feat(profile): improve whonix specific profiles.

apparmor.d/groups/whonix/msgcollector-generic-gui-message

@@ -12,8 +12,11 @@ profile msgcollector-generic-gui-message @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/python>
   include <abstractions/xfce>
+  include <abstractions/vulkan-strict>
 
   @{exec_path} mr,
 
+  @{lib}/msgcollector/ r,
+
   include if exists <local/msgcollector-generic-gui-message>
 }

apparmor.d/groups/whonix/msgcollector-striphtml

@@ -13,5 +13,7 @@ profile msgcollector-striphtml @{exec_path} {
 
   @{exec_path} mr,
 
+  @{lib}/msgcollector/ r,
+
   include if exists <local/msgcollector-striphtml>
 }

apparmor.d/groups/whonix/msgdispatcher

@@ -21,14 +21,31 @@ profile msgdispatcher @{exec_path} {
   @{bin}/mkdir                rix,
   @{bin}/mkfifo               rix,
   @{bin}/rm                   rix,
+  @{bin}/cat                  rix,
   @{bin}/sleep                rix,
   @{bin}/touch                rix,
   @{bin}/whoami               rix,
+  @{bin}/sudo                 rCx -> sudo,
 
   @{lib}/msgcollector/* r,
+  @{lib}/msgcollector/msgdispatcher_dispatch_x rPx,
+
+  owner @{HOME}/.xsession-errors w,
 
         @{run}/msgcollector/ r,
   owner @{run}/msgcollector/user/{,**} rwk,
 
+  profile sudo {
+    include <abstractions/base>
+    include <abstractions/app/sudo>
+
+    @{bin}/sudo mr,
+    @{lib}/msgcollector/* rPx,
+
+    owner @{run}/msgcollector/user/msgdispatcher_x_* r,
+
+    include if exists <local/msgdispatcher_sudo>
+  }
+
   include if exists <local/msgdispatcher>
 }

apparmor.d/groups/whonix/open-link-confirmation

@@ -14,12 +14,15 @@ profile open-link-confirmation @{exec_path} {
 
   @{sh_path}            rix,
   @{bin}/readlink       rix,
-  @{bin}/whichbrowser   rix,
   @{bin}/torbrowser     rPx,
+  @{bin}/whichbrowser   rix,
+  @{bin}/xdg-mime       rPx,
   @{lib}/msgcollector/generic_gui_message rPx,
   @{lib}/msgcollector/striphtml rPx,
 
   /etc/open_link_confirm.d/{,**} r,
 
+  owner @{HOME}/.xsession-errors rw,
+
   include if exists <local/open-link-confirmation>
 }

apparmor.d/groups/whonix/rads

@@ -34,12 +34,15 @@ profile rads @{exec_path} {
   /usr/share/whonix/marker r,
 
   /etc/dpkg/origins/whonix r,
+  /etc/machine-id r,
   /etc/rads.d/{,**} r,
   /etc/whonix_version r,
   /etc/X11/default-display-manager r,
 
   owner @{run}/rads/{,**} rw,
 
+  owner /dev/tty@{int} rw,
+
   profile systemctl {
     include <abstractions/base>
     include <abstractions/app/systemctl>
@@ -47,6 +50,8 @@ profile rads @{exec_path} {
     capability net_admin,
     capability sys_ptrace,
 
+    /etc/machine-id r,
+
     /{run,var}/log/journal/ r,
     /{run,var}/log/journal/@{hex32}/ r,
     /{run,var}/log/journal/@{hex32}/*.journal* r,

apparmor.d/groups/whonix/sdwdate-start

@@ -20,10 +20,12 @@ profile sdwdate-start @{exec_path} {
   @{bin}/mkfifo  rix,
   @{bin}/inotifywait  rix,
 
+  @{bin}/anondate-set rPx,
+
   owner @{tmp}/tmp.@{rand10} rw,
 
   owner @{run}/sdwdate/ rw,
-  owner @{run}/sdwdate/status rw,
+  owner @{run}/sdwdate/* rw,
 
   /dev/tty rw,
 

apparmor.d/groups/whonix/sensible-browser

@@ -24,5 +24,7 @@ profile sensible-browser @{exec_path} {
 
   /etc/open_link_confirm.d/{,**} r,
 
+  owner @{HOME}/.xsession-errors rw,
+
   include if exists <local/sensible-browser>
 }

apparmor.d/groups/whonix/systemcheck-canary

@@ -23,8 +23,10 @@ profile systemcheck-canary @{exec_path} {
   @{lib}/systemcheck/canary rix,
 
   #aa:stack systemd-detect-virt systemd-notify
-  @{bin}/systemd-detect-virt  rPx -> &systemd-detect-virt,
-  @{bin}/systemd-notify       rPx -> &systemd-notify,
+  @{bin}/systemd-detect-virt  rPx -> systemcheck-canary//&systemd-detect-virt,
+  @{bin}/systemd-notify       rPx -> systemcheck-canary//&systemd-notify,
+
+  /etc/systemcheck.d/{,**} r,
 
   @{PROC}/cmdline r,
 

apparmor.d/groups/whonix/torbrowser

@@ -38,6 +38,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
 
   capability sys_admin, # If kernel.unprivileged_userns_clone = 1
   capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
+  capability sys_ptrace,
 
   network inet stream,
   network inet6 stream,
@@ -49,12 +50,22 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mrix,
 
+  @{sh_path}                 rix,
+  @{bin}/basename            rix,
+  @{bin}/dirname             rix,
+  @{bin}/expr                rix,
+
   @{lib_dirs}/{,**}             r,
   @{lib_dirs}/*.so              mr,
+  @{lib_dirs}/abicheck          rix,
   @{lib_dirs}/glxtest           rPx,
   @{lib_dirs}/plugin-container  rPx,
+  @{lib_dirs}/updater           rPx,
   @{lib_dirs}/vaapitest         rPx,
 
+  # Desktop integration
+  @{bin}/lsb_release                                 rPx -> lsb_release,
+
   /usr/share/@{name}/{,**} r,
   /usr/share/doc/{,**} r,
   /usr/share/homepage/{,**} r,
@@ -72,8 +83,10 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
   /var/lib/nscd/services r,
 
   owner @{lib_dirs}/.cache/{,**} rw,
+  owner @{lib_dirs}/.local/{,**} rw,
   owner @{lib_dirs}/Downloads/{,**} rw,
   owner @{lib_dirs}/fonts/** r,
+  owner @{lib_dirs}/TorBrowser/UpdateInfo/{,**} rw,
 
   owner @{config_dirs}/ rw,
   owner @{config_dirs}/** rwk,
@@ -91,7 +104,6 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
   owner @{tmp}/firefox/* rwk,
   owner @{tmp}/@{name}/ rw,
   owner @{tmp}/@{name}/* rwk,
-  owner @{tmp}/Temp-@{uuid}/ rw,
   owner "@{tmp}/Tor Project*/" rw,
   owner "@{tmp}/Tor Project*/**" rwk,
   owner "@{tmp}/Tor Project*" rwk,

apparmor.d/groups/whonix/torbrowser-start

@@ -15,7 +15,7 @@ profile torbrowser-start @{exec_path} {
 
   @{exec_path} rm,
 
-  @{bin}/bash                 rix,
+  @{sh_path}                  rix,
   @{bin}/cp                   rix,
   @{bin}/dirname              rix,
   @{bin}/env                  r,
@@ -29,6 +29,7 @@ profile torbrowser-start @{exec_path} {
   @{bin}/rm                   rix,
   @{bin}/sed                  rix,
   @{bin}/sh                   rix,
+  @{bin}/srm                  rix,
   @{lib_dirs}/abicheck        rix,
 
   @{lib_dirs}/firefox{,.real} rPx,
@@ -41,6 +42,7 @@ profile torbrowser-start @{exec_path} {
   owner @{lib_dirs}/start-tor-browser.desktop rw,
   owner @{lib_dirs}/TorBrowser/Tor/tor r,
 
+  owner @{HOME}/.xsession-errors rw,
   owner @{HOME}/.tb/tor-browser/* rw,
 
   include if exists <local/torbrowser-start>

apparmor.d/groups/whonix/torbrowser-wrapper

@@ -40,9 +40,11 @@ profile torbrowser-wrapper @{exec_path} {
 
   /etc/torbrowser.d/{,*} r,
 
-  owner @{HOME}/.tb/{,**} rw,
   owner /var/cache/tb-binary/{,**} rw,
 
+  owner @{HOME}/.tb/{,**} rw,
+  owner @{HOME}/.xsession-errors rw,
+  
   owner @{tmp}/tmp.@{rand10} rw,
 
   owner @{run}/mount/utab r,

apparmor.d/groups/whonix/whonix-firewall-restarter

@@ -35,10 +35,10 @@ profile whonix-firewall-restarter @{exec_path} {
   /{run,var}/log/journal/@{hex32}/ r,
   /{run,var}/log/journal/@{hex32}/*.journal* r,
 
- owner /tmp/tmp.@{rand10} rw,
+  owner /tmp/tmp.@{rand10} rw,
 
-       @{run}/sdwdate/{,*} rw,
- owner @{run}/updatesproxycheck/{,*} rw,
+        @{run}/sdwdate/{,*} rw,
+  owner @{run}/updatesproxycheck/{,*} rw,
 
   include if exists <local/whonix-firewall-restarter>
 }