
Whonix AppArmor Profiles Development Discussion


#561
amd64 / Qubes specific fixes
https://github.com/Whonix/apparmor-profile-sdwdate/commit/ea40754dffd0a2407a7bb67cae6c022fb8474f54

#562

Are the profiles already tested to work with Debian jessie [based Whonix 11]?

[hr]

jessie / amd64 / Qubes specific fixes
https://github.com/Whonix/apparmor-profile-gwenview/commit/9d2a5ec501fe6495590bbfe87a324dc283083897

But it’s still broken. Crashing on start.

Aug 24 16:56:19 localhost kernel: [12370.197193] audit: type=1400 audit(1440428179.747:273): apparmor="DENIED" operation="open" profile="/usr/bin/gwenview" name="/sys/devices/system/cpu/" pid=10275 comm="gwenview" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I thought the following should do.

@{PROC}/sys/devices/system/cpu/ r,
@{PROC}/sys/devices/system/cpu/** r,

But it doesn’t.

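To check a denial like the one above against candidate rules before reloading the profile, here is a small checker, added as an example and not code from the post or from the Whonix profile packages. It parses an AppArmor "DENIED" line into its fields and tests rules against it using a simplified model of AppArmor path rules: `@{VAR}` tunables, `*` (stops at `/`), `**` (spans `/`), `?` and `{a,b}` alternation. The tunable values are hard-coded assumptions matching the usual `/etc/apparmor.d/tunables` (`@{PROC}=/proc/`, `@{sys}=/sys/`, `@{HOME}=/home/*/`) so the script runs offline; on a real system the rule still has to be validated with apparmor_parser or aa-logprof. Run as a script, it shows that the `@{PROC}`-prefixed rules from the post expand to `/proc/sys/...` and so never match `/sys/devices/system/cpu/`, while the same paths under `@{sys}` do.

```python
"""Check AppArmor "DENIED" audit lines against candidate profile rules.

Added example, not Whonix profile code. It models only a subset of
AppArmor path-rule syntax: @{VAR} tunables, the '*', '**' and '?'
globs, and '{a,b}' alternation. Real profiles should still be checked
with apparmor_parser / aa-logprof on the target system.
"""
import re

# Assumed tunable values (the usual ones from /etc/apparmor.d/tunables,
# hard-coded here so the example runs offline).
TUNABLES = {
    "PROC": ["/proc/"],
    "sys": ["/sys/"],
    "HOME": ["/home/*/"],
}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_VAR = re.compile(r"@\{(\w+)\}")


def parse_denial(line):
    """Return the key=value fields of one AppArmor audit/dmesg line."""
    fields = {}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = bare if bare else quoted
    return fields


def expand_vars(pattern, tunables=TUNABLES):
    """Expand @{VAR} references; a multi-valued tunable yields several
    patterns. Doubled slashes are collapsed, as the parser does."""
    pending, done = [pattern], []
    while pending:
        p = pending.pop()
        m = _VAR.search(p)
        if m is None:
            done.append(re.sub(r"/+", "/", p))
            continue
        name = m.group(1)
        if name not in tunables:
            raise KeyError("undefined tunable @{%s}" % name)
        for value in tunables[name]:
            pending.append(p[:m.start()] + value + p[m.end():])
    return done


def glob_to_regex(pattern):
    """'**' may span '/', '*' and '?' may not, '{a,b}' is alternation."""
    out, depth, i = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def rule_matches(rule, path, mask):
    """rule is (path_glob, perms) as written on a profile line."""
    glob, perms = rule
    if not set(mask) <= set(perms):
        return False
    return any(re.match(glob_to_regex(p), path) for p in expand_vars(glob))


def find_covering_rule(rules, denial):
    """First rule that would have allowed the denied access, else None."""
    path, mask = denial["name"], denial["denied_mask"]
    for rule in rules:
        if rule_matches(rule, path, mask):
            return rule
    return None


# The denial quoted in the post (real log line from the thread).
DENIAL = ('Aug 24 16:56:19 localhost kernel: [12370.197193] audit: type=1400 '
          'audit(1440428179.747:273): apparmor="DENIED" operation="open" '
          'profile="/usr/bin/gwenview" name="/sys/devices/system/cpu/" '
          'pid=10275 comm="gwenview" requested_mask="r" denied_mask="r" '
          'fsuid=1000 ouid=0')

# The rules tried in the post: @{PROC} expands to /proc/, so they never
# cover anything under /sys.
PROC_RULES = [("@{PROC}/sys/devices/system/cpu/", "r"),
              ("@{PROC}/sys/devices/system/cpu/**", "r")]

# The same paths under the @{sys} tunable (/sys/).
SYS_RULES = [("@{sys}/devices/system/cpu/", "r"),
             ("@{sys}/devices/system/cpu/**", "r")]

if __name__ == "__main__":
    denial = parse_denial(DENIAL)
    print("denied:", denial["profile"], denial["name"], denial["denied_mask"])
    print("@{PROC} rules cover it:", find_covering_rule(PROC_RULES, denial))
    print("@{sys} rules cover it:  ", find_covering_rule(SYS_RULES, denial))
```

The mask check matters as much as the path: a rule that matches the path but grants only `r` still leaves a `w` or `m` denial in place, which is a common reason a freshly added rule "doesn't work".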

#563
Qubes specific fixes
https://github.com/Whonix/apparmor-profile-anondist/commit/73059be620f44b78150b7008b10c53cfc17c8f08
amd64 / jessie / Qubes specific fixes
https://github.com/Whonix/apparmor-profile-icedove/commit/629df0d656641cc60c14e807dd17ebf4db1a9495

Icedove now starts. But there is an issue.

An error occurred while loading or saving configuration information for icedove. Some of your configuration settings may not work properly.
No D-BUS daemon running

No D-BUS daemon running

No D-BUS daemon running

No D-BUS daemon running

I don’t know the consequences. And have no idea how to fix it, because there are no denied messages.


#564
jessie / Qubes specific fixes
https://github.com/Whonix/apparmor-profile-okular/commit/020299e5b80f3ddf5cda5310a5e28251a65a2547

okular can now open pdf files located in the ~/Downloads folder from command line. But trying to open a pdf from dolphin makes okular crash without any denied messages.


#565
jessie specific fixes
https://github.com/Whonix/apparmor-profile-pidgin/commit/576568518d148ac6d1acd600819fb24be1846363

#566
amd64 / Qubes / jessie specific fixes
https://github.com/Whonix/apparmor-profile-xchat/commit/b4189b82fdcc16a69d2114f6e30d2a5bc37bd4dd

#567
Are the profiles already tested to work with Debian jessie [based Whonix 11]?
The profiles are installed, but not all have been used, only torbrowser, icedove and the Whonix specific profiles

From the first test: okular (from Dolphin), gwenview and xchat pop some denied messages, but nothing fatal. Will fix that.

Now to be of any help, I should be able to test the profiles in Qubes. I have a second ssd with Whonix Gateway installed in Qubes R2 rc2. I have never managed to get R3 even close to start. Is it OK for testing if I install Whonix Workstation in R2 rc2? Might take some time…


#568

If profiles are working on non-Qubes-Whonix, that would probably also fix lots of denied messages.

Please merge my changes beforehand. That should fix some denied messages already. Except for the parts where my changes might have been nonsensical. :) I allowed stuff like reading all /usr/share/** because simply too many were requested. Nothing private should be inside there. So there is little risk of having a compromised application read that folder. (Perhaps would reveal more about other installed packages, but well.)

I see. Perhaps hardware issues. I spent more than two weeks on such stuff.

There is no Whonix 11 for R2. Also R2 will fade out sometime soon. So long term R3 would be good.


#569

Updated some profiles, fetched from Whonix master:

  • gwenview
  • xchat
  • whonixcheck, complaining about some .anondist / .anondist.orig files.
  • xchat
  • okular

The profile for okular was working off the shelf. Just narrowed the permissions in /usr/share, so that what’s left is surely harmless.


#570

Please try to avoid restoring the anondist / anondist-orig stuff. I tried to come up with a simpler, more generic, less maintenance mechanism:

Have you had the updated apparmor-profile-anondist profile installed? Then those anondist rules should be unnecessary?


#571

Installed apparmor-profile-anondist and it’s fine. Reverted the changes in whonixcheck profile.


#572

[quote=“troubadour, post:569, topic:108”]Updated some profiles, fetched from Whonix master:

  • gwenview
  • xchat
  • whonixcheck, complaining about some .anondist / .anondist.orig files.
  • xchat
  • okular

The profile for okular was working off the shelf. Just narrowed the permissions in /usr/share, so that what’s left is surely harmless.[/quote]
All merged.


#573

Changes:

[hr]

Wondering, in the whonixcheck profile, what’s the following good for?

Looks dangerous. Should be removed?


#574

Don't remember why it was there in the first place. Removed.


#575

Merged.

By the way, if I make minor changes not necessary to be rechecked in your opinion, there is no need to merge those quickly. Optional. As you prefer. Just if you would like to add stuff on top, please check beforehand if there are changes in the Whonix repository so we can prevent merge conflicts.

I am working on apparmor profiles at the moment so I can get the testers repository back in shape again.


#576

#577

Testers repository upgraded as per Whonix 12.0.0.0.6-developers-only.


#578

The torbrowser profile does not work with @{HOME}//. Changed to /home//. That is the solution so far if we want to allow TBB installation in a different folder than /home/user (but still under HOME).

Some changes (again) in TBB 5.0.2 when using the internal updater.


#579

Merged.

The home..tor-browser_.Browser.start-tor-browser profile was also loaded and works for you?


#580

Not yet. At least, it does not work when started from [tbbfolder]/start-tor-browser.desktop.

After the internal installation, Tor Browser Starter says “Tor Browser is currently not installed.”. Will reinstall from tb-updater and check.