Whonix TemplateVM start-tor-browser "Permission denied" error in Qubes 4.3

Greetings.

I’m trying to modify TorBrowser in the whonix-workstation-18 Template in Qubes 4.3 after a fresh install for customizations I do for security reasons (such as installing user-agent-switcher after that built-in feature was removed from TorBrowser), and I have been trying to follow the instructions from: Option_2:_Template_Method and when I attempt to execute start-tor-browser after changing ownership via ‘chown -R user:user’ I get the following:

% ./start-tor-browser
zsh: exit 2 ./start-tor-browser

And to get more detail:

% ./start-tor-browser --verbose
mkdir: cannot create directory ‘.config/ibus’: Permission denied
ln: failed to create symbolic link ‘.config/ibus’: Permission denied
cp: cannot create regular file ‘../start-tor-browser.desktop’: Permission denied
sed: couldn’t open temporary file ../sedQDPBcd: Permission denied
sed: couldn’t open temporary file ../sed631tK1: Permission denied
sed: couldn’t open temporary file ./sedfxexjJ: Permission denied
sed: couldn’t open temporary file ../sedC3SXNf: Permission denied
ln: /var/cache/tb-binary/.tb/tor-browser/Browser/.local//share/null: cannot overwrite directory
/bin/sh: 0: cannot open ./firefox: Permission denied
zsh: exit 2 ./start-tor-browser --verbose

As best I can tell there is a security feature that is preventing execution of start-tor-browser within the whonix-workstation-18 Template to allow modifying TorBrowser. (Perhaps AppArmor)

[12916.612104] audit: type=1400 audit(1771707716.578:910): apparmor="DENIED" operation="open" class="file" profile="//*-browser/Browser/firefox" name="/var/cache/tb-binary/.tb/tor-browser/Browser/firefox" pid=32785 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1000
[12916.612118] audit: type=1300 audit(1771707716.578:910): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffdfb4dde8 a2=0 a3=0 items=0 ppid=32769 pid=32785 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts4 ses=4294967295 comm="firefox" exe="/usr/bin/dash" subj=//*-browser/Browser/firefox key=(null)
[12916.612123] audit: type=1327 audit(1771707716.578:910): proctitle=2F62696E2F7368002E2F66697265666F78

Changing the AppArmor profile to “complain” mode helps but still isn’t sufficient:

root@host:/etc/apparmor.d# aa-complain home.tor-browser.firefox
Setting /etc/apparmor.d/home.tor-browser.firefox to complain mode.

% ./start-tor-browser --debug
mkdir: cannot create directory ‘.config/ibus’: Permission denied
ln: failed to create symbolic link ‘.config/ibus’: Permission denied
cp: cannot create regular file ‘../start-tor-browser.desktop’: Permission denied
sed: couldn’t open temporary file ../sedYq3v1m: Permission denied
sed: couldn’t open temporary file ../sedvrMrj5: Permission denied
sed: couldn’t open temporary file ./sediibFUo: Permission denied
sed: couldn’t open temporary file ../sedv3cSSM: Permission denied
ln: /var/cache/tb-binary/.tb/tor-browser/Browser/.local//share/null: cannot overwrite directory
Fontconfig error: No writable cache directories
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt (t=15.7775) [GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt

And a message pops up on the screen:

“Tor Browser is already running, but is not responding. To use Tor Browser, you must first close the existing Tor Browser process, restart your device, or use a different profile.”

And there is no other TorBrowser nor firefox process that I can find.

I’d like to know how to do this and then update the Wiki with the changes.
Thanks

1 Like

Documentation about customizing Tor Browser in templates:

Bear in mind that customizing Tor Browser is itself harmful to anonymity. Tor Browser relies partially on all users looking the same as all other users to provide good anonymity. If you customize your browser, you are making yourself stand out from all other users, potentially making yourself fingerprintable. You will also more than likely have to manually update Tor Browser yourself if you go this path, which may have serious security implications if you forget to keep it up-to-date.

2 Likes

Another common thing I find I need is to set the Security Level to “Safer” in order to be able to use the pre-installed NoScript extension and only allow Javascripts on a per-site basis, which I find is quite important for security. Being able to customize the Whonix Workstation 18 TemplateVM is important so that the security features and settings I want to use remain common as I use TorBrowser in DisposableVMs in order to destroy history and make tracking and user identification more difficult.

The documentation for customizing the workstation VM is there to allow doing this, and at least for me on my current system Step 4 of the template modification instructions reliably fails with an error. I am looking to understand and fix that technical problem so that I can do what I feel I need. I am the one that knows what I need with this, I’m the one that gets to choose that.

I regularly do updates on Templates and keep the Whonix VMs up-to-date. This isn’t simple when it comes to the TorBrowser on Whonix Workstation, but I’ll share a trick that helps ease this. Because the TemplateVM TorBrowser won’t access the Internet, to install an extension what I do is to make the following softlink:

/var/cache/tb-binary/.tb/tor-browser/Browser/Downloads → /home/user/Downloads

And then in a Whonix DisposableVM I install the extension I require and qvm-copy the extension file from the install location to the Whonix Workstation TemplateVM:

/home/user/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/extensions/

Then move the extension into /home/user/Downloads. From there I can install the extension into the Whonix TemplateVM TorBrowser.

When TorBrowser needs to be updated, the update removes the extensions and they need to be re-installed – so I re-make the Downloads softlink to point to /home/user/Downloads and install the extension(s) “from a file”.

That’s the most convenient way I’ve found to customize TorBrowser in Whonix Workstation and also keep it up-to-date.

1 Like

File permission issue. Unrelated to AppArmor. Documentation was outdated. Command sudo chown -R user:user /var/cache/tb-binary was outdated and not updated for sysmaint - System Maintenance User.

Option_2:_Template_Method has been updated just now.

2 Likes

Thank you, this was the answer I needed.
After ‘chown -R sysmaint:sysmaint’ start-tor-browser started as expected.
Thanks for updating the documentation. 🙂

2 Likes
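
A triage sketch for the audit records quoted in the first post, added here as an example and not part of the thread or of Whonix: it joins records by event id, decodes the hex proctitle, and flags denials where the process fsuid differs from the file's ouid, which is consistent with the file-ownership cause given in the answer. The function names are assumptions; the sample lines are the thread's own type=1400 and type=1327 records with quotes normalised to ASCII.

```python
import re

# The thread's type=1400 and type=1327 records, quotes normalised to ASCII.
SAMPLE = [
    'audit: type=1400 audit(1771707716.578:910): apparmor="DENIED" '
    'operation="open" class="file" profile="//*-browser/Browser/firefox" '
    'name="/var/cache/tb-binary/.tb/tor-browser/Browser/firefox" pid=32785 '
    'comm="firefox" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1000',
    'audit: type=1327 audit(1771707716.578:910): '
    'proctitle=2F62696E2F7368002E2F66697265666F78',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
EVENT = re.compile(r'audit\([\d.]+:(\d+)\)')       # audit(timestamp:event_id)

def parse_record(line):
    """Return (event_id, fields) for one audit line; id is None if absent."""
    m = EVENT.search(line)
    fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
    return (m.group(1) if m else None), fields

def decode_proctitle(value):
    """Hex-encoded proctitle -> argv list; non-hex values are returned as-is."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return [value]
    return [p.decode("utf-8", "replace") for p in raw.split(b"\0") if p]

def triage(lines):
    """Join records by event id and summarise each AppArmor denial."""
    events = {}
    for line in lines:
        eid, fields = parse_record(line)
        events.setdefault(eid, {}).update(fields)
    findings = []
    for eid, f in events.items():
        if f.get("apparmor") != "DENIED":
            continue
        fsuid, ouid = f.get("fsuid"), f.get("ouid")
        findings.append({
            "event": eid, "profile": f.get("profile"), "path": f.get("name"),
            "fsuid": fsuid, "ouid": ouid,
            # True when the process uid is not the uid that owns the file.
            "owner_mismatch": None not in (fsuid, ouid) and fsuid != ouid,
            "argv": decode_proctitle(f["proctitle"]) if "proctitle" in f else [],
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```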