Whonix AppArmor Profiles Development Discussion





fix tor-controlport-filter AppArmor profile



Any changes from

required in https://github.com/Whonix/apparmor-profile-torbrowser/blob/master/etc/apparmor.d/home.tor-browser.firefox?


Anything we should apply to https://github.com/Whonix/apparmor-profile-torbrowser as well?




Post here as a record


Following the last post from @iry and the issue regarding /etc/torrc.d, an update to apparmor-profile-whonixcheck, including /usr/local/etc/apparmor.d just in case.

After cloning my repository from GitHub, I fetched and merged https://github.com/Whonix/apparmor-profile-whonixcheck, which is out of date. So I copied the installed profile in the package folder and then made the changes, hence the two commits.


apparmor-profile-whonixcheck no longer exists. We integrated it into whonixcheck. (Please merge Whonix master.)


That explains.

The same change in whonixcheck.

After installing the profile, whonixcheck does not complain after running anon-connection-wizard.


Merged. :slight_smile:

Are you sure the following is required?

/etc/ r,
/etc/torrc.d/ r,
/usr/local/etc/torrc.d/ r,

I speculate the following alone would do?

/etc/torrc.d/* rw,
/usr/local/etc/torrc.d/* rw,

Wondering because we had /etc/tor/** r, without /etc/ r, and it always worked.


From experience, I prefer to add ,r to the folder we are allowing reads in before giving the required permissions to the files. I have been stuck too many times because of this missing line, and I would recommend applying that rule as a standard.


Hi @troubadour!

I am not an expert so please correct me if I am wrong.

My understanding is that AppArmor is all about giving an application only the minimal permissions it needs? If my understanding is correct, then having /etc/ r, may be too permissive?


/etc/ r, seems to be essential sometimes. :slight_smile:


Yes. I was a little quick in my reply. Actually we do not need the line /etc/ r,. I will amend.




Merged. :slight_smile:
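
The question settled above (directory rules versus file globs) can be checked with a small matcher. This is an added example, not code from the thread or from Whonix: it models only literal paths, `*` and `**` in AppArmor file rules, and the function names, the `.conf` file name and the sample accesses are constructed for illustration.

```python
import re

def aa_regex(pattern):
    """Simplified model of AppArmor path globs: literals, '*' and '**' only."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] != "*":
            out.append(re.escape(pattern[i]))
            i += 1
            continue
        j = i
        while j < len(pattern) and pattern[j] == "*":
            j += 1
        # A glob that forms a whole path component must match at least one
        # character, so "/dir/*" never matches the directory "/dir/" itself.
        if i > 0 and pattern[i - 1] == "/" and (j == len(pattern) or pattern[j] == "/"):
            out.append("[^/]")
        out.append(".*" if j - i >= 2 else "[^/]*")  # '**' crosses '/', '*' does not
        i = j
    return re.compile("".join(out) + r"\Z", re.DOTALL)

def allowed(rules, path, perm):
    """True if some (pattern, perms) rule grants perm on path.
    Directories carry a trailing slash, as they do in AppArmor rules."""
    return any(perm in perms and aa_regex(pat).match(path) for pat, perms in rules)

# Rules quoted in the thread.
FILE_RULES = [("/etc/torrc.d/*", "rw"), ("/usr/local/etc/torrc.d/*", "rw")]
DIR_RULES = [("/etc/torrc.d/", "r"), ("/usr/local/etc/torrc.d/", "r")]
ETC_RULE = [("/etc/", "r")]

# Constructed accesses; the .conf file name is hypothetical.
ACCESSES = [
    ("/etc/torrc.d/40_example.conf", "w"),  # edit a drop-in file
    ("/etc/torrc.d/", "r"),                 # list the drop-in directory
    ("/etc/", "r"),                         # list /etc itself
    ("/etc/passwd", "r"),                   # unrelated file under /etc
]

def compare():
    """Map each rule set name to the list of accesses it allows."""
    sets = {"files": FILE_RULES, "files+dirs": FILE_RULES + DIR_RULES,
            "files+dirs+etc": FILE_RULES + DIR_RULES + ETC_RULE}
    return {name: [a for a in ACCESSES if allowed(rules, *a)]
            for name, rules in sets.items()}

if __name__ == "__main__":
    for name, ok in compare().items():
        print(name, "->", ok)
```

In this model the file globs alone cover reading and writing the drop-in files, the `torrc.d/` directory rules add only listing of those directories, and `/etc/ r,` adds only a listing of `/etc/` without granting access to any file under it.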