Whonix AppArmor Profiles Development Discussion

[quote=“troubadour, post:280, topic:108”]Denied message in Tor Browser.
Pushed https://github.com/troubadoour/apparmor-profile-anondist/commit/7a8dc23b5c7c60cf51225942103a9a5832310d95[/quote]
Merged, thanks!

Trying to push the modified profiles for whonixcheck and timesync to Whonix (still got a problem with sdwdate).

$ git remote add troubadoour git@github.com:Whonix/apparmor-profile-timesync.git
$ git push origin master
Username for 'https://github.com': troubadoour
Password for 'https://troubadoour@github.com': 
error: The requested URL returned error: 403 while accessing https://github.com/Whonix/apparmor-profile-timesync.git/info/refs
fatal: HTTP request failed

If I try to push in troubadoour (I am not sure I can do that):

$ git push troubadoour master
Enter passphrase for key '/home/user/.ssh/id_rsa': 
ERROR: Permission to Whonix/apparmor-profile-timesync.git denied to troubadoour.
fatal: The remote end hung up unexpectedly

There was a mistake. You are getting confused by not using the conventional naming.

Let’s use
troubadoour git@github.com:troubadoour/apparmor-profile-timesync.git

and

origin git@github.com:Whonix/apparmor-profile-timesync.git
or
whonix git@github.com:Whonix/apparmor-profile-timesync.git

git remote add troubadoour git@github.com:Whonix/apparmor-profile-timesync.git

Should be.

git remote add troubadoour git@github.com:troubadoour/apparmor-profile-timesync.git

Please update and push your troubadoour first. If you wish, I can give you full write access to Whonix/* repositories. If you’re feeling ready for git.

intrigeri made some big changes. Might be interesting, maybe not:

Got a new denied message. Please fetch/merge latest git and fix.

Pushed updated profiles in
GitHub - troubadoour/apparmor-profile-whonixcheck and
GitHub - troubadoour/apparmor-profile-timesync

I cannot reproduce your last DENIED message, but normally, you should get a lot more. Can you please test with the new profiles?

Please update and push your troubadoour first. If you wish, I can give you full write access to Whonix/* repositories. If you're feeling ready for git.

For the time being, I think it’s better if I stay in my own repositories. Let’s play it safe :).

Pushed packaging · troubadoour/apparmor-profile-whonixcheck@4cda7ce · GitHub

/usr/lib/python2.7/hashlib.pyc has read/write permissions. It was the problem, most likely.

/usr/lib/python2.7/hashlib.pyc has read/write permissions.
Has write access? Do you mean needs write access?

You mean
write permission to /usr/lib/python2.7/ · troubadoour/apparmor-profile-whonixcheck@893a697 · GitHub - do you think whonixcheck having access to write to whole /usr/lib/python2.7/* is a good idea? I think this is a mistake. Files in that folder are owned by root. whonixcheck runs as user. I doubt write access is required or a good idea.

do you think whonixcheck having access to write to whole /usr/lib/python2.7/* is a good idea?

Definitely no. Pushed it in troubadoour without write access (the latest push is for the last modified date).

Not directly related to AppArmor, but…

When installing Icedove for the first time, clicking a link in a message tries to start Iceweasel, which is not allowed (rightly) if Icedove is confined by AppArmor.

To use Tor Browser instead,

Preferences -> Advanced -> Config Editor -> network.protocol-handler.warn-external.http and
Preferences -> Advanced -> Config Editor -> network.protocol-handler.warn-external.https

have to be set to “true”.

When a link is clicked, a popup asking for the preferred browser is shown, where one should select “/home/user/tor-browser_[your-language]/Browser/firefox”.

Should we mention it somewhere in the wiki?

intrigeri made some big changes. Might be interesting, maybe not: https://github.com/micahflee/torbrowser-launcher/pull/111

Some changes are interesting, some are more cosmetic. I have yet to test torbrowser-launcher and Tor Browser with AppArmor in the host.

Pushed a new profile for Okular: GitHub - troubadoour/apparmor-profile-okular

It requires access to /usr/share/anon-kde-streamiso, so I pushed a modified apparmor-profile-anondist.

[quote=“troubadour, post:292, topic:108”]Pushed a new profile for Okular: GitHub - troubadoour/apparmor-profile-okular

It requires access to /usr/share/anon-kde-streamiso, so I pushed a modified apparmor-profile-anondist.
https://github.com/troubadoour/apparmor-profile-anondist[/quote]
Both merged, thanks!

Got some denied messages.

Jul 28 23:38:03 host kernel: [ 3966.744318] type=1400 audit(1406590683.419:54): apparmor="DENIED" operation="open" parent=4453 profile="/usr/bin/okular" name="/usr/share/fontconfig/conf.avail/10-scale-bitmap-fonts.conf" pid=2639 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 28 23:38:03 host kernel: [ 3966.744592] type=1400 audit(1406590683.419:55): apparmor="DENIED" operation="open" parent=4453 profile="/usr/bin/okular" name="/usr/share/fontconfig/conf.avail/20-unhint-small-vera.conf" pid=2639 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 28 23:38:03 host kernel: [ 3966.744605] type=1400 audit(1406590683.419:56): apparmor="DENIED" operation="open" parent=4453 profile="/usr/bin/okular" name="/usr/share/fontconfig/conf.avail/30-metric-aliases.conf" pid=2639 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 28 23:38:03 host kernel: [ 3966.744624] type=1400 audit(1406590683.419:57): apparmor="DENIED" operation="open" parent=4453 profile="/usr/bin/okular" name="/usr/share/fontconfig/conf.avail/30-urw-aliases.conf" pid=2639 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 28 23:38:03 host kernel: [ 3966.744636] type=1400 audit(1406590683.419:58): apparmor="DENIED" operation="open" parent=4453 profile="/usr/bin/okular" name="/usr/share/fontconfig/conf.avail/40-nonlatin.conf" pid=2639 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 28 23:38:03 host kernel: [ 3966.744646] type=1400 audit(1406590683.419:59): apparmor="DENIED" operation="open" parent=4453 profile="/usr/bin/okular" name="/usr/share/fontconfig/conf.avail/45-latin.conf" pid=2639 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 28 23:38:03 host kernel: [ 3966.744657] type=1400 audit(1406590683.419:60): apparmor="DENIED" operation="open" parent=4453 profile="/usr/bin/okular" name="/usr/share/fontconfig/conf.avail/49-sansserif.conf" pid=2639 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 28 23:38:03 host kernel: [ 3966.744668] type=1400 audit(1406590683.419:61): apparmor="DENIED" operation="open" parent=4453 profile="/usr/bin/okular" name="/usr/share/fontconfig/conf.avail/50-user.conf" pid=2639 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 28 23:38:03 host kernel: [ 3966.744686] type=1400 audit(1406590683.419:62): apparmor="DENIED" operation="open" parent=4453 profile="/usr/bin/okular" name="/usr/share/fontconfig/conf.avail/51-local.conf" pid=2639 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 28 23:38:03 host kernel: [ 3966.745055] type=1400 audit(1406590683.419:63): apparmor="DENIED" operation="open" parent=4453 profile="/usr/bin/okular" name="/usr/share/fontconfig/conf.avail/60-latin.conf" pid=2639 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

[quote=“troubadour, post:290, topic:108”]When installing Icedove for the first time, clicking a link in a message tries to start Iceweasel, which is not allowed (rightly) if Icedove is confined by AppArmor.

To use Tor Browser instead,

Preferences -> Advanced -> Config Editor -> network.protocol-handler.warn-external.http and
Preferences -> Advanced -> Config Editor -> network.protocol-handler.warn-external.https

have to be set to “true”.

When a link is clicked, a popup asking for the preferred browser is shown, where one should select “/home/user/tor-browser_[your-language]/Browser/firefox”.

Should we mention it somewhere in the wiki?[/quote]
I am not sure I 100% understand, but please feel free to document this.

Pushed /usr/share/fontconfig/** r, · troubadoour/apparmor-profile-okular@d7e28c5 · GitHub

It would be nice to know which package is requiring this line.

Pushed a major revamp of the Tor Browser profile. It has been completely rewritten.

So far, it is tested OK in Debian testing (Xfce4), Debian wheezy 7.6 (KDE and Gnome) and Whonix, of course. I have started in Ubuntu 14.04, but that might take more time. The goal is to come as close as possible to a “universal” profile for the Debian based distributions. You’ll see that, so far, it is still compact and certainly not too lax.

When the whole range of tests is completed, I think I will ring a bell, at Micah Lee’s repositories, probably. Or whatever you suggest.

Merged.

Pushed a major revamp of the Tor Browser profile. It has been completely rewritten. https://github.com/troubadoour/apparmor-profile-torbrowser
Merged, thanks!

This line…

	/usr/share/applications/** rwk,

Write access seems too much?

This line…

	/var/cache/fontconfig/ rwk,

Possible without write access?

This line…

	@{HOME}/tor-browser_*/** rwk,

Do others do that the same way? I guess it is required for the future when TBB gets a self-updater.

Troubadour, can you please write a profile for this wishlist item before the Whonix 9 final release? How hard is it? I’d be willing to help test anything you provide.

adrelanos: Whonix-Gateway's Dev/CPFP (Automatically started as an /etc/init.d service. Used by Tor Browser. Avoids about:tor error message. Fixes Tor Browser's New Identity feature in Whonix. /usr/bin/controlportfilt and /usr/lib/whonix/cpf-tcpserver)
This line... [code] /usr/share/applications/** rwk, [/code] Write access seems too much?

This line…

	/var/cache/fontconfig/ rwk,

Possible without write access?

Yes, they are possible without write access. A habit when I see the ‘c’ mask denied (it does not exist in the documentation). Thanks.

This line... [code] @{HOME}/tor-browser_*/** rwk, [/code] Do others do that the same way? I guess it is required for the future when TBB gets a self-updater.

Not required as such for future updates, but certainly more robust in that regard. But with a fresh look at it (yours), I realize it is safer to allow write access only where it is required. One place is /Data/Tor/, where some .tmp files are created, but there is torrc there too. So I deny write access to it and allow the whole folder with ‘rwk’ (‘deny’ takes precedence over any other declaration).
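An added helper, not code from this thread or from the Whonix repositories, for turning DENIED lines like the okular ones quoted earlier into candidate profile rules. It groups denials per profile and directory, collapses several files in one directory into a dir/** rule (the /usr/share/fontconfig/** r, shape used here), and flags a suggested write to a root-owned path for review, as was raised for /usr/lib/python2.7/. It assumes the audit-only ‘c’ (create) and ‘d’ (delete) masks mentioned above are granted by ‘w’ in a file rule; the third log line is constructed to exercise that path.

```python
import re
import posixpath
from collections import defaultdict

# Constructed sample: two of the okular denials quoted in this thread plus one
# hypothetical create denial (not from the page) to exercise mask translation
# and the root-owned-path warning.
SAMPLE_LOG = """\
Jul 28 23:38:03 host kernel: [ 3966.744318] type=1400 audit(1406590683.419:54): apparmor="DENIED" operation="open" parent=4453 profile="/usr/bin/okular" name="/usr/share/fontconfig/conf.avail/10-scale-bitmap-fonts.conf" pid=2639 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 28 23:38:03 host kernel: [ 3966.744592] type=1400 audit(1406590683.419:55): apparmor="DENIED" operation="open" parent=4453 profile="/usr/bin/okular" name="/usr/share/fontconfig/conf.avail/20-unhint-small-vera.conf" pid=2639 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 28 23:40:00 host kernel: [ 4083.000000] type=1400 audit(1406590800.000:70): apparmor="DENIED" operation="mknod" parent=4453 profile="/usr/bin/okular" name="/usr/share/fontconfig/new.conf" pid=2639 comm="okular" requested_mask="c" denied_mask="c" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit-only masks: create and delete have no rule letter; 'w' grants them (assumption).
MASK_MAP = {"c": "w", "d": "w"}

def parse_denials(text):
    """Return one dict of key=value fields per apparmor="DENIED" line."""
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        events.append({k: q or u for k, q, u in FIELD.findall(line)})
    return events

def suggest_rules(events):
    """Collapse denials per (profile, directory) into candidate file rules.
    Returns (profile, rule, warn); warn is True when the rule would grant
    write to a root-owned path (ouid=0), which deserves a manual review."""
    by_dir = defaultdict(lambda: {"paths": set(), "mask": set(), "root": False})
    for ev in events:
        if "name" not in ev or "denied_mask" not in ev:
            continue
        entry = by_dir[(ev["profile"], posixpath.dirname(ev["name"]))]
        entry["paths"].add(ev["name"])
        entry["mask"].update(MASK_MAP.get(m, m) for m in ev["denied_mask"])
        entry["root"] = entry["root"] or ev.get("ouid") == "0"
    rules = []
    for (profile, dirname), entry in sorted(by_dir.items()):
        # several files in one directory -> dir/** ; a single file keeps its exact path
        target = dirname + "/**" if len(entry["paths"]) > 1 else min(entry["paths"])
        mask = "".join(m for m in "rwaxmkl" if m in entry["mask"])
        rules.append((profile, f"{target} {mask},", "w" in mask and entry["root"]))
    return rules

for profile, rule, warn in suggest_rules(parse_denials(SAMPLE_LOG)):
    print(f"{profile}: {rule}" + ("  # REVIEW: write to root-owned path" if warn else ""))
```

The suggested rules are a starting point only; each write rule still needs the kind of per-line review done in this thread before it goes into a profile.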

Does this work for (non-Whonix) TBB users as well who use bridges? I don't know if the tor-launcher add-on does modify torrc, but I would suppose so.

Even using bridges, are you supposed to modify torrc while Tor Browser is running?

torbrowser-launcher probably modifies torrc, I am just having a look. I will remove the line anyhow.

About torbrowser-launcher. It does not work in jessie (bug), but I tested it in wheezy. You probably know, but…

Regardless of the normal installation from torproject.org, it installs its own copy on the first run in ~/.torbrowser and checks for updates on each subsequent launch, updating if necessary and keeping the profile (bookmarks…). That’s nice, but the best is that everything is confined by AppArmor from the start, transparently. That is: torbrowser-launcher itself, /start-torbrowser, /Tor/tor and /Browser/firefox. Except for a restriction on downloads, I could not see any problem with it.

I know we have tb-starter and tb-updater, but is there any reason why we could not use torbrowser-launcher in Whonix?