Merged.
A new message in icedove when importing a key.
Merged.
I saw an interesting concept in Micah's torbrowser-launcher apparmor profile: he restricts access of the script/process to the interpreter running it. It's a good thing to have for scripts that permit it IMHO.
# This script doesn't really need to read the interpreter that's running it.
deny /usr/bin/python{2,3}.[0-7]* r,
https://github.com/micahflee/torbrowser-launcher/blob/master/apparmor/usr.bin.torbrowser-launcher
AppArmor uses deny by default. Whitelisting approach.
What do you think about adding the following?
/usr/bin/torbrowser rCUx,
Context:
Opening links seen in icedove using Tor Browser - T113 Install Icedove (Thunderbird) + TorBirdy + Enigmail.
Not sure it would be worth adding a tb-starter AppArmor profile for /usr/bin/torbrowser.
I think it's overkill too, but I had started on that a while ago, and the profiles are ready now.
If we want to use them, we would be consistent with what is done in torbrowser-launcher. I really don't mind if we use rCUx for /usr/bin/torbrowser. It might not be 'proper' :), but it could spare some maintenance.
For review:
Confines /usr/bin/torbrowser and open_link_confirmation.
Forked (and modified) from torbrowser-launcher.
Run /usr/bin/torbrowser under its profile.
rCUx seems fine to me. I understand it as 'if there is a profile, it must be used, otherwise run without that profile'. Sounds fine to me. Sounds like lower maintenance. And the final decision is up to you.
Haven't tested yet, but...
I think some stuff should be merged in other packages:
- apparmor-profile-tb-starter/usr.bin.torbrowser at master · troubadoour/apparmor-profile-tb-starter · GitHub → tb-starter
- apparmor-profile-start-tor-browser/home.*.tor-browser_*.Browser.start-tor-browser at master · troubadoour/apparmor-profile-start-tor-browser · GitHub → apparmor-profile-torbrowser
[quote]rCUx seems fine to me.[/quote]
It looks fine when reloading the profile with apparmor_parser, but fails when using aa-enforce, on any profile. rUx works, though.
https://github.com/troubadoour/apparmor-profile-icedove/commit/0eea00a0f4cf889c2a62307c6648253aceb72aa3
[quote="Patrick, post:547, topic:108"]I think some stuff should be merged in other packages:
- apparmor-profile-tb-starter/etc/apparmor.d/usr.bin.torbrowser at master · troubadoour/apparmor-profile-tb-starter · GitHub → tb-starter
- apparmor-profile-start-tor-browser/etc/apparmor.d/home.*.tor-browser_*.Browser.start-tor-browser at master · troubadoour/apparmor-profile-start-tor-browser · GitHub → apparmor-profile-torbrowser[/quote]
We can merge usr.bin.torbrowser in tb-starter. For start-tor-browser, do you mean creating a new package apparmor-profile-torbrowser?
[quote]We can merge usr.bin.torbrowser in tb-starter.[/quote]
Yes.
[quote]For start-tor-browser, do you mean creating a new package apparmor-profile-torbrowser?[/quote]
No, because apparmor-profile-torbrowser is an already existing package: https://github.com/Whonix/apparmor-profile-torbrowser
It could include the start-tor-browser profile.
Merged usr.bin.torbrowser in tb-starter.
Added start-tor-browser profile to apparmor-profile-torbrowser.
There is a cosmetic commit in apparmor-profile-icedove.
Note that in the icedove profile, torbrowser is run with Px, implying that the two other profiles must exist. Might be sensible to leave Ux permission until Whonix 12.
Which leads to the updating of the profiles in Whonix stable repository: Whonix Forum
If a developer decides to change the structure of a program without warning (we have seen that a lot with TBB, a couple of times with Icedove), we should be able to reflect the profile modifications to the user [best case, it flashes some notifications, worst case, it breaks the program]. That would mean that any change in AppArmor should be passed right away to the stable repository. I do not realize how much work that would involve, but it could become necessary if more users install the profiles.
All merged.
refactoring, use AppArmor's 'alias' mechanism, ship /etc/apparmor.d/tunables/home.d/anondist instead of using /etc/apparmor.d/abstractions/base, so uwt does not break any third party AppArmor profiles
https://github.com/Whonix/apparmor-profile-anondist/commit/ad9af43077e907e5c68e8f2508392e1c74663d06
- No longer required to white list .anondist/.anondist-orig extensions, because /etc/apparmor.d/tunables/home.d/anondist covers that now.
- Additions for Whonix 12.
- Additions for Qubes-Whonix.
- Removed duplicates.
- Refactoring.
https://github.com/Whonix/apparmor-profile-whonixcheck/commit/059dbab3dda11a28297cc3c1fea860494af48be6
How dangerous is the gdbus?
/usr/bin/gdbus rix,
various fixes for Whonix 12, multi platform (amd64 [Qubes]) and multi language support
https://github.com/Whonix/apparmor-profile-torbrowser/commit/2fa40df26d3f25d2c40bc6627fb2857378d40000
I don't know if
+ /usr/lib/*-linux-gnu/** mrix,
is too permissive. But it was the only thing that I could quickly get done to ensure Tor Browser 5.x compatibility.
fix, make sure the profile /etc/apparmor.d/home.*.tor-browser_*.Browser.start-tor-browser gets added to Debian maintainer scripts so it gets actually enabled
https://github.com/Whonix/apparmor-profile-torbrowser/commit/bdd223b2ca8fbccb80d6889104540b7c55d04e02
Out commenting apparmor-profile-torbrowser/home.*.tor-browser_*.Browser.start-tor-browser at 2fa40df26d3f25d2c40bc6627fb2857378d40000 · Kicksecure/apparmor-profile-torbrowser · GitHub (https://github.com/Whonix/apparmor-profile-torbrowser/blob/2fa40df26d3f25d2c40bc6627fb2857378d40000/etc/apparmor.d/home.*.tor-browser_*.Browser.start-tor-browser#L24-L32) was a mistake by me. Had this while trying. If I enable that part, I get a conflicting x modifiers error. But as of now, it works. Anyhow. Please look into it when you get a chance.
Actually, before in the new location it wasn't even working.
more fixes
https://github.com/Whonix/apparmor-profile-torbrowser/commit/7deea174e12769bb8ead29ae572d67cdfd91e5f8
Now using.
/home/**/tor-browser_*/{Browser/,}start-tor-browser {
/home/**/tor-browser_*/Browser/firefox {
Then it really doesn't matter anymore where one installs Tor Browser.
Actually, it doesn't work at all. For example the following does not work as intended.
If the purpose is to be able to install TBB in any subdirectory under HOME, that should work, with some exceptions.
An example with torbrowser-launcher, which installs in /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/
Original profile:
/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox {
owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/ r,
owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/* r,
owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/.** rwk,
owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/.** rwk,
~
Modified profile:
/home/**/tor-browser_*/Browser/firefox {
owner @{HOME}/**/tor-browser_*/ r,
owner @{HOME}/**/tor-browser_*/* r,
owner @{HOME}/**/tor-browser_*/.** rwk,
owner @{HOME}/**/tor-browser_*/Browser/.** rwk,
~
The exception to the above is when we try to execute a child profile. The line
fails with an 'ERROR processing regexs for profile' from apparmor_parser.
This is valid only if TBB is installed in a subdirectory. If installed directly in HOME, like in Whonix today, "@{HOME}//tor-browser" does not work, because it translates to /home/user//tor-browser, I guess.
The Whonix profile works with:
/home/**/tor-browser_*/Browser/firefox {
/home/**/tor-browser_*/ r,
/home/**/tor-browser_*/* r,
/home/**/tor-browser_*/Browser/ r,
/home/**/tor-browser_*/Browser/** rwk,
~
So at this stage, it seems that there is no universal solution. Will look further into it.
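To check why /home/**/tor-browser_* covers both install locations while @{HOME}/**/tor-browser_* only covers a subdirectory install, here is an added example (not from this thread, and not apparmor_parser's own code) that models AppArmor path globbing in Python; the expansion of @{HOME} to /home/*/ is passed in by the caller, and matching one value per variable is an assumption of the model. It also accepts the {a,b} alternation and [0-7] class used in the torbrowser-launcher rules earlier in the thread.

```python
import re

# Added example, not from this thread or from apparmor_parser: a small model of
# AppArmor path globbing, enough to check the /home/** and @{HOME}/** rules
# discussed above. Assumed rules: '*' is a run of non-slash characters, '**' a
# run of any characters, '?' one non-slash character, {a,b} alternation, [..] a
# character class; repeated '/' collapse to one, and a '*' or '**' that opens a
# path component must match at least one character (so /foo/* never matches /foo/).

def aa_glob_to_regex(pattern: str) -> str:
    pat = re.sub(r"/+", "/", pattern)  # the parser collapses repeated slashes
    out, depth, i = [], 0, 0
    while i < len(pat):
        c = pat[i]
        at_start = i == 0 or pat[i - 1] == "/"
        if c == "*" and pat[i + 1:i + 2] == "*":
            out.append("[^/].*" if at_start else ".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/][^/]*" if at_start else "[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        elif c == "[":
            j = pat.index("]", i + 1)  # copy a character class verbatim
            out.append(pat[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)

def aa_match(rule_path: str, real_path: str, variables=None) -> bool:
    """True if the rule's path glob covers real_path. `variables` holds tunables
    to expand first, e.g. {"@{HOME}": "/home/*/"}; only one value per variable
    is modelled here, while the real parser expands the whole list."""
    for name, value in (variables or {}).items():
        rule_path = rule_path.replace(name, value)
    return re.fullmatch(aa_glob_to_regex(rule_path), real_path) is not None
```

With @{HOME} expanded, @{HOME}/**/tor-browser_*/ becomes /home/*/**/tor-browser_*/, whose ** has to eat a whole extra path component, which is why it misses a Tor Browser unpacked directly in the home directory.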
latest tails release
"Our AppArmor setup has been audited and improved in various ways which should harden the system. The network should now be properly disabled when MAC address spoofing fails."
maybe seeing their setup can help improve apparmor for whonix