Whonix AppArmor Profiles Development Discussion

(If we decide to move tb-starter/etc/apparmor.d/usr.bin.torbrowser to apparmor-profile-torbrowser package, we should rename the file to /etc/apparmor.d/usr_bin_torbrowser or so to prevent dpkg upgrade issues.)

Please say how likely you find it for this to cause issues. There are various cases to consider.

  • Only tb-starter/etc/apparmor.d/usr.bin.torbrowser installed, but apparmor-profile-torbrowser package not.
  • Only tb-starter/etc/apparmor.d/usr.bin.torbrowser installed, and apparmor-profile-torbrowser installed and enforced.
  • Only tb-starter/etc/apparmor.d/usr.bin.torbrowser installed, and apparmor-profile-torbrowser installed and disabled.
  • Any others?

In none of these cases should tb-starter/etc/apparmor.d/usr.bin.torbrowser prevent /usr/bin/torbrowser from starting Tor Browser.

apparmor profile fixes
https://github.com/Whonix/tb-starter/commit/2959df2fd786861f87a7e7609d1ac2c74a401d1d

I think tb-starter/etc/apparmor.d/usr.bin.torbrowser is just too complex for installing it by default and enabling it by default. Because it interacts with msgcollector. And update-torbrowser. And worst, with software that we do not control, i.e. Tor Browser.

I do agree with your last post. I'm currently trying to get tb-starter/etc/apparmor.d/usr.bin.torbrowser working, without success so far. It's getting harder if we want to get it path insensitive, amongst other issues.

It looks like we are shooting our own foot for a minimal if not non-existing security gain. We would be much better off keeping apparmor-profile-torbrowser only, because the profiles relate to TBB only and can be adapted [relatively] easily. We have some experience with Tor browser changes…

Removed the profile:

Feel free to re-add it to apparmor-profile-torbrowser. However, I also fail to see the security gain by it.

Added /usr/local/share/applications/meminfo.cache to apparmor-profile-torbrowser.

Updated apparmor-profile-whonixcheck after Whonix Forum

Merged.

delete deprecated usr.bin.torbrowser apparmor profile
https://github.com/Whonix/whonix-legacy/commit/b8a6153736358d367624dc8b830be3689e898950

TB installation path has been changed to

/home/user/.tb/tor-browser

by me. (Whonix Forum)

Wondering if the following would be appropriate…


Change from

/home/**/tor-browser_*/Browser/firefox {

to

/home/**/tor-browse*/Browser/firefox {

?

Change from

/home*/tor-browser_*/{Browser/,}start-tor-browser {

to

/home*/tor-browse*/{Browser/,}start-tor-browser {

?

Seems to work. Changed apparmor-profile-torbrowser in git.

Got some new denied messages. Most likely related to TBB hardened.

I guess we need to allow environ somehow. Added…

I don't know if it could be restricted more (to itself only). Reading its own environment is important.

Also added…

Which should be harmless.

proc task, I don't know what to do about that.

Minor changes to apparmor-profile-sdwdate and apparmor-profile-whonixcheck.

Merged your changes.

TB new path: changed

with

In both firefox and start-tor-browser. It works too. Perhaps we should change the profile names, because they do not correspond to the real path any longer. It could be

  • torbrower.Browser.firefox
  • torbrower.Browser.start-tor-browser

[That's the convention used in torbrowser-launcher]

I guess we must allow 'environ'. Regarding task, added a "deny" line above the existing one already denying /proc/task/**.

A minor one: "TB_path/Browser.bak" popped once when updating to 5.0.4 with Tor browser internal updater (had put it aside and forgot it).

Had a look to TBB hardened on the Tor site, looks like there is only a 64 bit version available, for the time being (or forever?).

A new one with TB 5.5a4.

I would expect Browser.bak to require even rw?

Was wondering about something else… Can't we just declare somehow "Tor Browser is free to read/write/anything within the whole Tor Browser folder" for simplified maintenance?

Had a look to TBB hardened on the Tor site, looks like there is only a 64 bit version available, for the time being (or forever?).
Answered here: https://www.whonix.org/forum/index.php/topic,1904.msg11352.html#msg11352
Perhaps we should change the profile names,
Yes, but a bit difficult maintenance wise. Need to disable/remove the existing profiles from existing systems. Otherwise they'd conflict.

Similar to this (which may even be incomplete - does not disable beforehand):

Merged apparmor-profile-torbrowser. Tested. Works for me.

I would expect Browser.bak to require even rw?
Yes, done.
Was wondering about something else... Can't we just declare somehow "Tor Browser is free to read/write/anything within the whole Tor Browser folder" for simplified maintenance?
I have been wondering about that several times before, but did not dare pushing it. We can give all the required permissions (mrlwkix) to all the files in the Tor browser directory. It works (except when we have to run a child profile, but that's not the case here). https://github.com/troubadoour/apparmor-profile-torbrowser/commit/4acb99d1a653628b4f8454f077df295062ec91e1

Merged. Can/should we/you do the same with the start-tor-browser profile?

Thatā€™s looking more difficult, because of the child profile. Working on it.

An update to apparmor-profile-icedove.
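
Added example, not part of the thread or of the Whonix profiles: a simplified model of AppArmor path globbing that compares the two firefox attachment patterns discussed above (`tor-browser_*` versus `tor-browse*`) against constructed sample paths. The translation ignores the real parser's special cases for empty matches next to `/`, and every sample path except /home/user/.tb/tor-browser is an assumption.

```python
import re

def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob to a regex (simplified model:
    ignores the parser's rules for empty matches next to '/')."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")          # ** may cross '/' boundaries
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")       # * stays inside one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")           # alternation inside {a,b}
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced '{' in glob: %r" % glob)
    return re.compile("".join(out), re.DOTALL)

# Attachment patterns quoted in the thread.
OLD = "/home/**/tor-browser_*/Browser/firefox"
NEW = "/home/**/tor-browse*/Browser/firefox"

# Constructed sample paths (only the .tb path is taken from the thread).
SAMPLE_PATHS = [
    "/home/user/.tb/tor-browser/Browser/firefox",
    "/home/user/tor-browser_en-US/Browser/firefox",
    "/home/user/tor-browse-backup/Browser/firefox",
    "/home/user/.tb/tor-browser/Browser/TorBrowser/Tor/tor",
]

def attachment_table(paths=SAMPLE_PATHS):
    """Map each path to (matches_old, matches_new)."""
    old, new = aa_glob_to_regex(OLD), aa_glob_to_regex(NEW)
    return {p: (bool(old.fullmatch(p)), bool(new.fullmatch(p))) for p in paths}

if __name__ == "__main__":
    for path, (o, n) in attachment_table().items():
        print(f"old={o!s:5} new={n!s:5} {path}")
```

The third sample path shows the side effect of the shorter prefix: the new pattern attaches to any directory under /home whose name begins with `tor-browse`, not only to the relocated Tor Browser folder.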