Whonix and AppArmor

[fyqwbdzsfjh]

Getting bookmarks to work in Tor Browser in Whonix with AppArmor enabled (following instructions from here^clearnet) required some changes to these rules.

I added the following to /etc/apparmor.d/local/home.tor-browser.firefox

/usr/share/split-browser-disp/firefox/sb-load.js r,
/run/split-browser-disp/into-firefox rw,
/run/split-browser-disp/from-firefox rw,

Is this something that could be supplied with the package (either this one or upstream) and do these rules seem sensible?

I did not try other features of split-browser other than saving and opening bookmarks.

[adrelanos]

Pull request welcome.

https://github.com/Whonix/apparmor-profile-torbrowser/blob/master/etc/apparmor.d/home.tor-browser.firefox

[fyqwbdzsfjh]

@adrelanos sure thing! I'll test the other features of split-browser just in case (like logins)

[rustybird]

The "move downloads to a VM of your choice" feature (Ctrl-Shift-s) probably needs a rule for /bin/bash - like the existing rule for /bin/dash?

[fyqwbdzsfjh]

@rustybird good shout. I tried it out, and it seems like bash isn't an issue, but qvm-copy-to-vm.gnome is. (which I don't quite understand, since it seems to try to call qvm-move-to-vm.kde here)

I could give execute permission to that, but since it tries to call a bunch of other stuff, that alone would not work. Something like:

/usr/lib/qubes/qvm-copy-to-vm.gnome Ux,

works, but rather than having it unconfined, maybe it should have its own profile.

[fyqwbdzsfjh]

I'll close this for now, as further discussion should probably happen in the Whonix/apparmor-profile-torbrowser-repo.

[rustybird]

With AppArmor now(?) enabled by default on Whonix Workstation, the "move downloads to a VM of your choice" feature (Ctrl-Shift-s) is currently broken.