feat(profile): torbrowser: do not give access to user dirs by default.

- Remove read-only access to most user dirs. - Remove read-write access to download directories. fix #490
2024-11-14 23:43:56 +01:00 · 2024-09-16 13:36:29 +01:00 · 2024-09-16 13:36:29 +01:00 · 7858cae330
commit 7858cae330
parent 2805ed9dd9
5 changed files with 9 additions and 3 deletions
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@ -29,8 +29,6 @@
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/uim>
-  include <abstractions/user-download-strict>
-  include <abstractions/user-read-strict>

  # userns,

--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -16,6 +16,8 @@ include <tunables/global>
 profile firefox @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app/firefox>
+  include <abstractions/user-download-strict>
+  include <abstractions/user-read-strict>

  signal (send) set=(term, kill) peer=keepassxc-proxy,

--- a/apparmor.d/groups/browsers/firefox-glxtest
+++ b/apparmor.d/groups/browsers/firefox-glxtest
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{name} = firefox{,.sh,-esr,-bin}
+@{name} = firefox{,-esr,-bin}
@{lib_dirs} = @{lib}/@{name} /opt/@{name}
@{config_dirs} = @{HOME}/.mozilla/
@{cache_dirs} = @{user_cache_dirs}/mozilla/
--- a/apparmor.d/groups/browsers/torbrowser
+++ b/apparmor.d/groups/browsers/torbrowser
@ -17,6 +17,9 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app/firefox>

+  # Uncomment if you want to give the Tor Browser access to the common download directory.
+  # include <abstractions/user-download-strict>
+
  @{exec_path} mrix,

  @{lib_dirs}/abicheck           ix,
@ -41,6 +44,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
  owner "@{tmp}/Tor Project*/**" rwk,

  # Due to the nature of the browser, we silence much more than for Firefox.
+  deny capability sys_ptrace,
  deny network inet dgram, # TOR does not work over UDP
  deny network inet6 dgram,
  deny network inet6 stream, # TOR does not work over IPv6
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@ -16,6 +16,8 @@ include <tunables/global>
 profile thunderbird @{exec_path} {
  include <abstractions/base>
  include <abstractions/app/firefox>
+  include <abstractions/user-download-strict>
+  include <abstractions/user-read-strict>

  #aa:dbus own bus=session name=org.mozilla.thunderbird