It is true that I have to be careful with the files I deny in the profiles, but the ones you submitted are not in my version of the Workstation. In this regard, the question is: should I allow or deny them? It certainly does not open a security threat in the case of fontconfig or kate-2.desktop, so the answer is to allow them. But why are our versions different? I have to write the profiles for the majority of the users, and I assume that they have downloaded and are using the same Whonix 8 as mine.
I will review the profiles after your remarks. I think the first batch of denied files (/etc/resolv.conf, /etc/passwd…) was in the right line. For the rest, especially the DE-specific ones, it should be safe to allow everything. And sooner or later, I am sure there will be an alternative to KDE, be it Xfce or LXDE (I cannot imagine somebody in her right mind wanting to use Gnome3). I have built a terminal-only Workstation and installed Xfce4, but I must have missed a step, because I cannot run whonixcheck. More on that in the proper thread. As far as I know, Xfce uses some Gnome features, and I will have to add them in all the profiles so that they can be used regardless of the environment.
Browser fingerprinting. When I started with the TBB profile, I was allowing only the required files dealing with the fonts. I checked the fingerprint with ip-check.info once in a while during the process, confined and open. No difference.* Some new messages were flashing as I was testing, so I included <abstractions/fonts>. From a standardization point of view, it makes sense. And then, should I put the fontconfig line in <abstractions/fonts>, instead of leaving it as a lone reference to the fonts in the profile?
I have not rechecked the fingerprint since; I will do so.
* There are some parts of the test that are not displayed in ip-check.info, because it needs a plug-in (probably Flash).