I don't know how well this answers your question. You tell me.
Well enough. The original purpose of the testers repository was forgotten some time ago, it seems. But still, if it's not too much overwork, why not put the packages for the next release in the developers repository, and the ones that need upgrading between releases in the testers repository (from here, it looks easy :D)?
We could do this as a release goal for Whonix 11. Since we fully control these packages, this should be doable. If we test this well before release, there shouldn't be much need for AppArmor fixes then?
Yes. Actually, the package maintainer becomes the AppArmor profile maintainer, which makes sense. In Ubuntu, lots of profiles are included in the packages. https://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/files/head:/ubuntu/15.04/ (see the files with ~220 bytes size). Most of the daemons, but also bigger clients like Evince.
[code]
apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.sdwdate
[/code]
Looks like it does that all for us automatically? No manual reload required?
I was not meaning a manual reload. I guess dh-apparmor is taking care of that (still in wonder with the debhelper magic), so it's fine.
[quote]Well enough. The original purpose of the testers repository was forgotten some time ago, it seems. But still, if it's not too much overwork, why not put the packages for the next release in the developers repository, and the ones that need upgrading between releases in the testers repository (from here, it looks easy :D)?[/quote]
That works for some time, but at some point we need testers who test if upgrading to the next major version would work.
Hello, I have installed a fresh Whonix Gateway 9.6, updated the packages, enabled testers repository, installed apparmor profiles, updated whonix packages to the testers versions and I got an apparmor denied message for whonixcheck, "/usr/share/tor/tor-service-defaults-torrc.anondist"
Is this a known bug? It went away after I restarted the system
Got this on 10.0.0.5.0 using testers repository and "sudo apt-get install apparmor-profiles-whonix".
[code]
Setting up apparmor-profile-pidgin (3:1.0-1) ...
Warning from /etc/apparmor.d/usr.bin.pidgin (/etc/apparmor.d/usr.bin.pidgin line 92): profile /usr/bin/pidgin network rules not enforced
user@host:~$ sudo aa-enforce /etc/apparmor.d/usr.bin.pidgin
Setting /etc/apparmor.d/usr.bin.pidgin to enforce mode.
[/code]
Yes. When the profile is installed by apt-get, it's loaded in the kernel and it shows the "network rules" message. Subsequent aa-enforce or apparmor_parser -r (replace) do not reload the profile if it was not changed. To get back the warning, you can try "sudo service apparmor reload" (or modify the profile and replace it with apparmor_parser).
That does not explain the "network rules not enforced" message, but there is much more to it. After installing Pidgin, it does not start because of a litany of denied messages. It's not making any sense, so I replaced the profile from Debian/Ubuntu (commit b56f71a) with the original one from Whonix. It works.
I have no idea why this is happening. The Debian profile is working without issue in jessie. I think weâll use it again when Whonix is based on jessie.
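Two checks that the posts above keep coming back to are "which profile denied what" (the whonixcheck and Pidgin denials) and "in which mode is the profile actually loaded" (the aa-enforce / apparmor_parser -r exchange). The script below is an added example, not Whonix's, Debian's or AppArmor's own tooling: it parses AppArmor audit lines into profile/operation/path/mask tuples and looks up a profile's mode in the kernel's profile list. The sample log lines and the sample profile list are constructed for the example and are modelled on the denial reported in the thread; pids, timestamps and the complain-mode sdwdate entry are assumptions.

```shell
#!/bin/sh
# Added example (not project code): summarise AppArmor DENIED events and
# report the mode a profile is loaded in. POSIX sh, grep, sed and awk only.

# Constructed sample audit lines (as seen in dmesg / kern.log / audit.log).
# The whonixcheck line mirrors the denial reported in the thread; the pidgin
# line, pids and timestamps are assumptions for the example.
SAMPLE_LOG='
audit: type=1400 audit(1431000000.000:42): apparmor="DENIED" operation="open" profile="/usr/bin/whonixcheck" name="/usr/share/tor/tor-service-defaults-torrc.anondist" pid=1234 comm="whonixcheck" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1431000000.001:43): apparmor="DENIED" operation="exec" profile="/usr/bin/pidgin" name="/usr/bin/gconftool-2" pid=1235 comm="pidgin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1431000000.002:44): apparmor="STATUS" operation="profile_replace" name="/usr/bin/pidgin" pid=1236 comm="apparmor_parser"
'

# Constructed stand-in for /sys/kernel/security/apparmor/profiles, which
# lists one "<profile> (<mode>)" per line. The sdwdate complain entry is
# an assumption made up for the example.
SAMPLE_PROFILES='/usr/bin/pidgin (enforce)
/usr/bin/whonixcheck (enforce)
/usr/bin/sdwdate (complain)'

# Read audit lines on stdin; print "profile operation path denied_mask"
# for every DENIED event and drop STATUS/ALLOWED noise.
aa_denials() {
    grep 'apparmor="DENIED"' | sed -n \
        's/.*operation="\([^"]*\)".*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\2 \1 \3 \4/p'
}

# Number of DENIED events on stdin (0 if none).
aa_denial_count() {
    aa_denials | grep -c . || true
}

# Mode of profile $1 according to a profile list read on stdin
# (normally /sys/kernel/security/apparmor/profiles). Prints "enforce",
# "complain", or "not-loaded" if the kernel does not know the profile,
# which is the case that aa-enforce on an unchanged file does not reveal.
aa_profile_mode() {
    awk -v p="$1" '
        $1 == p { gsub(/[()]/, "", $2); print $2; found = 1 }
        END     { if (!found) print "not-loaded" }'
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | aa_denials
printf 'denied events: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | aa_denial_count)"
printf 'pidgin mode: %s\n' "$(printf '%s\n' "$SAMPLE_PROFILES" | aa_profile_mode /usr/bin/pidgin)"
```

On a real system feed it the kernel log and the kernel's profile list instead of the samples: `dmesg | aa_denials` (or `aa_denials < /var/log/kern.log`), and `aa_profile_mode /usr/bin/pidgin < /sys/kernel/security/apparmor/profiles`. The mode lookup reads what the kernel has loaded rather than what `/etc/apparmor.d` contains, so it distinguishes "file says enforce but profile never loaded" from a genuinely enforced profile.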
In T304#4499, @HulaHoop wrote:
You probably agree the same stance should be taken for other components like apparmor profiles whenever upstream incorporates theirs in Debian.
What follows is a summary of what troubadour and I agreed, as far as I remember. troubadour, please correct me if anything is wrong.
we don't install any apparmor profiles by default as of Whonix 10
we do not plan on installing apparmor profiles by default for packages that are not developed under the Whonix umbrella such as for Tor Browser, pidgin, xchat, etc. (list: Whonix · GitHub) - package upgrades by upstream that we don't control could make it impossible to start the application, lead to eventual fingerprinting issues, therefore installation of such apparmor profiles is manual for testers and advanced users
upstreaming such profiles is a very time consuming process, also a slow process (requires a new stable debian release), help welcome
for apparmor profiles developed under the Whonix umbrella such as sdwdate, whonixcheck, we plan in future, for Whonix 12 or so, on deprecating the separate apparmor profiles and installing those profiles by default, that is doable, because we control package upgrades
If this is correct, I would like to turn this into a blog post.
We no longer install the profiles from Debian (packages apparmor-profiles, apparmor-profiles-extra) since Whonix 9 (I believe) because of the noise they generate in this forum.
That was for wheezy based Whonix. Whonix 11 is based on jessie, and the issues are supposed to be fixed. Well, not completely. After installing the Debian profiles in Whonix 11.0.0.0.3, we still have some warnings (conflicting x modifiers). Have not looked into it yet. For information, reloading AppArmor in the host (jessie) pops some errors too.