
Whonix AppArmor Profiles Development Discussion


#581

torbrowser profile: back to @{HOME}/**/. after the removal of some deny statements. See the comments in the commit.


#582

Merged.

Is this an inconsistency or on purpose?


#583

Inconsistency. Fixed.

Some problems in start-tor-browser, which requires an absolute path for executing a child profile (Browser/firefox Px,). Workaround by declaring a variable @{TBB} at the beginning of the profiles.

For consistency, added owner keyword in torbrowser profile.


#584

Merged.

Added some refactoring on top. Namely moved the other home related rules upwards so they’re below the first home related rules, to make further inconsistencies in future more unlikely.


#585

With AA enabled, it’s possible for me to read any files from desktop, documents etc…

Is this expected?


#586

[quote=“8uwu, post:585, topic:108”]With AA enabled, it’s possible for me to read any files from desktop, documents etc…

Is this expected?[/quote]
Does https://www.whonix.org/forum/index.php/topic,741 help?


#587

It should help.

But “read any files from desktop, documents etc…” is only partly expected. The documents directory should be denied. The only allowed directories under HOME should be Desktop and Downloads.

Note that the default downloads directory in Tor Browser is “[Tor Browser folder]/Browser/Downloads”.


#588

Got an external pull request:


#589

Some updates in apparmor-profile-icedove after https://github.com/Whonix/apparmor-profile-icedove/pull/1


#590

Merged. Luckily was mergeable. Please fetch/merge from origin before making changes.


#591

added missing packaging of apparmor profile:


#592

Could you please port https://github.com/Whonix/tb-starter/blob/master/etc/apparmor.d/usr.bin.torbrowser to the new “@{TBB} = @{HOME}*” style, i.e. supporting the new folder(s)? Currently getting two denied messages.

Sep 18 22:27:17 localhost kernel: [343239.382352] audit: type=1400 audit(1442608037.089:152): apparmor="DENIED" operation="exec" profile="/usr/bin/torbrowser" name="/home/user/.tb/tor-browser_en-US/start-tor-browser.desktop" pid=30474 comm="torbrowser" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
Sep 18 22:27:17 localhost kernel: [343239.382623] audit: type=1400 audit(1442608037.089:153): apparmor="DENIED" operation="open" profile="/usr/bin/torbrowser" name="/home/user/.tb/tor-browser_en-US/start-tor-browser.desktop" pid=30474 comm="torbrowser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

#593

[quote=“Patrick, post:592, topic:108”]Could you please port https://github.com/Whonix/tb-starter/blob/master/etc/apparmor.d/usr.bin.torbrowser to the new “@{TBB} = @{HOME}*” style, i.e. supporting the new folder(s)? Currently getting two denied messages.

Sep 18 22:27:17 localhost kernel: [343239.382352] audit: type=1400 audit(1442608037.089:152): apparmor="DENIED" operation="exec" profile="/usr/bin/torbrowser" name="/home/user/.tb/tor-browser_en-US/start-tor-browser.desktop" pid=30474 comm="torbrowser" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
Sep 18 22:27:17 localhost kernel: [343239.382623] audit: type=1400 audit(1442608037.089:153): apparmor="DENIED" operation="open" profile="/usr/bin/torbrowser" name="/home/user/.tb/tor-browser_en-US/start-tor-browser.desktop" pid=30474 comm="torbrowser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 [/quote]

Same thing here I am currently testing.

https://www.whonix.org/forum/index.php/topic,1703.0.html


#594

The latest apparmor profile commits are working good however apparmor shows:

denied for /rw/usrlocal/share/applications/meminfo.cache and /rw/userlocal/share/applications

Hope this helps!! I will post temporary workaround instructions on the thread I linked in my previous post. Thank you everyone for all the hard work :smiley: :smiley:


#595

In Qubes /usr/local is a symlink to /rw/usrlocal/. Due to https://github.com/Whonix/apparmor-profile-anondist/blob/master/etc/apparmor.d/tunables/home.d/qubes-whonix-anondist shipping

we don’t have to care about this a lot. Only note, if a user posts a denied message

Then the one added to the AppArmor profile should be.

So it will work for non-Qubes users as well.

apparmor-woes, can you please try adding

to the profile and report if that fixes the denied message?


#596

I have added the line above, Patrick. I am still getting AppArmor errors. I would be more than happy to test any suggestions. I am not too familiar with AppArmor but am happy to donate my time! Please let me know.

Here are the logs:

audit: type=1400 audit(1442672258.219:2): apparmor="STATUS" operation="profile_load" name="/home/**/tor-browser_*/Browser/firefox" pid=330 comm="apparmor_parser"

audit: type=1400 audit(1442672258.650:3): apparmor="STATUS" operation="profile_replace" name="/home/**/tor-browser_*/Browser/firefox" pid=330 comm="apparmor_parser"

audit: type=1400 audit(1442672258.661:4): apparmor="STATUS" operation="profile_load" name="/usr/bin/pidgin" pid=330 comm="apparmor_parser"

audit: type=1400 audit(1442672258.664:5): apparmor="STATUS" operation="profile_load" name="/usr/lib/virtualbox/VirtualBox" pid=330 comm="apparmor_parser"

audit: type=1400 audit(1442672329.843:6): apparmor="DENIED" operation="open" profile="/home/**/tor-browser_*/Browser/firefox" name="/rw/usrlocal/share/applications/" pid=7026 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

audit: type=1400 audit(1442672329.843:7): apparmor="DENIED" operation="open" profile="/home/**/tor-browser_*/Browser/firefox" name="/rw/usrlocal/share/applications/mimeinfo.cache" pid=7026 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

home.*.tor-browser_*.Browser.firefox

[code]#include <tunables/global>

@{TBB} = @{HOME}*

/home/**/tor-browser_*/Browser/firefox {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/kde>
#include <abstractions/gnome>
#include <abstractions/audio>
#include <abstractions/user-download>
#include <abstractions/user-tmp>
#include <abstractions/X>

deny /etc/host.conf r,
deny /etc/hosts r,
deny /etc/nsswitch.conf r,
deny /etc/resolv.conf r,
deny /etc/passwd r,
deny /etc/group r,
deny /etc/udev/udev.conf r,
deny /etc/mailcap r,
deny /etc/fstab r,

deny @{PROC}/[0-9]*/stat r,
deny @{PROC}/[0-9]*/mountinfo r,
deny @{PROC}/[0-9]*/task/** r,
deny @{PROC}/sys/kernel/random/uuid r,
deny @{PROC}/sys/vm/overcommit_memory r,
deny @{PROC}/[0-9]*/cmdline r,

deny /run/udev/** r,
deny /sys/devices/** r,

## Missing in <abstractions/user-download> #######
# Without this line, access is denied to @{HOME},
# [dD]ownload{,s}, Desktop... for downloads.
@{HOME}/ r,
@{HOME}/* r,
##################################################

owner @{TBB}/tor-browser_*/ r,
owner @{TBB}/tor-browser_*/* r,
## TBB 5.0.2 internal updater ####
owner @{TBB}/tor-browser_*/Browser/ rw,
##################################
owner @{TBB}/tor-browser_*/Browser/** rwk,
owner @{TBB}/tor-browser_*/Browser/*.so mr,
owner @{TBB}/tor-browser_*/Browser/components/*.so mr,
owner @{TBB}/tor-browser_*/Browser/browser/components/*.so mr,
owner @{TBB}/tor-browser_*/Browser/firefox rix,
owner @{TBB}/tor-browser_*/Browser/TorBrowser/Tor/* mr,
owner @{TBB}/tor-browser_*/Data/Browser/Caches/** rwk,
owner @{TBB}/tor-browser_*/Data/Browser/profiles.ini r,
owner @{TBB}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/ r,
owner @{TBB}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/** rwk,
owner @{TBB}/tor-browser_*/Data/Tor/* rwk,
owner @{TBB}/tor-browser_*/Tor/* mr,
owner @{TBB}/tor-browser_*/Tor/tor rix,
owner @{TBB}/tor-browser_*/Browser/updates/ r,
owner @{TBB}/tor-browser_*/Browser/updates/** rwk,
owner @{TBB}/tor-browser_*/Browser/updates*.xml rwk,
owner @{TBB}/tor-browser_*/Browser/active-update*.xml rwk,
owner @{TBB}/tor-browser_*/update.test/ rwk,
owner @{TBB}/tor-browser_*/update.test rwk,
owner @{TBB}/tor-browser_*/Browser/update.test/ rwk,
owner @{TBB}/tor-browser_*/Browser/update.test rwk,
owner @{TBB}/tor-browser_*/Browser/updates/0/updater rix,
## TBB 5.0.2 internal updater ####
owner @{TBB}/tor-browser_*/Browser/updates/0/MozUpdater/bgupdate/updater rix,
##################################
owner @{TBB}/tor-browser_*/Browser/Desktop/ rw,
owner @{TBB}/tor-browser_*/Desktop/ rwk,
owner @{TBB}/tor-browser_*/Desktop/** rwk,
owner @{TBB}/tor-browser_*/Browser/Downloads/ r,
owner @{TBB}/tor-browser_*/Browser/Downloads/** rwk,

## Gnome2 and VirtualBox ##
owner @{TBB}/tor-browser_*/.** rwk,

## KDE 4 ##
@{HOME}/.kde/share/config/* r,

## Xfce4 ##
/etc/xfce4/defaults.list r,
/usr/share/xfce4/applications/ r,

/etc/mime.types r,
/etc/wildmidi/wildmidi.cfg r,  # gstreamer

/tmp/MozUpdater/bgupdate/updater rix,

/usr/bin/kde4-config rix,

## XXX
#/usr/lib/*-linux-gnu/libvisual-*/*.so mr,
#/usr/lib/*-linux-gnu/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner rix,
/usr/lib/*-linux-gnu/** mrix,

/usr/share/ r,
/usr/share/mime/ r,
/usr/share/mime/** r,
/usr/share/themes/ r,
/usr/share/themes/** r,
/usr/share/applications/** rk,
/usr/share/poppler/cMap/ r,
/usr/share/poppler/cMap/** r,
/usr/share/libthai/ r,
/usr/share/libthai/** r,
# Distribution homepage
/usr/share/homepage/ r,
/usr/share/homepage/** r,
# The denied paths in the log above are the applications/ directory and
# mimeinfo.cache (not "meminfo.cache", which matches nothing).
/usr/local/share/applications/ r,
/usr/local/share/applications/mimeinfo.cache r,

## Not in abstractions/fonts ##
/usr/share/fontconfig/conf.avail/* r,
/var/cache/fontconfig/ rk,

## For systems used in VirtualBox ##
deny /var/lib/dbus/machine-id r,
@{PROC}/[0-9]*/fd/ r,
/dev/vboxuser rw,
/bin/ps rix,
/bin/dash rix,
/usr/bin/pulseaudio rix,

}[/code]


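As an added example (not code from this thread or from the Whonix project), a small script that turns DENIED audit lines like those quoted in #592 and #596 into candidate rules in the profile's @{HOME}/@{TBB} style, and canonicalizes the Qubes /rw/usrlocal path to /usr/local so the rule also fits non-Qubes systems, as #595 suggests. The sample log lines are constructed in the shape of those posts; the home path /home/user and the alias table are assumptions.

```python
import re

# Constructed sample, in the shape of the DENIED/STATUS lines quoted in this thread.
SAMPLE_LOG = """\
audit: type=1400 audit(1442608037.089:152): apparmor="DENIED" operation="exec" profile="/usr/bin/torbrowser" name="/home/user/.tb/tor-browser_en-US/start-tor-browser.desktop" pid=30474 comm="torbrowser" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
audit: type=1400 audit(1442608037.089:153): apparmor="DENIED" operation="open" profile="/usr/bin/torbrowser" name="/home/user/.tb/tor-browser_en-US/start-tor-browser.desktop" pid=30474 comm="torbrowser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1442672258.219:2): apparmor="STATUS" operation="profile_load" name="/home/**/tor-browser_*/Browser/firefox" pid=330 comm="apparmor_parser"
audit: type=1400 audit(1442672329.843:6): apparmor="DENIED" operation="open" profile="/home/**/tor-browser_*/Browser/firefox" name="/rw/usrlocal/share/applications/" pid=7026 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1442672329.843:7): apparmor="DENIED" operation="open" profile="/home/**/tor-browser_*/Browser/firefox" name="/rw/usrlocal/share/applications/mimeinfo.cache" pid=7026 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed alias table: Qubes makes /usr/local a symlink to /rw/usrlocal (see #595).
PATH_ALIASES = {"/rw/usrlocal/": "/usr/local/"}

def parse_audit_line(line):
    """Return the key=value fields of one audit line as a dict of strings."""
    return {k: q or bare for k, q, bare in FIELD.findall(line)}

def generalize_path(path, home="/home/user"):
    """Rewrite a concrete denied path into the profile's @{HOME}/@{TBB} variables."""
    for real, canonical in PATH_ALIASES.items():
        if path.startswith(real):
            path = canonical + path[len(real):]
    if path.startswith(home + "/"):
        rest = path[len(home) + 1:]
        # @{TBB} = @{HOME}* covers both ~/tor-browser_xx/ and ~/.tb/tor-browser_xx/
        m = re.match(r'(?:[^/]+/)?tor-browser_[^/]+/(.*)', rest)
        path = "@{TBB}/tor-browser_*/" + m.group(1) if m else "@{HOME}/" + rest
    return path

def suggest_rules(log_text):
    """Merge DENIED events per path and emit candidate AppArmor file rules."""
    wanted = {}  # (owner, path) -> set of permission letters, insertion-ordered
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev.get("apparmor") != "DENIED":
            continue
        owner = ev.get("fsuid") == ev.get("ouid")  # file owned by the confined user
        key = (owner, generalize_path(ev["name"]))
        wanted.setdefault(key, set()).update(ev["denied_mask"])
    rules = []
    for (owner, path), perms in wanted.items():
        mode = "".join(c for c in "mrwkl" if c in perms)
        mode += "ix" if "x" in perms else ""  # stay in the same profile on exec
        rules.append(f"{'owner ' if owner else ''}{path} {mode},")
    return rules
```

Run `suggest_rules(SAMPLE_LOG)` to get the three candidate lines; treat them as input for review, not as rules to paste blindly, since a denial may be one the profile intends.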

#597

Did you forget

after making changes?


#598

I actually backed up the current profile and overwrote it. Then I rebooted Whonix+Qubes; that method seemed to work for actually getting Tor Browser to start when it previously did not. I will run

sudo aa-status

to make sure that the proper profile is being enforced and report back.


#599

Profile tb-starter/etc/apparmor.d/usr.bin.torbrowser is currently very problematic, because it gets installed by default (part of package tb-starter) and because it’s currently broken. It needs to work whether apparmor-profile-torbrowser is installed or not.

I am quite certain that, to prevent any future unstartable Tor Browser, we would be better off moving tb-starter/etc/apparmor.d/usr.bin.torbrowser to the apparmor-profile-torbrowser package? Otherwise we would have to carefully test all the different cases.


#600
hot fixed apparmor profile for new folder ~/.tb - https://www.whonix.org/forum/index.php/topic,97.msg10298.html#msg10298
https://github.com/Whonix/tb-starter/commit/860fd2fe05d9ba0729c4bfb9ed70fc29586f8aa9