Whonix AppArmor Profiles Development Discussion


[quote="troubadour, post:620, topic:108"]An update to apparmor-profile-icedove.[/quote]


All apparmor profiles have been updated in the testers repository. (usual delay of ~ 1 hour for mirror.whonix.de)



Got this error on gateway when installing apparmor-profiles-whonix from testers (virtualbox profile error line 50… “allows dangerous…”)


It’s a warning. Not an error. A non-perfection of the profile.



Are you subscribed (“watch” function) to torbrowser-launcher at github? There was some minor apparmor change. I could keep posting these here, since I subscribed to torbrowser-launcher at github. (Need to keep up with TBB changes.)


Yes, I’m subscribed to torbrowser-launcher at github.

We may need it some day, so added the line to the Whonix profile.


A new one. Related: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805074


Most likely related to the above.


Are you sure https://github.com/troubadoour/apparmor-profile-anondist/commit/659bb0b30105fe390b6dd3f3ad83ec140517eded is required?

Shouldn’t /etc/apparmor.d/tunables/home.d/anondist prevent need for that?

alias /etc/timezone -> /etc/timezone.anondist,
alias /etc/timezone -> /etc/timezone.anondist-orig,

( https://github.com/troubadoour/apparmor-profile-anondist/blob/ad9af43077e907e5c68e8f2508392e1c74663d06/etc/apparmor.d/tunables/home.d/anondist#L48 )


Or thinking about this differently… Please revert https://github.com/troubadoour/apparmor-profile-anondist/commit/659bb0b30105fe390b6dd3f3ad83ec140517eded and add /etc/timezone r, to apparmor-profile-icedove instead.


Two icedove denied messages. Happening when you try to store a file in Qubes-Whonix inside the ~/Downloads folder.

Dec 10 13:30:11 host kernel: [49430.266714] audit: type=1400 audit(1449754211.436:23): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/home/user/" pid=20708 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000


Dec 10 13:30:14 host kernel: [49433.517170] audit: type=1400 audit(1449754214.687:24): apparmor="DENIED" operation="mkdir" profile="/usr/lib/icedove/icedove" name="/home/user/.config/gtk-2.0/" pid=3337 comm="icedove" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
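Turning kernel audit lines like the two above into candidate profile rules is the routine part of profile maintenance. The script below is an added example written for this thread; it is not part of the Whonix AppArmor packages. It parses `apparmor="DENIED"` lines, maps the kernel `denied_mask` letters to rule permissions (`c` and `d` are write operations in rule syntax), prefixes `owner` when `fsuid` equals `ouid`, and rewrites `/home/<user>/` to the `@{HOME}` tunable. The sample log is constructed: it contains the two icedove lines quoted above plus an invented `/etc/timezone` denial (owned by root, so no `owner` prefix) and an `ALLOWED` complain-mode line that must be skipped.

```python
"""Parse AppArmor DENIED audit lines and suggest the profile rule that would
allow each access. Example code for this thread, not Whonix project code."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: first two lines are the icedove denials from the
# thread, the third is an invented /etc/timezone denial, the fourth is an
# ALLOWED (complain-mode) line that the parser must ignore.
SAMPLE_LOG = """\
Dec 10 13:30:11 host kernel: [49430.266714] audit: type=1400 audit(1449754211.436:23): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/home/user/" pid=20708 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Dec 10 13:30:14 host kernel: [49433.517170] audit: type=1400 audit(1449754214.687:24): apparmor="DENIED" operation="mkdir" profile="/usr/lib/icedove/icedove" name="/home/user/.config/gtk-2.0/" pid=3337 comm="icedove" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Dec 10 13:30:20 host kernel: [49439.123456] audit: type=1400 audit(1449754220.000:25): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/etc/timezone" pid=3337 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 10 13:30:21 host kernel: [49440.000000] audit: type=1400 audit(1449754221.000:26): apparmor="ALLOWED" operation="open" profile="/usr/lib/icedove/icedove" name="/etc/hostname" pid=3337 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Kernel denied_mask letters -> permission letters used in profile rules.
# create ("c") and delete ("d") are expressed as "w" in rule syntax.
MASK_TO_RULE = {"r": "r", "w": "w", "c": "w", "d": "w",
                "a": "a", "x": "x", "l": "l", "k": "k", "m": "m"}
RULE_ORDER = "rwaxlkm"  # stable ordering for the emitted permission string


@dataclass(frozen=True)
class Denial:
    profile: str
    operation: str
    name: str
    denied_mask: str
    comm: str
    fsuid: int
    ouid: int


def parse_denials(log_text):
    """Return one Denial per apparmor="DENIED" line; all other lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
        if fields.get("apparmor") != "DENIED" or "name" not in fields:
            continue
        denials.append(Denial(
            profile=fields["profile"],
            operation=fields["operation"],
            name=fields["name"],
            denied_mask=fields["denied_mask"],
            comm=fields.get("comm", "?"),
            fsuid=int(fields.get("fsuid", -1)),
            ouid=int(fields.get("ouid", -2)),
        ))
    return denials


def suggest_rule(denial):
    """Candidate file rule for one denial (assumption: @{HOME} tunable is in use)."""
    wanted = {MASK_TO_RULE.get(ch, ch) for ch in denial.denied_mask}
    perms = "".join(ch for ch in RULE_ORDER if ch in wanted)
    path = re.sub(r"^/home/[^/]+/", "@{HOME}/", denial.name)
    # fsuid == ouid means the process owns the object: restrict with "owner".
    owner = "owner " if denial.fsuid == denial.ouid else ""
    return f"{owner}{path} {perms},"


def rules_by_profile(log_text):
    """Map each confined profile to the sorted, de-duplicated rules it would need."""
    grouped = defaultdict(set)
    for denial in parse_denials(log_text):
        grouped[denial.profile].add(suggest_rule(denial))
    return {profile: sorted(rules) for profile, rules in grouped.items()}


if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_LOG).items():
        print(f"# candidate additions for {profile}")
        for rule in rules:
            print(f"  {rule}")
```

The output is a starting point for review, not something to paste in blindly: a denial on `/home/user/` with mask `r` is a directory listing by the `pool` thread, and the reviewer still decides whether `owner @{HOME}/ r,` is acceptable for the profile or whether the access should stay denied. `aa-logprof` from apparmor-utils does the same job interactively against the live log.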


This is now a bug.

Opening links from iceweasel in Tor Browser no longer works because we deprecated the /usr/bin/torbrowser AppArmor profile. Any idea how to fix it?


Yes, we run /usr/bin/torbrowser unconfined. Tor Browser is still enforced.


systemd AppArmorProfile= directive unavailable leads to not loading AppArmor profile on Debian jessie: