Whonix AppArmor Profiles Development Discussion

I have built successfully the Icedove profile, replacing every reference to “torbrowser” with “icedove” in the package folder. ‘./build’ reaches normal completion, as well as ‘dpkg -i’, but the file is not installed in /etc/apparmor.d.

Running ‘grep torbrowser *’ and ‘grep icedove *’ in their respective folders shows one extra line in icedove:

apparmor-profile-icedove_0.1-1_i386.build:W: apparmor-profile-icedove: empty-binary-package

I don’t know if it’s relevant, but that’s all I could find. I checked that the file is not installed somewhere else.

[quote=“troubadour, post:221, topic:108”]I have built successfully the Icedove profile, replacing every reference to “torbrowser” with “icedove” in the package folder. ‘./build’ reaches normal completion, as well as ‘dpkg -i’, but the file is not installed in /etc/apparmor.d.

Running ‘grep torbrowser *’ and ‘grep icedove *’ in their respective folders shows one extra line in icedove:

apparmor-profile-icedove_0.1-1_i386.build:W: apparmor-profile-icedove: empty-binary-package

I don’t know if it’s relevant, but that’s all I could find. I checked that the file is not installed somewhere else.[/quote]
Please share what you got on github (new repository) and I’ll search & fix the bug.

Some problem with git.

I have built and installed apparmor-profile-icedove. When I first tried to push it, I had a problem with my public key, no longer in my ~/.ssh folder. Generated a new one and deleted and replaced the old one on github.

Now, I’m stuck with the following:

$ git remote add troubadour git@github.com:troubadour/apparmor-profile-torbrowser.git
fatal: remote troubadour already exists.

$ git remote rm troubadoour
error: Could not remove config section 'remote.troubadoour'

$ git push troubadoour master
fatal: 'troubadoour' does not appear to be a git repository
fatal: The remote end hung up unexpectedly

A sort of a vicious cycle…

I was experimenting with using multiple Tor Browsers, I believe it can really make traffic analysis harder if one of them continuously plays some music or video in background or other stuff.

Once the profile is ready this use case could benefit one’s anonymity with reasonable usability and security.

You could open up new browsers on same workstation which could have different settings like javascript on/off or custom plugins and different browsers would be hard to correlate to each other and benefit each other identity’s anonymity especially when online at the same time generating some traffic.

Just wanted to hear your opinions on this. I would gladly test the profile for this use case.

Other benefits, you could leave any tabs open and start fresh on a new browser.

New identity will only clear current browser.

Not sure about this, would new identity provide new circuits for other browsers/connections? (https://github.com/Whonix/Whonix/issues/102) That would be a good benefit

[quote=“troubadour, post:223, topic:108”]Now, I’m stuck with the following:

$ git remote add troubadour git@github.com:troubadour/apparmor-profile-torbrowser.git
fatal: remote troubadour already exists.

$ git remote rm troubadoour
error: Could not remove config section 'remote.troubadoour'

$ git push troubadoour master
fatal: 'troubadoour' does not appear to be a git repository
fatal: The remote end hung up unexpectedly

A sort of a vicious cycle…[/quote]

Please post your .git/config.

Here is an example of mine.

(cd into apparmor-profile-icedove folder first)

[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
[remote "origin"]
        url = git@github.com:Whonix/apparmor-profile-torbrowser.git
        fetch = +refs/heads/*:refs/remotes/origin/*
[remote "adre"]
        url = git@github.com:adrelanos/apparmor-profile-torbrowser.git
        fetch = +refs/heads/*:refs/remotes/adre/*
[remote "troubadoour"]
        url = https://github.com/troubadoour/apparmor-profile-torbrowser.git
        fetch = +refs/heads/*:refs/remotes/troubadoour/*

If I had a problem, I would manually delete the following section.

[remote "origin"]
        url = git@github.com:Whonix/apparmor-profile-torbrowser.git
        fetch = +refs/heads/*:refs/remotes/origin/*
[remote "adre"]
        url = git@github.com:adrelanos/apparmor-profile-torbrowser.git
        fetch = +refs/heads/*:refs/remotes/adre/*
[remote "troubadoour"]
        url = https://github.com/troubadoour/apparmor-profile-torbrowser.git
        fetch = +refs/heads/*:refs/remotes/troubadoour/*

(That is a working config by the way. If you replace “apparmor-profile-torbrowser” with “apparmor-profile-icedove” it should work as well.)

Did you perhaps run git as root before and are now trying to run git as user? Always run git as user. Not root. If that is the case, to fix it, run.

(cd into apparmor-profile-icedove folder first)

And if all cords break, since you haven’t pushed apparmor-profile-icedove to any git repository yet, a very easy solution to get rid of this, you have the luxury of being able to get rid of your whole git folder (in case you don’t care about git history, which you probably do not at this point). [Later on there will be no such luxury, because then it would break the repo for others.]

(cd into apparmor-profile-icedove folder first)

troubadour, can you look please into:

Looks like the apparmor profile shipped by torbrowser-launcher is using wildcards and can therefore support multiple languages, multiple folders and I guess therefore also multiple Tor Browser folders at the same time.

The profile is ready for testing. Looks like it doesn’t get any more ready than it currently is. Just needs more testing.

[quote]You could open up new browsers on same workstation which could have different settings like javascript on/off or custom plugins and different browsers would be hard to correlate to each other and benefit each other identity's anonymity especially when online at the same time generating some traffic.

Just wanted to hear your opinions on this.[/quote]


I guess tor-talk would be the best place to discuss this. It’s called padding. See also:

[quote]Not sure about this, would new identity provide new circuits for other browsers/connections? (https://github.com/Whonix/Whonix/issues/102) That would be a good benefit[/quote]

It wouldn't expire already and currently established connections. Only new ones. When sending newnym to Tor, all new(!) connections use new circuits. So for the browser, using the new identity feature is required so old states and connections are expired.

[quote]troubadour, can you look please into:
- https://github.com/micahflee/torbrowser-launcher/blob/master/apparmor/torbrowser.start-tor-browser
- https://github.com/micahflee/torbrowser-launcher/blob/master/apparmor/torbrowser.Browser.firefox

Looks like the apparmor profile shipped by torbrowser-launcher is using wildcards and can therefore support multiple languages, multiple folders and I guess therefore also multiple Tor Browser folders at the same time.[/quote]

I do not know if I did something wrong in my early tests or if the AppArmor team has added the feature (if so, I missed it), but it works and that’s good news. The profile is now called ‘home.user.tor-browser_*.Browser.firefox’. I will push it on github.

I have a tendency to get mixed up with the variations of my nickname (troubadour, troubadoour, trobador… I should have chosen something less common in the first place :frowning: ), but eventually, I managed to push the new TBB profile on github. GitHub - troubadoour/apparmor-profile-torbrowser: AppArmor profile for The Tor Browser Bundle (TBB) - https://www.whonix.org/wiki/AppArmor - for better security (hardening).

Got the new profile. Testing it.

My first nickname was a bad choice. It was “proper”. :slight_smile:

“proper” was really improper :). When I lose my temper, against git or myself for example, I’m thinking of changing mine to “buggrit”. It should not be too much in use.

Anyhow, I am trying to push apparmor-profile-icedove. The output:

$ git push troubadoour master
Warning: Permanently added the RSA host key for IP address '192.30.252.131' to the list of known hosts.
Enter passphrase for key '/home/user/.ssh/id_rsa': 
ERROR: Repository not found.
fatal: The remote end hung up unexpectedly

My .git/config

[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	fetch = +refs/heads/*:refs/remotes/origin/*
	url = https://github.com/troubadoour/apparmor-profile-torbrowser
[branch "master"]
	remote = origin
	merge = refs/heads/master
[remote "troubadoour"]
	url = git@github.com:troubadoour/apparmor-profile-icedove.git
	fetch = +refs/heads/*:refs/remotes/troubadoour/*

I have cloned GitHub - troubadoour/apparmor-profile-torbrowser: AppArmor profile for The Tor Browser Bundle (TBB) - https://www.whonix.org/wiki/AppArmor - for better security (hardening).. Should it be GitHub - troubadoour/apparmor-profile-torbrowser: AppArmor profile for The Tor Browser Bundle (TBB) - https://www.whonix.org/wiki/AppArmor - for better security (hardening). or do I have to create a new repository in github?

[quote]Should it be https://github.com/troubadoour/apparmor-profile-torbrowser.git[/quote]

No, I have tried with the same result.

[quote]or do I have to create a new repository in github?[/quote]

Yes. The profile is at GitHub - troubadoour/apparmor-profile-icedove. I’ll work on editing the comments for the files I have changed. For the moment, there is only my email.

Looks like you sorted out the git GitHub - troubadoour/apparmor-profile-icedove problem. Yes, you need to create a new repository using github website.

[hr]

It seems, once you have an ssh key that github knows about, using ssh or https for transport doesn’t matter a lot. I am testing a repository as example here, which I do not have access to.

Both, https

git clone https://github.com/piratelinux/Pirate-Linux.git

as well as ssh

git clone git@github.com:piratelinux/Pirate-Linux

seems to work.

So if you’re lazy, just copy and paste the https git clone link. For better security, manually create the ssh link and git clone that one. (ssh has lower probability to be mitm’ed than https.)

[hr]

As for editing comments, you can’t easily edit comments you already pushed to a remote repository. That would be altering git history. To push it, you would have to use --force. But then anyone trying to git fetch the repository would get confused. Since we’re just getting started, that would be okay. (For the Whonix/Whonix repository it wouldn’t be okay, since too many are using that already.)

Best thing you can do is writing proper comments when committing to the branch you actually want to push elsewhere. Since using terminal editors is inefficient for me, I am using a graphical editor.

This is my

~/.gitconfig

Has the following content.

[user]
        name = Patrick Schleizer
        email = adrelanos@riseup.net
        signingkey = 0x8D66066A2EEACCDA

[core]
        editor = 'kate' -n

Then you can use a graphical editor when committing (git commit). Without graphical editor = forget about useful comments, imho. At least that applies to me. If you’re an accustomed user of vim or something like that, okay, then use that one as git editor. You can also search for “change git editor” or something like that to configure your favorite editor.

I advise to view your comments after committing using “git log” (use up/down, left/right keys or “git log | cat”).

(And /home/user/misc/git-meld, if you want to use a graphical diff viewer, then “sudo apt-get install meld” and see: Redirecting…)

I see you retained git history for GitHub - troubadoour/apparmor-profile-icedove. Ha! Not bad. Now I see where the complication is coming from. I thought when creating a new apparmor-profile-xxx source folder (by copying an existing one as template) we just wipe the old apparmor-profile-xxx/.git folder and “git init”, “git add -A”, “git commit”, “git remote add …” a new repository. That would have been a bit simpler, because then you would not have had to remove old git remotes. Never mind. I am fine either way.

apparmor-profile-icedove installed. Seems to work.

I pushed some packaging related improvements to apparmor-profile-torbrowser. (Log web interface: Commits · Kicksecure/apparmor-profile-thunderbird · GitHub) Please get them.

(To check, see if you end up with a ./build file which looks exactly like the one shown on the web https://github.com/Whonix/apparmor-profile-icedove/blob/master/build.)
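
Added example, not part of any post in this thread: the two ways discussed above of turning a copied apparmor-profile-xxx folder into its own repository, run against a throwaway directory. Route 1 keeps the git history and cleans up the remotes inherited from the template (the situation behind the "remote troubadour already exists" / "Could not remove config section" errors); route 2 wipes .git and starts over. The function names and the demo layout are assumptions made for this example; nothing is fetched or pushed.

```shell
#!/bin/sh
# Constructed demo: repository names follow the thread; everything happens in a temp dir.
set -eu

# Remote names git actually has configured, one per line (compare the spelling here first).
list_remotes() { git -C "$1" remote; }

# Route 1 (history kept): drop remotes inherited from the template copy, then make
# sure remote $2 exists and points at URL $3. Prints the resulting URL.
fix_copied_repo() {
    repo=$1 name=$2 url=$3
    for r in $(list_remotes "$repo"); do
        [ "$r" = "$name" ] || git -C "$repo" remote remove "$r"
    done
    if list_remotes "$repo" | grep -qxF -- "$name"; then
        git -C "$repo" remote set-url "$name" "$url"
    else
        git -C "$repo" remote add "$name" "$url"
    fi
    git -C "$repo" remote get-url "$name"
}

# Route 2 (history discarded): wipe .git, re-init, commit everything, add one remote.
# Only acceptable before the repository has been pushed anywhere. Prints the URL.
fresh_repo() {
    dir=$1 name=$2 url=$3
    rm -rf "$dir/.git"
    git -C "$dir" init -q
    git -C "$dir" add -A
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q -m "Initial import"
    git -C "$dir" remote add "$name" "$url"
    git -C "$dir" remote get-url "$name"
}

demo() {
    tmp=$(mktemp -d)
    d="$tmp/apparmor-profile-icedove"
    mkdir "$d" && echo "placeholder" > "$d/README"
    git -C "$d" init -q
    # State as in the thread: template remotes plus a misspelled one ("troubadour").
    git -C "$d" remote add origin git@github.com:Whonix/apparmor-profile-torbrowser.git
    git -C "$d" remote add troubadour git@github.com:troubadour/apparmor-profile-torbrowser.git
    fix_copied_repo "$d" troubadoour git@github.com:troubadoour/apparmor-profile-icedove.git
    list_remotes "$d"
    rm -rf "$tmp"
}
demo
```
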

Pushed GitHub - troubadoour/apparmor-profile-xchat: AppArmor profile for XChat IRC https://www.whonix.org/wiki/AppArmor, without history this time.

Works fine!
Small fix, that was fun to make:

Collaborative development is really fun!

Pushed pidgin too, before reading your last post.

Let me do the fixes (tomorrow), that’s real fun!

Pushed GitHub - troubadoour/apparmor-profile-pidgin: AppArmor profile for Pidgin with OTR https://www.whonix.org/wiki/AppArmor with minor fixes.

Will push the three remaining whonix profiles and update the wiki.