torbrowser profile: back to @{HOME}/**/. after the removal of some deny statements. See the comments in the commit.
Merged.
Is this an inconsistency or on purpose?
Inconsistency. Fixed.
Some problems in start-tor-browser, which requires an absolute path for executing a child profile (Browser/firefox Px,). Workaround by declaring a variable @{TBB} at the beginning of the profiles.
For consistency, added owner keyword in torbrowser profile.
Merged.
Added some refactoring on top. Namely moved the other home related rules upwards so they're below the first home related rules, to make further inconsistencies in future more unlikely.
With AA enabled, it's possible for me to read any files from desktop, documents etc...
Is this expected?
[quote="8uwu, post:585, topic:108"]With AA enabled, it's possible for me to read any files from desktop, documents etc...
Is this expected?[/quote]
Does Whonix Forum help?
It should help.
But "read any files from desktop, documents etc..." is only partly expected. The documents directory should be denied. The only allowed directories under HOME should be Desktop and Downloads.
Note that the default downloads directory in Tor Browser is "[Tor Browser folder]/Browser/Downloads".
Got an external pull request:
Some updates in apparmor-profile-icedove after Reviewed and adopted for "normal" Debian Jessie installation. by ypid · Pull Request #1 · Kicksecure/apparmor-profile-thunderbird · GitHub
Merged. Luckily was mergeable. Please fetch/merge from origin before making changes.
added missing packaging of apparmor profile:
Could you please port https://github.com/Whonix/tb-starter/blob/master/etc/apparmor.d/usr.bin.torbrowser to the new "@{TBB} = @{HOME}*" style, i.e. supporting the new folder(s)? Currently getting two denied messages.
Sep 18 22:27:17 localhost kernel: [343239.382352] audit: type=1400 audit(1442608037.089:152): apparmor="DENIED" operation="exec" profile="/usr/bin/torbrowser" name="/home/user/.tb/tor-browser_en-US/start-tor-browser.desktop" pid=30474 comm="torbrowser" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
Sep 18 22:27:17 localhost kernel: [343239.382623] audit: type=1400 audit(1442608037.089:153): apparmor="DENIED" operation="open" profile="/usr/bin/torbrowser" name="/home/user/.tb/tor-browser_en-US/start-tor-browser.desktop" pid=30474 comm="torbrowser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[quote="Patrick, post:592, topic:108"]Could you please port https://github.com/Whonix/tb-starter/blob/master/etc/apparmor.d/usr.bin.torbrowser to the new "@{TBB} = @{HOME}*" style, i.e. supporting the new folder(s)? Currently getting two denied messages.
Sep 18 22:27:17 localhost kernel: [343239.382352] audit: type=1400 audit(1442608037.089:152): apparmor="DENIED" operation="exec" profile="/usr/bin/torbrowser" name="/home/user/.tb/tor-browser_en-US/start-tor-browser.desktop" pid=30474 comm="torbrowser" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
Sep 18 22:27:17 localhost kernel: [343239.382623] audit: type=1400 audit(1442608037.089:153): apparmor="DENIED" operation="open" profile="/usr/bin/torbrowser" name="/home/user/.tb/tor-browser_en-US/start-tor-browser.desktop" pid=30474 comm="torbrowser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[/quote]
Same thing here, I am currently testing.
The latest apparmor profile commits are working well, however apparmor shows:
denied for
/rw/usrlocal/share/applications/meminfo.cache
and
/rw/userlocal/share/applications
Hope this helps!! I will post temporary workaround instructions on the thread I linked in my previous post. Thank you everyone for all the hard work.
In Qubes /usr/local is a symlink to /rw/usrlocal/. Due to apparmor-profile-dist/qubes-whonix-anondist at master · Kicksecure/apparmor-profile-dist · GitHub shipping
alias /usr/local -> /rw/usrlocal/,
we don't have to care about this a lot. Only note, if a user posts a denied message
/rw/usrlocal/share/applications/meminfo.cache
then the one added to the AppArmor profile should be
/usr/local/share/applications/meminfo.cache
so it will work for non-Qubes users as well.
apparmor-woes, can you please try adding
/usr/local/share/applications/meminfo.cache r,
to the profile and report if that fixes the denied message?
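One way to go from a posted DENIED line to the rule that belongs in the profile, applying the Qubes alias described above, and to check whether a candidate rule actually covers a logged denial before adding it. This is an added example, not code from Whonix or the apparmor-profile-torbrowser package; the sample audit line is constructed after the ones posted in this thread, and the alias table and the glob subset handled (`*`, `**`, `[...]`, no `@{}` variables) are assumptions.

```python
import re

# Qubes ships "alias /usr/local -> /rw/usrlocal/," (see the post above), so a
# denial logged under /rw/usrlocal must be written as /usr/local in the profile.
# Assumption: this is the only alias in effect.
ALIASES = {"/rw/usrlocal": "/usr/local"}

DENIED_RE = re.compile(
    r'apparmor="DENIED" operation="(?P<op>\w+)" profile="(?P<profile>[^"]+)" '
    r'name="(?P<name>[^"]+)".*?requested_mask="(?P<mask>[^"]+)"')

# Constructed sample line, patterned on the audit lines posted in this thread.
SAMPLE_LINE = ('audit: type=1400 audit(1442672329.843:7): apparmor="DENIED" '
               'operation="open" profile="/home/**/tor-browser_*/Browser/firefox" '
               'name="/rw/usrlocal/share/applications/mimeinfo.cache" pid=7026 '
               'comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')

def parse_denial(line):
    """Return the fields of one DENIED audit line, or None if it is not one."""
    m = DENIED_RE.search(line)
    return m.groupdict() if m else None

def canonical_path(path):
    """Rewrite an aliased mount path back to the path the profile must name."""
    for alias_target, profile_path in ALIASES.items():
        if path == alias_target or path.startswith(alias_target + "/"):
            return profile_path + path[len(alias_target):]
    return path

def suggest_rule(line):
    """Turn a DENIED line into the minimal rule that would satisfy it."""
    d = parse_denial(line)
    return None if d is None else f"{canonical_path(d['name'])} {d['mask']},"

def _glob_to_regex(pattern):
    """AppArmor globbing: '*' stops at '/', '**' crosses directories."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "[":                 # character class, copied as-is
            j = pattern.index("]", i)
            out, i = out + pattern[i:j + 1], j + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def rule_covers(rule, line):
    """True if a 'path perms,' rule matches the denied path (after alias
    rewriting) and grants every permission the DENIED line requested."""
    d = parse_denial(line)
    if rule.startswith("owner "):
        rule = rule[len("owner "):]
    path, perms = rule.rstrip(",").rsplit(None, 1)
    return (d is not None
            and _glob_to_regex(path).match(canonical_path(d["name"])) is not None
            and set(d["mask"]) <= set(perms))
```

Running `rule_covers` on a candidate rule before adding it catches the case where the file name in the rule differs from the logged one by a single letter, which matches nothing and leaves the denial in place.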
I have added the line above, Patrick. I am still getting AppArmor errors. I would be more than happy to test any suggestions. I am not too familiar with AppArmor but am happy to donate my time! Please let me know.
Here are the logs:
audit: type=1400 audit(1442672258.219:2): apparmor="STATUS" operation="profile_load" name="/home/**/tor-browser_*/Browser/firefox" pid=330 comm="apparmor_parser"
audit: type=1400 audit(1442672258.650:3): apparmor="STATUS" operation="profile_replace" name="/home/**/tor-browser_*/Browser/firefox" pid=330 comm="apparmor_parser"
audit: type=1400 audit(1442672258.661:4): apparmor="STATUS" operation="profile_load" name="/usr/bin/pidgin" pid=330 comm="apparmor_parser"
audit: type=1400 audit(1442672258.664:5): apparmor="STATUS" operation="profile_load" name="/usr/lib/virtualbox/VirtualBox" pid=330 comm="apparmor_parser"
audit: type=1400 audit(1442672329.843:6): apparmor="DENIED" operation="open" profile="/home/**/tor-browser_*/Browser/firefox" name="/rw/usrlocal/share/applications/" pid=7026 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1442672329.843:7): apparmor="DENIED" operation="open" profile="/home/**/tor-browser_*/Browser/firefox" name="/rw/usrlocal/share/applications/mimeinfo.cache" pid=7026 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
home..tor-browser_.Browser.firefox
[code]#include <tunables/global>
@{TBB} = @{HOME}*
/home/**/tor-browser_*/Browser/firefox {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/kde>
#include <abstractions/gnome>
#include <abstractions/audio>
#include <abstractions/user-download>
#include <abstractions/user-tmp>
#include <abstractions/X>
deny /etc/host.conf r,
deny /etc/hosts r,
deny /etc/nsswitch.conf r,
deny /etc/resolv.conf r,
deny /etc/passwd r,
deny /etc/group r,
deny /etc/udev/udev.conf r,
deny /etc/mailcap r,
deny /etc/fstab r,
deny @{PROC}/[0-9]*/stat r,
deny @{PROC}/[0-9]*/mountinfo r,
deny @{PROC}/[0-9]*/task/** r,
deny @{PROC}/sys/kernel/random/uuid r,
deny @{PROC}/sys/vm/overcommit_memory r,
deny @{PROC}/[0-9]*/cmdline r,
deny /run/udev/** r,
deny /sys/devices/** r,
## Missing in <abstractions/user-download> #######
# Without this line, access is denied to @{HOME},
# [dD]ownload{,s}, Desktop... for downloads.
@{HOME}/ r,
@{HOME}/* r,
##################################################
owner @{TBB}/tor-browser_*/ r,
owner @{TBB}/tor-browser_*/* r,
## TBB 5.0.2 internal updater ####
owner @{TBB}/tor-browser_*/Browser/ rw,
##################################
owner @{TBB}/tor-browser_*/Browser/** rwk,
owner @{TBB}/tor-browser_*/Browser/*.so mr,
owner @{TBB}/tor-browser_*/Browser/components/*.so mr,
owner @{TBB}/tor-browser_*/Browser/browser/components/*.so mr,
owner @{TBB}/tor-browser_*/Browser/firefox rix,
owner @{TBB}/tor-browser_*/Browser/TorBrowser/Tor/* mr,
owner @{TBB}/tor-browser_*/Data/Browser/Caches/** rwk,
owner @{TBB}/tor-browser_*/Data/Browser/profiles.ini r,
owner @{TBB}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/ r,
owner @{TBB}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/** rwk,
owner @{TBB}/tor-browser_*/Data/Tor/* rwk,
owner @{TBB}/tor-browser_*/Tor/* mr,
owner @{TBB}/tor-browser_*/Tor/tor rix,
owner @{TBB}/tor-browser_*/Browser/updates/ r,
owner @{TBB}/tor-browser_*/Browser/updates/** rwk,
owner @{TBB}/tor-browser_*/Browser/updates*.xml rwk,
owner @{TBB}/tor-browser_*/Browser/active-update*.xml rwk,
owner @{TBB}/tor-browser_*/update.test/ rwk,
owner @{TBB}/tor-browser_*/update.test rwk,
owner @{TBB}/tor-browser_*/Browser/update.test/ rwk,
owner @{TBB}/tor-browser_*/Browser/update.test rwk,
owner @{TBB}/tor-browser_*/Browser/updates/0/updater rix,
## TBB 5.0.2 internal updater ####
owner @{TBB}/tor-browser_*/Browser/updates/0/MozUpdater/bgupdate/updater rix,
##################################
owner @{TBB}/tor-browser_*/Browser/Desktop/ rw,
owner @{TBB}/tor-browser_*/Desktop/ rwk,
owner @{TBB}/tor-browser_*/Desktop/** rwk,
owner @{TBB}/tor-browser_*/Browser/Downloads/ r,
owner @{TBB}/tor-browser_*/Browser/Downloads/** rwk,
## Gnome2 and VirtualBox ##
owner @{TBB}/tor-browser_*/.** rwk,
## KDE 4 ##
@{HOME}/.kde/share/config/* r,
## Xfce4 ##
/etc/xfce4/defaults.list r,
/usr/share/xfce4/applications/ r,
/etc/mime.types r,
/etc/wildmidi/wildmidi.cfg r, # gstreamer
/tmp/MozUpdater/bgupdate/updater rix,
/usr/bin/kde4-config rix,
## XXX
#/usr/lib/*-linux-gnu/libvisual-*/*.so mr,
#/usr/lib/*-linux-gnu/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner rix,
/usr/lib/*-linux-gnu/** mrix,
/usr/share/ r,
/usr/share/mime/ r,
/usr/share/mime/** r,
/usr/share/themes/ r,
/usr/share/themes/** r,
/usr/share/applications/** rk,
/usr/share/poppler/cMap/ r,
/usr/share/poppler/cMap/** r,
/usr/share/libthai/ r,
/usr/share/libthai/** r,
# Distribution homepage
/usr/share/homepage/ r,
/usr/share/homepage/** r,
/usr/local/share/applications/meminfo.cache r,
## Not in abstractions/fonts ##
/usr/share/fontconfig/conf.avail/* r,
/var/cache/fontconfig/ rk,
## For systems used in VirtualBox ##
deny /var/lib/dbus/machine-id r,
@{PROC}/[0-9]*/fd/ r,
/dev/vboxuser rw,
/bin/ps rix,
/bin/dash rix,
/usr/bin/pulseaudio rix,
}[/code]
home..tor-browser_.Browser.start-tor-browser
[code]#include <tunables/global>
@{TBB} = @{HOME}*
/home/**/tor-browser_*/Browser/firefox {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/kde>
#include <abstractions/gnome>
#include <abstractions/audio>
#include <abstractions/user-download>
#include <abstractions/user-tmp>
#include <abstractions/X>
deny /etc/host.conf r,
deny /etc/hosts r,
deny /etc/nsswitch.conf r,
deny /etc/resolv.conf r,
deny /etc/passwd r,
deny /etc/group r,
deny /etc/udev/udev.conf r,
deny /etc/mailcap r,
deny /etc/fstab r,
deny @{PROC}/[0-9]*/stat r,
deny @{PROC}/[0-9]*/mountinfo r,
deny @{PROC}/[0-9]*/task/** r,
deny @{PROC}/sys/kernel/random/uuid r,
deny @{PROC}/sys/vm/overcommit_memory r,
deny @{PROC}/[0-9]*/cmdline r,
deny /run/udev/** r,
deny /sys/devices/** r,
## Missing in <abstractions/user-download> #######
# Without this line, access is denied to @{HOME},
# [dD]ownload{,s}, Desktop... for downloads.
@{HOME}/ r,
@{HOME}/* r,
##################################################
owner @{TBB}/tor-browser_*/ r,
owner @{TBB}/tor-browser_*/* r,
## TBB 5.0.2 internal updater ####
owner @{TBB}/tor-browser_*/Browser/ rw,
##################################
owner @{TBB}/tor-browser_*/Browser/** rwk,
owner @{TBB}/tor-browser_*/Browser/*.so mr,
owner @{TBB}/tor-browser_*/Browser/components/*.so mr,
owner @{TBB}/tor-browser_*/Browser/browser/components/*.so mr,
owner @{TBB}/tor-browser_*/Browser/firefox rix,
owner @{TBB}/tor-browser_*/Browser/TorBrowser/Tor/* mr,
owner @{TBB}/tor-browser_*/Data/Browser/Caches/** rwk,
owner @{TBB}/tor-browser_*/Data/Browser/profiles.ini r,
owner @{TBB}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/ r,
owner @{TBB}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/** rwk,
owner @{TBB}/tor-browser_*/Data/Tor/* rwk,
owner @{TBB}/tor-browser_*/Tor/* mr,
owner @{TBB}/tor-browser_*/Tor/tor rix,
owner @{TBB}/tor-browser_*/Browser/updates/ r,
owner @{TBB}/tor-browser_*/Browser/updates/** rwk,
owner @{TBB}/tor-browser_*/Browser/updates*.xml rwk,
owner @{TBB}/tor-browser_*/Browser/active-update*.xml rwk,
owner @{TBB}/tor-browser_*/update.test/ rwk,
owner @{TBB}/tor-browser_*/update.test rwk,
owner @{TBB}/tor-browser_*/Browser/update.test/ rwk,
owner @{TBB}/tor-browser_*/Browser/update.test rwk,
owner @{TBB}/tor-browser_*/Browser/updates/0/updater rix,
## TBB 5.0.2 internal updater ####
owner @{TBB}/tor-browser_*/Browser/updates/0/MozUpdater/bgupdate/updater rix,
##################################
owner @{TBB}/tor-browser_*/Browser/Desktop/ rw,
owner @{TBB}/tor-browser_*/Desktop/ rwk,
owner @{TBB}/tor-browser_*/Desktop/** rwk,
owner @{TBB}/tor-browser_*/Browser/Downloads/ r,
owner @{TBB}/tor-browser_*/Browser/Downloads/** rwk,
## Gnome2 and VirtualBox ##
owner @{TBB}/tor-browser_*/.** rwk,
## KDE 4 ##
@{HOME}/.kde/share/config/* r,
## Xfce4 ##
/etc/xfce4/defaults.list r,
/usr/share/xfce4/applications/ r,
/etc/mime.types r,
/etc/wildmidi/wildmidi.cfg r, # gstreamer
/tmp/MozUpdater/bgupdate/updater rix,
/usr/bin/kde4-config rix,
## XXX
#/usr/lib/*-linux-gnu/libvisual-*/*.so mr,
#/usr/lib/*-linux-gnu/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner rix,
/usr/lib/*-linux-gnu/** mrix,
/usr/share/ r,
/usr/share/mime/ r,
/usr/share/mime/** r,
/usr/share/themes/ r,
/usr/share/themes/** r,
/usr/share/applications/** rk,
/usr/share/poppler/cMap/ r,
/usr/share/poppler/cMap/** r,
/usr/share/libthai/ r,
/usr/share/libthai/** r,
# Distribution homepage
/usr/share/homepage/ r,
/usr/share/homepage/** r,
/usr/local/share/applications/meminfo.cache r,
## Not in abstractions/fonts ##
/usr/share/fontconfig/conf.avail/* r,
/var/cache/fontconfig/ rk,
## For systems used in VirtualBox ##
deny /var/lib/dbus/machine-id r,
@{PROC}/[0-9]*/fd/ r,
/dev/vboxuser rw,
/bin/ps rix,
/bin/dash rix,
/usr/bin/pulseaudio rix,
}[/code]
Did you forget
after making changes?
I actually backed up the current profile and overwrote it. Then I rebooted Whonix+Qubes; that method seemed to work for actually getting Tor Browser to start when it previously did not. I will run
sudo aa-status
to make sure that the proper profile is being enforced and report back.
Profile tb-starter/etc/apparmor.d/usr.bin.torbrowser is currently very problematic. Because it gets installed by default (part of package tb-starter). Because it's currently broken. It needs to work whether apparmor-profile-torbrowser is installed or not.
I am quite certain to prevent any future unstartable Tor Browser, we would be better off moving tb-starter/etc/apparmor.d/usr.bin.torbrowser to apparmor-profile-torbrowser package? Otherwise we would have to carefully test all the different cases.
hot fixed apparmor profile for new folder ~/.tb - https://www.whonix.org/forum/index.php/topic,97.msg10298.html#msg10298
https://github.com/Whonix/tb-starter/commit/860fd2fe05d9ba0729c4bfb9ed70fc29586f8aa9