Whonix AppArmor Profiles Development Discussion

Patrick · June 13, 2022, 11:10am

Patrick · June 13, 2022, 11:21am

github.com/rustybird/qubes-app-split-browser

Whonix and AppArmor

opened 04:19PM - 10 Sep 21 UTC

Getting bookmarks to work in Tor Browser in Whonix with AppArmor enabled (follow…ing instructions from [here](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Qubes/AppArmor)<sup>[clearnet](https://www.whonix.org/wiki/Qubes/AppArmor)</sup>) required some changes to [these](https://github.com/Whonix/apparmor-profile-torbrowser/blob/master/etc/apparmor.d/home.tor-browser.firefox) rules. I added the following to /etc/apparmor.d/local/home.tor-browser.firefox ``` /usr/share/split-browser-disp/firefox/sb-load.js r, /run/split-browser-disp/into-firefox rw, /run/split-browser-disp/from-firefox rw, ``` Is this something that could be supplied with the package (either this one or upstream) and do these rules seem sensible? I did not try other features of split-browser other than saving and opening bookmarks.

Patrick · June 13, 2022, 11:22am

Now merged.

0x1f · June 27, 2022, 10:08pm

I am going to give this a try, will report if i encounter any problem

0x1f · June 28, 2022, 9:12pm

So far, absolutely no problems! everything works as expected

Patrick · June 29, 2022, 7:38am

Thanks for everyone who has been testing this!

As a result, the next security improvement install apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure by default could be moved forward.

Patrick · June 29, 2022, 7:51am

Patrick · June 29, 2022, 7:59am

Old:

Previously the Enabling instructions only mentioned one example for one profile only:

sudo cp /usr/share/apparmor/extra-profiles/bin.netstat /etc/apparmor.d
sudo aa-enforce /etc/apparmor.d/bin.netstat

New:

The Enabling instructions have been edited by me just now.

Option B) Copy all profiles.

sudo cp /usr/share/apparmor/extra-profiles/* /etc/apparmor.d

Option B) Enable all profiles.

sudo aa-enforce /etc/apparmor.d/*

Patrick · June 29, 2022, 8:00am

Call for Testers

Did anyone test command…?

sudo cp /usr/share/apparmor/extra-profiles/* /etc/apparmor.d

and / or

Did anyone test command…?

sudo aa-enforce /etc/apparmor.d/*

0x1f · June 29, 2022, 11:19am

did both, it loaded a lot of profiles but at the end it printed this error
/etc/apparmor.d/usr.sbin.anondate-get doesn't contain a valid profile (syntax error?)

Patrick · August 7, 2022, 7:16pm

That error is fixed in the stable repository.

Patrick · August 7, 2022, 7:17pm

Patrick · July 7, 2023, 9:32pm

2 posts were split to a new topic: apparmor-profile-torbrowser allows access to user home folder

Patrick · May 10, 2023, 12:37pm