From 18a0e16d13ba7f1c9fce77b736ffbf40d30e2b87 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 5 Apr 2024 23:41:06 +0100
Subject: [PATCH] feat(profile): update torbrowser profiles.

---
 apparmor.d/groups/whonix/torbrowser          | 27 ++++++++----
 apparmor.d/groups/whonix/torbrowser-start    |  8 ++--
 .../whonix/torbrowser-updater-permission-fix | 42 +++++++++++++++++++
 apparmor.d/groups/whonix/torbrowser-wrapper  | 29 +++++++++----
 4 files changed, 86 insertions(+), 20 deletions(-)
 create mode 100644 apparmor.d/groups/whonix/torbrowser-updater-permission-fix

diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/whonix/torbrowser
index a8236628..d7fa8284 100644
--- a/apparmor.d/groups/whonix/torbrowser
+++ b/apparmor.d/groups/whonix/torbrowser
@@ -12,7 +12,7 @@ include
 @{config_dirs} = @{data_dirs}/Browser/*.default/
 @{cache_dirs} = @{data_dirs}/Browser/Caches
-@{exec_path} = @{lib_dirs}/firefox.*
+@{exec_path} = @{lib_dirs}/firefox{,.real}
 profile torbrowser @{exec_path} flags=(attach_disconnected) {
   include
   include
@@ -31,7 +31,6 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
-  include
   include
   include
@@ -44,13 +43,17 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
   network inet6 stream,
   network netlink raw,
+  signal (send) set=(term, kill) peer=torbrowser-*,
+
+  deny dbus send bus=system path=/org/freedesktop/hostname1,
+
   @{exec_path} mrix,
   @{lib_dirs}/{,**} r,
   @{lib_dirs}/*.so mr,
-  @{lib_dirs}/glxtest rPx -> torbrowser-glxtest,
-  @{lib_dirs}/plugin-container rPx -> torbrowser-plugin-container,
-  @{lib_dirs}/vaapitest rPx -> torbrowser-vaapitest,
+  @{lib_dirs}/glxtest rPx,
+  @{lib_dirs}/plugin-container rPx,
+  @{lib_dirs}/vaapitest rPx,
   # Desktop integration
   @{bin}/lsb_release rPx -> lsb_release,
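Review bot: The signal rule's peer glob `torbrowser-*` is wider than the three child profiles this hunk hands off to (`torbrowser-glxtest`, `torbrowser-plugin-container`, `torbrowser-vaapitest`, per the removed `->` targets): it also matches `torbrowser-start`, `torbrowser-wrapper` and the new `torbrowser-updater-permission-fix`, so policy no longer restricts the browser from signalling the helper that runs under sudo elsewhere in this patch. If only the three helpers are meant, `signal (send) set=(term, kill) peer=torbrowser-{glxtest,plugin-container,vaapitest},` says so explicitly. Dropping the `-> target` on the three `rPx` rules is consistent with the rest of the commit, but it now depends on each helper profile's attachment matching its `@{lib_dirs}` path; a missing or mis-attached profile fails closed (exec denied), which is acceptable but worth a one-line comment such as `# Px targets resolve by attachment: torbrowser-{glxtest,plugin-container,vaapitest}`.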
@@ -86,8 +89,8 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
   owner /tmp/user/@{uid}/* rwk,
   owner /tmp/user/@{uid}/Temp-@{uuid}/ rw,
   owner /tmp/user/@{uid}/Temp-@{uuid}/* rwk,
-  owner /tmp/user/@{uid}/@{name}/ rw,
-  owner /tmp/user/@{uid}/@{name}/* rwk,
+  owner /tmp/user/@{uid}/firefox/ rw,
+  owner /tmp/user/@{uid}/firefox/* rwk,
   owner /tmp/@{name}/ rw,
   owner /tmp/@{name}/* rwk,
   owner /tmp/Temp-@{uuid}/ rw,
@@ -130,9 +133,15 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pids}/cmdline r,
   owner @{PROC}/@{pids}/environ r,
+  /dev/ r,
+  /dev/hidraw@{int} rw,
+  /dev/tty rw,
+  owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
+  owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
+  owner /dev/tty@{int} rw,
   # File Inherit
+
   # Silencer
-  deny @{lib_dirs}/** w,
-  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+  deny @{user_share_dirs}/gvfs-metadata/{,*} r,
   include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/whonix/torbrowser-start b/apparmor.d/groups/whonix/torbrowser-start
index 9d34ca07..29e063f7 100644
--- a/apparmor.d/groups/whonix/torbrowser-start
+++ b/apparmor.d/groups/whonix/torbrowser-start
@@ -32,15 +32,17 @@ profile torbrowser-start @{exec_path} {
   @{lib_dirs}/abicheck rix,
   @{lib_dirs}/firefox rix,
-  @{lib_dirs}/firefox.* rPx -> torbrowser,
+  @{lib_dirs}/firefox{,.real} rPx,
   /etc/magic r,
-  owner @{HOME}/.tb/tor-browser/* rw,
-
   owner @{lib_dirs}/.config/ibus/{,**} rw,
   owner @{lib_dirs}/.local/* rw,
   owner @{lib_dirs}/sed@{rand6} rw,
   owner @{lib_dirs}/start-tor-browser.desktop rw,
+  owner @{lib_dirs}/TorBrowser/Tor/tor r,
+
+  owner @{HOME}/.tb/tor-browser/* rw,
   include if exists
 }
diff --git a/apparmor.d/groups/whonix/torbrowser-updater-permission-fix b/apparmor.d/groups/whonix/torbrowser-updater-permission-fix
new file mode 100644
index 00000000..d9348805
--- /dev/null
+++ b/apparmor.d/groups/whonix/torbrowser-updater-permission-fix
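Review bot: Removing `deny @{lib_dirs}/** w,` drops the profile's only explicit backstop against the browser writing into its own install tree, which — judging by the `@{HOME}/.tb/tor-browser/` paths elsewhere in this patch — lives in the user's home and is therefore reachable by any `owner @{HOME}/**`-style allow that an included abstraction may carry; explicit deny rules override such allows, so this is a real loosening rather than a no-op. If the intent is to let the in-browser updater write there, an explicit `owner @{lib_dirs}/{,**} rw,` under a `# Tor Browser self-update` comment would document that; otherwise keep the deny. The new `/dev/hidraw@{int} rw,` is unowned and so covers every raw HID device rather than only security keys; if that is required for WebAuthn, a comment saying so would stop a later reviewer from narrowing it by mistake. The profile continues outside the hunk, so rules granting write under `@{lib_dirs}` may exist that this hunk does not show.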
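Review bot: `@{lib_dirs}/firefox{,.real} rPx,` expands to `@{lib_dirs}/firefox`, the same path that the context line two lines above grants `rix`; one path with both `ix` and `Px` is a conflicting exec modifier, which apparmor_parser should reject when it merges the rules (the old `firefox.*` glob did not overlap because it required the dot). If `firefox` is the launcher script meant to run inline and `firefox.real` the binary to confine, the rule should be `@{lib_dirs}/firefox.real rPx,`; if the whole launch should transition into `torbrowser`, drop the `rix` line instead. The `torbrowser-start` profile body starts before and continues after this hunk.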
@@ -0,0 +1,42 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/tb-updater/tb-permission-fix
+profile torbrowser-updater-permission-fix @{exec_path} {
+  include
+  include
+
+  capability chown,
+  capability dac_read_search,
+  capability fowner,
+  capability fsetid,
+
+  @{exec_path} mr,
+
+  @{sh_path} rix,
+  @{bin}/chmod rix,
+  @{bin}/chown rix,
+  @{bin}/find rix,
+  @{bin}/id rix,
+  @{bin}/mktemp rix,
+  @{bin}/xargs rix,
+
+  @{lib}/helper-scripts/* r,
+
+  /var/cache/tb-binary/{,**} rw,
+
+  owner /tmp/user/@{uid}/tmp.@{rand10} rw,
+
+  owner @{PROC}/@{pid}/fd/ r,
+
+  owner /dev/tty rw,
+
+  deny @{HOME}/ r,
+
+  include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper
index 7b40db8c..b3d9f446 100644
--- a/apparmor.d/groups/whonix/torbrowser-wrapper
+++ b/apparmor.d/groups/whonix/torbrowser-wrapper
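Review bot: The new profile grants `capability chown`, `dac_read_search`, `fowner` and `fsetid` without a comment saying what the helper does with them; since the only writable paths are `/var/cache/tb-binary/{,**}` and the mktemp file, the effective scope is presumably a recursive chown/chmod of that cache, and a header comment such as `# Runs as root (sudo from torbrowser-wrapper) to fix ownership/mode under /var/cache/tb-binary/` would let the next reviewer check the capability set against that purpose. `@{bin}/find rix` and `@{bin}/xargs rix` inherit the profile, so the chown/chmod they spawn stay inside that writable scope, which is worth stating in the same comment. `deny @{HOME}/ r,` reads as a noise suppressor and should carry the `# Silencer` label the `torbrowser` hunk of this patch uses for the same purpose.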
@@ -18,32 +18,47 @@ profile torbrowser-wrapper @{exec_path} {
   @{sh_path} rix,
   @{bin}/basename rix,
+  @{bin}/cp rix,
   @{bin}/dirname rix,
   @{bin}/grep rix,
   @{bin}/id rix,
+  @{bin}/mkdir rix,
   @{bin}/mktemp rix,
   @{bin}/mount rix,
   @{bin}/str_replace rix,
+  @{bin}/sudo rCx -> sudo,
   @{bin}/systemctl rCx -> systemctl,
+  @{bin}/touch rix,
   @{bin}/tty rix,
   @{bin}/whoami rix,
-  @{lib_dirs}/start-tor-browser rPx -> torbrowser-start,
-  @{lib}/msgcollector/msgcollector rPx,
-  @{lib}/open-link-confirmation/open-link-confirmation rPx,
+  @{lib_dirs}/start-tor-browser rPx,
+  @{lib}/msgcollector/msgcollector rPx,
+  @{lib}/open-link-confirmation/open-link-confirmation rPx,
   @{lib}/helper-scripts/* r,
   /etc/torbrowser.d/{,*} r,
-  owner @{lib_dirs}/TorBrowser/Data/Browser/profile.default/prefs.js r,
+  owner @{HOME}/.tb/{,**} rw,
+  owner /var/cache/tb-binary/{,**} rw,
   owner /tmp/tmp.@{rand10} rw,
+  owner /tmp/user/@{uid}/tmp.@{rand10} rw,
   owner @{run}/mount/utab r,
   owner @{PROC}/@{pid}/mountinfo r,
+  profile sudo {
+    include
+    include
+
+    @{lib}/tb-updater/tb-permission-fix rPx,
+
+    include if exists
+  }
+
   profile systemctl {
     include
     include
@@ -52,10 +67,8 @@ profile torbrowser-wrapper @{exec_path} {
     /{run,var}/log/journal/ r,
     /{run,var}/log/journal/@{hex32}/ r,
-    /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
-    /{run,var}/log/journal/@{hex32}/system.journal* r,
-    /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r,
-
+    /{run,var}/log/journal/@{hex32}/*.journal* r,
+
     include if exists
   }
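Review bot: `owner @{HOME}/.tb/{,**} rw,` replaces a single read of `prefs.js` with read-write over the whole Tor Browser tree, including the `firefox{,.real}` binaries that the `torbrowser` profile attaches to; the new `cp`/`mkdir`/`touch` rules suggest the wrapper populates `~/.tb/` from `/var/cache/tb-binary/`, but nothing on the page says so, and a comment such as `# Copies the browser from /var/cache/tb-binary/ into ~/.tb/ (tb-updater)` — or the narrower `owner @{HOME}/.tb/tor-browser/{,**} rw,` if nothing else lives there — would keep that reviewable. The `sudo` child profile has a good least-privilege shape: only `@{lib}/tb-updater/tb-permission-fix rPx` is reachable, so `sudo` with any other command is denied by policy, and a short comment saying so would discourage a later widening. `profile sudo` is complete inside the hunk, but the enclosing `torbrowser-wrapper` profile begins before and continues after it.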