code. So it is not yet built by the 1200_create-debian-packages build step.
I dismantled the whonix_shared, whonix_workstation, whonix_gateway folders on my local hdd. And reorganized every function into separate packages (list: https://github.com/Whonix/Whonix/issues/40#issuecomment-42343657). And made most of them non-Whonix specific, so functionality can be re-used by other projects such as QubesOS TorVM, Debian, etc. I am not clear yet how to put together all the packages again to build Whonix. Either the build script (Whonix folder) will git clone all the packages and then build them (new job for 1200_create-debian-packages) or the split packages will become git submodules of the Whonix folder.
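An added simulation, not config-package-dev's own code, of the three displace steps Patrick lists above (rename abstractions/base to base.apparmor-orig, create base.apparmor, symlink base to it), plus the reverse step and an invariant check. It uses plain mv where config-package-dev really uses dpkg-divert, works only in a scratch directory, and assumes the displaced file is the original with distribution-specific rules appended; the extension name follows the thread.

```shell
#!/bin/sh
# Simulation of the displace layout described above, using plain mv where
# config-package-dev uses dpkg-divert. Runs only in a scratch directory.
DISPLACE_EXT=apparmor   # the thread's extension; ".anondist" is the planned one

# displace <file>: keep the distribution copy as <file>.<ext>-orig, create
# <file>.<ext> (here: the original plus a placeholder for anondist rules)
# and make <file> a relative symlink to it, so every profile that includes
# abstractions/base picks up the distribution-specific rules unchanged.
displace() {
    file=$1
    [ -f "$file" ] && [ ! -L "$file" ] || return 1   # refuse to displace twice
    mv "$file" "$file.$DISPLACE_EXT-orig"
    { cat "$file.$DISPLACE_EXT-orig"; printf '# anondist-specific rules go here\n'; } > "$file.$DISPLACE_EXT"
    ln -s "$(basename "$file").$DISPLACE_EXT" "$file"
}

# undisplace <file>: what package removal must do so the pristine file returns.
undisplace() {
    file=$1
    [ -L "$file" ] && [ -f "$file.$DISPLACE_EXT-orig" ] || return 1
    rm "$file" "$file.$DISPLACE_EXT"
    mv "$file.$DISPLACE_EXT-orig" "$file"
}

# check_layout <file>: 0 only if <file> is a symlink to <file>.<ext> and the
# pristine copy is still present; the invariant postinst should establish.
check_layout() {
    file=$1
    [ -L "$file" ] || return 1
    [ "$(readlink "$file")" = "$(basename "$file").$DISPLACE_EXT" ] || return 1
    [ -f "$file.$DISPLACE_EXT-orig" ]
}

# demo: round-trip on a throwaway abstractions/base; 0 if every invariant holds.
demo() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/abstractions"
    printf '  /etc/ld.so.cache mr,\n' > "$dir/abstractions/base"
    displace "$dir/abstractions/base" || return 1
    check_layout "$dir/abstractions/base" || return 1
    if displace "$dir/abstractions/base"; then return 1; fi   # must be refused
    grep -q 'ld.so.cache' "$dir/abstractions/base" || return 1  # reads through the link
    undisplace "$dir/abstractions/base" || return 1
    [ -f "$dir/abstractions/base" ] && [ ! -L "$dir/abstractions/base" ] || return 1
    rm -r "$dir"
}

demo && echo "displace layout verified"
```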
Yeah. It prepares the whole machine for creating full Whonix images. Not just the tiny apparmor profile package. Therefore lots of extras. Normally, debian packages do not come with a build machine preparation script. Normally you have to look into debian/control and install build dependencies manually.
So, since git and faketime were installed already, I just had to install config-package-dev? I should have read more literature on git.
So, since git and faketime were installed already, I just had to install config-package-dev?
I don't know. You need to install debhelper [maybe that was a dependency of config-package-dev already] as well as debuild. Maybe the whole build-essential.
I should have read more literature on git.
The build has more to do with debian packaging than git. Nevermind, git knowledge is good as well.
From https://github.com/Whonix/Whonix/issues/40#issuecomment-42343657, do you still want the AppArmor profiles as separate packages? If so, I could (try to) start packaging them locally from the apparmor-profile-torbrowser template.
Yes, that would be great. Just search the package for "torbrowser" and you know where to replace that string with "sdwdate" or else.
The build has more to do with debian packaging than git. Nevermind, git knowledge is good as well.
Yes, that's probably what I meant. Still a little confused in this maze, but it's getting clearer.
New extension will be ".anondist". I guess I will use that instead of ".whonix" for all generic packages.
".anondist" is better, as it is more generic.
By the way, I don’t know what the general feeling in the Tor community is towards Whonix. In a conversation on tor chat, a person who seems to have some influence there was saying: “The guy is selling snake oil” - that’s not a compliment - about Whonix claiming the user can safely install flash and use Iceweasel. Obviously, he had not checked, especially on Iceweasel, but the harm is done.
I guess best strategy would be asking for references. Please ask “where does Whonix claim user can safely install flash?”, “where Whonix does claim user can safely use iceweasel?” - When we get the references and may still edit the places, such as the wiki, we can make the confusing parts clearer.
You can also say "if you open iceweasel in Whonix 8, first thing you see is a warning sign and ‘Warning: Do not use this browser for anything other than downloading Tor Browser, unless you know what you are doing!’ which links to Tips on Remaining Anonymous". And post a link to Browser Plugins - Whonix which comes first with head lines such as “Warning not to use them” and “Avoiding browser plugins”.
I have added the Whonix specific rules to etc/apparmor.d/abstractions/base.anondist at https://github.com/troubadoour/apparmor-profile-anondist. Can you have a look? If it’s OK, I will push the updated apparmor-profile-torbrowser.
A quick question: how can I edit the “Squashed commit of the following:” on the etc line?
Then I should move the content of the local profiles in the main profiles. It would be a good thing, anyway, as those rules are not distribution specific. Originally, I put your testing stuff in the local profiles because it was not in my copy, but since, I have added packages of my own and had to allow a few files.
I have added the Whonix specific rules to etc/apparmor.d/abstractions/base.anondist at https://github.com/troubadoour/apparmor-profile-anondist.
Good.
Can you have a look? If it's OK, I will push the updated apparmor-profile-torbrowser.
Git looks okay. I will test the profile soon, but don't foresee any issues. Go ahead.
A quick question: how can I edit the "Squashed commit of the following:" on the etc line?
I suggest using a graphical editor for git commit messages. I for one am using kate. It’s good, because you can enable a spell checker. Add this to:
~/.gitconfig
[core]
editor = 'kate' -n
Feel free to use another editor of your choice. Then you can edit the whole commit message in a graphical editor and simply delete the squashed message.
Another topic… By the way, this is what I did to get your code.
[quote=“troubadour, post:194, topic:108”][quote author=Patrick link=topic=97.msg1857#msg1857 date=1399198789]
Debian is very picky. I am quite sure, they won’t allow shipping local profiles.
[/quote]
Then I should move the content of the local profiles in the main profiles. It would be a good thing, anyway, as those rules are not distribution specific. Originally, I put your testing stuff in the local profiles because it was not in my copy, but since, I have added packages of my own and had to allow a few files.[/quote]
Sounds good.
Trying to push apparmor-profile-torbrowser (no abstractions/whonix, no local profile). Repository not found.
Enter passphrase for key '/home/user/.ssh/id_rsa':
ERROR: Repository not found.
fatal: The remote end hung up unexpectedly
I have forked apparmor-profile-torbrowser and “troubadoour already exists”, as expected, when I run ‘git remote add’. The package is built normally.