Whonix in chroot

The chroot installation.
1- Gentoo hardened base system in chroot.
2- xorg-server on Gentoo.
3- Openbox, a small window manager, in Gentoo
4- Virtualbox in Gentoo (the difficult part).

Using.
1- Start a second display in the main OS, with Xnest (geometry 1024x768).
2- In chroot, launch Openbox in the second display.
3- Virtualbox starts in Openbox autostart.

The setup works, I am using it to post this. It would have to be fine tuned with SELinux and PaX. Now, I am not sure that I fully understand all the implications, about the kernel setup amongst other things.

Am I right saying that on top of virtualization, it could add two layers of isolation, with chroot and SELinux? Is that worth the effort?

About security, Virtualbox was built with PaX enabled, but there is an issue with ‘virtualbox.so’ saying “it will not work properly (or at all!)”. Well, it works. Searching.

Chroot is a very nice tool in the toolbox. Whonix’s build script makes use of chroot. For security, it’s difficult to say without being misquoted. For the build script, chroot is perfectly secure. But running an operating system inside chroot doesn’t add much (any?) security. You’re still using the system’s kernel.

Virtualization and kernel security modules (such as AppArmor/SELinux etc.) however complement each other. Having kernel security modules for the virtualizer on the host and all applications inside the VMs would be very much worth the effort. At least for the network facing applications.

For example using https://gitorious.org/tbb-apparmor in Whonix (and auditing that the profile is bulletproof) would be a considerable improvement of Whonix’s security.

I was suspecting the OS in chroot was using the system’s kernel (same output from ‘uname -a’). Then it looks like the only way to test a hardened kernel is to create a separate partition and install a minimal Debian release, running Whonix only.

I have installed Debian recently, with full disk encryption, so I’m afraid I will have to do it again, unencrypted this time.

SELinux looks hard to play with, it would be easier for me to patch the kernel with grsecurity/PaX and use Apparmor.

I would have two systems, one for my ‘normal’ browsing and mail, and the Whonix one, with Tor, my more private mail and IRC. By the way, with Whonix, to hide the fact that I am using Tor, I have a VPN plus a socks proxy in the gateway which acts as a kill switch, or a fail safe mechanism.

If I manage to complete the step upstream, I will definitely have a look at the tbb-apparmor in Whonix. For this, I may need much more assistance at the beginning.

Then it looks like the only way to test a hardened kernel is to create a separate partition and install a minimal Debian release, running Whonix only.
You can boot different kernels. Grub supports choosing the kernel at boot. And for experimenting I recommend using virtual machines, not your host operating system. When you have figured out how, just do the same on your host operating system.
I have installed Debian recently, with full disk encryption, so I'm afraid I will have to do it again, unencrypted this time.
I don't see why that should be necessary. Also you don't need a chroot just for creating a custom kernel.
If I manage to complete the step upstream
What do you mean? Contribute to Debian? Have the hardened kernel available for all Debian users from the usual Debian apt repository? That'd be awesome.
I will definitely have a look at the tbb-apparmor in Whonix. For this, I may need much more assistance at the beginning.
I don't have much AppArmor skills either.
You can boot different kernels. Grub supports choosing the kernel at boot. And for experimenting I recommend using virtual machines, not your host operating system. When you have figured out how, just do the same on your host operating system.
Let us say I install two kernels on the same partition. For experimenting with Whonix in a virtual machine, I would have to run VirtualBox inside KVM, or inside Virtualbox. It looks possible, but how realistic is it, in terms of performance, especially?
What do you mean? Contribute to Debian? Have the hardened kernel available for all Debian users from the usual Debian apt repository?
No way. I must have used the wrong words.
Let us say I install two kernels on the same partition. For experimenting with Whonix in a virtual machine, I would have to run VirtualBox inside KVM, or inside Virtualbox. It looks possible, but how realistic is it, in terms of performance, especially?
Why would you need to run a VM inside a VM to experiment with this? Well, it would work, but it's slow even on fast systems. Fortunately, I see no need for this.

Is build anonymity (Build Anonymity) important to you?

You could experiment with creating and booting hardened kernel on your host system. Unless you care about build anonymity. And you probably also don’t want to do this, because you’re afraid of bricking your host system, which is sane.

I’d suggest to install a usual Debian inside VirtualBox (or KVM or whatever) and do your experiments there. Make a snapshot while everything works and before operations you consider risky, which could brick the virtualized operating system. This isn’t mandatory, but it will be simple to revert back to a working state. In any case, if you’re following guides on how to create a hardened kernel, I guess there is a little chance of bricking your system anyway.

And if you care about build anonymity, you can just use a default Whonix-Workstation behind a default Whonix-Gateway. Perhaps snapshot your workstation. Any experiment with hardened kernels you do inside Whonix-Workstation will have build anonymity. And if you brick the virtual operating system, you just delete the VM and re-import. Or revert to a working snapshot. Everything you learn in the process will also work on Debian, since Whonix basically is Debian plus a few settings and scripts.

Kernel security modules are a different question. I don’t know about SELinux, but as for AppArmor I never managed to make my system unbootable by experimenting with AppArmor. Even if you added a VirtualBox/KVM/whatever AppArmor profile to autostart in enforce mode and made a mistake which renders the system inoperable, you could still start in recovery mode and deactivate the AppArmor profile. Or just have a separate boot menu (grub) entry where the kernel doesn’t load the kernel security module. Same most likely also goes for SELinux.

In any case, I see no reason to run VMs in VMs just for this. Learning/debugging these tools is always possible without breaking your system beyond recovery.

Thank you for the clarification. I thought that I had to install Whonix inside a virtualizer. Tried it, and it is really slow.

Finally, instead of experimenting with VirtualBox inside itself (started that, with a Debian VM), I have opted for a more drastic solution. I have created a new partition on the hard disk, installed a bare Debian (without desktop environment, server, system utilities or whatsoever), then Xfce4, TBB and VirtualBox with both Whonix guests.

I am starting from there. It should be comfortable for testing and I play directly with the host’s kernel. If the system breaks beyond recovery, it is quick to reinstall, as all the files are in the other partition, namely Debian ‘.iso’, TBB ‘.tar.xz’, VirtualBox ‘.deb’ and Whonix '.vmdk’s.

I managed to create a working AppArmor profile for VirtualBox. Along with the AppArmor documentation, or part of it, it was created mostly by trial and error, and with some inspiration from working profiles at Ubuntu. https://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/files/head:/ubuntu/12.10/

File ‘/etc/apparmor.d/usr.bin.VBox’.

[code]#include <tunables/global>

/usr/bin/VBox
{
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/fonts>
  #include <abstractions/audio>            ## not required by Whonix

  capability net_admin,
  capability net_raw,
  capability sys_ptrace,

  network inet raw,
  network inet stream,
  network inet6 stream,

  /home/*/.ICEauthority r,
  /home/*/.Xauthority r,
  /home/*/.config/** rw,                   ## tweak
  /home/*/.config/Trolltech.conf rk,
  /home/*/.local/** r,                     ## tweak
  "/home/*/VirtualBox VMs/**" rw,

  ## Some directories (themes, pixmap) denied, check again.
  ####################################
  /usr/share/icons* r,
  /usr/share/themes/** r,
  /usr/share/icons/** rk,
  /usr/share/mime/** r,
  /usr/share/pixmaps/** r,
  /usr/share/virtualbox/** r,
  ####################################

  ## So, the easy way.
  /usr/share/** rk,
  /usr/local/share/** r,

  /bin/dash ix,
  /bin/kmod ix,
  /bin/grep ix,
  /bin/uname ix,
  /bin/cat ix,
  /bin/gawk ix,
  /bin/ps rPUx,                            ## check
  /bin/rm rPUx,                            ## check
  /bin/rmdir rPUx,                         ## check
  /bin/open rPUx,                          ## check

  /usr/bin/whoami ix,
  /usr/bin/gawk ix,
  /usr/bin/mawk ix,
  /usr/bin/basename ix,
  /usr/bin/VBox rix,

  /usr/lib/virtualbox/** mrix,
  /usr/lib/virtualbox/VBoxXPCOMIPCD cux,   ## unconfined? check
  /usr/lib/x86_64-linux-gnu/pango/** m,

  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/resolv.conf r,

  /dev/vboxdrv rw,
  /dev/vboxdrvu rw,

  /proc/ r,
  /proc/cmdline r,
  /proc/*/cmdline r,
  /proc/modules r,
  /proc/*/modules r,
  /proc/net r,
  /proc/*/net/** r,

  /sys/devices/pci0000:00/** r,
  /sys/devices/virtual/** r,
  /sys/devices/system/cpu/** r,
  /sys/devices/LNXSYSTM:00/LNXSYBUS:00/** r,
  /sys/module/** r,                        ## tweak
  /sys/block/ r,
  /sys/class/** r,                         ## tweak
  /sys/class/virtual/** r,

  ## Authorisation for user: '/auth-for-userxxxx/database'.
  /run/gdm3/** r,
}
[/code]

The profile is loaded at boot in enforce mode. After starting VirtualBox:

[code]user@host:/etc/apparmor.d$ sudo aa-status
AppArmor available in kernel.
1 profiles are loaded.
1 profiles are in enforce mode.
   /usr/bin/VBox
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/bin/VBox (5596)
   /usr/bin/VBox (5613)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.[/code]

There was too much related and non related trouble with Debian testing, so I have installed wheezy with Xfce4 in my experimenting partition. It is working with VirtualBox-4.3. I plan to test again with jessie in a VM. I do not see a reason why it should not work.

Now, it should be audited (by whom?), but I believe that it provides a reasonable degree of confinement to VirtualBox, better than nothing at least. Now VirtualBox uses its own kernel, and there again, I do not understand all the implications. That the host has better protection against an attacker who manages to break through the virtualization layer is all I can gather. How big a security improvement is that?
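The profile above was built by trial and error from the “denied” messages AppArmor logs while VirtualBox runs. As an added example (not code from this thread, Whonix or the AppArmor project), here is the kind of helper that turns those audit lines into candidate rules, merging repeated denials of the same path, rewriting `/home/<user>/` into `owner @{HOME}/` and `/proc/<pid>/` into `@{PROC}/[0-9]*/`, and leaving every exec decision (ix, Px or Cx) to the human. The log lines in `SAMPLE_LOG` are constructed for the example, not captured from a real host; the field names are the ones the AppArmor LSM writes to audit.log/dmesg.

```python
"""Turn AppArmor "DENIED" audit messages into candidate profile rules.

Added example for this thread, not code from Whonix or the AppArmor
project. Assumptions: messages are in the key=value form the AppArmor
LSM writes to audit.log/dmesg; SAMPLE_LOG below is constructed, not a
capture from a real host.
"""
import re
from collections import defaultdict

# key="quoted value" or key=bareword, as written by the LSM.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Order in which AppArmor conventionally lists file permissions.
_MASK_ORDER = "rwmlk"


def parse_line(line):
    """Return the fields of one DENIED message, or None for anything else."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: q if q != "" else b for k, q, b in _KV.findall(line)}


def _generalize(path):
    """Rewrite a concrete path into profile idiom: per-user paths become
    'owner @{HOME}/...', per-process /proc entries lose the PID (a rule
    with a literal PID only ever matches that one process)."""
    m = re.match(r"^/home/[^/]+(/.*)?$", path)
    if m:
        return "owner ", "@{HOME}" + (m.group(1) or "/")
    m = re.match(r"^/proc/\d+(/.*)?$", path)
    if m:
        return "", "@{PROC}/[0-9]*" + (m.group(1) or "/")
    return "", path


def _quote(path):
    """Paths containing spaces must be double-quoted in a profile."""
    return '"%s"' % path if " " in path else path


def _file_mask(denied):
    """Map denied_mask letters onto rule letters: create, delete and
    append all need 'w'; 'x' is handled separately as an exec rule."""
    letters = {("w" if ch in "wcda" else ch)
               for ch in denied if ch in "wcda" + _MASK_ORDER}
    return "".join(ch for ch in _MASK_ORDER if ch in letters)


def suggest_rules(log_lines):
    """Aggregate denials per profile; return {profile: [rule, ...]} with
    the masks of repeated file denials merged into one rule."""
    files = defaultdict(set)   # (profile, prefix, path) -> mask letters
    execs = defaultdict(set)   # profile -> paths that needed exec
    other = defaultdict(set)   # profile -> capability/network rules
    for line in log_lines:
        f = parse_line(line)
        if f is None:
            continue
        prof = f.get("profile", "?")
        if f.get("operation") == "capable":
            other[prof].add("capability %s," % f["capname"])
        elif "family" in f:
            other[prof].add("network %s %s," % (f["family"], f["sock_type"]))
        elif "name" in f:
            prefix, path = _generalize(f["name"])
            denied = f.get("denied_mask", "")
            if "x" in denied:
                execs[prof].add(path)
            mask = _file_mask(denied)
            if mask:
                files[(prof, prefix, path)].update(mask)
    out = defaultdict(list)
    for (prof, prefix, path), mask in sorted(files.items()):
        merged = "".join(ch for ch in _MASK_ORDER if ch in mask)
        out[prof].append("%s%s %s," % (prefix, _quote(path), merged))
    for prof in sorted(execs):
        for path in sorted(execs[prof]):
            # ix is only a placeholder: decide ix/Px/Cx per binary, never ux.
            out[prof].append("%s ix,  ## exec: choose ix, Px or Cx" % _quote(path))
    for prof in sorted(other):
        out[prof].extend(sorted(other[prof]))
    return dict(out)


SAMPLE_LOG = [  # constructed for this example
    'type=AVC msg=audit(1392926544.101:401): apparmor="DENIED" operation="open" profile="/usr/bin/VBox" name="/home/user/VirtualBox VMs/Whonix-Gateway/Whonix-Gateway.vbox" pid=5596 comm="VirtualBox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'type=AVC msg=audit(1392926544.102:402): apparmor="DENIED" operation="open" profile="/usr/bin/VBox" name="/home/user/VirtualBox VMs/Whonix-Gateway/Whonix-Gateway.vbox" pid=5596 comm="VirtualBox" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000',
    'type=AVC msg=audit(1392926544.103:403): apparmor="DENIED" operation="open" profile="/usr/bin/VBox" name="/proc/5613/cmdline" pid=5596 comm="VirtualBox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'type=AVC msg=audit(1392926544.104:404): apparmor="DENIED" operation="exec" profile="/usr/bin/VBox" name="/bin/rm" pid=5620 comm="VBoxSVC" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1392926544.105:405): apparmor="DENIED" operation="capable" profile="/usr/bin/VBox" pid=5596 comm="VirtualBox" capability=13 capname="net_raw"',
    'type=AVC msg=audit(1392926544.106:406): apparmor="DENIED" operation="create" profile="/usr/bin/VBox" pid=5596 comm="VirtualBox" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"',
    'type=AVC msg=audit(1392926544.107:407): apparmor="STATUS" operation="profile_load" name="/usr/bin/VBox" pid=1 comm="apparmor_parser"',
]

if __name__ == "__main__":
    for prof, rules in suggest_rules(SAMPLE_LOG).items():
        print(prof + " {")
        for rule in rules:
            print("  " + rule)
        print("}")
```

Feed it real lines with `grep DENIED /var/log/audit/audit.log` (or `dmesg`) and paste the output into the profile only after reading each rule: the merged `rw` on the `.vbox` file and the `@{PROC}/[0-9]*/cmdline` read are what the profile needs, while the `/bin/rm` exec is exactly the decision the thread is nervous about and gets a placeholder, not a permission.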

This is great!

It would be best if these profiles were contributed to Debian. Once landed in Debian, they will automatically spread to all distributions based on Debian such as Ubuntu, Mint, etc.

Please see:
https://wiki.debian.org/AppArmor

And contact the Debian AppArmor team:
https://wiki.debian.org/AppArmor/Contribute

They’ll be able to assist with merging it into Debian and auditing it.

Thank you for the positive feedback.

Before I submit the profile to Debian, there is some work left, though. To test further, I have removed and reinstalled Whonix-Gateway and Whonix-Workstation. Two problems have arisen, so far.

1- Cannot import an appliance or a disk image in VirtualBox (access denied). With hindsight, that had to be expected. AppArmor was disabled for the installation.

2- In the profile, I commented <abstractions/audio> with ‘not required by Whonix’. Wrong. After the installation of the workstation, there is a warning ‘No audio devices could be opened’. It was not a major problem until upgrading. Now it crashes with a kernel panic. I believe it would happen with any distribution.

Point 1 should be easy to take care of. Point 2 looks much trickier. Xfce4 uses PulseAudio, but that can be solved too, the problem is not there. As I see it, the profile should take into account all the different software which might come on top of ALSA, FFADO or even OSS. To my very fresh knowledge, it includes ALSA itself, PulseAudio, GStreamer, perhaps whatever is installed by alsa-tools and alsa-utils, Jack, Xine, Phonon… or any combination of those. Anything else? I did not mention audio through FireWire. Welcome to the Linux audio jungle.

Obviously, I’ll have to sort the mess and select only the most widely used audio software. Any advice is welcome.

I don’t know that. Contacting the AppArmor developers would help here as well. I guess they’re eager to welcome a helping hand.

Even if this is more a Debian than a Whonix issue, here is the latest on the profile.

In my previous post, I was over-reacting. It was the matter of one line. Had to find it.
It was tested with Debian testing and Ubuntu 12.04 in VMs, so in enforce mode.

I have submitted the profile to Debian. Here is the first reply:

I'm not personally directly interested in such a profile, and am not using VirtualBox, so it would be better to send it to the apparmor mailing-list? I'm sure someone else will happily review it :)

(Don’t hesitate to ping them every two weeks :wink: )


I am waiting for a reply from apparmor@packages.debian.org. They have no mailing list that I know of. If I submit it to Ubuntu, is there a chance that it spreads back to Debian?

For those interested, the updated profile.

[code]#include <tunables/global>

/usr/bin/VBox {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/fonts>
  #include <abstractions/audio>

  capability net_admin,
  capability net_raw,
  capability sys_ptrace,

  owner @{HOME}/.ICEauthority r,
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.config/** r,
  owner @{HOME}/.config/VirtualBox/** rw,
  owner @{HOME}/.config/Trolltech.conf rk,
  owner @{HOME}/.local/share/mime/* r,
  owner @{HOME}/.gtk-bookmarks r,

  owner @{HOME}/ r,

  ## The disk images have to be there. All the other locations are denied.
  owner @{HOME}/Disk_Images/ r,
  owner @{HOME}/Disk_Images/* r,

  ## The default virtual machines directory.
  owner "@{HOME}/VirtualBox VMs/" r,
  owner "@{HOME}/VirtualBox VMs/**" rw,

  ## When importing an appliance, default opening directory.
  owner @{HOME}/Documents/ r,

  ## Shared folders. Replace with your own host share.
  owner @{HOME}/share/* r,

  ## Guest settings. Required?
  /usr/lib/x86_64-linux-gnu/pango/** m,
  /usr/lib/x86_64-linux-gnu/dri/* m,
  /dev/dri/card0 rw,
  /etc/drirc r,

  ## Some directories (themes, pixmap) denied. Check.
  ###############################
  /usr/share/icons/* r,
  /usr/share/themes/** r,
  /usr/share/icons/** rk,
  /usr/share/mime/** r,
  /usr/share/pixmaps/** r,
  /usr/share/virtualbox/** r,
  ###############################

  ## So, the easy way.
  /usr/share/** rk,
  /usr/local/share/** r,

  /bin/dash ix,
  /bin/kmod ix,
  /bin/grep ix,
  /bin/uname ix,
  /bin/cat ix,
  /bin/gawk ix,

  ## Pops two 'denied' messages at vbox start when uncommented. No other penalty.
  ## Giving permission to 'rm' and 'rmdir' makes one nervous.
  #######################################
  /bin/ps PUx,                             ## 'rix' denied.
  /bin/rm PUx,                             ## 'rix' denied.
  /bin/rmdir PUx,                          ## 'rix' denied.
  /bin/open rPUx,                          ## 'rix' denied.
  #######################################

  /usr/bin/whoami ix,
  /usr/bin/gawk ix,
  /usr/bin/mawk ix,
  /usr/bin/basename ix,
  /usr/bin/VBox rix,

  owner /tmp/** rw,

  ## Could use only the necessary libs. Gain?
  /usr/lib/virtualbox/** mrix,

  ## unconfined ??? 'rix' denied.
  /usr/lib/virtualbox/VBoxXPCOMIPCD cux,

  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/resolv.conf r,

  /dev/vboxdrv rw,
  /dev/vboxdrvu rw,

  /proc/ r,
  /proc/cmdline r,
  /proc/modules r,
  /proc/net r,
  /proc/*/cmdline r,
  /proc/*/net/** r,

  /sys/devices/pci0000:00/** r,
  /sys/devices/virtual/** r,
  /sys/devices/system/cpu/** r,
  /sys/devices/LNXSYSTM:00/LNXSYBUS:00/** r,
  /sys/module/** r,                        ## tweak
  /sys/block/ r,
  /sys/class/** r,

  ## If missing, guest error 'No audio devices could be opened'.
  /var/lib/dbus/machine-id r,

  ## Authorisation for user: '/auth-for-userxxxx/database'.
  /run/gdm3/** r,

  ## Site-specific additions and overrides.
  #include <local/usr.bin.VBox>
}
[/code]
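The comments in the two VBox profiles mark the rules that deserve a second look before anyone audits them: `PUx`/`cux` fall back to running the target unconfined, a bare `sys_ptrace` capability, writes under a `**` glob without `owner`, and prose lines left inside the file that `apparmor_parser` will choke on. As an added example (not tooling from Whonix, Debian or the AppArmor project), here is a small linter that reads a profile and flags exactly those patterns, plus PID-baked `/proc/<pid>/` paths. `SAMPLE_PROFILE` is constructed to trigger each finding; `/usr/bin/example` and its helper paths are invented names.

```python
"""Lint an AppArmor profile for the rules that weaken confinement.

Added example for this thread, not Whonix's or AppArmor's own tooling.
It reads the profile text only and does not replace apparmor_parser;
SAMPLE_PROFILE is constructed (invented paths) to show each finding.
"""
import re
import shlex

# Capabilities that let a confined program escape or tamper with policy.
RISKY_CAPS = {"sys_admin", "sys_ptrace", "sys_module", "sys_rawio",
              "dac_override", "dac_read_search", "mac_admin", "mac_override",
              "setuid", "setgid"}
_PID_PATH = re.compile(r"^(?:/proc|@\{PROC\})/\d+(?:/|$)")
_QUALIFIERS = ("deny", "audit", "owner")


def _strip_comment(line):
    """Drop a trailing '#' comment but keep '#include' directives."""
    s = line.strip()
    if s.startswith("#include"):
        return s
    return s.split("#", 1)[0].strip()


def lint_profile(text):
    """Return [(line_no, tag, message), ...] for the suspicious rules."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line or line.startswith("#include") or line.endswith(("{", "}")):
            continue
        if not line.endswith(","):
            findings.append((no, "unparsed", "not a rule; apparmor_parser will reject it"))
            continue
        try:
            tokens = shlex.split(line[:-1])   # honours "quoted paths with spaces"
        except ValueError:
            findings.append((no, "unparsed", "unbalanced quotes"))
            continue
        quals = [t for t in tokens if t in _QUALIFIERS]
        body = [t for t in tokens if t not in _QUALIFIERS]
        if not body:
            continue
        is_deny, has_owner = "deny" in quals, "owner" in quals
        head, mode = body[0], body[-1]
        if head == "capability":
            if len(body) == 1 and not is_deny:
                findings.append((no, "risky-capability", "bare 'capability,' grants all of them"))
            for cap in body[1:]:
                if cap in RISKY_CAPS and not is_deny:
                    findings.append((no, "risky-capability", "capability %s" % cap))
        elif head == "network":
            if len(body) == 1 and not is_deny:
                findings.append((no, "open-network", "bare 'network,' allows every family and type"))
        elif head.startswith(("/", "@{")):
            if _PID_PATH.match(head):
                findings.append((no, "pid-path", "%s: literal PID, use @{PROC}/[0-9]*/" % head))
            if is_deny:
                continue                      # deny rules only take rights away
            if "x" in mode and ("u" in mode or "U" in mode):
                findings.append((no, "unconfined-exec",
                                 "%s runs unconfined (%s); prefer ix, Px or Cx" % (head, mode)))
            if "w" in mode and "**" in head and not has_owner:
                findings.append((no, "broad-write",
                                 "%s writable regardless of file owner; add 'owner' or narrow the glob" % head))
    return findings


SAMPLE_PROFILE = """#include <tunables/global>

/usr/bin/example {
  #include <abstractions/base>

  capability net_admin,
  capability sys_ptrace,

  network,

  owner @{HOME}/.config/** rw,
  "/home/*/VirtualBox VMs/**" rw,
  owner /tmp/** rw,
  /tmp/** rw,
  Shared folders. Replace with your own host share.
  owner @{HOME}/share/* r,

  deny /proc/9881/mountinfo r,
  /proc/9881/cmdline r,

  /bin/rm PUx,            ## 'rix' denied.
  /usr/lib/example/helper cux,
  /usr/bin/example rix,
  /usr/lib/example/** mrix,
}
"""

if __name__ == "__main__":
    for no, tag, msg in lint_profile(SAMPLE_PROFILE):
        print("line %2d  %-16s %s" % (no, tag, msg))
```

Run it over `/etc/apparmor.d/usr.bin.VBox` before `aa-enforce`: `owner @{HOME}/.config/** rw,` passes, the unquoted prose line and the `PUx`/`cux` executables are reported, and a `deny` rule is never flagged as a grant even when its path is broad. It is a reading aid, not a verdict; `apparmor_parser -p` remains the authority on syntax.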

Even if this is more a Debian than a Whonix issue, here is the latest on the profile.
Thank you for sharing this!
I have submitted the profile to Debian.
To whom?
I am waiting for a reply from apparmor@packages.debian.org.
Last time I mailed it didn't take long. A day or two or so.
If I submit it to Ubuntu, is there a chance that it spreads back to Debian?
There are chances for seeing the profile automagically flowing back to Debian, but these are low and could take years, I think. Anyway. It doesn't need to happen automagically. Working with Ubuntu will improve your Debian skill as well, since Ubuntu in essence is also just Debian with modifications. Having the profile accepted in Ubuntu, which seems simpler, makes it more likely to get the profile accepted in Debian, because you can say "it's already merged in Ubuntu". So working with them is useful in any case.
To whom?
To Intrigeri. He was replying to your bug report https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732578 and another one, earlier.

I will pass the profile to Ubuntu. They look more active where it concerns AppArmor. To get some inspiration, they have a good list of profiles at ~apparmor-dev/apparmor-profiles/master : files for revision 169

Just installed Whonix 7.7.8.6 (testers). I have noticed that the process ‘system-tor’ is no longer enforced in the gateway.

The TBB profile is now working in Whonix. The problem mentioned earlier in Whonix Forum (process not enforced) was a typo in the profile name. :-[

It still looks too permissive, I have to fine tune it before putting it here and in the wiki. I’ll probably push a less specific version to Debian. I have read somewhere that it is in their wish list, so they might react…

Edit. The profile is tested with Xfce4. All the references to KDE are commented.

The latest TBB profile. I put it here first.

File ‘/etc/apparmor.d/home.user.tor-browser_en-US.Browser.firefox’

[code]# Last Modified: Thu Feb 20 21:22:24 2014
#include <tunables/global>

/home/user/tor-browser_en-US/Browser/firefox {
  #include <abstractions/base>
  #include <abstractions/user-tmp>
  #include <abstractions/bash>

  capability sys_ptrace,

  network,
  network tcp,

  deny /etc/host.conf r,
  deny /etc/hosts r,
  deny /etc/nsswitch.conf r,
  deny /etc/resolv.conf r,
  deny @{HOME}/.config/user-dirs.dirs r,
  deny @{HOME}/.gtk-bookmarks r,
  deny @{HOME}/.local/share/recently-used.xbel* rw,

  /bin/dash rix,
  /bin/open rix,
  /bin/ps rix,

  /dev/dri/card0 rw,
  /dev/vboxuser rw,
  /dev/tty r,

  /etc/drirc r,
  /etc/X11/cursors/* r,
  /etc/fonts/** r,
  /etc/mime.types r,
  /etc/mailcap r,
  deny /etc/passwd r,
  deny /etc/resolv.conf.whonix r,
  deny /etc/hosts.whonix r,

  owner @{HOME}/tor-browser_en-US/.mozilla/ w,
  owner @{HOME}/tor-browser_en-US/.mozilla/*/ w,
  owner @{HOME}/tor-browser_en-US/Browser/** r,
  owner @{HOME}/tor-browser_en-US/Browser/*.so mr,
  owner @{HOME}/tor-browser_en-US/Browser/browser/components/*.so mr,
  owner @{HOME}/tor-browser_en-US/Browser/components/*.so mr,
  owner @{HOME}/tor-browser_en-US/Browser/firefox rix,
  owner @{HOME}/tor-browser_en-US/Data/Browser/ r,
  owner @{HOME}/tor-browser_en-US/Data/Browser/** rwk,
  owner @{HOME}/tor-browser_en-US/Desktop/ rw,
  owner @{HOME}/tor-browser_en-US/Desktop/** rw,
  owner @{HOME}/tor-browser_en-US/Downloads/ rw,
  owner @{HOME}/tor-browser_en-US/Downloads/** rw,
  owner @{HOME}/tor-browser_en-US/Tor/tor Px,

  ## Authentication for user. Probably required with Gnome.
  deny /run/gdm3/** r,

  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/* r,

  /tmp/.X0-lock r,

  ## Mesa software rasterizer (swrast) DRI driver; which dri module is
  ## needed depends on the hardware.
  deny /usr/lib/i386-linux-gnu/dri/swrast_dri.so m,

  ## Pango text-shaping modules.
  /usr/lib/i386-linux-gnu/pango/1.6.0/modules/* m,

  /usr/share/ r,
  /usr/share/fonts/ r,
  /usr/share/fonts/** r,
  /usr/share/icons/ r,
  /usr/share/icons/** r,
  deny /usr/share/mime/ r,
  deny /usr/share/mime/** r,
  /usr/share/pixmaps/ r,
  /usr/share/pixmaps/** r,
  /usr/share/themes/ r,
  /usr/share/themes/** r,

  ## Desktop environment dependent.
  deny /usr/share/applications/** r,

  /var/cache/fontconfig/* r,
  /var/lib/dbus/machine-id r,

  ## In 'Edit/Preferences', set 'Save files to' -> 'Downloads'.
  owner @{HOME}/Downloads/* rw,

  owner @{HOME}/.Xauthority r,
  deny owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.icons/ r,
  owner @{HOME}/.icons/** r,
  owner @{HOME}/.local/share/icons/ r,
  owner @{HOME}/.themes/** r,
  deny owner @{HOME}/.local/share/gvfs-metadata/home r,
  owner @{HOME}/.cache/ r,
  owner @{HOME}/.cache/* rwk,

  @{PROC} r,
  @{PROC}/[0-9]*/maps r,
  deny @{PROC}/[0-9]*/mounts r,
  deny @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/[0-9]*/task/*/stat r,
  @{PROC}/cpuinfo r,
  @{PROC}/filesystems r,
  @{PROC}/meminfo r,
  @{PROC}/stat r,
  @{PROC}/sys/kernel/pid_max r,
  @{PROC}/uptime r,
}
[/code]

I believe it is not too lax as is. I have used it for a few days.There will certainly be some situations when it will flash some denied messages, so the more people use it, the better the testing.

The procedure to enforce the profile.

  • Copy/paste the code in kwrite.
  • Save the file as ‘home.user.tor-browser_en-US.Browser.firefox’
  • Copy the file to ‘/etc/apparmor.d’
  • ‘sudo chown root:root /etc/apparmor.d/home.user.tor-browser_en-US.Browser.firefox’
  • ‘sudo chmod +x /etc/apparmor.d/home.user.tor-browser_en-US.Browser.firefox’
  • ‘sudo aa-enforce /etc/apparmor.d/home.user.tor-browser_en-US.Browser.firefox’

Start the Tor browser.
‘sudo aa-status’ should output

[code]AppArmor available in kernel.
2 profiles are loaded.
2 profiles are in enforce mode.
   /*
   /home/user/tor-browser_en-US/Browser/firefox
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /home/user/tor-browser_en-US/Browser/firefox (5735)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.[/code]

You should see more info there, as I have cleaned the ‘apparmor.d’ directory to leave only the profile under test. AppArmor loads some profile by default.

Adrelanos, a problem I can foresee. In Whonix, TBB is installed in ‘/home/user’, the default home directory. If a user decides to change this to his name or whatever, and I am sure some do, then he would have to modify the profile.
Radostan Riedel, the author of the profile I have based mine on, installs TBB in ‘/opt’. That seems to be a fair move, as it refers to a non modifiable location.

Before linking the profile in the wiki, perhaps I should wait for more testing?
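The last step of the procedure above is to read `aa-status` by eye and confirm that the profile is not only loaded but actually attached to the running browser. The distinction matters: a profile whose header path does not match the binary (the ‘system-tor’ typo mentioned earlier in the thread) shows up as loaded with no process under it, and a browser started before `aa-enforce` shows up as “unconfined but have a profile defined”. As an added example (not a Whonix or AppArmor tool), here is a parser for that output with a one-word verdict per profile. `SAMPLE_STATUS` is constructed for the example, with `/usr/bin/pidgin` and the PIDs invented; feed it the real text of `sudo aa-status` on your own host.

```python
"""Check from aa-status output that a profile really confines its process.

Added example for this thread; not part of Whonix or AppArmor.
It parses the text printed by `sudo aa-status`; SAMPLE_STATUS below is
constructed (invented PIDs and a made-up pidgin profile) to show the
outcomes a practitioner must tell apart.
"""
import re

# "2 profiles are in enforce mode." / "1 processes are unconfined but have a profile defined."
_HEADER = re.compile(
    r"^\d+ (profiles|processes) are (?:in (enforce|complain) mode|"
    r"(unconfined) but have a profile defined)\.?$")
# process entries look like "/path/to/binary (5735)"
_PROC = re.compile(r"^(.+) \((\d+)\)$")


def parse_aa_status(text):
    """Return {'profiles': {mode: set(names)}, 'processes': {mode: {name: [pids]}}}.
    Header lines are unindented; the entries of a section are indented."""
    status = {"profiles": {"enforce": set(), "complain": set()},
              "processes": {"enforce": {}, "complain": {}, "unconfined": {}}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[:1] in (" ", "\t"):
            if section is None:
                continue
            kind, mode = section
            if kind == "profiles":
                status["profiles"].setdefault(mode, set()).add(line)
            else:
                m = _PROC.match(line)
                if m:
                    by_name = status["processes"].setdefault(mode, {})
                    by_name.setdefault(m.group(1), []).append(int(m.group(2)))
            continue
        m = _HEADER.match(line)
        # "N profiles are loaded." and "N processes have profiles defined."
        # carry no entries, so they simply close the current section.
        section = (m.group(1), m.group(2) or m.group(3)) if m else None
    return status


def verdict(status, profile):
    """enforce / complain : a running process is confined under the profile
    unconfined          : profile loaded after the process started; restart it
    not-running         : loaded, but no process matched it, so either nothing
                          is running or the header path does not match the binary
    not-loaded          : apparmor_parser never loaded it (wrong file name?)"""
    for mode in ("enforce", "complain", "unconfined"):
        if profile in status["processes"][mode]:
            return mode
    if profile in status["profiles"]["enforce"] or profile in status["profiles"]["complain"]:
        return "not-running"
    return "not-loaded"


SAMPLE_STATUS = """AppArmor available in kernel.
3 profiles are loaded.
3 profiles are in enforce mode.
   /home/user/tor-browser_en-US/Browser/firefox
   /usr/bin/VBox
   /usr/bin/pidgin
0 profiles are in complain mode.
2 processes have profiles defined.
1 processes are in enforce mode.
   /home/user/tor-browser_en-US/Browser/firefox (5735)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/bin/VBox (5596)
"""

if __name__ == "__main__":
    st = parse_aa_status(SAMPLE_STATUS)
    for prof in ("/home/user/tor-browser_en-US/Browser/firefox",
                 "/usr/bin/VBox", "/usr/bin/pidgin", "/usr/sbin/tor"):
        print("%-48s %s" % (prof, verdict(st, prof)))
```

On a real host, `sudo aa-status | python3 this_script.py` works once the `__main__` block reads `sys.stdin.read()` instead of the sample; the point is that only the `enforce` verdict means the Tor Browser is confined, and `not-running` while the browser is open is the symptom to chase in the profile's header path.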

When the user runs Whonix’s torbrowser updater as a user other than user, such as user2, it stores the profile in user2’s home folder. This is untested, but should work.

Anyway, if it would help, the extraction path for torbrowser can be easily changed. Even be configurable through whatever means are comfortable. These would be simple changes I am happy to make.

If /opt is non-writable, how can settings such as bookmarks be stored?

Using /opt seems like a non-standard way and always when you go non-standard ways there is risk to hit issues sooner or later. I thought /home/ is the standard way to extract tbb.

Before linking the profile in the wiki, perhaps I should wait for more testing?
No need to wait. You may edit the wiki. As long we're honest about things, I see no issues with that.

I have added the TBB profile in the wiki. Advanced Security Guide - Whonix

Can you review it?

I reviewed the wiki change but not the profile itself. I’ll test that profile myself soon.

Also added “troubadour created this profile. You can discuss it in this forum thread.” and improved the experimental warning.

It would be nice if you could “watch” the pages you’ve edited. Which means, you’d get automatically informed by e-mail.

If you want…

Please check on Login required - Whonix you see
“Your email address was confirmed…”

And please enable

  • Email me when a page or file on my watchlist is changed
  • Email me also for minor edits of pages and files

Then go for example to the wiki page you edited. Near the top there is a “View history” button. Next to it is a button with an arrow down. There you’ll find the “watch” function.

Alternatively there is the recent changes page

and if desired we could try to get a working rss feed for it. Or perhaps just a rss feed for that wiki page.

In this particular case, we could also move the AppArmor profile to a template, and import it in the Advanced Security Guide. Then you’d only get notification for profile changes, not for other changes to that page.

Please inform me, should there be ever malicious changes in the wiki.

I am now ‘watching’ the wiki page. In the experimental warning, could you please replace ‘Pidgin’ with ‘TBB’? I do not know how to do that.

Please inform me, should there be ever malicious changes in the wiki.
Do you see many malicious edits of the wiki?