Yay, we have ProtectSystem=strict now.

https://github.com/Whonix/onion-grater/blob/master/lib/systemd/system/onion-grater.service currently works without ReadWritePaths. So let's not add?

It's a file, not a folder.

I just re-read the error message. Try adding

I can test it but I doubt lockdown will help at all.

That's weird. Onion-grater is trying to write to somewhere that's being mounted read-only by systemd.

GUI isolation is very important, no?

The problem is, xpra (actually xpra | xserver-xephyr | xvfb) isn't in the list of Recommends: of the firejail package by accident. We don't really know the rationale of that. Could be an optional dependency and without it, some things someone who knows firejail who is happy to find it installed would wonder why it actually does not work.

Does it work after you comment ProtectSystem=strict and ReadWriteDirectories=? I think on Qubes-Whonix it is trying to write to a directory in /var/run (probably /var/run/qubes-service). I can't test as I don't use Qubes.

Does it work using this? It looks like it needs the openat syscall which it now allows.

I don't think anything Debian does would modify any iptables rules nor Whonix ships any code to disable the firewall. So "disables the firewall for a minute" is non-existing. Would be bad if that happened.

The way it is now looks fine. Why would it need to be changed?

We need to re-check this for Whonix Host. Since it gets installed using calamares (which handles partitioning) there could be an unwanted swap partition.

Seems quite hacky. What's the root cause for failing?

https://lists.ubuntu.com/archives/apparmor/2016-February/009371.html says it is used for various things so it might break some things.

Would it cause any issues if the machine-id was just deleted or replaced with a bunch of 0s?

My pull request enables all of these except martian packet logging which I doubt would be useful on Whonix.

You can create directories in tor-browser_en-US/Browser/TorBrowser/Data/Browser/ called (profile_name).default. Here will be all the configurations for the profile. It should have a custom user.js with proxy settings using privoxy and setting network.proxy.no_proxies_on to 0.

Alternatively, you could change the home page to the program's interface e.g. 127.0.0.1:7657 for I2P and start the browser with a script that creates a popup box using zenity or similar that tells the user the information.

Maybe disable it just for package upgrades?

There is none. You can run swapon -s or cat /proc/swaps to verify.

No, I mean the upstream repository thunar-volman by XFCE developers.

• https://git.xfce.org/xfce/thunar-volman/tree/
• https://github.com/xfce-mirror/thunar-volman

Can you see from thunar-volman source code where defaults are configured? Would be good to watch for future versions.

Automounting can be configured in /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/thunar-volman.conf