Whonix AppArmor Profiles Development Discussion




A new message in icedove when importing a key.




I saw an interesting concept in Micah’s torbrowser-launcher apparmor profile, he restricts access of the script/process to the interpreter running it. It's a good thing to have for scripts that permit it IMHO.

# This script doesn't really need to read the interpreter that's running it.
deny /usr/bin/python{2,3}.[0-7]* r,



AppArmor used deny by default. White listing approach.


For https://github.com/Whonix/apparmor-profile-icedove

What do you think about adding the following?

Opening links seen in icedove using Tor Browser - https://phabricator.whonix.org/T113#5757.

Not sure it would be worth adding a tb-starter AppArmor profile for /usr/bin/torbrowser.

Not sure it would be worth adding a tb-starter AppArmor profile for /usr/bin/torbrowser.

I think it’s overkill too, but I had started on that a while ago , and the profiles are ready now.

If we want to use them, we would be consistent with what is done in torbrowser-launcher. I really don’t mind if we use rCUx for /usr/bin/torbrowser. It might not be “proper”:), but it could spare some maintenance.

For review:

Confines /usr/bin/torbrowser and open_link_confirmation.

Forked (and modified) from torbrowser-launcher.

Run /usr/bin/torbrowser under its profile.


rCUx seems fine to me. I understand it as “if there is a profile, it must be used, otherwise run without that profile”. Sounds fine to me. Sounds like lower maintenance. And the final decision is up to you.

Haven’t tested yet, but…

I think some stuff should be merged in other packages:

rCUx seems fine to me.
It looks fine when reloading the profile with apparmor_parser, but fails when using aa-enforce, on any profile. rUx works, though. https://github.com/troubadoour/apparmor-profile-icedove/commit/0eea00a0f4cf889c2a62307c6648253aceb72aa3

[quote=“Patrick, post:547, topic:108”]I think some stuff should be merged in other packages:

We can merge usr.bin.torbrowser in tb-starter.
For start-tor-browser, do you mean creating a new package apparmor-profile-torbrowser?
No, because apparmor-profile-torbrowser is an already existing package: https://github.com/Whonix/apparmor-profile-torbrowser

It could include the start-tor-browser profile.


Merged usr.bin.torbrowser in tb-starter.

Added start-tor-browser profile to apparmor-profile-torbrowser.

There is a cosmetic commit in apparmor-profile-icedove.

Note that in the icedove profile, torbrowser is run with Px, implying that the two other profiles must exist. Might be sensible to leave Ux permission until Whonix 12.

Which leads to the updating of the profiles in Whonix stable repository: https://www.whonix.org/forum/index.php/topic,1312.msg8932.html#msg8932

If a developer decides to change the structure of a program without warning (we have seen that a lot with TBB, a couple of times with Icedove), we should be able to reflect the profile modifications to the user [best case, it flashes some notifications, worst case, it breaks the program]. That would mean that any change in AppArmor should be passed right away to the stable repository. I do not realize how much work that would involve, but it could become necessary if more users install the profiles.


All merged.

refactoring, use AppArmor's 'alias' mechanism, ship /etc/apparmor.d/tunables/home.d/anondist instead of using /etc/apparmor.d/abstractions/base, so uwt does not break any third party AppArmor profiles

- No longer required to white list .anondist/.anondist-orig extensions, because /etc/apparmor.d/tunables/home.d/anondist covers that now.
- Additions for Whonix 12.
- Additions for Qubes-Whonix.
- Removed duplicates.
- Refactoring.

How dangerous is the gdbus?

various fixes for Whonix 12, multi platform (amd64 [Qubes]) and multi language support

I don’t know if

is too permissive. But it was the only thing that I could quickly get done to ensure Tor Browser 5.x compatibility.

fix, make sure the profile /etc/apparmor.d/home.*.tor-browser_*.Browser.start-tor-browser gets added to Debian maintainer scripts so it gets actually enabled


Out commenting https://github.com/Whonix/apparmor-profile-torbrowser/blob/2fa40df26d3f25d2c40bc6627fb2857378d40000/etc/apparmor.d/home..tor-browser_.Browser.start-tor-browser#L24-L32 was a mistake by me. Had this while trying. If I enable that part, I get a conflicting x modifies error. But as of now, it works. Anyhow. Please look into it when you get a chance.


Actually, before in the new location it wasn’t even working.

more fixes

Now using.

Then it really doesn’t matter anymore where one installs Tor Browser.


Actually, it doesn’t work at all. For example the following does not work as intended.


If the purpose is to be able to install TBB in any subdirectory under HOME, that should work, with some exceptions.

An example with torbrowser-launcher, which installs in /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/

Original profile:

/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox {
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/ r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/* r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/.** rwk,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/.** rwk,

Modified profile:

/home/**/tor-browser_*/Browser/firefox {
  owner @{HOME}/**/tor-browser_*/ r,
  owner @{HOME}/**/tor-browser_*/* r,
  owner @{HOME}/**/tor-browser_*/.** rwk,
  owner @{HOME}/**/tor-browser_*/Browser/.** rwk,

The exception to the above is when we try to execute a child profile. The line

fails with an “ERROR processing regexs for profile” from apparmor_parser.

This is valid only if TBB is installed in a subdirectory. If installed directly in HOME, like in Whonix today, "@{HOME}//tor-browser" does not work, because it translates to /home/user//tor-browser, I guess.

The Whonix profile works with:

/home/**/tor-browser_*/Browser/firefox {
   /home/**/tor-browser_*/ r,
   /home/**/tor-browser_*/* r, 
   /home/**/tor-browser_*/Browser/ r,
   /home/**/tor-browser_*/Browser/** rwk,

So at this stage, it seems that there is no universal solution. Will look further into it.
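As an added example (not code from this thread or from the Whonix profiles), a small Python lint for the two problems discussed above: a Px transition only works when a profile is actually attached to the executable it matches (the point about torbrowser being run with Px), and a rule glob such as /home/**/tor-browser_*/ can match an install location that the target profile's own attachment glob does not. The sample profile text, the executable list and the deliberately missing open_link_confirmation profile are constructed, and the glob translation is a simplified assumption about AppArmor's matching ('*' stops at '/', '**' crosses it, '{a,b}' alternates).

```python
import re
# AppArmor glob -> regex, simplified and assumed: '*' matches zero or more
# non-'/' characters, '**' also crosses '/', '{a,b}' is an alternation.
def glob_to_regex(glob):
    parts = re.split(r"(\*\*|[*{},])", glob)
    sub = {"**": ".*", "*": "[^/]*", "{": "(", "}": ")", ",": "|"}
    return re.compile("^" + "".join(sub.get(p, re.escape(p)) for p in parts) + "$")
HEADER = re.compile(r"^(?:profile\s+(\S+)\s+)?(/\S+)\s*(?:flags=\([^)]*\)\s*)?\{$")
RULE = re.compile(r"^(?:owner\s+)?(/\S+)\s+([A-Za-z]+),$")
def parse_profiles(text):
    # Top-level profiles as (name, attachment path, [(rule path, perms)]).
    profiles, depth = [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if depth == 0 and (m := HEADER.match(line)):
            profiles.append((m.group(1) or m.group(2), m.group(2), []))
        elif depth == 1 and profiles and (m := RULE.match(line)):
            profiles[-1][2].append(m.groups())
        depth += {"{": 1, "}": -1}.get(line[-1:], 0)  # nested blocks are skipped
    return profiles
def unresolved_px(text, executables):
    # Px-style rules (profile transition, no 'U' fallback) that match an
    # executable with no profile attached: AppArmor denies that exec at runtime.
    profiles, problems = parse_profiles(text), []
    attach = [glob_to_regex(p[1]) for p in profiles]
    for name, _, rules in profiles:
        for path, perms in rules:
            if "p" in perms.lower() and "u" not in perms.lower():
                rx = glob_to_regex(path)
                problems += [(name, path, exe) for exe in executables
                             if rx.match(exe) and not any(a.match(exe) for a in attach)]
    return problems

# Constructed sample modelled on the thread: icedove starts torbrowser with rPx,
# torbrowser starts start-tor-browser with rPx; open_link_confirmation has no profile.
SAMPLE_PROFILES = """\
/usr/bin/icedove {
  /usr/bin/torbrowser rPx,
  /usr/bin/open_link_confirmation rPx,
  /usr/bin/gdbus rCUx,
}
/usr/bin/torbrowser {
  owner /home/**/tor-browser_*/Browser/start-tor-browser rPx,
}
/home/*/tor-browser_*/Browser/start-tor-browser {
}
"""
# Constructed executable list; the last path is a TBB installed in a subdirectory.
SAMPLE_EXECUTABLES = ["/usr/bin/torbrowser", "/usr/bin/open_link_confirmation",
    "/usr/bin/gdbus", "/home/user/tor-browser_en-US/Browser/start-tor-browser",
    "/home/user/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/start-tor-browser"]
```

Running unresolved_px(SAMPLE_PROFILES, SAMPLE_EXECUTABLES) reports the open_link_confirmation exec from icedove and the subdirectory start-tor-browser exec from torbrowser, while the rCUx gdbus rule is skipped because it has a fallback.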


latest tails release
"Our AppArmor setup has been audited and improved in various ways which should harden the system. The network should now be properly disabled when MAC address spoofing fails."

maybe seeing their setup can help improve apparmor for whonix