I moved a thread into this forum:
https://www.whonix.org/forum/index.php/topic,668.0.html
Did you get a notification? (Take your time. I am just wondering if I should ping you or if you get notifications. I wouldn’t be surprised if the forum software “forgets” to dispatch notifications for moved threads.)
No notification, but I’m not subscribed to the forum. The best would be to ping me.
Maybe related, maybe not.
~ $ sudo apparmor_parser -r /etc/apparmor.d/home.\*.tor-browser_\*.Browser.firefox ; echo $?
0
sudo apparmor_parser -r /etc/apparmor.d/usr.lib.dovecot.*
Warning from /etc/apparmor.d/usr.lib.dovecot.deliver (/etc/apparmor.d/usr.lib.dovecot.deliver line 29): profile /usr/lib/dovecot/deliver network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.dovecot-auth (/etc/apparmor.d/usr.lib.dovecot.dovecot-auth line 23): profile /usr/lib/dovecot/dovecot-auth network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.imap (/etc/apparmor.d/usr.lib.dovecot.imap line 27): profile /usr/lib/dovecot/imap network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.imap-login (/etc/apparmor.d/usr.lib.dovecot.imap-login line 23): profile /usr/lib/dovecot/imap-login network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.managesieve-login (/etc/apparmor.d/usr.lib.dovecot.managesieve-login line 22): profile /usr/lib/dovecot/managesieve-login network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.pop3 (/etc/apparmor.d/usr.lib.dovecot.pop3 line 23): profile /usr/lib/dovecot/pop3 network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.pop3-login (/etc/apparmor.d/usr.lib.dovecot.pop3-login line 21): profile /usr/lib/dovecot/pop3-login network rules not enforced
~ $ echo $?
0
/etc/apparmor.d/usr.lib.dovecot.pop3-login line 21 is the last empty line, so I am wondering what it’s complaining about.
It’s not related. It looks like apparmor_parser goes to the end of the profile before declaring “network rules not enforced”. We should not worry about it; the profiles still work with this warning.
But now, a bit on the cause of the AppArmor issues with the Debian profiles. As far as I know, all the profiles from the apparmor-profiles package were/are written by the Ubuntu team. Besides the apparently growing divergences between the distributions, I believe that the core issue stems from the different versions of AppArmor they use:
- Debian wheezy: 2.7.103-4
- Debian jessie: 2.8.08
- Ubuntu 14.04: 2.8.95~2430-0ubunt
Some examples. The network rules warning is not shown in Ubuntu (tried with the same profiles). A profile might work in Ubuntu, not in Debian, the other way around, or fail in both. That has been the case for torbrowser-launcher recently. I have not followed the development of the situation.
We don’t have to fix all the upstream issues, but hopefully we didn’t introduce issues through conflicting x modifiers in apparmor-profile-anondist.
No, we didn’t. There is a conflicting x modifiers issue in the chromium-browser profile: “/usr/lib/chromium-browser/chromium-browser” is declared twice, once with the “ix” mask in the parent profile and once with the “Px” mask in a child profile.
@townsend
In Whonix Gateway and Workstation, run:
sudo aa-disable /etc/apparmor.d/usr.bin.chromium-browser
Reboot. The red “failed!” error should not show.
I’m wondering about the pertinence of installing the apparmor-profiles package in Whonix. On my side I cannot spot that sort of problem because I move the Debian profiles outside /etc/apparmor.d (in a subdirectory inside it, they can still mess up aa-genprof). For the moment, they are only a source of noise and annoyance, so I think we’d be better off concentrating on our own profiles. If we ever need one of them, we can easily fork it wherever it comes from.
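As an added example (not code from this thread, from Whonix or from the AppArmor project), here is a small Python lint for the kind of problem described above: it reads a profile and reports any path that is given two different exec modifiers, whether twice within one scope or, as in the chromium-browser case, once in the parent profile and once in a nested child profile. The profile texts below are constructed and only loosely modelled on that case; the function names are my own. It is a pre-check, not a replacement for the parser: apparmor_parser applies its own overlap rules (globs, rules pulled in through #include, exec transitions with a “-> target”), so a clean result here does not guarantee the profile loads, and `apparmor_parser -Q` (parse without loading into the kernel) remains the authoritative test. The “fixed” variant simply makes the two rules agree on “ix”; that is one possible resolution, and the right one depends on which confinement the re-executed binary is meant to get.

```python
"""Lint an AppArmor profile for paths given more than one exec ("x") modifier.

Added example, not code from the thread, Whonix or the AppArmor project.
Sample profiles below are constructed; function names are hypothetical.
"""
import re
from collections import defaultdict

# A file rule: optional qualifiers, a path (absolute, variable-prefixed or
# quoted), a permission string, trailing comma. Deliberately narrow: link,
# network and capability rules, "#include" lines and rules with an explicit
# "-> target" transition are ignored.
FILE_RULE = re.compile(
    r'^(?:(?:owner|audit|deny)\s+)*(/\S+|@\S+|"[^"]+")\s+([A-Za-z]+)\s*,$'
)
# Start of a profile or nested child profile: optional "profile" keyword,
# a name, optional flags=(...), then "{".
PROFILE_START = re.compile(r'^(?:profile\s+)?(\S+)\s*(?:flags=\([^)]*\)\s*)?\{$')
# Permission letters that describe how a file may be executed.
X_LETTERS = set("ixpPcCuU")


def exec_mode(perms):
    """Keep only the exec-related letters of a permission string ('mrwix' -> 'ix')."""
    return "".join(ch for ch in perms if ch in X_LETTERS)


def find_conflicting_x(profile_text):
    """Return [(path, [(scope, mode), ...]), ...] for every path that is given
    two different exec modes, in one scope or across parent and child."""
    scope_stack = []             # names of the enclosing profiles
    modes = defaultdict(list)    # path -> [(scope label, exec mode), ...]
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops comments and #include
        if not line:
            continue
        start = PROFILE_START.match(line)
        if start:
            scope_stack.append(start.group(1))
            continue
        if line == "}":
            scope_stack.pop()
            continue
        rule = FILE_RULE.match(line)
        if rule and scope_stack:
            mode = exec_mode(rule.group(2))
            if mode:             # plain r/w/m rules cannot conflict on x
                modes[rule.group(1).strip('"')].append(("::".join(scope_stack), mode))
    return [(path, entries) for path, entries in modes.items()
            if len({mode for _, mode in entries}) > 1]


# Constructed sample: parent says "ix", child profile says "Px" for the same binary.
SAMPLE_PROFILE = """\
#include <tunables/global>

/usr/lib/chromium-browser/chromium-browser flags=(complain) {
  #include <abstractions/base>
  /usr/lib/chromium-browser/chromium-browser ix,
  /usr/lib/chromium-browser/** r,

  profile sandbox {
    #include <abstractions/base>
    /usr/lib/chromium-browser/chromium-browser Px,
  }
}
"""

# Constructed: same profile with both rules agreeing on "ix".
FIXED_PROFILE = SAMPLE_PROFILE.replace("chromium-browser Px,", "chromium-browser ix,")

# Constructed: the classic single-scope conflict the parser rejects outright.
SAME_SCOPE_PROFILE = """\
/usr/bin/example {
  /usr/bin/helper Cx,
  /usr/bin/helper mrUx,   # same scope, different exec mode
}
"""

if __name__ == "__main__":
    for name, text in [("sample", SAMPLE_PROFILE), ("fixed", FIXED_PROFILE),
                       ("same-scope", SAME_SCOPE_PROFILE)]:
        for path, entries in find_conflicting_x(text):
            print(f"{name}: {path} has conflicting x modifiers:")
            for scope, mode in entries:
                print(f"    {mode:4} in {scope}")
```

Run it before `apparmor_parser -r` when touching a profile and its children; a hit means the parser, or confinement at runtime, will not do what the two rules separately suggest.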