From 0dcd8832f351893eb216a33014f234ea8c0ffa61 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Thu, 9 Dec 2021 12:38:09 +0000
Subject: [PATCH] Remove untested torbrowser.

---
 .../browsers/torbrowser.Browser.firefox       | 165 ------------------
 .../torbrowser.Browser.plugin-container       | 104 -----------
 apparmor.d/groups/browsers/torbrowser.Tor.tor |  47 -----
 dists/ignore/main.ignore                      |   3 -
 4 files changed, 319 deletions(-)
 delete mode 100644 apparmor.d/groups/browsers/torbrowser.Browser.firefox
 delete mode 100644 apparmor.d/groups/browsers/torbrowser.Browser.plugin-container
 delete mode 100644 apparmor.d/groups/browsers/torbrowser.Tor.tor

diff --git a/apparmor.d/groups/browsers/torbrowser.Browser.firefox b/apparmor.d/groups/browsers/torbrowser.Browser.firefox
deleted file mode 100644
index 5ae6a9a2..00000000
--- a/apparmor.d/groups/browsers/torbrowser.Browser.firefox
+++ /dev/null
@@ -1,165 +0,0 @@
-#include <tunables/global>
-#include <tunables/torbrowser>
-
-@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real
-
-profile torbrowser_firefox @{torbrowser_firefox_executable} {
-  #include <abstractions/audio>
-  #include <abstractions/gnome>
-  #include <abstractions/ibus>
-  #include if exists <abstractions/vulkan>
-
-  # Uncomment the following lines if you want to give the Tor Browser read-write
-  # access to most of your personal files.
-  # #include <abstractions/user-download>
-  # @{HOME}/ r,
-
-  # Audio support
-  /{,usr/}bin/pulseaudio Pixr,
-
-  #dbus,
-  network netlink raw,
-  network tcp,
-
-  ptrace (trace) peer=@{profile_name},
-  signal (receive, send) set=("term") peer=@{profile_name},
-
-  deny /etc/host.conf r,
-  deny /etc/hosts r,
-  deny /etc/nsswitch.conf r,
-  deny /etc/resolv.conf r,
-  deny /etc/passwd r,
-  deny /etc/group r,
-  deny /etc/mailcap r,
-
-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
-
-  /dev/ r,
-  /dev/shm/ r,
-
-  owner @{PROC}/@{pid}/cgroup r,
-  owner @{PROC}/@{pid}/environ r,
-  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/stat r,
-  owner @{PROC}/@{pid}/status r,
-  owner @{PROC}/@{pid}/task/*/stat r,
-  @{PROC}/sys/kernel/random/uuid r,
-
-  owner @{torbrowser_installation_dir}/ r,
-  owner @{torbrowser_installation_dir}/* r,
-  owner @{torbrowser_installation_dir}/.** rwk,
-  owner @{torbrowser_installation_dir}/update.test/ rwk,
-  owner @{torbrowser_home_dir}/.** rwk,
-  owner @{torbrowser_home_dir}/ rw,
-  owner @{torbrowser_home_dir}/** rwk,
-  owner @{torbrowser_home_dir}.bak/ rwk,
-  owner @{torbrowser_home_dir}.bak/** rwk,
-  owner @{torbrowser_home_dir}/*.so mr,
-  owner @{torbrowser_home_dir}/.cache/fontconfig/ rwk,
-  owner @{torbrowser_home_dir}/.cache/fontconfig/** rwkl,
-  owner @{torbrowser_home_dir}/browser/** r,
-  owner @{torbrowser_home_dir}/{,browser/}components/*.so mr,
-  owner @{torbrowser_home_dir}/Downloads/ rwk,
-  owner @{torbrowser_home_dir}/Downloads/** rwk,
-  owner @{torbrowser_home_dir}/firefox rix,
-  owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/* rw,
-  owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/{,MozUpdater/bgupdate/}updater ix,
-  owner @{torbrowser_home_dir}/updater ix,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/.parentwritetest rw,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/{,**} rwk,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
-  owner @{torbrowser_home_dir}/fonts/* l,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/tor px,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/libstdc++/*.so mr,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/libstdc++/*.so.* mr,
-
-  # parent Firefox process when restarting after upgrade, Web Content processes
-  owner @{torbrowser_firefox_executable} pxmr -> torbrowser_firefox,
-
-  /etc/mailcap r,
-  /etc/mime.types r,
-
-  /usr/share/ r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/mime/ r,
-  /usr/share/themes/ r,
-  /usr/share/applications/** rk,
-  /usr/share/gnome/applications/ r,
-  /usr/share/gnome/applications/kde4/ r,
-  /usr/share/poppler/cMap/ r,
-  /etc/xdg/mimeapps.list r,
-
-  # Distribution homepage
-  /usr/share/homepage/ r,
-  /usr/share/homepage/** r,
-
-  /sys/devices/system/cpu/ r,
-  /sys/devices/system/cpu/present r,
-  /sys/devices/system/node/ r,
-  /sys/devices/system/node/node[0-9]*/meminfo r,
-  /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_quota_us r,
-  deny /sys/devices/virtual/block/*/uevent r,
-
-  # Should use abstractions/gstreamer instead once merged upstream
-  /etc/udev/udev.conf r,
-  @{run}/udev/data/+pci:* r,
-  /sys/devices/pci[0-9]*/**/uevent r,
-  owner /{dev,run}/shm/shmfd-* rw,
-
-  # Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
-  owner /{dev,run}/shm/org.chromium.* rw,
-  owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw, # for Chromium IPC
-
-  # Required for Wayland display protocol support
-  owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
-
-  # Deny access to DRM nodes, that's granted by the X abstraction, which is
-  # sourced by the gnome abstraction, that we include.
-  deny /dev/dri/** rwklx,
-
-  # Silence denial logs about permissions we don't need
-  deny /dev/dri/   rwklx,
-  deny @{user_cache_dirs}/fontconfig/ rw,
-  deny @{user_cache_dirs}/fontconfig/** rw,
-  deny @{user_config_dirs}/gtk-2.0/ rw,
-  deny @{user_config_dirs}/gtk-2.0/** rw,
-  deny @{PROC}/@{pid}/net/route r,
-  deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
-  deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
-  deny @{run}/user/@{uid}/dconf/user rw,
-  deny /usr/bin/lsb_release x,
-
-  # Silence denial logs about PulseAudio
-  deny /etc/pulse/client.conf r,
-  deny /usr/bin/pulseaudio x,
-
-  # KDE 4
-  owner @{HOME}/.kde/share/config/* r,
-
-  # Xfce4
-  /etc/xfce4/defaults.list r,
-  /usr/share/xfce4/applications/ r,
-
-  # u2f (tested with Yubikey 4)
-  /sys/class/ r,
-  /sys/bus/ r,
-  /sys/class/hidraw/ r,
-  @{run}/udev/data/c24{5,7,9}:* r,
-  /dev/hidraw* rw,
-  # Yubikey NEO also needs this:
-  /sys/devices/**/hidraw/hidraw*/uevent r,
-
-  # Needed for Firefox sandboxing via unprivileged user namespaces
-  capability sys_admin,
-  capability sys_chroot,
-  owner @{PROC}/@{pid}/{gid,uid}_map w,
-  owner @{PROC}/@{pid}/setgroups w,
-
-  #include if exists <local/torbrowser.Browser.firefox>
-}
diff --git a/apparmor.d/groups/browsers/torbrowser.Browser.plugin-container b/apparmor.d/groups/browsers/torbrowser.Browser.plugin-container
deleted file mode 100644
index 4602b39c..00000000
--- a/apparmor.d/groups/browsers/torbrowser.Browser.plugin-container
+++ /dev/null
@@ -1,104 +0,0 @@
-include <tunables/global>
-include <tunables/torbrowser>
-
-@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real
-
-profile torbrowser_plugin_container {
-  include <abstractions/gnome>
-
-  # Uncomment the following lines if you want Tor Browser
-  # to have direct access to your sound hardware. You will also
-  # need to remove, further bellow:
-  #  - the "deny" word in the machine-id lines
-  #  - the rules that deny reading /etc/pulse/client.conf
-  #    and executing /usr/bin/pulseaudio
-  # include <abstractions/audio>
-  # /etc/asound.conf r,
-  # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw,
-
-  signal (receive) set=("term") peer=torbrowser_firefox,
-
-  deny /etc/host.conf r,
-  deny /etc/hosts r,
-  deny /etc/nsswitch.conf r,
-  deny /etc/resolv.conf r,
-  deny /etc/passwd r,
-  deny /etc/group r,
-  deny /etc/mailcap r,
-
-  deny /etc/machine-id r,
-  deny /var/lib/dbus/machine-id r,
-
-  /etc/mime.types r,
-  /usr/share/applications/gnome-mimeapps.list r,
-
-  /dev/shm/ r,
-
-  owner @{PROC}/@{pid}/environ r,
-  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/stat r,
-  owner @{PROC}/@{pid}/status r,
-  owner @{PROC}/@{pid}/task/*/stat r,
-  @{PROC}/sys/kernel/random/uuid r,
-
-  owner @{torbrowser_home_dir}/*.dat r,
-  owner @{torbrowser_home_dir}/*.manifest r,
-  owner @{torbrowser_home_dir}/*.so mr,
-  owner @{torbrowser_home_dir}/.cache/fontconfig/   rw,
-  owner @{torbrowser_home_dir}/.cache/fontconfig/** rw,
-  owner @{torbrowser_home_dir}/browser/** r,
-  owner @{torbrowser_home_dir}/components/*.so mr,
-  owner @{torbrowser_home_dir}/browser/components/*.so mr,
-  owner @{torbrowser_home_dir}/defaults/pref/     r,
-  owner @{torbrowser_home_dir}/defaults/pref/*.js r,
-  owner @{torbrowser_home_dir}/dependentlibs.list r,
-  owner @{torbrowser_home_dir}/fonts/   r,
-  owner @{torbrowser_home_dir}/fonts/** r,
-  owner @{torbrowser_home_dir}/omni.ja r,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
-  owner @{torbrowser_home_dir}/TorBrowser/UpdateInfo/updates/[0-9]*/update.{status,version} r,
-  owner @{torbrowser_home_dir}/TorBrowser/UpdateInfo/updates/[0-9]/updater rw,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/* rw,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
-  owner @{torbrowser_home_dir}/Downloads/ rwk,
-  owner @{torbrowser_home_dir}/Downloads/** rwk,
-
-  owner @{torbrowser_firefox_executable} ixmr -> torbrowser_plugin_container,
-
-  /sys/devices/system/cpu/ r,
-  /sys/devices/system/cpu/present r,
-  /sys/devices/system/node/ r,
-  /sys/devices/system/node/node[0-9]*/meminfo r,
-  deny /sys/devices/virtual/block/*/uevent r,
-
-  # Should use abstractions/gstreamer instead once merged upstream
-  /etc/udev/udev.conf r,
-  @{run}/udev/data/+pci:* r,
-  /sys/devices/pci[0-9]*/**/uevent r,
-  owner /{dev,run}/shm/shmfd-* rw,
-
-  # Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
-  owner /{dev,run}/shm/org.chromium.* rw,
-
-  # Deny access to DRM nodes, that's granted by the X abstraction, which is
-  # sourced by the gnome abstraction, that we include.
-  deny /dev/dri/** rwklx,
-
-  # Silence denial logs about permissions we don't need
-  deny /dev/dri/   rwklx,
-  deny @{PROC}/@{pid}/net/route r,
-  deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
-  deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
-
-  # Silence denial logs about PulseAudio
-  deny /etc/pulse/client.conf r,
-  deny /usr/bin/pulseaudio x,
-
-  include if exists <local/torbrowser.Browser.plugin-container>
-}
diff --git a/apparmor.d/groups/browsers/torbrowser.Tor.tor b/apparmor.d/groups/browsers/torbrowser.Tor.tor
deleted file mode 100644
index 77861cd9..00000000
--- a/apparmor.d/groups/browsers/torbrowser.Tor.tor
+++ /dev/null
@@ -1,47 +0,0 @@
-#include <tunables/global>
-#include <tunables/torbrowser>
-
-@{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/tor
-
-profile torbrowser_tor @{torbrowser_tor_executable} {
-  #include <abstractions/base>
-
-  network netlink raw,
-  network tcp,
-  network udp,
-
-  /etc/host.conf r,
-  /etc/nsswitch.conf r,
-  /etc/passwd r,
-  /etc/resolv.conf r,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/tor mr,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/ rw,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/** rw,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/lock rwk,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
-
-  # Support some of the included pluggable transports
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/PluggableTransports/** rix,
-  @{PROC}/sys/net/core/somaxconn r,
-  #include <abstractions/ssl_certs>
-
-  # Silence file_inherit logs
-  deny @{torbrowser_home_dir}/{browser/,}omni.ja r,
-  deny @{torbrowser_home_dir}/{browser/,}features/*.xpi r,
-  deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/.parentlock rw,
-  deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
-  deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
-  # Silence logs from included pluggable transports
-  deny /etc/hosts r,
-  deny /etc/services r,
-
-  @{PROC}/sys/kernel/random/uuid r,
-  /sys/devices/system/cpu/ r,
-  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
-  # OnionShare compatibility
-  /tmp/onionshare/** rw,
-
-  include if exists <local/torbrowser.Tor.tor>
-}
diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore
index 24c75ed0..f3d1fd85 100644
--- a/dists/ignore/main.ignore
+++ b/dists/ignore/main.ignore
@@ -8,6 +8,3 @@ apparmor.d/groups/_full
 apparmor.d/groups/apps
 
 anki
-torbrowser.Browser.firefox
-torbrowser.Browser.plugin-container
-torbrowser.Tor.tor