
Whonix AppArmor Profiles Development Discussion


#621

[quote="troubadour, post:620, topic:108"]
An update to apparmor-profile-icedove.
https://github.com/troubadoour/apparmor-profile-icedove/commit/a2859e5bb1e1d03a9dab7dce712a4e42f35b01d6
[/quote]
Merged.


#622

All apparmor profiles have been updated in the testers repository. (usual delay of ~ 1 hour for mirror.whonix.de)


#623

#624

Got this error on gateway when installing apparmor-profiles-whonix from testers (virtualbox profile error line 50… “allows dangerous…”)


#625

It’s a warning. Not an error. A non-perfection of the profile.


#626

#627

Are you subscribed (“watch” function) to torbrowser-launcher at github? There was some minor apparmor change. I could keep posting these here, since I subscribed to torbrowser-launcher at github. (Need to keep up with TBB changes.)


#628

Yes, I’m subscribed to torbrowser-launcher at github.

We may need it some day, so added the line to the Whonix profile.


#629

A new one. Related: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805074
https://github.com/troubadoour/apparmor-profile-icedove/commit/9ff1964edc96feac948bad6e65a36b8b8eaa4d1c


#630

Most likely related to the above.


#631

Are you sure https://github.com/troubadoour/apparmor-profile-anondist/commit/659bb0b30105fe390b6dd3f3ad83ec140517eded is required?

Shouldn’t /etc/apparmor.d/tunables/home.d/anondist prevent need for that?

alias /etc/timezone -> /etc/timezone.anondist,
alias /etc/timezone -> /etc/timezone.anondist-orig,

( https://github.com/troubadoour/apparmor-profile-anondist/blob/ad9af43077e907e5c68e8f2508392e1c74663d06/etc/apparmor.d/tunables/home.d/anondist#L48 )


#632

Or thinking about this differently… Please revert https://github.com/troubadoour/apparmor-profile-anondist/commit/659bb0b30105fe390b6dd3f3ad83ec140517eded and add /etc/timezone r, to apparmor-profile-icedove instead please.


#633

Two icedove denied messages. Happening when you try to store a file in Qubes-Whonix inside the ~/Downloads folder.

Dec 10 13:30:11 host kernel: [49430.266714] audit: type=1400 audit(1449754211.436:23): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/home/user/" pid=20708 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000


Dec 10 13:30:14 host kernel: [49433.517170] audit: type=1400 audit(1449754214.687:24): apparmor="DENIED" operation="mkdir" profile="/usr/lib/icedove/icedove" name="/home/user/.config/gtk-2.0/" pid=3337 comm="icedove" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
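
The two denials quoted in the post above, turned into candidate profile rules in the way a log-review helper would. This is an added example, not part of the original post or of the Whonix profiles; the function names `parse_denials` and `suggest_rules` are made up here, and the rules it returns are a starting point for manual review.

```python
import re
from collections import defaultdict

# The two audit records quoted in the post above, copied verbatim.
SAMPLE_LOG = """\
Dec 10 13:30:11 host kernel: [49430.266714] audit: type=1400 audit(1449754211.436:23): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/home/user/" pid=20708 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Dec 10 13:30:14 host kernel: [49433.517170] audit: type=1400 audit(1449754214.687:24): apparmor="DENIED" operation="mkdir" profile="/usr/lib/icedove/icedove" name="/home/user/.config/gtk-2.0/" pid=3337 comm="icedove" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit mask letter -> profile permission; create (c) and delete (d) are both
# granted by "w". "x" is omitted: the exec mode (ix, Px, ...) is a human call.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}

def parse_denials(log_text):
    """Yield a dict of key/value fields for each AppArmor DENIED record."""
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = {}
        for key, quoted, bare in (m.groups() for m in KV.finditer(line)):
            if key == "name" and quoted is None:
                # An unquoted name is hex-encoded (the path had spaces etc.).
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            rec[key] = bare if quoted is None else quoted
        yield rec

def suggest_rules(log_text):
    """Return {profile: [candidate file rules]} for manual review."""
    perms = defaultdict(set)
    for rec in parse_denials(log_text):
        if not {"profile", "name", "denied_mask"} <= rec.keys():
            continue  # not a file denial (capability, network, ...)
        owner = "fsuid" in rec and rec["fsuid"] == rec.get("ouid")
        for letter in rec["denied_mask"]:
            if letter in MASK_TO_PERM:
                key = (rec["profile"], owner, rec["name"])
                perms[key].add(MASK_TO_PERM[letter])
    rules = defaultdict(list)
    for (profile, owner, path), letters in sorted(perms.items()):
        if "w" in letters:
            letters = letters - {"a"}  # "w" and "a" cannot share one rule
        if re.search(r"\s", path):
            path = '"%s"' % path  # paths with whitespace must be quoted
        rule = "%s%s %s," % ("owner " if owner else "", path, "".join(sorted(letters)))
        rules[profile].append(rule)
    return dict(rules)
```

For the two records above, `suggest_rules(SAMPLE_LOG)` yields `owner /home/user/ r,` and `owner /home/user/.config/gtk-2.0/ w,` under the icedove profile; the `owner` qualifier is used because `fsuid` equals `ouid` in both records.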

#634

This is now a bug.

Opening links from iceweasel in Tor Browser no longer works because we deprecated the /usr/bin/torbrowser AppArmor profile. Any idea how to fix it?


#635

Yes, we run /usr/bin/torbrowser unconfined. Tor Browser is still enforced.


#636

Merged.


#637

Minor.


#638

#639

Merged.


#640

systemd AppArmorProfile= directive unavailable leads to not loading AppArmor profile on Debian jessie: