Whonix AppArmor Profiles Development Discussion

Patrick · March 15, 2016, 1:15am

Patrick · March 22, 2016, 10:39am

https://github.com/Whonix/whonixcheck/commit/c93a264d47e67eeace9fc657ff6e52ef492ac5ff
https://github.com/Whonix/whonixcheck/commit/971260573446e73d288424df06a39e076d590724
https://github.com/Whonix/whonixcheck/commit/e49e3157b2a2aa17c293b441a405034eb43dcfab

Patrick · June 27, 2016, 2:47pm

https://github.com/Whonix/whonixcheck/commit/983a0ede85fff4d43789362aa57118c523317bea

Patrick · December 24, 2016, 6:54pm

fix tor-controlport-filter AppArmor profile
https://phabricator.whonix.org/T587

Patrick · January 15, 2017, 6:50am

Patrick · June 23, 2017, 2:30pm

Any changes from

github.com/micahflee/torbrowser-launcher

Apparmor: adjust profile for Tor Browser 7.0.1, support multiprocess Firefox, and various small maintenance changes

micahflee:master ← intrigeri:apparmor-tb-7

opened 04:06PM - 16 Jun 17 UTC

intrigeri

+16 -3

Here, I'm doing a first update & cleanup so I have a good starting point to work… on sandboxing Tor Browser's content renderer processes more strictly: with this branch, we confine these processes in exactly the same way as the parent Firefox process. I'm pretty sure they could be confined much more strictly, without impacting UX whatsoever. And while we're at it, maybe some permissions we currently grant to the parent Firefox process are not needed anymore, as it does less work.

required in apparmor-profile-torbrowser/home.tor-browser.firefox at master · Kicksecure/apparmor-profile-torbrowser · GitHub?

Patrick · June 23, 2017, 4:06pm

Anything we should apply to GitHub - Kicksecure/apparmor-profile-torbrowser: AppArmor profile for The Tor Browser Bundle (TBB) - https://www.whonix.org/wiki/AppArmor - for better security (hardening). as well?

Patrick · September 27, 2017, 12:10pm

github.com/micahflee/torbrowser-launcher

AppArmor: silence the logs by explicitly denying access to a few forbidden directories

micahflee:master ← intrigeri:silence-tor-browser-apparmor-logs

opened 06:27AM - 26 Sep 17 UTC

intrigeri

+4 -0

Hi! Tor Browser will always check for these directories and fail, meanwhile n…eedlessly spamming the journal with audit log entries. These changes were prepared by my Tails colleague anonym, and I hereby sign off them. I've not verified that they fix anything in regular torbrowser-launcher installations (i.e. outside of Tails) but worst case I think they're just useless, harmless, and help us keep our delta with the upstream profile as small as possible.

Patrick · November 5, 2017, 4:26pm

iry · December 30, 2017, 12:17pm

Post here as a record

https://github.com/Whonix/anon-gw-anonymizer-config/pull/7

troubadour · January 1, 2018, 12:11am

Following the last post from @iry and the issue regarding /etc/torrc.d, an update to apparmor-profile-whonixcheck, including /usr/local/etc/apparmor.d just in case.

Note.
After cloning my repository from github, I fetched and merged https://github.com/Whonix/apparmor-profile-whonixcheck, which is out of date. So I copied the installed profile in the package folder and then made the changes, hence the two commits.

Patrick · January 1, 2018, 1:39pm

apparmor-profile-whonixcheck does no longer exist. We integrated it into whonixcheck. (Please merge Whonix master please.)

troubadour · January 1, 2018, 7:59pm

That explains.

The same change in whonixcheck.

After installing the profile, whonixcheck does not complain after running anon-connection-wizard.

Patrick · January 2, 2018, 9:16am

Merged.

Are you sure the following is required?

/etc/ r,
/etc/torrc.d/ r,
/usr/local/etc/torrc.d/ r,

I speculate the following alone would do?

/etc/torrc.d/* rw,
/usr/local/etc/torrc.d/* rw,

Wondering because we had /etc/tor/** r, without /etc/ r, and it always worked.

troubadour · January 2, 2018, 8:00pm

By experience, I do prefer to add ,r to the folder we are allowing to read in before giving the required permissions to the files. I have been stuck too many times because of this missing line, and I would recommend to apply that rule as a standard.

iry · January 3, 2018, 7:34pm

Hi @troubadour!

I am not an expert so please correct me if I am wrong.

My understand is that AppArmor is all about giving the minimal permissions to an application as it needs? If my understanding is correct, then having /etc/ r, may be too permissive?

iry · January 3, 2018, 7:41pm

/etc/ r, seems to be essential sometimes.

troubadour · January 3, 2018, 7:41pm

Yes. I was a little quick in my reply. Actually we do not need the line /etc/ r,. I will amend.

troubadour · January 3, 2018, 9:45pm

Done.

Patrick · January 4, 2018, 7:42pm

Merged.