
Whonix AppArmor Profiles Development Discussion


#641

#642




#643

#644

fix tor-controlport-filter AppArmor profile
https://phabricator.whonix.org/T587


#645

#646

Any changes from

required in https://github.com/Whonix/apparmor-profile-torbrowser/blob/master/etc/apparmor.d/home.tor-browser.firefox?


#647

Anything we should apply to https://github.com/Whonix/apparmor-profile-torbrowser as well?


#648

#649

#650

Post here as a record


#651

Following the last post from @iry and the issue regarding /etc/torrc.d, an update to apparmor-profile-whonixcheck, including /usr/local/etc/apparmor.d just in case.

Note.
After cloning my repository from github, I fetched and merged https://github.com/Whonix/apparmor-profile-whonixcheck, which is out of date. So I copied the installed profile in the package folder and then made the changes, hence the two commits.


#652

apparmor-profile-whonixcheck no longer exists. We integrated it into whonixcheck. (Please merge Whonix master.)


#653

That explains.

The same change in whonixcheck.

After installing the profile, whonixcheck does not complain after running anon-connection-wizard.


#654

Merged. :slight_smile:

Are you sure the following is required?

/etc/ r,
/etc/torrc.d/ r,
/usr/local/etc/torrc.d/ r,

I speculate the following alone would do?

/etc/torrc.d/* rw,
/usr/local/etc/torrc.d/* rw,

Wondering because we had /etc/tor/** r, without /etc/ r, and it always worked.


#655

From experience, I do prefer to add ,r to the folder we are allowing to read in before giving the required permissions to the files. I have been stuck too many times because of this missing line, and I would recommend applying that rule as a standard.


#656

Hi @troubadour!

I am not an expert so please correct me if I am wrong.

My understanding is that AppArmor is all about giving the minimal permissions to an application as it needs? If my understanding is correct, then having /etc/ r, may be too permissive?


#657

/etc/ r, seems to be essential sometimes. :slight_smile:


#658

Yes. I was a little quick in my reply. Actually we do not need the line /etc/ r,. I will amend.


#659

Done.


#660

Merged. :slight_smile:
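
The rule scopes debated in posts #654 to #658, as an added example that is not part of the thread or of Whonix's profiles: a simplified Python model of AppArmor path globbing (not apparmor_parser itself). It assumes that directories are matched only by rules ending in `/` and that `*` or `**` directly after a `/` do not match the empty string; the file name `50_user.conf` is constructed.

```python
import re

def aa_glob_to_regex(pattern):
    """Translate the glob subset used in this thread (*, **, ?) to a regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        after_slash = i > 0 and pattern[i - 1] == "/"
        if pattern.startswith("**", i):
            # ** crosses '/', but right after a '/' it must consume a character
            out.append("[^/].*" if after_slash else ".*")
            i += 2
            continue
        if ch == "*":
            # * stays inside one path component; as a whole component it is non-empty
            whole = after_slash and pattern[i + 1:i + 2] in ("", "/")
            out.append("[^/]+" if whole else "[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def parse_rules(text):
    """Parse 'PATH PERMS,' lines into (regex, set of permission letters)."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if line and not line.startswith("#"):
            path, perms = line.rsplit(None, 1)
            rules.append((aa_glob_to_regex(path), set(perms)))
    return rules

def allowed(rules, path, perm):
    """Directories are passed with a trailing slash, files without."""
    return any(perm in perms and rx.fullmatch(path) for rx, perms in rules)

# Rule lines quoted in the thread; the file name below is constructed.
DIR_RULES = "/etc/ r,\n/etc/torrc.d/ r,\n/usr/local/etc/torrc.d/ r,"
FILE_RULES = "/etc/torrc.d/* rw,\n/usr/local/etc/torrc.d/* rw,"
CHECKS = [("/etc/", "r"), ("/etc/passwd", "r"), ("/etc/torrc.d/", "r"),
          ("/etc/torrc.d/50_user.conf", "r"), ("/etc/torrc.d/50_user.conf", "w")]

if __name__ == "__main__":
    for name, text in [("files only", FILE_RULES),
                       ("dirs + files", DIR_RULES + "\n" + FILE_RULES)]:
        rules = parse_rules(text)
        print(name, {f"{p} {m}": allowed(rules, p, m) for p, m in CHECKS})
```

In this model `/etc/ r,` only permits listing `/etc/` itself and grants nothing on files below it, while read and write access to the torrc.d files comes from the `*` rules alone.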