[HOME] [DOWNLOAD] [DOCS] [BLOG] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

Whonix AppArmor Profiles Development Discussion


#601

(If we decide to move tb-starter/etc/apparmor.d/usr.bin.torbrowser to apparmor-profile-torbrowser package, we should rename the file to /etc/apparmor.d/usr_bin_torbrowser or so to prevent dpkg upgrade issues.)

Please say how likely you find it for this to cause issues. There are various cases to consider.

  • Only tb-starter/etc/apparmor.d/usr.bin.torbrowser installed, but apparmor-profile-torbrowser package not.
  • Only tb-starter/etc/apparmor.d/usr.bin.torbrowser installed, and apparmor-profile-torbrowser installed and enforced.
  • Only tb-starter/etc/apparmor.d/usr.bin.torbrowser installed, and apparmor-profile-torbrowser installed and disabled.
  • Any others?

In none of these cases tb-starter/etc/apparmor.d/usr.bin.torbrowser should prevent /usr/bin/torbrowser from starting Tor Browser.


#602
apparmor profile fixes
https://github.com/Whonix/tb-starter/commit/2959df2fd786861f87a7e7609d1ac2c74a401d1d

#603

I think tb-starter/etc/apparmor.d/usr.bin.torbrowser is just too complex for installing it by default and enabling it by default. Because it interacts with msgcollector. And update-torbrowser. And worst, with software that we do not control, i.e. Tor Browser.


#604

I do aggree with your last post. I’m currently trying to get tb-starter/etc/apparmor.d/usr.bin.torbrowser working, without success so far. It’s getting harder if we want to get it path insensitive, amongst other issues.

it looks like we are shooting our own foot for a minimal if not non-existing security gain. We would be much better off keeping apparmor-profile-torbrowser only, because the profiles relate to TBB only and can be adapted [relatively] easily. We have some experience with Tor browser changes…


#605

Removed the profile:

Feel free to re-add it to apparmor-profile-torbrowser. However, I also fail to see the security gain by it.


#606

Added /usr/local/share/applications/meminfo.cache to apparmor-profile-torbrowser.


#607

Updated apparmor-profile-whonixcheck after https://www.whonix.org/forum/index.php/topic,1759.0.html


#608

Merged.


#609
delete deprecated usr.bin.torbrowser apparmor profile
https://github.com/Whonix/whonix-legacy/commit/b8a6153736358d367624dc8b830be3689e898950

#610

TB installation path has been changed to

by me. (https://www.whonix.org/forum/index.php/topic,860.0.html)

Wondering if the following would be appropriate…

[hr]

Change from

to

?
[hr]

Change from

to

?


#611

Seems to work. Changed apparmor-profile-torbrowser in git.


#612

Got some new denied messages. Most likely related to TBB hardened.

I guess we need to allow environ somehow. Added…

I don’t know if it could be restricted more (to itself only). Reading its own environment is important.

Also added…

Which should be harmless.

proc task, I don’t know what to do about that.


#613

Minor changes to apparmor-profile-sdwdate and apparmor-profile-whonixcheck.


#614

Merged your changes.

TB new path: changed

with

In both firefox and start-tor-browser. It works too. Perhaps we should change the profile names, because it does not corespond the real path any longer. It could be

  • torbrower.Browser.firefox
  • torbrower.Browser.start-tor-browser

[That’s the convention used in torbrowser-launcher]

I guess we must allow ‘environ’. Regarding task, added a “deny” line above the existing one already denying /proc/task/**.

A minor one: “TB_path/Browser.bak” popped once when updating to 5.0.4 with Tor browser internal updater (had put it aside an forgot it).

Had a look to TBB hardened on the Tor site, looks like there is only a 64 bit version available, for the time being (or forever?).


#615

A new one with TB 5.5a4.


#616

I would expect Browser.bak to require even rw?

Was wondering about something else… Can’t we just declare somehow “Tor Browser is free to read/write/anything within the whole Tor Browser folder” for simplified maintained?

Had a look to TBB hardened on the Tor site, looks like there is only a 64 bit version available, for the time being (or forever?).
Answered here: https://www.whonix.org/forum/index.php/topic,1904.msg11352.html#msg11352
Perhaps we should change the profile names,
Yes, but a bit difficult maintenance wise. Need to disable/remove the existing profiles form existing systems. Otherwise they'd conflict.

Similar to this (which may even be incomplete - does not disable beforehand):


#617

Merged apparmor-profile-torbrowser. Tested. Works for me.


#618
I would expect Browser.bak to require even rw?
Yes, done.
Was wondering about something else... Can't we just declare somehow "Tor Browser is free to read/write/anything within the whole Tor Browser folder" for simplified maintained?
I have been wondering about that several times before, but did not dare pushing it. We can give all the required permissions (mrlwkix) to all the files in the Tor browser directory. It works (except when we have to run a child profile, but that's not the case here). https://github.com/troubadoour/apparmor-profile-torbrowser/commit/4acb99d1a653628b4f8454f077df295062ec91e1

#619

Merged. Can/should we/you do the the same with the start-tor-browser profile?


#620

That’s looking more difficult, because of the child profile. Working on it.

An update to apparmor-profile-icedove.