Added a “git” profile: I removed the ability for a user to do “sudo git clone” and other things.
I will remove the ability for every browser and file manager to be run with sudo too; I didn’t think it was possible with AppArmor, I discover things every day.
Added a Thunar profile compatible with the package “qubes-core-agent-thunar” (but don’t use it yet, I will modify the profile very soon). Thunar was the most complicated profile; it asks for too many permissions…
I was busy learning things with AppArmor, but the LibreWolf profile is coming.
I just added the LibreWolf profile; I took a lot of time to write this one perfectly. The LibreWolf profile is the best written one; I need to change Firefox and Mullvad a little bit.
List of things that will be denied when using LibreWolf:
You can’t run LibreWolf by using “sudo librewolf”.
LibreWolf can’t access curl, wget, the bash command and more… (it’s for your safety; it will not impact your experience, it just increases the security).
Of course, LibreWolf can’t read or write every file and folder inside the home directory, except the Downloads folder, and LibreWolf can’t access the root filesystem.
I don’t know if extensions such as KeePassXC or Bitwarden will work with the profile, and the more I think about it, the more I think I will deny a user the ability to use extensions, for their safety (don’t worry, uBlock will still work, but a lot of them won’t). It needs to be discussed, but the thing is, extensions are too dangerous; please read “More malicious browser extensions uncovered - Chrome, Firefox, and Edge all affected | TechRadar”.
I didn’t do anything about the potential extension issue for the future; like I said, it needs to be discussed. But I don’t want to see a random user complaining in the Qubes forum that he has been hacked while he was using Qubes and saying “Qubes doesn’t protect you”.
When I was doing the Brave profile I saw that some extensions, like password managers, use commands like “/usr/bin/curl” and “/usr/bin/touch”, and this is so dangerous…
Mullvad Browser is shipped with 3 extensions, NoScript, uBlock, and their VPN extension, but they do not allow a random user to easily install an extension. Maybe I should do the same thing? I don’t know; like I said, it needs to be discussed.
I removed the LibreWolf profile; there is a little issue that needs to be fixed immediately.
Edit: LibreWolf profile fixed.
Every browser should be able to correctly see files and directories in “Downloads”; the deny rules before were way too strict.
The file managers no longer have network connections; I finally found the rules in AppArmor to do that.
Improved the security: I added the “sudo” profile to deny access to commands like “sudo brave-browser, sudo firefox, sudo git, sudo mullvad-browser, sudo curl”; the rule “deny /usr/bin/sudo rw,” was not working as I expected.
I accidentally created a duplicate of “deny network inet,” in the two file manager profiles (nautilus and thunar) earlier, which was making all profiles broken; I removed the duplicate and now everything works correctly.
I still don’t understand why AppArmor complains about a protocol error with some profiles: doing aa-enforce /etc/apparmor.d/nautilus makes AppArmor throw a protocol error, and in that case the user needs to run aa-enforce multiple times to make it work. Some profiles don’t have this issue. I’m going to check what’s going on with the nautilus profile; maybe the issue is coming from AppArmor itself?
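The profile work described in the posts above is a loop of loading a profile, watching what the kernel denies, and deciding whether each denial is a missing permission or the isolation doing its job. As an added example (not code from the thread or from its profile repository), here is a small POSIX shell helper that turns the kernel's AppArmor audit lines, as they appear in `journalctl -k` or `dmesg` inside the qube, into candidate profile rules. It handles `apparmor="DENIED"` lines from enforce mode and `apparmor="ALLOWED"` lines from complain mode, and skips everything else. The sample log lines are constructed for this example, with invented paths and pids; the profile names only echo the ones discussed above. Treat the output as a review list, not as rules to paste in: a browser being denied `/usr/bin/curl`, or a file manager being denied `~/.ssh`, is exactly what these profiles are meant to do.

```shell
#!/bin/sh
# Added example, not from the thread or its repository: turn AppArmor audit
# lines into candidate profile rules for manual review.

# Extract key=value (quoted or not) from one audit line; prints nothing if
# the key is absent.  AppArmor hex-encodes values that contain spaces, so a
# value never spans whitespace.
aa_field() {
    printf '%s\n' "$1" \
      | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" \
      | sed 's/^"//; s/"$//'
}

# Map one kernel/audit line to "profile: rule," or return 1 if the line is
# not a DENIED (enforce mode) or ALLOWED (complain mode) AppArmor event.
aa_suggest_rule() {
    _line=$1
    case "$_line" in
        *'apparmor="DENIED"'*|*'apparmor="ALLOWED"'*) ;;
        *) return 1 ;;
    esac
    _profile=$(aa_field "$_line" profile)
    _op=$(aa_field "$_line" operation)
    _family=$(aa_field "$_line" family)
    _name=$(aa_field "$_line" name)
    _mask=$(aa_field "$_line" denied_mask)
    [ -n "$_mask" ] || _mask=$(aa_field "$_line" requested_mask)

    # Socket events carry family/sock_type instead of a path.
    if [ -n "$_family" ]; then
        printf '%s: network %s %s,\n' "$_profile" "$_family" "$(aa_field "$_line" sock_type)"
        return 0
    fi
    [ -n "$_name" ] || return 1
    # Use the @{HOME} tunable instead of the concrete home directory.
    _path=$(printf '%s\n' "$_name" | sed 's|^/home/[^/]*|@{HOME}|')
    case "$_op" in
        exec)
            # exec rules need a transition mode; ix (inherit) is the conservative
            # default, but an exec denial is often one you want to keep.
            printf '%s: %s ix,\n' "$_profile" "$_path" ;;
        *)
            _fsuid=$(aa_field "$_line" fsuid)
            _ouid=$(aa_field "$_line" ouid)
            if [ -n "$_fsuid" ] && [ "$_fsuid" = "$_ouid" ]; then
                printf '%s: owner %s %s,\n' "$_profile" "$_path" "$_mask"
            else
                printf '%s: %s %s,\n' "$_profile" "$_path" "$_mask"
            fi ;;
    esac
}

# Read log lines on stdin (e.g. journalctl -k --no-pager), print unique suggestions.
aa_suggest_from_log() {
    while IFS= read -r _l; do
        aa_suggest_rule "$_l" || true
    done | sort -u
}

# Constructed sample lines modelled on the kernel's audit format (paths,
# pids and timestamps are invented for this example).
SAMPLE_FILE='audit: type=1400 audit(1700000000.101:11): apparmor="DENIED" operation="open" class="file" profile="thunar" name="/home/user/.ssh/id_ed25519" pid=2345 comm="thunar" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'
SAMPLE_NET='audit: type=1400 audit(1700000000.102:12): apparmor="DENIED" operation="create" class="net" profile="thunar" pid=2345 comm="thunar" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"'
SAMPLE_EXEC='audit: type=1400 audit(1700000000.103:13): apparmor="ALLOWED" operation="exec" class="file" profile="brave-browser" name="/usr/bin/curl" pid=3456 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0'
SAMPLE_STATUS='audit: type=1400 audit(1700000000.104:14): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="thunar" pid=999 comm="apparmor_parser"'

# Live use inside a qube (root is needed to read the kernel log):
#   journalctl -k --no-pager | aa_suggest_from_log
printf '%s\n' "$SAMPLE_FILE" "$SAMPLE_NET" "$SAMPLE_EXEC" "$SAMPLE_STATUS" | aa_suggest_from_log
```

The `network inet stream,` line is the kind of rule a browser needs and a file manager should not get; the two file-manager profiles mentioned above keep `deny network inet,` for that reason, and an explicit `deny` rule always wins over an allow rule in AppArmor, so adding the suggestion would not even take effect there.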
AppArmor profile from Author: Daniel Richard G. <skunk@iSKUNK.ORG> added to the repository: “Xorg Display manager”. Every qube is using X11 as display, so we increase the security of the VM a lot more now. The profile is shipped in the Whonix and Debian templates, but the profile missed a line to work properly in enforce mode in Qubes. In my testing on Whonix and Debian the “Xorg” profile is working completely fine; I didn’t have any issue with it. I also put every profile in my repository into the Qubes kernel by using apparmor_parser -r; I didn’t have any issue by doing that, even with the Xorg profile.
Every AppArmor profile for browsers is stable; Nautilus, Signal, Proton Pass and mail are stable too. I will make some minor changes for ProtonMail.
In the future I would like the Qubes devs to ship the AppArmor profiles from the repository in the Debian template; I will try to talk with them about that.
I added a lot of changes for every browser in the repository; they are really better now (except donutbrowser, it needs a rewrite, but I will do it later; this one is painful to deal with). The only little thing missing is the dbus rules and unix rules for mullvad-browser, librewolf and firefox, but it’s not really important; I will add this later.
I would like to add AppArmor profiles for Telegram, Tutanota desktop mail and Stremio, but I need to create a Telegram account, and creating an account now is almost impossible. Tutanota doesn’t have an official Debian repository, so I’m waiting. And the official Stremio deb package has some issues with dependencies in Debian trixie, so I’m waiting for a fix from them.
List of new profiles added in the apparmor qubes repository: Element-desktop, Session-desktop, Bitwarden, Metadata-cleaner, streamlink, Thunderbird
I also finished writing the Thunar profile; it’s working fine with every Qubes feature.
Please update if you were using my previous profiles; I’ve made a lot of progress and improved the isolation for the browsers (except Brave; I still have to do it).
The donutbrowser is really hard to rewrite, but it’s planned.
Added new profiles: Transmission (works only with the GTK version for now), and I also added qBittorrent.
I tried to build the tutanota-desktop version to create an AppArmor profile, but building the package doesn’t work; despite my efforts to fix the issue I couldn’t build anything, so I’m still waiting for an official repository from them.
Next profiles I’d like to add: Podman, Docker, ssh
Added a “docker” profile in the repository; the profile is in the folder “selfhost”. I will do Podman soon.
Pulling images and running docker compose commands works fine, but I don’t know if the software needs more commands to run properly under AppArmor; if some permissions are missing I will add them immediately.
I also added a folder “screenshot” to show people what AppArmor is doing in the background.
Yeah, I forgot the “apparmor=1”; I will update the post, thanks.
To be more clear, the command
qvm-prefs x kernelopts "swiotlb=2048 security=apparmor"
must target the template, because after you have created an AppVM, the AppVM will inherit the kernelopts value (every VM you create from the template will inherit the AppArmor value).
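Whatever is set with qvm-prefs in dom0 only matters through its effect inside the qube, and that effect can be checked directly. As an added example (not from the thread or its repository), here is a POSIX shell script to run inside a Debian-based qube: it reports whether the kernel command line that actually reached the VM asks for AppArmor, and, separately, whether the running kernel has AppArmor enabled, which the kernel exports as `Y`/`N` in `/sys/module/apparmor/parameters/enabled`. The two can disagree: a kernel may enable AppArmor by default without any option, or may ignore the option because it was built without AppArmor. The script does not decide which Qubes kernel needs the option; it only shows the resulting state so the question in this thread can be answered by looking rather than guessing.

```shell
#!/bin/sh
# Added example, not part of the thread or its repository: run *inside* a
# Debian-based qube to see whether AppArmor is really active there, instead
# of inferring it from the template or from the kernelopts set in dom0.

# Does a kernel command line (passed as $1) ask for AppArmor?  True when it
# carries "security=apparmor" (the form used in the Qubes docs) or an "lsm="
# list that names apparmor, and does not carry "apparmor=0".
cmdline_requests_apparmor() {
    _req=1
    for _tok in $1; do
        case "$_tok" in
            security=apparmor) _req=0 ;;
            lsm=*apparmor*)    _req=0 ;;
            apparmor=0)        return 1 ;;
        esac
    done
    return "$_req"
}

# Is AppArmor enabled in the running kernel?  The kernel exports Y/N in
# /sys/module/apparmor/parameters/enabled; if the file is missing, the
# running kernel has no AppArmor at all.  $1 overrides the path so the
# function can be exercised against a constructed file.
apparmor_enabled_in_kernel() {
    _f="${1:-/sys/module/apparmor/parameters/enabled}"
    [ -r "$_f" ] || return 1
    [ "$(tr -d '[:space:]' < "$_f")" = "Y" ]
}

# Summary for the current qube.  "requested" but "NOT enabled" means the
# option alone was not enough for this kernel; "not requested" but "enabled"
# means this kernel turns AppArmor on by default.
report_apparmor_state() {
    if [ -r /proc/cmdline ]; then
        _cl=$(cat /proc/cmdline)
        if cmdline_requests_apparmor "$_cl"; then
            echo "cmdline: AppArmor requested ($_cl)"
        else
            echo "cmdline: AppArmor not requested ($_cl)"
        fi
    fi
    if apparmor_enabled_in_kernel; then
        echo "kernel:  AppArmor enabled; profiles in enforce mode are applied"
    else
        echo "kernel:  AppArmor NOT enabled; loaded profiles have no effect"
    fi
    # aa-status (Debian package apparmor) lists loaded profiles and their
    # mode; the full listing needs root.
    if command -v aa-status >/dev/null 2>&1; then
        aa-status 2>/dev/null || echo "aa-status: run as root for the full listing"
    fi
}

report_apparmor_state
```

Run it once in a qube whose template got the kernelopts change and once in a qube that did not; the `kernel:` line is the one that tells you whether the profiles discussed in this thread are actually being enforced.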
Your answer is clear, but think a moment about the 30k+ users of Qubes OS.
Could it be that most of them believe AppArmor is working in their Debian templates, while they should set it up for each qube via kernelopts?
Even for Kicksecure and Whonix templates.
I didn’t test whether a user really needs to do the qvm-prefs kernelopts commands; I don’t know if AppArmor will deny access correctly if you don’t do it. And the AppArmor profile for Tor Browser in Whonix seems to work without the qvm-prefs commands, so I guess we probably don’t need to use the commands? I won’t lie, I don’t know at all; some tests are needed.
qvm-prefs x kernelopts "swiotlb=2048 apparmor=1 security=apparmor"
According to the docs, the only place where AppArmor is mentioned also mentions exactly that use case:
To view kernel options, you can use the GUI VM Settings tool; to view and change them, use qvm-prefs commandline tool:
qvm-prefs my-appvm kernelopts
swiotlb=2048
qvm-prefs my-appvm kernelopts "swiotlb=10240 apparmor=1 security=apparmor"
And the usage is for an AppVM, not for a template.
@unman
Excuse me, but maybe you know for sure whether users should manually change kernelopts for each template to activate AppArmor in Debian-based qubes?