From 7b4db8fd41812f951379d6773910986b527228ba Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 12 Sep 2024 22:54:20 +0100
Subject: [PATCH] feat(profile): add torbrowser
The same profiles are now used for torbrowser on either it is running on whonix or not.
---
 .../groups/{whonix => browsers}/torbrowser | 17 +++-
 .../{whonix => browsers}/torbrowser-glxtest | 12 +--
 .../groups/browsers/torbrowser-launcher | 93 +++++++++++++++++++
 .../torbrowser-plugin-container | 4 +-
 apparmor.d/groups/browsers/torbrowser-start | 54 +++++++++++
 apparmor.d/groups/browsers/torbrowser-tor | 51 ++++++++++
 .../{whonix => browsers}/torbrowser-updater | 6 +-
 .../{whonix => browsers}/torbrowser-vaapitest | 12 +--
 apparmor.d/groups/whonix/torbrowser-start | 51 ----------
 apparmor.d/groups/whonix/torbrowser-wrapper | 34 +++----
 10 files changed, 241 insertions(+), 93 deletions(-)
 rename apparmor.d/groups/{whonix => browsers}/torbrowser (76%)
 rename apparmor.d/groups/{whonix => browsers}/torbrowser-glxtest (69%)
 create mode 100644 apparmor.d/groups/browsers/torbrowser-launcher
 rename apparmor.d/groups/{whonix => browsers}/torbrowser-plugin-container (79%)
 create mode 100644 apparmor.d/groups/browsers/torbrowser-start
 create mode 100644 apparmor.d/groups/browsers/torbrowser-tor
 rename apparmor.d/groups/{whonix => browsers}/torbrowser-updater (77%)
 rename apparmor.d/groups/{whonix => browsers}/torbrowser-vaapitest (63%)
 delete mode 100644 apparmor.d/groups/whonix/torbrowser-start
diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/browsers/torbrowser
similarity index 76%
rename from apparmor.d/groups/whonix/torbrowser
rename to apparmor.d/groups/browsers/torbrowser
index 0ec13ed5..6b9b6dba 100644
--- a/apparmor.d/groups/whonix/torbrowser
+++ b/apparmor.d/groups/browsers/torbrowser
@@ -7,9 +7,9 @@ abi ,
 include
 @{name} = torbrowser "tor browser"
-@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
 @{data_dirs} = @{lib_dirs}/TorBrowser/Data/
-@{config_dirs} = @{data_dirs}/Browser/*.default/
+@{config_dirs} = @{data_dirs}/Browser/profile.default/
 @{cache_dirs} = @{data_dirs}/Browser/Caches
 @{exec_path} = @{lib_dirs}/firefox{,.real}
@@ -19,8 +19,14 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
- @{lib_dirs}/abicheck rix,
- @{lib_dirs}/updater rPx,
+ @{lib_dirs}/abicheck ix,
+ @{lib_dirs}/glxtest Px -> torbrowser//&torbrowser-glxtest,
+ @{lib_dirs}/updater Px,
+ @{lib_dirs}/vaapitest Px -> torbrowser//&torbrowser-vaapitest,
+
+ #aa:exclude whonix
+ @{lib_dirs}/TorBrowser/Tor/PluggableTransports/** Px -> torbrowser-tor,
+ @{lib_dirs}/TorBrowser/Tor/tor Px -> torbrowser-tor,
 /usr/share/homepage/{,**} r,
@@ -37,10 +43,10 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
 # Due to the nature of the browser, we silence much more than for Firefox.
 deny network inet dgram, # TOR does not work over UDP
 deny network inet6 dgram,
+ deny network inet6 stream, # TOR does not work over IPv6
 deny dbus (send receive) bus=session path=/ca/desrt/dconf/Writer/user,
 deny @{bin}/lsb_release x,
 deny @{lib_dirs}/crashreporter x,
- deny @{lib_dirs}/glxtest x,
 deny @{lib_dirs}/minidump-analyzer x,
 deny @{lib_dirs}/pingsender x,
 deny /usr/share/dconf/** r,
@@ -56,6 +62,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
 deny /etc/passwd r,
 deny /etc/resolv.conf r,
 deny /var/lib/dbus/machine-id r,
+ deny owner @{HOME}/ r,
 deny owner @{user_config_dirs}/dconf/user r,
 deny owner @{user_config_dirs}/gtk-*/{,**} rw,
 deny owner @{run}/user/@{uid}/dconf/ rw,
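Review bot: The comment on the added `deny network inet6 stream,` line in the third hunk, `# TOR does not work over IPv6`, gives a wrong reason: Tor itself can reach relays and bridges over IPv6, and this profile confines the browser process, which only needs to reach the tor daemon's local SOCKS and control ports (presumably via `inet stream`, which is outside this hunk). The deny is still a sensible silencing/hardening rule, so the comment should state that reason instead, e.g. `deny network inet6 stream, # the browser only talks to tor on loopback; silence IPv6 attempts`. The profile body in which these hunks sit starts and ends outside the hunks.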
diff --git a/apparmor.d/groups/whonix/torbrowser-glxtest b/apparmor.d/groups/browsers/torbrowser-glxtest
similarity index 69%
rename from apparmor.d/groups/whonix/torbrowser-glxtest
rename to apparmor.d/groups/browsers/torbrowser-glxtest
index cbc009db..54e1d5ad 100644
--- a/apparmor.d/groups/whonix/torbrowser-glxtest
+++ b/apparmor.d/groups/browsers/torbrowser-glxtest
@@ -7,13 +7,13 @@ abi ,
 include
 @{name} = torbrowser "tor browser"
-@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
 @{data_dirs} = @{lib_dirs}/TorBrowser/Data/
-@{config_dirs} = @{data_dirs}/Browser/*.default/
+@{config_dirs} = @{data_dirs}/Browser/profile.default/
 @{cache_dirs} = @{data_dirs}/Browser/Caches
 @{exec_path} = @{lib_dirs}/glxtest
-profile torbrowser-glxtest @{exec_path} {
+profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
@@ -21,12 +21,10 @@ profile torbrowser-glxtest @{exec_path} {
 @{exec_path} mr,
- owner @{config_dirs}/.parentlock rw,
-
- owner @{tmp}/@{name}/.parentlock rw, - owner @{PROC}/@{pid}/cmdline r,
+ deny @{config_dirs}/.parentlock rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/browsers/torbrowser-launcher b/apparmor.d/groups/browsers/torbrowser-launcher
new file mode 100644
index 00000000..2d52cd2b
--- /dev/null
+++ b/apparmor.d/groups/browsers/torbrowser-launcher
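Review bot: The second hunk removes `owner @{tmp}/@{name}/.parentlock rw,` without a replacement, while the profile-directory lock does get the new `deny @{config_dirs}/.parentlock rw,`; if glxtest still touches the lock under `@{tmp}/@{name}/` (the old allow rule suggests that access was observed), it will now be logged instead of silenced. Either a matching `deny owner @{tmp}/@{name}/.parentlock rw,` or a short comment explaining why the tmp lock is no longer expected would settle this. The torbrowser-vaapitest hunk later in this patch drops the same rule in the same way. The profile block around both hunks starts and ends outside them.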
@@ -0,0 +1,93 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
+
+@{exec_path} = @{bin}/torbrowser-launcher
+profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+
+ network netlink raw,
+
+ @{exec_path} mrix,
+
+ @{sh_path} rix,
+ @{bin}/file ix,
+ @{bin}/gpg{,2} Cx -> gpg,
+ @{bin}/gpgconf Cx -> gpg,
+ @{bin}/gpgsm Cx -> gpg,
+ @{bin}/grep ix,
+ @{bin}/sed ix,
+ @{bin}/tail ix,
+
+ @{lib_dirs}/execdesktop ix,
+ @{lib_dirs}/start-tor-browser Px, # torbrowser-start
+ @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop ix,
+
+ /usr/share/file/** r,
+ /usr/share/torbrowser-launcher/{,**} r,
+
+ owner @{user_cache_dirs}/torbrowser/{,**/} rw,
+ owner @{user_cache_dirs}/torbrowser/download/** rw,
+ owner @{user_cache_dirs}/torbrowser/torbrowser.gpg rw,
+
+ owner @{user_config_dirs}/torbrowser/{,**/} rw,
+ owner @{user_config_dirs}/torbrowser/settings.json rw,
+
+ owner @{user_share_dirs}/torbrowser/{,**} rw,
+
+ owner @{PROC}/@{pid}/cmdline r,
+
+ /dev/tty rw,
+
+ profile gpg {
+ include
+
+ @{bin}/gpg{,2} mr,
+ @{bin}/gpgconf mr,
+ @{bin}/gpgsm mr,
+
+ @{bin}/gpg-agent ix,
+ @{lib}/{,gnupg/}scdaemon ix,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/@{XDG_GPG_DIR}/ r,
+ owner @{HOME}/@{XDG_GPG_DIR}/gpg.conf r,
+ owner @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r,
+
+ owner @{user_share_dirs}/torbrowser/ r,
+ owner @{user_share_dirs}/torbrowser/gnupg_homedir/ rw,
+ owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
+
+ owner @{run}/user/@{uid}/ r,
+ owner @{run}/user/@{uid}/gnupg/ r,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/whonix/torbrowser-plugin-container b/apparmor.d/groups/browsers/torbrowser-plugin-container
similarity index 79%
rename from apparmor.d/groups/whonix/torbrowser-plugin-container
rename to apparmor.d/groups/browsers/torbrowser-plugin-container
index 9fcb1bd3..fa31652c 100644
--- a/apparmor.d/groups/whonix/torbrowser-plugin-container
+++ b/apparmor.d/groups/browsers/torbrowser-plugin-container
@@ -8,9 +8,9 @@ abi ,
 include
 @{name} = torbrowser "tor browser"
-@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
 @{data_dirs} = @{lib_dirs}/TorBrowser/Data/
-@{config_dirs} = @{data_dirs}/Browser/*.default/
+@{config_dirs} = @{data_dirs}/Browser/profile.default/
 @{cache_dirs} = @{data_dirs}/Browser/Caches
 @{exec_path} = @{lib_dirs}/plugin-container
diff --git a/apparmor.d/groups/browsers/torbrowser-start b/apparmor.d/groups/browsers/torbrowser-start
new file mode 100644
index 00000000..8292f613
--- /dev/null
+++ b/apparmor.d/groups/browsers/torbrowser-start
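Review bot: `@{lib_dirs}/execdesktop ix,` and `@{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop ix,` run two scripts shipped inside the downloaded bundle under the launcher's own profile, so they inherit its unrestricted `inet`/`inet6` network rules and its `rw` over the whole `owner @{user_share_dirs}/torbrowser/{,**}` tree, whereas the neighbouring `@{lib_dirs}/start-tor-browser Px, # torbrowser-start` confines the bundle's main script separately. If the reasoning is that the signature check done in the `gpg` child (`torbrowser.gpg`) is what makes in-profile execution of bundle content acceptable, a comment on those two lines saying so would make the trust boundary explicit; otherwise a transition of the same kind as `start-tor-browser` would keep downloaded code out of the launcher's privileges. The `gpg` child itself looks consistent with its callers.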
@@ -0,0 +1,54 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
+
+@{exec_path} = @{lib_dirs}/start-tor-browser
+profile torbrowser-start @{exec_path} {
+ include
+ include
+
+ @{exec_path} rm,
+
+ @{sh_path} rix,
+ @{bin}/cp ix,
+ @{bin}/dirname ix,
+ @{bin}/env r,
+ @{bin}/expr ix,
+ @{bin}/file ix,
+ @{bin}/getconf ix,
+ @{bin}/grep ix,
+ @{bin}/id ix,
+ @{bin}/ln ix,
+ @{bin}/mkdir ix,
+ @{bin}/rm ix,
+ @{bin}/sed ix,
+ @{bin}/srm ix,
+
+ @{lib_dirs}/abicheck ix,
+ @{lib_dirs}/firefox{,.real} Px -> torbrowser,
+
+ /usr/share/file/** r,
+
+ /etc/magic r,
+
+ owner @{lib_dirs}/.config/ibus/{,**} rw,
+ owner @{lib_dirs}/.local/* rw,
+ owner @{lib_dirs}/sed@{rand6} rw,
+ owner @{lib_dirs}/TorBrowser/Tor/tor r,
+
+ owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/sed@{rand6} rw,
+ owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop rw,
+
+ owner @{HOME}/.xsession-errors rw,
+ owner @{HOME}/.tb/tor-browser/* rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/browsers/torbrowser-tor b/apparmor.d/groups/browsers/torbrowser-tor
new file mode 100644
index 00000000..7eaa85c5
--- /dev/null
+++ b/apparmor.d/groups/browsers/torbrowser-tor
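Review bot: `owner @{HOME}/.tb/tor-browser/* rw,` grants read/write on every top-level file of the legacy install location, while the launcher-managed location right above it is limited to exactly two files, `sed@{rand6}` and `start-tor-browser.desktop`. Unless the `~/.tb` layout is known to need more, the same narrow pair keeps both locations consistent and least-privilege: `owner @{HOME}/.tb/tor-browser/sed@{rand6} rw,` and `owner @{HOME}/.tb/tor-browser/start-tor-browser.desktop rw,`. If the wildcard is deliberate (it is carried over from the deleted whonix profile), a one-line comment saying what else the script writes there would justify it.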
@@ -0,0 +1,51 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
+@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
+
+@{exec_path} = @{lib_dirs}/TorBrowser/Tor/tor
+profile torbrowser-tor @{exec_path} {
+ include
+ include
+ include
+
+ network inet stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{lib_dirs}/{,**} r,
+ @{lib_dirs}/TorBrowser/Tor/*.so* m,
+ @{lib_dirs}/TorBrowser/Tor/PluggableTransports/** mix,
+
+ owner @{data_dirs}/Tor/ rw,
+ owner @{data_dirs}/Tor/** rw,
+ owner @{data_dirs}/Tor/lock rwk,
+
+ /tmp/onionshare/** rw, # OnionShare compatibility
+
+ @{PROC}/sys/kernel/random/uuid r,
+ @{PROC}/sys/net/core/somaxconn r,
+
+ deny /etc/group r,
+ deny /etc/host.conf r,
+ deny /etc/hosts r,
+ deny /etc/machine-id r,
+ deny /etc/mailcap r,
+ deny /etc/nsswitch.conf r,
+ deny /etc/os-release r,
+ deny /etc/passwd r,
+ deny /etc/resolv.conf r,
+ deny /etc/services r,
+ deny /var/lib/dbus/machine-id r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/whonix/torbrowser-updater b/apparmor.d/groups/browsers/torbrowser-updater
similarity index 77%
rename from apparmor.d/groups/whonix/torbrowser-updater
rename to apparmor.d/groups/browsers/torbrowser-updater
index 4f0e1682..3bc8e591 100644
--- a/apparmor.d/groups/whonix/torbrowser-updater
+++ b/apparmor.d/groups/browsers/torbrowser-updater
@@ -6,7 +6,7 @@ abi ,
 include
-@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
 @{exec_path} = @{lib_dirs}/updater
 profile torbrowser-updater @{exec_path} {
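Review bot: `/tmp/onionshare/** rw, # OnionShare compatibility` is the only file rule in the new torbrowser-tor profile without an `owner` qualifier, and it targets a shared, world-writable location, so tor confined here may read and write files under `/tmp/onionshare/` regardless of who created them. Using the profile's own idiom for the other data paths, `owner /tmp/onionshare/{,**} rw, # OnionShare compatibility`, keeps the compatibility case while limiting it to the invoking user's files and, like `@{lib_dirs}/{,**} r,` in the same hunk, also covers the directory itself. The rest of the profile reads consistently; note that only `network inet stream` is granted, so IPv6 relays or bridges would not be reachable under this profile, which may be intended but is undocumented.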
@@ -16,14 +16,12 @@ profile torbrowser-updater @{exec_path} {
 @{exec_path} mr,
 @{lib_dirs}/*.so mr,
- @{lib_dirs}/firefox{,.real} rPx,
+ @{lib_dirs}/firefox{,.real} Px,
 owner @{lib_dirs}/{,**} rw,
 owner @{tmp}/#@{int} rw,
- deny owner @{lib_dirs}/Downloads/** rw,
-
 include if exists
 }
diff --git a/apparmor.d/groups/whonix/torbrowser-vaapitest b/apparmor.d/groups/browsers/torbrowser-vaapitest
similarity index 63%
rename from apparmor.d/groups/whonix/torbrowser-vaapitest
rename to apparmor.d/groups/browsers/torbrowser-vaapitest
index d29d1265..7570d6ce 100644
--- a/apparmor.d/groups/whonix/torbrowser-vaapitest
+++ b/apparmor.d/groups/browsers/torbrowser-vaapitest
@@ -7,13 +7,13 @@ abi ,
 include
 @{name} = torbrowser "tor browser"
-@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
 @{data_dirs} = @{lib_dirs}/TorBrowser/Data/
-@{config_dirs} = @{data_dirs}/Browser/*.default/
+@{config_dirs} = @{data_dirs}/Browser/profile.default/
 @{cache_dirs} = @{data_dirs}/Browser/Caches
 @{exec_path} = @{lib_dirs}/vaapitest
-profile torbrowser-vaapitest @{exec_path} {
+profile torbrowser-vaapitest @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -21,11 +21,9 @@ profile torbrowser-vaapitest @{exec_path} {
 @{exec_path} mr,
- owner @{tmp}/@{name}/.parentlock rw,
-
+ deny @{lib_dirs}/{,browser/}omni.ja r,
+ deny @{cache_dirs}/profile.default/startupCache/* r,
 deny @{config_dirs}/.parentlock rw,
- deny @{config_dirs}/startupCache/** r,
- deny @{user_cache_dirs}/startupCache/* r,
 include if exists
 }
diff --git a/apparmor.d/groups/whonix/torbrowser-start b/apparmor.d/groups/whonix/torbrowser-start
deleted file mode 100644
index 266f8e34..00000000
--- a/apparmor.d/groups/whonix/torbrowser-start
+++ /dev/null
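Review bot: Removing `deny owner @{lib_dirs}/Downloads/** rw,` widens the updater's access rather than tidying it: the context line `owner @{lib_dirs}/{,**} rw,` already covers the whole bundle tree, so that deny was the only thing keeping the updater out of `Browser/Downloads/`, which is presumably where the browser stores the user's downloaded files. If the updater really needs the entire tree (it replaces the bundle in place), a comment next to the `{,**}` rule saying that the download directory is intentionally included would make the choice visible; otherwise keeping the deny costs nothing. The `rPx` to `Px` change on the `firefox{,.real}` line is fine on its own, and the profile block continues outside the hunk.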
@@ -1,51 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
-
-@{exec_path} = @{lib_dirs}/start-tor-browser
-profile torbrowser-start @{exec_path} {
- include
- include
-
- @{exec_path} rm,
-
- @{sh_path} rix,
- @{bin}/cp rix,
- @{bin}/dirname rix,
- @{bin}/env r,
- @{bin}/expr rix,
- @{bin}/file rix,
- @{bin}/getconf rix,
- @{bin}/grep rix,
- @{bin}/id rix,
- @{bin}/ln rix,
- @{bin}/mkdir rix,
- @{bin}/rm rix,
- @{bin}/sed rix,
- @{bin}/sh rix,
- @{bin}/srm rix,
- @{lib_dirs}/abicheck rix,
-
- @{lib_dirs}/firefox{,.real} rPx,
-
- /etc/magic r,
-
- owner @{lib_dirs}/.config/ibus/{,**} rw,
- owner @{lib_dirs}/.local/* rw,
- owner @{lib_dirs}/sed@{rand6} rw,
- owner @{lib_dirs}/start-tor-browser.desktop rw,
- owner @{lib_dirs}/TorBrowser/Tor/tor r,
-
- owner @{HOME}/.xsession-errors rw,
- owner @{HOME}/.tb/tor-browser/* rw,
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper
index 5ae554b4..a659d00f 100644
--- a/apparmor.d/groups/whonix/torbrowser-wrapper
+++ b/apparmor.d/groups/whonix/torbrowser-wrapper
@@ -17,24 +17,24 @@ profile torbrowser-wrapper @{exec_path} {
 @{exec_path} rm,
 @{sh_path} rix,
- @{bin}/basename rix,
- @{bin}/cp rix,
- @{bin}/dirname rix,
- @{bin}/grep rix,
- @{bin}/id rix,
- @{bin}/mkdir rix,
- @{bin}/mktemp rix,
- @{bin}/mount rix,
- @{bin}/str_replace rix,
- @{bin}/sudo rCx -> sudo,
- @{bin}/systemctl rCx -> systemctl,
- @{bin}/touch rix,
- @{bin}/tty rix,
- @{bin}/whoami rix,
+ @{bin}/basename ix,
+ @{bin}/cp ix,
+ @{bin}/dirname ix,
+ @{bin}/grep ix,
+ @{bin}/id ix,
+ @{bin}/mkdir ix,
+ @{bin}/mktemp ix,
+ @{bin}/mount ix,
+ @{bin}/str_replace ix,
+ @{bin}/sudo Cx -> sudo,
+ @{bin}/systemctl Cx -> systemctl,
+ @{bin}/touch ix,
+ @{bin}/tty ix,
+ @{bin}/whoami ix,
- @{lib_dirs}/start-tor-browser rPx,
- @{lib}/msgcollector/msgcollector rPx,
- @{lib}/open-link-confirmation/open-link-confirmation rPx,
+ @{lib_dirs}/start-tor-browser Px, # torbrowser-start
+ @{lib}/msgcollector/msgcollector Px,
+ @{lib}/open-link-confirmation/open-link-confirmation Px,
 @{lib}/helper-scripts/* r,