feat(profile): add torbrowser

The same profiles are now used for torbrowser whether or not it is running on Whonix.
This commit is contained in:
Alexandre Pujol 2024-09-12 22:54:20 +01:00
parent ecf4eaee14
commit 7b4db8fd41
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
10 changed files with 241 additions and 93 deletions


@ -7,9 +7,9 @@ abi <abi/3.0>,
include <tunables/global>
@{name} = torbrowser "tor browser"
@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
@{config_dirs} = @{data_dirs}/Browser/*.default/
@{config_dirs} = @{data_dirs}/Browser/profile.default/
@{cache_dirs} = @{data_dirs}/Browser/Caches
@{exec_path} = @{lib_dirs}/firefox{,.real}
@ -19,8 +19,14 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
@{lib_dirs}/abicheck rix,
@{lib_dirs}/updater rPx,
@{lib_dirs}/abicheck ix,
@{lib_dirs}/glxtest Px -> torbrowser//&torbrowser-glxtest,
@{lib_dirs}/updater Px,
@{lib_dirs}/vaapitest Px -> torbrowser//&torbrowser-vaapitest,
#aa:exclude whonix
@{lib_dirs}/TorBrowser/Tor/PluggableTransports/** Px -> torbrowser-tor,
@{lib_dirs}/TorBrowser/Tor/tor Px -> torbrowser-tor,
/usr/share/homepage/{,**} r,
@ -37,10 +43,10 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
# Due to the nature of the browser, we silence much more than for Firefox.
deny network inet dgram, # TOR does not work over UDP
deny network inet6 dgram,
deny network inet6 stream, # TOR does not work over IPv6
deny dbus (send receive) bus=session path=/ca/desrt/dconf/Writer/user,
deny @{bin}/lsb_release x,
deny @{lib_dirs}/crashreporter x,
deny @{lib_dirs}/glxtest x,
deny @{lib_dirs}/minidump-analyzer x,
deny @{lib_dirs}/pingsender x,
deny /usr/share/dconf/** r,
@ -56,6 +62,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
deny /etc/passwd r,
deny /etc/resolv.conf r,
deny /var/lib/dbus/machine-id r,
deny owner @{HOME}/ r,
deny owner @{user_config_dirs}/dconf/user r,
deny owner @{user_config_dirs}/gtk-*/{,**} rw,
deny owner @{run}/user/@{uid}/dconf/ rw,
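Review bot: `deny @{lib_dirs}/glxtest x,` near the top of the third hunk conflicts with the new `@{lib_dirs}/glxtest Px -> torbrowser//&torbrowser-glxtest,` rule in the second hunk: an explicit deny overrides any allow for the same path in AppArmor, so if that deny line is still present on the new side the stacked transition can never be taken and glxtest keeps being blocked exactly as before. The rendered view does not show whether this commit removes that line; if it does not, drop the deny (or the Px rule, if blocking glxtest is the intent) and say which in a short comment. The profile body continues outside these hunks.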


@ -7,13 +7,13 @@ abi <abi/3.0>,
include <tunables/global>
@{name} = torbrowser "tor browser"
@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
@{config_dirs} = @{data_dirs}/Browser/*.default/
@{config_dirs} = @{data_dirs}/Browser/profile.default/
@{cache_dirs} = @{data_dirs}/Browser/Caches
@{exec_path} = @{lib_dirs}/glxtest
profile torbrowser-glxtest @{exec_path} {
profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
@ -21,12 +21,10 @@ profile torbrowser-glxtest @{exec_path} {
@{exec_path} mr,
owner @{config_dirs}/.parentlock rw,
owner @{tmp}/@{name}/.parentlock rw,
owner @{PROC}/@{pid}/cmdline r,
deny @{config_dirs}/.parentlock rw,
include if exists <local/torbrowser-glxtest>
}


@ -0,0 +1,93 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
@{exec_path} = @{bin}/torbrowser-launcher
profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/ssl_certs>
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
network netlink raw,
@{exec_path} mrix,
@{sh_path} rix,
@{bin}/file ix,
@{bin}/gpg{,2} Cx -> gpg,
@{bin}/gpgconf Cx -> gpg,
@{bin}/gpgsm Cx -> gpg,
@{bin}/grep ix,
@{bin}/sed ix,
@{bin}/tail ix,
@{lib_dirs}/execdesktop ix,
@{lib_dirs}/start-tor-browser Px, # torbrowser-start
@{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop ix,
/usr/share/file/** r,
/usr/share/torbrowser-launcher/{,**} r,
owner @{user_cache_dirs}/torbrowser/{,**/} rw,
owner @{user_cache_dirs}/torbrowser/download/** rw,
owner @{user_cache_dirs}/torbrowser/torbrowser.gpg rw,
owner @{user_config_dirs}/torbrowser/{,**/} rw,
owner @{user_config_dirs}/torbrowser/settings.json rw,
owner @{user_share_dirs}/torbrowser/{,**} rw,
owner @{PROC}/@{pid}/cmdline r,
/dev/tty rw,
profile gpg {
include <abstractions/base>
@{bin}/gpg{,2} mr,
@{bin}/gpgconf mr,
@{bin}/gpgsm mr,
@{bin}/gpg-agent ix,
@{lib}/{,gnupg/}scdaemon ix,
owner @{HOME}/ r,
owner @{HOME}/@{XDG_GPG_DIR}/ r,
owner @{HOME}/@{XDG_GPG_DIR}/gpg.conf r,
owner @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r,
owner @{user_share_dirs}/torbrowser/ r,
owner @{user_share_dirs}/torbrowser/gnupg_homedir/ rw,
owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner @{run}/user/@{uid}/ r,
owner @{run}/user/@{uid}/gnupg/ r,
owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw,
owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
include if exists <local/torbrowser-launcher_gpg>
}
include if exists <local/torbrowser-launcher>
}
# vim:syntax=apparmor
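Review bot: The `l -> @{HOME}/@{XDG_GPG_DIR}/**` link target on the `gnupg_homedir/** rwkl` rule in the gpg subprofile lets the launcher's gpg create links inside its dedicated keyring directory that point at files of the user's real GnuPG home, which is wider than the separate-homedir layout of that subprofile suggests. Unless a denial for such a link was actually observed, scope the target to the launcher's own directory: `owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**,`. The subprofile also reads `gpg.conf` and `gpgsm.conf` from the real `@{XDG_GPG_DIR}`, so a one-line comment stating why the user's own GnuPG home is touched at all would help the next reader judge these rules.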


@ -8,9 +8,9 @@ abi <abi/3.0>,
include <tunables/global>
@{name} = torbrowser "tor browser"
@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
@{config_dirs} = @{data_dirs}/Browser/*.default/
@{config_dirs} = @{data_dirs}/Browser/profile.default/
@{cache_dirs} = @{data_dirs}/Browser/Caches
@{exec_path} = @{lib_dirs}/plugin-container


@ -0,0 +1,54 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
@{exec_path} = @{lib_dirs}/start-tor-browser
profile torbrowser-start @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} rm,
@{sh_path} rix,
@{bin}/cp ix,
@{bin}/dirname ix,
@{bin}/env r,
@{bin}/expr ix,
@{bin}/file ix,
@{bin}/getconf ix,
@{bin}/grep ix,
@{bin}/id ix,
@{bin}/ln ix,
@{bin}/mkdir ix,
@{bin}/rm ix,
@{bin}/sed ix,
@{bin}/srm ix,
@{lib_dirs}/abicheck ix,
@{lib_dirs}/firefox{,.real} Px -> torbrowser,
/usr/share/file/** r,
/etc/magic r,
owner @{lib_dirs}/.config/ibus/{,**} rw,
owner @{lib_dirs}/.local/* rw,
owner @{lib_dirs}/sed@{rand6} rw,
owner @{lib_dirs}/TorBrowser/Tor/tor r,
owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/sed@{rand6} rw,
owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop rw,
owner @{HOME}/.xsession-errors rw,
owner @{HOME}/.tb/tor-browser/* rw,
include if exists <local/torbrowser-start>
}
# vim:syntax=apparmor
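Review bot: `owner @{HOME}/.tb/tor-browser/* rw,` at the end of the rule list grants write access to every file directly under the legacy install root, while the equivalent rules for the new `@{user_share_dirs}` location just above it are limited to `sed@{rand6}` and `start-tor-browser.desktop`. If the script only touches those two files in either location, narrow the legacy rule to the same names, `owner @{HOME}/.tb/tor-browser/sed@{rand6} rw,` and `owner @{HOME}/.tb/tor-browser/start-tor-browser.desktop rw,`, so both install roots get the same least-privilege treatment. A short comment noting that these rules target the parent of `@{lib_dirs}` (which the variable itself cannot express) would also make the duplication easier to understand.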


@ -0,0 +1,51 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
@{exec_path} = @{lib_dirs}/TorBrowser/Tor/tor
profile torbrowser-tor @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
network inet stream,
network netlink raw,
@{exec_path} mr,
@{lib_dirs}/{,**} r,
@{lib_dirs}/TorBrowser/Tor/*.so* m,
@{lib_dirs}/TorBrowser/Tor/PluggableTransports/** mix,
owner @{data_dirs}/Tor/ rw,
owner @{data_dirs}/Tor/** rw,
owner @{data_dirs}/Tor/lock rwk,
/tmp/onionshare/** rw, # OnionShare compatibility
@{PROC}/sys/kernel/random/uuid r,
@{PROC}/sys/net/core/somaxconn r,
deny /etc/group r,
deny /etc/host.conf r,
deny /etc/hosts r,
deny /etc/machine-id r,
deny /etc/mailcap r,
deny /etc/nsswitch.conf r,
deny /etc/os-release r,
deny /etc/passwd r,
deny /etc/resolv.conf r,
deny /etc/services r,
deny /var/lib/dbus/machine-id r,
include if exists <local/torbrowser-tor>
}
# vim:syntax=apparmor
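Review bot: The profile allows only `network inet stream,` and `network netlink raw,`, yet `@{lib_dirs}/TorBrowser/Tor/PluggableTransports/** mix,` runs every bundled transport inside this same profile; if the bundle's snowflake transport is used, its WebRTC data channel is carried over UDP and would be denied here, so either add `network inet dgram,` or document that only TCP-based transports such as obfs4 are expected to work (please confirm against the bundled transport list before choosing). The `deny /etc/...` block at the bottom also deserves a one-line comment saying why those reads are silenced, e.g. `# Tor does its own name resolution; silence the host lookups` if that is the reason, since an unexplained deny of `/etc/hosts` and `/etc/resolv.conf` next to `nameservice-strict` reads as a mistake.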


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
@{exec_path} = @{lib_dirs}/updater
profile torbrowser-updater @{exec_path} {
@ -16,14 +16,12 @@ profile torbrowser-updater @{exec_path} {
@{exec_path} mr,
@{lib_dirs}/*.so mr,
@{lib_dirs}/firefox{,.real} rPx,
@{lib_dirs}/firefox{,.real} Px,
owner @{lib_dirs}/{,**} rw,
owner @{tmp}/#@{int} rw,
deny owner @{lib_dirs}/Downloads/** rw,
include if exists <local/torbrowser-updater>
}
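Review bot: `@{lib_dirs}/firefox{,.real} Px,` in the second hunk leaves the transition target implicit, while the new torbrowser-start profile in this same commit spells out `Px -> torbrowser` for the identical binary; writing `@{lib_dirs}/firefox{,.real} Px -> torbrowser,` here (or at least the `# torbrowser` trailing comment this commit uses for `start-tor-browser Px`) keeps the two consistent and makes the expected confinement of the relaunched browser visible at a glance. The profile body continues outside the hunk.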


@ -7,13 +7,13 @@ abi <abi/3.0>,
include <tunables/global>
@{name} = torbrowser "tor browser"
@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
@{config_dirs} = @{data_dirs}/Browser/*.default/
@{config_dirs} = @{data_dirs}/Browser/profile.default/
@{cache_dirs} = @{data_dirs}/Browser/Caches
@{exec_path} = @{lib_dirs}/vaapitest
profile torbrowser-vaapitest @{exec_path} {
profile torbrowser-vaapitest @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/graphics>
@ -21,11 +21,9 @@ profile torbrowser-vaapitest @{exec_path} {
@{exec_path} mr,
owner @{tmp}/@{name}/.parentlock rw,
deny @{lib_dirs}/{,browser/}omni.ja r,
deny @{cache_dirs}/profile.default/startupCache/* r,
deny @{config_dirs}/.parentlock rw,
deny @{config_dirs}/startupCache/** r,
deny @{user_cache_dirs}/startupCache/* r,
include if exists <local/torbrowser-vaapitest>
}


@ -1,51 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
@{exec_path} = @{lib_dirs}/start-tor-browser
profile torbrowser-start @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} rm,
@{sh_path} rix,
@{bin}/cp rix,
@{bin}/dirname rix,
@{bin}/env r,
@{bin}/expr rix,
@{bin}/file rix,
@{bin}/getconf rix,
@{bin}/grep rix,
@{bin}/id rix,
@{bin}/ln rix,
@{bin}/mkdir rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/sh rix,
@{bin}/srm rix,
@{lib_dirs}/abicheck rix,
@{lib_dirs}/firefox{,.real} rPx,
/etc/magic r,
owner @{lib_dirs}/.config/ibus/{,**} rw,
owner @{lib_dirs}/.local/* rw,
owner @{lib_dirs}/sed@{rand6} rw,
owner @{lib_dirs}/start-tor-browser.desktop rw,
owner @{lib_dirs}/TorBrowser/Tor/tor r,
owner @{HOME}/.xsession-errors rw,
owner @{HOME}/.tb/tor-browser/* rw,
include if exists <local/torbrowser-start>
}
# vim:syntax=apparmor


@ -17,24 +17,24 @@ profile torbrowser-wrapper @{exec_path} {
@{exec_path} rm,
@{sh_path} rix,
@{bin}/basename rix,
@{bin}/cp rix,
@{bin}/dirname rix,
@{bin}/grep rix,
@{bin}/id rix,
@{bin}/mkdir rix,
@{bin}/mktemp rix,
@{bin}/mount rix,
@{bin}/str_replace rix,
@{bin}/sudo rCx -> sudo,
@{bin}/systemctl rCx -> systemctl,
@{bin}/touch rix,
@{bin}/tty rix,
@{bin}/whoami rix,
@{bin}/basename ix,
@{bin}/cp ix,
@{bin}/dirname ix,
@{bin}/grep ix,
@{bin}/id ix,
@{bin}/mkdir ix,
@{bin}/mktemp ix,
@{bin}/mount ix,
@{bin}/str_replace ix,
@{bin}/sudo Cx -> sudo,
@{bin}/systemctl Cx -> systemctl,
@{bin}/touch ix,
@{bin}/tty ix,
@{bin}/whoami ix,
@{lib_dirs}/start-tor-browser rPx,
@{lib}/msgcollector/msgcollector rPx,
@{lib}/open-link-confirmation/open-link-confirmation rPx,
@{lib_dirs}/start-tor-browser Px, # torbrowser-start
@{lib}/msgcollector/msgcollector Px,
@{lib}/open-link-confirmation/open-link-confirmation Px,
@{lib}/helper-scripts/* r,