Whonix AppArmor Profiles Development Discussion

amd64 / Qubes specific fixes
https://github.com/Whonix/apparmor-profile-sdwdate/commit/ea40754dffd0a2407a7bb67cae6c022fb8474f54

Are the profiles already tested to work with Debian jessie [based Whonix 11]?

[hr]

jessie / amd64 / Qubes specific fixes
https://github.com/Whonix/apparmor-profile-gwenview/commit/9d2a5ec501fe6495590bbfe87a324dc283083897

But it’s still broken. Crashing on start.

Aug 24 16:56:19 localhost kernel: [12370.197193] audit: type=1400 audit(1440428179.747:273): apparmor="DENIED" operation="open" profile="/usr/bin/gwenview" name="/sys/devices/system/cpu/" pid=10275 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I thought the following should do.

	@{PROC}/sys/devices/system/cpu/ r,
	@{PROC}/sys/devices/system/cpu/** r,

But it doesn’t.

Qubes specific fixes
https://github.com/Whonix/apparmor-profile-anondist/commit/73059be620f44b78150b7008b10c53cfc17c8f08
amd64 / jessie / Qubes specific fixes
https://github.com/Whonix/apparmor-profile-icedove/commit/629df0d656641cc60c14e807dd17ebf4db1a9495

Icedove now starts. But there is an issue.

An error occurred while loading or saving configuration information for icedove. Some of your configuration settings may not work properly.
No D-BUS daemon running

No D-BUS daemon running

No D-BUS daemon running

No D-BUS daemon running

I don’t know the consequences. And have no idea how to fix it, because there are no denied messages.

jessie / Qubes specific fixes
https://github.com/Whonix/apparmor-profile-okular/commit/020299e5b80f3ddf5cda5310a5e28251a65a2547

okular can now open pdf files located in the ~/Downloads folder from command line. But trying to open a pdf from dolphin makes okular crash without any denied messages.

jessie specific fixes
https://github.com/Whonix/apparmor-profile-pidgin/commit/576568518d148ac6d1acd600819fb24be1846363
amd64 / Qubes / jessie specific fixes
https://github.com/Whonix/apparmor-profile-xchat/commit/b4189b82fdcc16a69d2114f6e30d2a5bc37bd4dd
Are the profiles already tested to work with Debian jessie [based Whonix 11]?
The profiles are installed, but not all have been used, only torbrowser, icedove and the Whonix specific profiles

From the first test: okular (from Dolphin), gwenview and xchat pop some denied messages, but nothing fatal. Will fix that.

Now to be of any help, I should be able to test the profiles in Qubes. I have a second ssd with Whonix Gateway installed in Qubes R2 rc2. I have never managed to get R3 even close to start. Is it OK for testing if I install Whonix Workstation in R2 rc2? Might take some time…
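An added example to go with the gwenview denial earlier in this post (not code from the thread, from the Whonix profiles, or from AppArmor itself): a small Python script that pulls the DENIED audit lines out of syslog/dmesg text, proposes a rule for each, and checks whether a rule path would actually match the path that was denied. The relevant point is that @{PROC} is defined as /proc/ in AppArmor's tunables, so a rule written under @{PROC} can never cover the sysfs path /sys/devices/system/cpu/ named in the denial; that path has to be spelled out under /sys/ directly. The TUNABLES table, the extra log lines and the glob-to-regex translation are simplifications assumed for the demonstration (aa-logprof does the real job); only the first log line is the one quoted above.

```python
"""Parse AppArmor DENIED audit lines and propose profile rules.

Added example; the tunable table and the glob translation are simplified
approximations of what the AppArmor parser and aa-logprof actually do.
"""
import re

# Hypothetical subset of /etc/apparmor.d/tunables/*: tunable -> path prefix.
TUNABLES = {"@{PROC}": "/proc/", "@{HOME}": "/home/*/"}

# Constructed sample: line 1 is the gwenview denial quoted in the thread; the
# other three are made up to exercise the tunable mapping and the DENIED filter.
SAMPLE_LOG = """\
Aug 24 16:56:19 localhost kernel: [12370.197193] audit: type=1400 audit(1440428179.747:273): apparmor="DENIED" operation="open" profile="/usr/bin/gwenview" name="/sys/devices/system/cpu/" pid=10275 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 24 16:57:02 localhost kernel: [12413.001122] audit: type=1400 audit(1440428222.551:274): apparmor="DENIED" operation="open" profile="/usr/bin/gwenview" name="/proc/10275/status" pid=10275 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Aug 24 16:57:05 localhost kernel: [12416.330000] audit: type=1400 audit(1440428225.880:275): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/home/user/Downloads/test.pdf" pid=10301 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Aug 24 16:57:06 localhost kernel: [12417.100000] audit: type=1400 audit(1440428226.650:276): apparmor="ALLOWED" operation="open" profile="/usr/bin/okular" name="/etc/fonts/fonts.conf" pid=10301 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of an audit line as a dict (None if not AppArmor)."""
    if 'apparmor="' not in line:
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def denied_events(log_text):
    """All DENIED events in a block of syslog/dmesg text."""
    events = (parse_audit_line(l) for l in log_text.splitlines())
    return [e for e in events if e and e.get("apparmor") == "DENIED"]


def _glob_regex(pattern):
    # AppArmor globbing, approximated: '**' may cross '/', '*' may not.
    escaped = re.escape(pattern)
    return escaped.replace(r"\*\*", ".+").replace(r"\*", "[^/]+")


def abstract_path(path):
    """Rewrite a concrete path with the first tunable whose prefix matches it."""
    for name, prefix in TUNABLES.items():
        m = re.match(_glob_regex(prefix), path)
        if m:
            return name + "/" + path[m.end():]
    return path  # /sys/... stays literal: no tunable covers sysfs


def suggest_rule(event):
    """Candidate rule for one DENIED event, e.g. '/sys/devices/system/cpu/ r,'."""
    mask = event["denied_mask"].replace("c", "w")  # 'c' (create) is a write
    return f"{abstract_path(event['name'])} {mask},"


def rule_matches(rule_path, path):
    """Would a profile path (tunables and globs allowed) cover a concrete path?"""
    expanded = rule_path
    for name, prefix in TUNABLES.items():
        expanded = expanded.replace(name + "/", prefix)
    return re.fullmatch(_glob_regex(expanded), path) is not None


def review(log_text):
    """(profile, suggested rule) for every DENIED event, duplicates removed."""
    seen, out = set(), []
    for e in denied_events(log_text):
        item = (e["profile"], suggest_rule(e))
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


if __name__ == "__main__":
    for profile, rule in review(SAMPLE_LOG):
        print(f"{profile}: {rule}")
    attempt = "@{PROC}/sys/devices/system/cpu/"
    hit = rule_matches(attempt, "/sys/devices/system/cpu/")
    print(attempt, "matches" if hit else "does not match", "/sys/devices/system/cpu/")
```

Running it prints one candidate rule per denial and then reports that the @{PROC} attempt does not match the sysfs directory, which is the silent failure behind "But it doesn't": the rule loads fine, it just covers /proc/sys/... instead of /sys/....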

If profiles are working on non-Qubes-Whonix, that would probably also fix lots of denied messages.

Please merge my changes beforehand. That should fix some denied messages already. Except for the parts where my changes might have been nonsensical. :slight_smile: I allowed stuff like reading all /usr/share/** because simply too many were requested. Nothing private should be inside there. So there is little risk of having a compromised application read that folder. (Perhaps would reveal more about other installed packages, but well.)

I see. Perhaps hardware issues. I spent more than two weeks on such stuff.

There is no Whonix 11 for R2. Also R2 will fade out sometime soon. So long term R3 would be good.

Updated some profiles, fetched from Whonix master:

  • gwenview
  • xchat
  • whonixcheck, complaining about some .anondist / .anondist.orig files.
  • xchat
  • okular

The profile for okular was working off the shelf. Just narrowed the permissions in /usr/share, so that what’s left is surely harmless.

Please try to avoid restoring the anondist / anondist-orig stuff. I tried to come up with a simpler, more generic, less maintenance mechanism:

Have you had the updated apparmor-profile-anondist profile installed? Then those anondist rules should be unnecessary?

Installed apparmor-profile-anondist and it’s fine. Reverted the changes in whonixcheck profile.

[quote=“troubadour, post:569, topic:108”]Updated some profiles, fetched from Whonix master:

  • gwenview
  • xchat
  • whonixcheck, complaining about some .anondist / .anondist.orig files.
  • xchat
  • okular

The profile for okular was working off the shelf. Just narrowed the permissions in /usr/share, so that what’s left is surely harmless.[/quote]
All merged.

Changes:

[hr]

Wondering, in the whonixcheck profile, what’s the following good for?

	/etc/init.d/virtualbox-guest-utils rwix,

Looks dangerous. Should be removed?
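An added example of the kind of check behind "Looks dangerous" (not code from the thread or from the Whonix repositories): a small Python linter over profile text that flags a path granted both write and execute (the confined process could rewrite the file and then run it, and an init script is additionally run by the init system as root outside any profile), any unconfined exec mode, and writable wildcard rules. The profile excerpt is constructed for the demonstration and is not the real whonixcheck profile; the parser only understands simple one-line file rules, not include lines, child profiles or rule qualifiers beyond owner.

```python
"""Flag risky file rules in an AppArmor profile.

Added example; the excerpt below is constructed, not the real whonixcheck
profile, and the parser only understands one-line file rules.
"""
import re

# Constructed profile excerpt; only the init.d rule is taken from the thread.
SAMPLE_PROFILE = """\
# constructed excerpt, not the real profile
/usr/bin/whonixcheck {
  #include <abstractions/base>
  /etc/init.d/virtualbox-guest-utils rwix,
  /usr/share/** r,
  owner @{HOME}/.whonixcheck/** rw,
  /usr/bin/curl ixr,
  /bin/bash ix,
}
"""

# A path, then a permission string such as r, rw, ixr, rwix or Ux, then a comma.
RULE_RE = re.compile(
    r"^\s*(?:owner\s+)?(?P<path>[^\s,]+)\s+(?P<mode>[a-zA-Z]+)\s*,\s*$"
)


def parse_rule(line):
    """(path, mode) for a simple file rule, or None for anything else."""
    m = RULE_RE.match(line)
    return (m.group("path"), m.group("mode")) if m else None


def lint_profile(text):
    """Return (line_no, path, reason) for each questionable rule."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if not rule:
            continue
        path, mode = rule
        writable = "w" in mode or "a" in mode   # write or append
        executable = "x" in mode                # ix, px, cx, ux and variants
        if writable and executable:
            findings.append((n, path,
                             "write+exec: the confined process can rewrite this file and then run it"))
        if "ux" in mode.lower():
            findings.append((n, path,
                             "unconfined exec: the child escapes the profile entirely"))
        if writable and ("**" in path or path.endswith("/*")):
            findings.append((n, path,
                             "broad write glob: narrow it to the files the program really needs"))
    return findings


if __name__ == "__main__":
    for n, path, reason in lint_profile(SAMPLE_PROFILE):
        print(f"line {n}: {path}: {reason}")
```

On the constructed excerpt this reports the rwix rule and the writable @{HOME}/.whonixcheck/** glob; the read-only /usr/share/** rule is left alone, in line with the reasoning given earlier in the thread that broad read access there exposes little.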

Don’t remember why it was there in the first place. Removed.

Merged.

By the way, if I make minor changes not necessary to be rechecked in your opinion, there is no need to merge those quickly. Optional. As you prefer. Just if you would like to add stuff on top, please check beforehand if there are changes in the Whonix repository so we can prevent merge conflicts.

I am working on apparmor profiles at the moment so I can get the testers repository back in shape again.

Testers repository upgraded as per Whonix 12.0.0.0.6-developers-only.

The torbrowser profile does not work with @{HOME}//. Changed to /home//. That is the solution so far if we want to allow TBB installation in a different folder than /home/user (but still under HOME).

Some changes (again) in TBB 5.0.2 when using the internal updater.

Merged.

The home..tor-browser_.Browser.start-tor-browser profile was also loaded and works for you?

Not yet. At least, it does not work when started from [tbbfolder]/start-tor-browser.desktop.

After the internal installation, Tor Browser Starter says “Tor Browser is currently not installed.”. Will reinstall from tb-updater and check.