Whonix AppArmor Profiles Development Discussion

I am currently testing them. Works well for now. Will report back eventual issues, of course, as always. :slight_smile:

Made some minor changes in the Documentation main page.

New denied message:

Mar 26 19:13:45 host kernel: [77250.859145] type=1400 audit(1395861225.983:44): apparmor="DENIED" operation="mknod" parent=27238 profile="/usr/bin/sdwdate" name="/var/cache/apt/pkgcache.bin.Wr251O" pid=27239 comm="apt-get.whonix-" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Mar 26 19:13:56 host kernel: [77260.936291] type=1400 audit(1395861236.063:45): apparmor="DENIED" operation="mknod" parent=27306 profile="/usr/bin/sdwdate" name="/var/cache/apt/pkgcache.bin.NTzdad" pid=27307 comm="apt-get.whonix-" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Background: Why is this? timesync_prerequisite checks using /usr/lib/whonix/whonixcheck/apt-get-update-simulate if a package manager is currently running and waits until the package manager is done. Otherwise sdwdate may run on Whonix-Gateway while Tor is being upgraded and may therefore fail (and would report this to the user). To avoid this confusion, it checks that no package manager is currently running.

The profile is updated.

Thank you for the background. It’s quite interesting, not only technically, but also because it shows that a profile has to be used for a long period before it can be declared fully bulletproof. And even…

Yeah. New denied message.

Yeah. New denied message.

Yeah… :slight_smile: That’s something I have encountered before. I do not remember what I was trying then. I’ll modify the profile.

I have added XChat. There is one restriction (the same applies to Pidgin). Do not try to directly open a link in the Tor browser, as it would require to apparmor the whole browser inside the chat profile. Just “Copy link location” and paste it in the browser’s navigation toolbar. I had a quick try creating a tailored local TBB profile included in Pidgin and XChat, without any luck so far.

I am testing the XChat profile. Getting some denied messages.

Mar 26 22:27:43 host kernel: [ 539.347990] type=1400 audit(1395872863.276:78): apparmor="DENIED" operation="open" parent=5094 profile="/usr/bin/xchat" name="/home/user/.kde/share/config/gtkrc-2.0" pid=8013 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar 26 22:27:43 host kernel: [ 539.365469] type=1400 audit(1395872863.296:79): apparmor="DENIED" operation="open" parent=5094 profile="/usr/bin/xchat" name="/usr/share/fontconfig/conf.avail/10-scale-bitmap-fonts.conf" pid=8013 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 22:27:43 host kernel: [ 539.365783] type=1400 audit(1395872863.296:80): apparmor="DENIED" operation="open" parent=5094 profile="/usr/bin/xchat" name="/usr/share/fontconfig/conf.avail/20-unhint-small-vera.conf" pid=8013 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 22:27:43 host kernel: [ 539.365796] type=1400 audit(1395872863.296:81): apparmor="DENIED" operation="open" parent=5094 profile="/usr/bin/xchat" name="/usr/share/fontconfig/conf.avail/30-metric-aliases.conf" pid=8013 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 22:27:43 host kernel: [ 539.365807] type=1400 audit(1395872863.296:82): apparmor="DENIED" operation="open" parent=5094 profile="/usr/bin/xchat" name="/usr/share/fontconfig/conf.avail/30-urw-aliases.conf" pid=8013 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 22:27:43 host kernel: [ 539.365818] type=1400 audit(1395872863.296:83): apparmor="DENIED" operation="open" parent=5094 profile="/usr/bin/xchat" name="/usr/share/fontconfig/conf.avail/40-nonlatin.conf" pid=8013 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 22:27:43 host kernel: [ 539.365836] type=1400 audit(1395872863.296:84): apparmor="DENIED" operation="open" parent=5094 profile="/usr/bin/xchat" name="/usr/share/fontconfig/conf.avail/45-latin.conf" pid=8013 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 22:27:43 host kernel: [ 539.365848] type=1400 audit(1395872863.296:85): apparmor="DENIED" operation="open" parent=5094 profile="/usr/bin/xchat" name="/usr/share/fontconfig/conf.avail/49-sansserif.conf" pid=8013 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 22:27:43 host kernel: [ 539.365859] type=1400 audit(1395872863.296:86): apparmor="DENIED" operation="open" parent=5094 profile="/usr/bin/xchat" name="/usr/share/fontconfig/conf.avail/50-user.conf" pid=8013 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 22:27:43 host kernel: [ 539.365870] type=1400 audit(1395872863.296:87): apparmor="DENIED" operation="open" parent=5094 profile="/usr/bin/xchat" name="/usr/share/fontconfig/conf.avail/51-local.conf" pid=8013 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I have added XChat. There is one restriction (the same applies to Pidgin). Do not try to directly open a link in the Tor browser, as it would require to apparmor the whole browser inside the chat profile.
Isn't there a feature such as "start X confined with the default profile that we already have for X"?
Just "Copy link location" and paste it in the browser's navigation toolbar.
That will work as a workaround.

I have an idea. Not sure if it is sane. Can you check out /etc/apparmor.d/whonix please? For convenience, I copied it in here.

[code]## This file is part of Whonix.
## Copyright (C) 2012 - 2014 Patrick Schleizer adrelanos@riseup.net
## See the file COPYING for copying conditions.

## Whonix AppArmor Profile
## Workaround for: config-package-dev clashes with AppArmor profiles
## https://github.com/Whonix/Whonix/issues/66

/* {
  /etc/hosts.whonix r,
  /etc/resolv.conf.whonix r,
}

## End of Whonix AppArmor Profile
[/code]

(You know that, for everyone else…) It basically means, “all applications are allowed to read /etc/hosts.whonix and /etc/resolv.conf.whonix”. This is only Whonix specific.

Now, when looking at AppArmor, I see it is using:

#include <abstractions/whonix>

This makes it more difficult for Debian / Ubuntu / others to use the profile as well. I think we are best off if as many users as possible can use these profiles. “include abstractions/whonix” looks like “Whonix specific, not a general profile, moving along”. They won’t like to use the “include abstractions/whonix”, since they don’t need it. Wouldn’t they and we be better off if they wouldn’t need to fork the profile and wouldn’t need to remove “include abstractions/whonix”?

My idea is to remove “#include <abstractions/whonix>” from the profiles such as AppArmor, to add contents of https://www.whonix.org/wiki/AppArmor/abstractions/whonix to /etc/apparmor.d/whonix. Would that be sane? What do you think?

In https://www.whonix.org/wiki/AppArmor/abstractions/whonix, why do we allow write access to /usr/share/whonix/kde/share/config/kdeglobals?

While testing with /etc/apparmor.d/whonix, I had a slight issue (just completely crashed the workstation…). Fortunately, I had a relatively not too old snapshot. The time to get back in business, I’ll come with replies and perhaps a new plan proposal.

I got a denied message, which stops Tor Browser from starting. (Happens when trying to start the start-tor-browser script.)

I have updated the TBB and XChat profiles after the reports in your last messages.

I got a denied message, which stops Tor Browser from starting. (Happens when trying to start the start-tor-browser script.)

Mar 30 06:34:45 host kernel: [115786.149469] type=1400 audit(1396161285.419:65): apparmor="DENIED" operation="mkdir" parent=3069 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/tor-browser_en-US/.gnome2/accels/" pid=3082 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

As it is specific to your installation, I have added two lines in the local profile. I have a problem with the ‘c’ mask on its own. I have set ‘rwk’, I believe it has worked before. Can you please retest it?
There is an apparmor IRC meeting on the 08/04. I’ll try to be there in the hope to clarify a few points.

In https://www.whonix.org/wiki/AppArmor/abstractions/whonix, why do we allow write access to /usr/share/whonix/kde/share/config/kdeglobals?

No apparent reason, except that the file has read/write permissions. I have tested with read access only. OK, abstractions/whonix is modified accordingly. There are a few other permissions that have to be checked and probably modified (log files mostly).

I really don’t know what happened. My “relatively not too old snapshot” was not working, I had to reinstall everything. I have made a couple of snapshots after the reinstallation, and there really is a problem, because they are declared corrupted when I try to start them.

The crash is not necessarily due to the whonix profile, although with hindsight, I may have made some too daring changes in order to get it working. I am on another work for now, but before I test it again, I want to check a reliable backup of the Whonix workstation (the whole workstation VM directory plus ‘~/.virtualbox’ should work).

I got a few more XChat denied messages.

Mar 31 21:15:26 host kernel: [ 9008.701608] audit_printk_skb: 9 callbacks suppressed
Mar 31 21:15:26 host kernel: [ 9008.701613] type=1400 audit(1396300526.191:79): apparmor="DENIED" operation="open" parent=5785 profile="/usr/bin/xchat" name="/home/user/.kde/share/config/gtkrc-2.0" pid=3906 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar 31 21:15:26 host kernel: [ 9008.718520] type=1400 audit(1396300526.207:80): apparmor="DENIED" operation="open" parent=5785 profile="/usr/bin/xchat" name="/usr/share/poppler/cMap/Adobe-CNS1/" pid=3906 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 31 21:15:26 host kernel: [ 9008.718539] type=1400 audit(1396300526.207:81): apparmor="DENIED" operation="open" parent=5785 profile="/usr/bin/xchat" name="/usr/share/poppler/cMap/Adobe-GB1/" pid=3906 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 31 21:15:26 host kernel: [ 9008.718556] type=1400 audit(1396300526.207:82): apparmor="DENIED" operation="open" parent=5785 profile="/usr/bin/xchat" name="/usr/share/poppler/cMap/Adobe-Japan2/" pid=3906 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 31 21:15:26 host kernel: [ 9008.718572] type=1400 audit(1396300526.207:83): apparmor="DENIED" operation="open" parent=5785 profile="/usr/bin/xchat" name="/usr/share/poppler/cMap/Adobe-Japan1/" pid=3906 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 31 21:15:26 host kernel: [ 9008.718588] type=1400 audit(1396300526.207:84): apparmor="DENIED" operation="open" parent=5785 profile="/usr/bin/xchat" name="/usr/share/poppler/cMap/Adobe-Korea1/" pid=3906 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 31 21:15:26 host kernel: [ 9008.837980] type=1400 audit(1396300526.327:85): apparmor="DENIED" operation="file_mmap" parent=5785 profile="/usr/bin/xchat" name="/usr/lib/xchat/plugins/perl.so" pid=3906 comm="xchat" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
Mar 31 21:15:26 host kernel: [ 9008.848078] type=1400 audit(1396300526.339:86): apparmor="DENIED" operation="open" parent=3906 profile="/usr/bin/xchat" name="/etc/host.conf" pid=3907 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 31 21:15:26 host kernel: [ 9008.849798] type=1400 audit(1396300526.339:87): apparmor="DENIED" operation="open" parent=3906 profile="/usr/bin/xchat" name="/etc/gai.conf" pid=3907 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 31 21:15:26 host kernel: [ 9008.864755] type=1400 audit(1396300526.355:88): apparmor="DENIED" operation="open" parent=3906 profile="/usr/bin/xchat" name="/etc/host.conf" pid=3908 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
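The recurring work in this thread (the sdwdate mknod denials, the XChat font and poppler denials above, the firefox mkdir with the puzzling 'c' mask) is turning kernel `apparmor="DENIED"` records into candidate profile rules. The script below is an added example written for this page, not Whonix code and not a replacement for aa-logprof: it splits records even when several were pasted onto one line, maps audit mask letters to profile permission letters ('c' and 'd' have no profile equivalent and are covered by 'w'; 'm' is paired with 'r'), and groups the resulting rules per confined profile. The sample records are copied from the posts in this thread; the permission ordering and the 'mr' pairing are conventions, not something the thread states.

```python
import re
from collections import defaultdict

# Sample input, copied from the posts in this thread. The first line deliberately carries
# two records pasted together, as the forum rendered them.
SAMPLE_LOG = """\
Mar 26 19:13:45 host kernel: [77250.859145] type=1400 audit(1395861225.983:44): apparmor="DENIED" operation="mknod" parent=27238 profile="/usr/bin/sdwdate" name="/var/cache/apt/pkgcache.bin.Wr251O" pid=27239 comm="apt-get.whonix-" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 Mar 26 22:27:43 host kernel: [ 539.347990] type=1400 audit(1395872863.276:78): apparmor="DENIED" operation="open" parent=5094 profile="/usr/bin/xchat" name="/home/user/.kde/share/config/gtkrc-2.0" pid=8013 comm="xchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar 31 21:15:26 host kernel: [ 9008.701608] audit_printk_skb: 9 callbacks suppressed
Mar 31 21:15:26 host kernel: [ 9008.837980] type=1400 audit(1396300526.327:85): apparmor="DENIED" operation="file_mmap" parent=5785 profile="/usr/bin/xchat" name="/usr/lib/xchat/plugins/perl.so" pid=3906 comm="xchat" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
Mar 30 06:34:45 host kernel: [115786.149469] type=1400 audit(1396161285.419:65): apparmor="DENIED" operation="mkdir" parent=3069 profile="/home/user/tor-browser_en-US/Browser/firefox" name="/home/user/tor-browser_en-US/.gnome2/accels/" pid=3082 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

# One record = everything from an apparmor="DENIED" marker up to the next marker (or the end),
# so records that were pasted onto a single line are still separated correctly.
RECORD_RE = re.compile(r'apparmor="DENIED"(.*?)(?=apparmor="|$)', re.S)
# key=value pairs inside a record; values are either "quoted" or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_ORDER = "mrwakl"  # order used when printing rules: "mr", "rw", "rwk"


def parse_denials(text):
    """Return one dict per DENIED record (operation, profile, name, denied_mask, comm, ...).
    Lines without a DENIED marker, e.g. 'audit_printk_skb: N callbacks suppressed', are ignored."""
    records = []
    for match in RECORD_RE.finditer(text):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group(1))}
        if all(k in fields for k in ("operation", "profile", "name", "denied_mask")):
            records.append(fields)
    return records


def mask_to_perms(mask):
    """Translate an audit denied_mask into file-rule permission letters, or None when the
    denial is not a plain file access (exec masks need ix/px/ux rules, decided by hand).
    The audit log reports 'c' (create) and 'd' (delete); the profile language has neither,
    both are granted by 'w', which is why a mkdir denied with mask 'c' is fixed by a rule
    containing 'w'. 'm' (mmap) is emitted together with 'r', the pairing aa-logprof proposes."""
    perms = set()
    for ch in mask:
        if ch in "cd":
            perms.add("w")
        elif ch == "m":
            perms.update("mr")
        elif ch in "rwakl":
            perms.add(ch)
        else:
            return None
    return "".join(p for p in PERM_ORDER if p in perms)


def suggest_rules(records):
    """Group denials by confined profile; return {profile: sorted unique rule lines}.
    Paths are kept literal: generalising them (the random suffix of
    /var/cache/apt/pkgcache.bin.XXXXXX, for instance) is still the profile author's call."""
    rules = defaultdict(set)
    for rec in records:
        perms = mask_to_perms(rec["denied_mask"])
        if perms is None:
            rules[rec["profile"]].add(
                f"# review by hand: {rec['operation']} {rec['name']} denied_mask={rec['denied_mask']}")
        else:
            rules[rec["profile"]].add(f"{rec['name']} {perms},")
    return {profile: sorted(lines) for profile, lines in rules.items()}


def format_report(rules):
    """Render the suggestions as commented profile fragments for review before editing a profile."""
    out = []
    for profile, lines in sorted(rules.items()):
        out.append(f"# denials recorded for profile {profile}")
        out.extend(f"  {line}" for line in lines)
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(suggest_rules(parse_denials(SAMPLE_LOG))))
```

Feed it `dmesg` or `journalctl -k` output instead of `SAMPLE_LOG` and review the result; every suggested line grants exactly one literal path, so the rules always need a second look before they go into `/etc/apparmor.d/local/` or the profile itself.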

I am testing the new profiles.

No apparent reason, except that the file has read/write permissions.
Really? Not on my hdd, not in Whonix source code. That would be a bug. Not a big one, though. The user can create these files in /home/user and overwrite the defaults anyway.
The crash is not necessarily due to the whonix profile
I think so as well. I think there is a bug with VirtualBox snapshots. A very annoying one. Difficult to reproduce. I even thought about no longer recommending this feature.

It looks like when you are using snapshots and disk is full up, the snapshot will break beyond repair. Maybe that was your observation as well.

It looks like when you are using snapshots and disk is full up, the snapshot will break beyond repair. Maybe that was your observation as well.

Yes, that’s what I have observed, once too many now. The snapshot was completely broken, and I had to restart with a fresh installation. It seems to happen randomly, whatever the state of the disk. I think it would be a good idea to recommend against this feature.

I have edited the xchat profile with the messages you reported, plus a couple of my own that popped after the last re-installation of Whonix.

Also changed the last line (load the profile in the kernel) in all the pages from “sudo aa-enforce profile_name” to “sudo apparmor_parser -a profile_name”. It is more proper.

I’ve installed the mediawiki github extension:

It should allow getting input from https://github.com/Whonix/apparmor-profile-torbrowser/blob/master/home.user.tor-browser_en-US.Browser.firefox and to show it on a wiki page.

Testing it here:
https://www.whonix.org/wiki/T

I am still struggling with how to correctly format it.

Maybe this can be useful?

I was going to test the updated XChat profile. Seems like apparmor_parser -a doesn’t work so well.

~ $ sudo apparmor_parser -a /etc/apparmor.d/usr.bin.xchat
apparmor_parser: Unable to add "/usr/bin/xchat". Profile already exists

I got some more XChat denied messages. You can reproduce them by using the sasl plugin.

Please check if adding…

/usr/share/perl*/** mr,
/usr/lib/perl*/** mr,
…would be sane.

I was going to test the updated XChat profile. Seems like apparmor_parser -a doesn't work so well.

Yes, my mistake. The -a switch is used to load the profile in the kernel for the first time. It should read “sudo apparmor_parser -r” to replace the profile. I’ll edit the wiki pages.
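The "Profile already exists" failure above and the correction to `-r` come down to one question: does the kernel already have a profile of that name? The kernel answers it in `/sys/kernel/security/apparmor/profiles`, one `name (mode)` line per loaded profile. The following is an added example for this page (not Whonix or AppArmor project code) that reads that list and picks `-a` for a profile not yet loaded and `-r` for one that is; the profile list embedded in it is a constructed stand-in so the logic runs without root, and the `/etc/apparmor.d/usr.bin.pidgin` path is an assumed file name.

```python
import subprocess
from pathlib import Path

# The kernel's list of loaded profiles: one "name (mode)" per line.
PROFILES_LIST = Path("/sys/kernel/security/apparmor/profiles")

# Constructed stand-in for that list, so the decision logic can be exercised without AppArmor.
SAMPLE_PROFILES = """\
/usr/bin/xchat (enforce)
/usr/bin/sdwdate (enforce)
/home/user/tor-browser_en-US/Browser/firefox (complain)
"""


def loaded_profiles(text):
    """Parse 'name (mode)' lines into {name: mode}; lines of any other shape are skipped."""
    loaded = {}
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(")") and " (" in line:
            name, mode = line.rsplit(" (", 1)
            loaded[name] = mode[:-1]
    return loaded


def parser_flag(profile_name, profiles_text):
    """-a (add) only succeeds for a profile the kernel does not know yet; once it is loaded
    the same call fails with 'Unable to add ... Profile already exists' and -r (replace)
    is the right switch."""
    return "-r" if profile_name in loaded_profiles(profiles_text) else "-a"


def load_command(profile_file, profile_name, profiles_text):
    """argv for apparmor_parser with the flag matching the kernel's current state."""
    return ["apparmor_parser", parser_flag(profile_name, profiles_text), str(profile_file)]


def load_profile(profile_file, profile_name):
    """Load or replace a profile on a live system (needs root and AppArmor; not run by the test)."""
    argv = load_command(profile_file, profile_name, PROFILES_LIST.read_text())
    return subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Hypothetical profile files; /etc/apparmor.d/usr.bin.pidgin is an assumed name.
    for prof_file, name in [("/etc/apparmor.d/usr.bin.xchat", "/usr/bin/xchat"),
                            ("/etc/apparmor.d/usr.bin.pidgin", "/usr/bin/pidgin")]:
        print(" ".join(load_command(prof_file, name, SAMPLE_PROFILES)))
```

The profile name passed in is the name inside the profile file (`/usr/bin/xchat`), not the file path under `/etc/apparmor.d/`; the two differ, which is why the error message above quotes `/usr/bin/xchat` while the command named `usr.bin.xchat`.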