
Whonix AppArmor Profiles Development Discussion


#541

Merged.


#542

A new message in icedove when importing a key.


#543

Merged.


#544

I saw an interesting concept in Micah’s torbrowser-launcher apparmor profile: he restricts access of the script/process to the interpreter running it. It's a good thing to have for scripts that permit it IMHO.

# This script doesn't really need to read the interpreter that's running it.
deny /usr/bin/python{2,3}.[0-7]* r,

https://github.com/micahflee/torbrowser-launcher/blob/master/apparmor/usr.bin.torbrowser-launcher


#545

AppArmor uses deny by default. Whitelisting approach.


For https://github.com/Whonix/apparmor-profile-icedove

What do you think about adding the following?

Context:
Opening links seen in icedove using Tor Browser - https://phabricator.whonix.org/T113#5757.

Not sure it would be worth adding a tb-starter AppArmor profile for /usr/bin/torbrowser.


#546
Not sure it would be worth adding a tb-starter AppArmor profile for /usr/bin/torbrowser.

I think it’s overkill too, but I had started on that a while ago, and the profiles are ready now.

If we want to use them, we would be consistent with what is done in torbrowser-launcher. I really don’t mind if we use rCUx for /usr/bin/torbrowser. It might not be “proper”:), but it could spare some maintenance.

For review:


Confines /usr/bin/torbrowser and open_link_confirmation.


Forked (and modified) from torbrowser-launcher.


Run /usr/bin/torbrowser under its profile.


#547

rCUx seems fine to me. I understand it as “if there is a profile, it must be used, otherwise run without that profile”. Sounds fine to me. Sounds like lower maintenance. And the final decision is up to you.

Haven’t tested yet, but…

I think some stuff should be merged in other packages:


#548
rCUx seems fine to me.
It looks fine when reloading the profile with apparmor_parser, but fails when using aa-enforce, on any profile. rUx works, though. https://github.com/troubadoour/apparmor-profile-icedove/commit/0eea00a0f4cf889c2a62307c6648253aceb72aa3

[quote=“Patrick, post:547, topic:108”]I think some stuff should be merged in other packages:


#549
We can merge usr.bin.torbrowser in tb-starter.
Yes.
For start-tor-browser, do you mean creating a new package apparmor-profile-torbrowser?
No, because apparmor-profile-torbrowser is an already existing package: https://github.com/Whonix/apparmor-profile-torbrowser

It could include the start-tor-browser profile.


#550

Merged usr.bin.torbrowser in tb-starter.

Added start-tor-browser profile to apparmor-profile-torbrowser.

There is a cosmetic commit in apparmor-profile-icedove.

Note that in the icedove profile, torbrowser is run with Px, implying that the two other profiles must exist. Might be sensible to leave Ux permission until Whonix 12.

Which leads to the updating of the profiles in Whonix stable repository: https://www.whonix.org/forum/index.php/topic,1312.msg8932.html#msg8932

If a developer decides to change the structure of a program without warning (we have seen that a lot with TBB, a couple of times with Icedove), we should be able to reflect the profile modifications to the user [best case, it flashes some notifications, worst case, it breaks the program]. That would mean that any change in AppArmor should be passed right away to the stable repository. I do not realize how much work that would involve, but it could become necessary if more users install the profiles.


#551

All merged.


#552
refactoring, use AppArmor's 'alias' mechanism, ship /etc/apparmor.d/tunables/home.d/anondist instead of using /etc/apparmor.d/abstractions/base, so uwt does not break any third party AppArmor profiles
https://github.com/Whonix/apparmor-profile-anondist/commit/ad9af43077e907e5c68e8f2508392e1c74663d06

#553
- No longer required to white list .anondist/.anondist-orig extensions, because /etc/apparmor.d/tunables/home.d/anondist covers that now.
- Additions for Whonix 12.
- Additions for Qubes-Whonix.
- Removed duplicates.
- Refactoring.
https://github.com/Whonix/apparmor-profile-whonixcheck/commit/059dbab3dda11a28297cc3c1fea860494af48be6

How dangerous is the gdbus?


#554
various fixes for Whonix 12, multi platform (amd64 [Qubes]) and multi language support
https://github.com/Whonix/apparmor-profile-torbrowser/commit/2fa40df26d3f25d2c40bc6627fb2857378d40000

I don’t know if

is too permissive. But it was the only thing that I could quickly get done to ensure Tor Browser 5.x compatibility.


#555
fix, make sure the profile /etc/apparmor.d/home.*.tor-browser_*.Browser.start-tor-browser gets added to Debian maintainer scripts so it gets actually enabled
https://github.com/Whonix/apparmor-profile-torbrowser/commit/bdd223b2ca8fbccb80d6889104540b7c55d04e02

#556

Commenting out https://github.com/Whonix/apparmor-profile-torbrowser/blob/2fa40df26d3f25d2c40bc6627fb2857378d40000/etc/apparmor.d/home.*.tor-browser_*.Browser.start-tor-browser#L24-L32 was a mistake by me. Had this while trying. If I enable that part, I get a conflicting x modifiers error. But as of now, it works. Anyhow. Please look into it when you get a chance.


#557

Actually, before in the new location it wasn’t even working.

more fixes
https://github.com/Whonix/apparmor-profile-torbrowser/commit/7deea174e12769bb8ead29ae572d67cdfd91e5f8

Now using.

Then it really doesn’t matter anymore where one installs Tor Browser.


#558

Actually, it doesn’t work at all. For example the following does not work as intended.


#559

If the purpose is to be able to install TBB in any subdirectory under HOME, that should work, with some exceptions.

An example with torbrowser-launcher, which installs in /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/

Original profile:

/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox {
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/ r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/* r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/.** rwk,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/.** rwk,
  # ...
}

Modified profile:

/home/**/tor-browser_*/Browser/firefox {
  owner @{HOME}/**/tor-browser_*/ r,
  owner @{HOME}/**/tor-browser_*/* r,
  owner @{HOME}/**/tor-browser_*/.** rwk,
  owner @{HOME}/**/tor-browser_*/Browser/.** rwk,
  # ...
}

The exception to the above is when we try to execute a child profile. The line

fails with an “ERROR processing regexs for profile” from apparmor_parser.

This is valid only if TBB is installed in a subdirectory. If installed directly in HOME, like in Whonix today, "@{HOME}/**/tor-browser" does not work, because it translates to /home/user//tor-browser, I guess.

The Whonix profile works with:

/home/**/tor-browser_*/Browser/firefox {
   /home/**/tor-browser_*/ r,
   /home/**/tor-browser_*/* r,
   /home/**/tor-browser_*/Browser/ r,
   /home/**/tor-browser_*/Browser/** rwk,
   # ...
}

So at this stage, it seems that there is no universal solution. Will look further into it.
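The globbing question in #559 (why `@{HOME}/**/tor-browser_*/` fails for an install directly in HOME while `/home/**/tor-browser_*/` covers both layouts) and the `deny` rule quoted in #544 can be checked with a small model of AppArmor rule evaluation. The Python below is an added example, not code from this thread, from torbrowser-launcher or from the Whonix profiles. It implements only the globbing and precedence rules documented in apparmor.d(5) (`*`, `**`, `?`, `{a,b}`, `[...]`, `deny` over allow, `owner`), treats `@{HOME}` as the single value `/home/user` (a simplification; the real tunables define it as a set of globs), and the two install paths and the `/usr/bin/python* r,` allow rule are constructed for the example. apparmor_parser compiles rules into a DFA and has special cases this model does not reproduce, so use it to reason about a pattern and then confirm against the real profile with apparmor_parser (as in #548) and the audit log.

```python
import re

# Added example: a simplified model of AppArmor file-rule evaluation based on
# the documented rules in apparmor.d(5). Not the real parser.
#   '*'  matches any run of characters except '/'
#   '**' matches any run of characters including '/'
#   '?'  matches one character other than '/'
#   '{a,b}' alternation, '[...]' character class, '@{VAR}' variable
#   'deny' rules take precedence over allow rules
#   'owner' rules apply only to files owned by the confined process's user

RULE_RE = re.compile(r"^(?:(owner)\s+)?(?:(deny)\s+)?(\S+)\s+([A-Za-z]+),$")


def expand_variables(pattern, variables):
    """Expand @{VAR} references such as @{HOME}."""
    def repl(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError("undefined AppArmor variable @{%s}" % name)
        return variables[name]
    return re.sub(r"@\{([A-Za-z0-9_]+)\}", repl, pattern)


def glob_to_regex(pattern):
    """Translate a variable-expanded AppArmor path glob into a regex."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*" and i + 1 < n and pattern[i + 1] == "*":
            out.append("[^\\x00]*")          # '**' may cross '/'
            i += 2
            continue
        if c == "*":
            out.append("[^/\\x00]*")         # '*' stays in one component
        elif c == "?":
            out.append("[^/\\x00]")
        elif c == "{":                       # {i686,x86_64} -> (?:i686|x86_64)
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(glob_to_regex(a) for a in alts) + ")")
            i = j
        elif c == "[":                       # character class, copied as-is
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def path_matches(pattern, path, variables=None):
    regex = glob_to_regex(expand_variables(pattern, variables or {}))
    return re.fullmatch(regex, path) is not None


def parse_rule(line, variables):
    """Parse '[owner] [deny] <path> <perms>,' into (owner, deny, regex, perms)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % line)
    owner, deny, path, perms = m.groups()
    regex = re.compile(glob_to_regex(expand_variables(path, variables)))
    return (owner is not None, deny is not None, regex, set(perms))


def access_allowed(rule_lines, path, perm, owned=True, variables=None):
    """Decide one access for a single permission character ('r', 'w', 'k').

    Rules not mentioning perm or not matching the path are skipped, 'owner'
    rules are skipped for files the caller does not own, and any matching
    deny rule wins over any number of matching allow rules."""
    allowed = False
    for owner_only, deny, regex, perms in (parse_rule(l, variables or {}) for l in rule_lines):
        if perm not in perms or regex.fullmatch(path) is None:
            continue
        if owner_only and not owned:
            continue
        if deny:
            return False
        allowed = True
    return allowed


VARS = {"HOME": "/home/user"}  # simplification: real tunables define @{HOME} as a set of globs

# #544: the quoted deny rule, plus a constructed allow rule of the kind an
# abstraction could contribute, to show that deny takes precedence.
PYTHON_RULES = ["/usr/bin/python* r,", "deny /usr/bin/python{2,3}.[0-7]* r,"]

# #559: first lines of the original, modified and Whonix profiles.
ORIGINAL_RULES = [
    "owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/ r,",
    "owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/* r,",
]
MODIFIED_RULES = ["owner @{HOME}/**/tor-browser_*/ r,", "owner @{HOME}/**/tor-browser_*/* r,"]
WHONIX_RULES = [
    "/home/**/tor-browser_*/ r,",
    "/home/**/tor-browser_*/* r,",
    "/home/**/tor-browser_*/Browser/** rwk,",
]

# Constructed install locations (not taken from a real system).
SUBDIR_INSTALL = "/home/user/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/"
HOME_INSTALL = "/home/user/tor-browser_en-US/"


def summary():
    """Evaluate the cases discussed in the thread; returns a dict of booleans."""
    return {
        "deny_beats_allow": access_allowed(PYTHON_RULES, "/usr/bin/python2.7", "r"),
        "unversioned_python_readable": access_allowed(PYTHON_RULES, "/usr/bin/python", "r"),
        "original_subdir": access_allowed(ORIGINAL_RULES, SUBDIR_INSTALL, "r", variables=VARS),
        "original_home": access_allowed(ORIGINAL_RULES, HOME_INSTALL, "r", variables=VARS),
        # '@{HOME}/**/' needs a '/' between @{HOME} and tor-browser_*, so a
        # direct-in-HOME install would have to be /home/user//tor-browser_*
        "modified_subdir": access_allowed(MODIFIED_RULES, SUBDIR_INSTALL, "r", variables=VARS),
        "modified_home": access_allowed(MODIFIED_RULES, HOME_INSTALL, "r", variables=VARS),
        "whonix_subdir": access_allowed(WHONIX_RULES, SUBDIR_INSTALL, "r"),
        "whonix_home": access_allowed(WHONIX_RULES, HOME_INSTALL, "r"),
        # without 'owner', /home/** also reaches another user's home
        "whonix_other_user": access_allowed(WHONIX_RULES, "/home/other/tor-browser_en-US/Browser/x", "w", owned=False),
        "modified_other_user": access_allowed(MODIFIED_RULES, SUBDIR_INSTALL, "r", owned=False, variables=VARS),
    }
```

Two things the evaluation makes visible: the modified `@{HOME}/**/...` rules only match when at least one directory sits between the home directory and `tor-browser_*`, which is exactly the "/home/user//tor-browser" case described above; and the Whonix variant reaches both layouts by anchoring at `/home/**` and dropping `owner`, which also makes those rules match files under any other user's home, so the confined process is then held back only by ordinary file-system permissions.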


#560

Latest Tails release:
"Our AppArmor setup has been audited and improved in various ways which should harden the system. The network should now be properly disabled when MAC address spoofing fails."

maybe seeing their setup can help improve apparmor for whonix