Whonix AppArmor Profiles Development Discussion

[quote=“troubadour, post:359, topic:108”]Update to the Tor Browser profile.
https://github.com/troubadoour/apparmor-profile-torbrowser/commit/fbc8cb93b45bb0d5378d575f979ddcdd44805cfa[/quote]
Merged.

Update to the Icedove profile.

Merged. :slight_smile:

Tried profiles from whonix wiki apparmor page and the github. Either way I get these messages when launching tor browser

apparmor="DENIED" operation="open" parent=1 profile="/home/*/tor-browser_*/Browser/firefox" name="/etc/resolv.conf.whonix" pid=8306 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" parent=1 profile="/home/*/tor-browser_*/Browser/firefox" name="/etc/resolv.conf.whonix" pid=8306 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" parent=1 profile="/home/*/tor-browser_*/Browser/firefox" name="/etc/hosts.whonix" pid=8306 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

[quote]Tried profiles from whonix wiki apparmor page and the github. Either way I get these messages when launching tor browser[/quote]

The wiki AppArmor pages were outdated. The profiles were changed too often to update the wiki at the same time as github. Now that they are “stabilized”, I have updated the wiki for Tor Browser, Icedove, Pidgin and XChat. (@Patrick, could you review and accept?). Will update the remaining profiles, and add Okular and Gwenview (when it’s ready).

Wherever you installed the Tor Browser profile from, you should not get the reported error. It suggests that apparmor-profile-anondist is not installed. Which version of Whonix are you using?

Not a workable approach updating the wiki probably. Soon Whonix 9 will be released and then those profiles can be installed from Whonix’s apt repository or from source.

Done.

[quote]Not a workable approach updating the wiki probably. Soon Whonix 9 will be released and then those profiles can be installed from Whonix's apt repository or from source.[/quote]

Yes. And apparmor-profile-anondist is not installed in Whonix 8.2. I did install it, but in Whonix 9, “/etc/resolv.conf.whonix” has been renamed “/etc/resolv.conf.anondist”, so the error messages are still popping.

I guess we could add a notice that using the profiles on Whonix 8 is not supported. Whonix 9 will be released very soon, so the effort for Whonix 8 maintenance would not be justified.

Ah yes I am using 8.2. Thank you both for the clarification.

Pushed a new profile for Gwenview. GitHub - troubadoour/apparmor-profile-gwenview

Had to update apparmor-profile-anondist too.

Thanks, both merged!

Added some minor fixes on top.

Getting a few gwenview related AppArmor denied messages.

Sep 18 22:14:21 host kernel: [85193.706919] type=1400 audit(1411078461.470:104): apparmor="DENIED" operation="open" parent=6412 profile="/usr/bin/gwenview" name="/usr/share/fontconfig/conf.avail/10-scale-bitmap-fonts.conf" pid=15918 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 18 22:14:21 host kernel: [85193.707173] type=1400 audit(1411078461.470:105): apparmor="DENIED" operation="open" parent=6412 profile="/usr/bin/gwenview" name="/usr/share/fontconfig/conf.avail/20-unhint-small-vera.conf" pid=15918 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 18 22:14:21 host kernel: [85193.707187] type=1400 audit(1411078461.470:106): apparmor="DENIED" operation="open" parent=6412 profile="/usr/bin/gwenview" name="/usr/share/fontconfig/conf.avail/30-metric-aliases.conf" pid=15918 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 18 22:14:21 host kernel: [85193.707199] type=1400 audit(1411078461.470:107): apparmor="DENIED" operation="open" parent=6412 profile="/usr/bin/gwenview" name="/usr/share/fontconfig/conf.avail/30-urw-aliases.conf" pid=15918 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 18 22:14:21 host kernel: [85193.707212] type=1400 audit(1411078461.470:108): apparmor="DENIED" operation="open" parent=6412 profile="/usr/bin/gwenview" name="/usr/share/fontconfig/conf.avail/40-nonlatin.conf" pid=15918 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 18 22:14:21 host kernel: [85193.707224] type=1400 audit(1411078461.470:109): apparmor="DENIED" operation="open" parent=6412 profile="/usr/bin/gwenview" name="/usr/share/fontconfig/conf.avail/45-latin.conf" pid=15918 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 18 22:14:21 host kernel: [85193.707236] type=1400 audit(1411078461.470:110): apparmor="DENIED" operation="open" parent=6412 profile="/usr/bin/gwenview" name="/usr/share/fontconfig/conf.avail/49-sansserif.conf" pid=15918 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 18 22:14:21 host kernel: [85193.707261] type=1400 audit(1411078461.470:111): apparmor="DENIED" operation="open" parent=6412 profile="/usr/bin/gwenview" name="/usr/share/fontconfig/conf.avail/50-user.conf" pid=15918 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 18 22:14:21 host kernel: [85193.707285] type=1400 audit(1411078461.470:112): apparmor="DENIED" operation="open" parent=6412 profile="/usr/bin/gwenview" name="/usr/share/fontconfig/conf.avail/51-local.conf" pid=15918 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 18 22:14:21 host kernel: [85193.707602] type=1400 audit(1411078461.470:113): apparmor="DENIED" operation="open" parent=6412 profile="/usr/bin/gwenview" name="/usr/share/fontconfig/conf.avail/60-latin.conf" pid=15918 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[quote]Getting a few gwenview related AppArmor denied messages.[/quote]

Profile is updated.

Merged. Please fetch and merge from origin. There is another one.

Now that Whonix 9 is out, these AppArmor wiki pages need to be updated. We just explain how to install the apparmor profiles from whonix apt repository?

[quote]Merged. Please fetch and merge from origin. There is another one.[/quote]

Done. Updated the profile with last error.
Set “Remove trailing spaces” in kate. :-[

Updated the wiki AppArmor pages for Whonix 9 (changed the headers size, too).

I have added a link to the package in github for each profile, removing the “experimental” line (not the “experimental” warning at the top of the page). I guess it’s OK.

Will update Dev/Build Documentation/security-misc - Whonix

Merged.

Is it still useful to have the profiles in the wiki?
Is it still useful to have separate wiki packages per profile?

By the way, they can also be installed all at once.

[quote]Is it still useful to have the profiles in the wiki? Is it still useful to have separate wiki packages per profile?[/quote]

No. That was some extra work for very little.

But before I rewrite the page, there is a warning that should be added, about usability. For the four packages that require working with user files, that is Tor Browser, Icedove, Okular and Gwenview, I will have to give read/write permission to the HOME directory (not its sub-directories) at the minimum for Tor Browser and Icedove (downloads and attachments), plus the ~/Documents, ~/Downloads and ~/Pictures directories, with full permissions, the last two being created willingly by the user.

I think we have to define a standard (this or anything else, like creating a dedicated folder during installation), and explicitly warn the user that it is the only constraint imposed by the use of AppArmor on those packages. If we do not, that might be a big source of complaint in the case we manage to recruit :wink: an increasing number of users (one can dream), or if we enforce the profiles during the installation of Whonix.

So the current profiles in the stable repository are not suitable for installation and need changes before mass recommendation?

Those folders /home/user/Downloads and so forth could be created by a postinst script in Whonix 10 if necessary.

How do the Debian profiles manage this?

I’d welcome your help on this one.

sudo apt-get install --reinstall tor
Reading package lists... Done
Building dependency tree       
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/1,408 kB of archives.
After this operation, 0 B of additional disk space will be used.
(Reading database ... 85725 files and directories currently installed.)
Preparing to replace tor 0.2.5.8-rc-1~d70.wheezy+1 (using .../tor_0.2.5.8-rc-1~d70.wheezy+1_i386.deb) ...
[ ok ] Stopping tor daemon...done.
Unpacking replacement tor ...
Processing triggers for man-db ...
Setting up tor (0.2.5.8-rc-1~d70.wheezy+1) ...
profile system_tor: has merged rule /usr/bin/obfsproxy with conflicting x modifiers
ERROR merging rules for profile system_tor, failed to load
[ ok ] Starting tor daemon...done.

Doesn’t only happen on --reinstall. Happens for users of Whonix-Gateway 9 that run a dist-upgrade. Then Tor fails to start for them.

So the general apparmor specific error here could be:
profile has merged rule with conflicting x modifiers

Any idea what could cause this in stuff we do with apparmor?

apparmor-profile-anondist (GitHub - Kicksecure/apparmor-profile-dist: AppArmor profile for Anonymity Linux Distributions - https://www.kicksecure.com/wiki/AppArmor - for better security (hardening).)?

anon-gw-anonymizer-config/system_tor.anondist at master · Whonix/anon-gw-anonymizer-config · GitHub?
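The "merged rule ... with conflicting x modifiers" error is what apparmor_parser reports when two rules for the same path end up in one profile with different exec modifiers (for example one rule says `Pix` and another, possibly pulled in through an include, says `ix`); rules that repeat a path with the same modifier merge fine. The checker below is an added example, not code from this thread or from Whonix, and the profile text it scans is constructed to reproduce that condition rather than being the real system_tor profile.

```python
import re
from collections import defaultdict

# Matches AppArmor file rules of the form "[owner] /path perms," one per line.
# Includes are not followed; paste the included rules inline before checking.
RULE_RE = re.compile(
    r'^\s*(?:owner\s+)?(?P<path>/\S+)\s+(?P<perms>[A-Za-z]+)\s*,\s*$'
)

# Letters that are not exec modifiers. Whatever is left of the permission
# string (e.g. "ix", "Px", "Cux", "PUx") is the exec mode that apparmor_parser
# compares when it merges two rules for the same path.
NON_EXEC = set("rwamlk")


def exec_mode(perms):
    """Return the exec modifier of a permission string, or None if it has no x."""
    mode = "".join(c for c in perms if c not in NON_EXEC)
    return mode if "x" in mode else None


def find_conflicting_x(profile_text):
    """Map each path that carries rules with differing exec modifiers to the
    sorted list of those modifiers; an empty dict means the profile merges."""
    modes = defaultdict(set)
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        mode = exec_mode(m.group("perms"))
        if mode is not None:
            modes[m.group("path")].add(mode)
    return {path: sorted(ms) for path, ms in modes.items() if len(ms) > 1}


# Constructed profile text (hypothetical, not the shipped system_tor profile):
# obfsproxy is granted "Pix" once and "ix" once, which is the conflict; tor is
# listed twice with a consistent "ix", which merges without complaint.
SAMPLE_PROFILE = """
/usr/bin/tor {
  /usr/bin/tor mr,
  /usr/bin/obfsproxy Pix,
  /usr/bin/tor ix,
  /usr/bin/obfsproxy ix,
  owner /var/lib/tor/** rwk,
}
"""

if __name__ == "__main__":
    for path, modes in find_conflicting_x(SAMPLE_PROFILE).items():
        print(f"conflicting x modifiers for {path}: {' vs '.join(modes)}")
```

Run it against the concatenation of the profile and every file it includes (including /etc/apparmor.d/local/ snippets) to see which path the parser is tripping over before `apparmor_parser` refuses to load it.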