feat(profile): add torbrowser

The same profiles are now used for torbrowser on either it is running on whonix or not.
2024-11-15 07:54:17 +01:00 · 2024-09-12 22:54:20 +01:00 · 2024-09-12 22:54:20 +01:00 · 7b4db8fd41
commit 7b4db8fd41
parent ecf4eaee14
10 changed files with 241 additions and 93 deletions
--- a/apparmor.d/groups/browsers/torbrowser
+++ b/apparmor.d/groups/browsers/torbrowser
@ -7,9 +7,9 @@ abi <abi/3.0>,
 include <tunables/global>
@{name} = torbrowser "tor browser"
-@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
-@{config_dirs} = @{data_dirs}/Browser/*.default/
+@{config_dirs} = @{data_dirs}/Browser/profile.default/
@{cache_dirs} = @{data_dirs}/Browser/Caches
@{exec_path} = @{lib_dirs}/firefox{,.real}
@ -19,8 +19,14 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mrix,
-  @{lib_dirs}/abicheck          rix,
+  @{lib_dirs}/abicheck           ix,
-  @{lib_dirs}/updater           rPx,
+  @{lib_dirs}/glxtest            Px -> torbrowser//&torbrowser-glxtest,
  @{lib_dirs}/updater            Px,
  @{lib_dirs}/vaapitest          Px -> torbrowser//&torbrowser-vaapitest,
  #aa:exclude whonix
  @{lib_dirs}/TorBrowser/Tor/PluggableTransports/**  Px -> torbrowser-tor,
  @{lib_dirs}/TorBrowser/Tor/tor                     Px -> torbrowser-tor,
  /usr/share/homepage/{,**} r,
@ -37,10 +43,10 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
  # Due to the nature of the browser, we silence much more than for Firefox.
  deny network inet dgram, # TOR does not work over UDP
  deny network inet6 dgram,
  deny network inet6 stream, # TOR does not work over IPv6
  deny dbus (send receive) bus=session path=/ca/desrt/dconf/Writer/user,
  deny @{bin}/lsb_release x,
  deny @{lib_dirs}/crashreporter x,
  deny @{lib_dirs}/glxtest x,
  deny @{lib_dirs}/minidump-analyzer x,
  deny @{lib_dirs}/pingsender x,
  deny /usr/share/dconf/** r,
@ -56,6 +62,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
  deny /etc/passwd r,
  deny /etc/resolv.conf r,
  deny /var/lib/dbus/machine-id r,
  deny owner @{HOME}/ r,
  deny owner @{user_config_dirs}/dconf/user r,
  deny owner @{user_config_dirs}/gtk-*/{,**} rw,
  deny owner @{run}/user/@{uid}/dconf/ rw,
--- a/apparmor.d/groups/browsers/torbrowser-glxtest
+++ b/apparmor.d/groups/browsers/torbrowser-glxtest
@ -7,13 +7,13 @@ abi <abi/3.0>,
 include <tunables/global>
@{name} = torbrowser "tor browser"
-@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
-@{config_dirs} = @{data_dirs}/Browser/*.default/
+@{config_dirs} = @{data_dirs}/Browser/profile.default/
@{cache_dirs} = @{data_dirs}/Browser/Caches
@{exec_path} = @{lib_dirs}/glxtest
-profile torbrowser-glxtest @{exec_path} {
+profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
@ -21,12 +21,10 @@ profile torbrowser-glxtest @{exec_path} {
  @{exec_path} mr,
  owner @{config_dirs}/.parentlock rw,
  owner @{tmp}/@{name}/.parentlock rw,
  owner @{PROC}/@{pid}/cmdline r,
  deny @{config_dirs}/.parentlock rw,
  include if exists <local/torbrowser-glxtest>
 }
--- a/apparmor.d/groups/browsers/torbrowser-launcher
+++ b/apparmor.d/groups/browsers/torbrowser-launcher
@ -0,0 +1,93 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
@{exec_path} = @{bin}/torbrowser-launcher
 profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
  include <abstractions/ssl_certs>
  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,
  network netlink raw,
  @{exec_path} mrix,
  @{sh_path}      rix,
  @{bin}/file      ix,
  @{bin}/gpg{,2}   Cx -> gpg,
  @{bin}/gpgconf   Cx -> gpg,
  @{bin}/gpgsm     Cx -> gpg,
  @{bin}/grep      ix,
  @{bin}/sed       ix,
  @{bin}/tail      ix,
  @{lib_dirs}/execdesktop       ix,
  @{lib_dirs}/start-tor-browser Px, # torbrowser-start 
  @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop ix,
  /usr/share/file/** r,
  /usr/share/torbrowser-launcher/{,**} r,
  owner @{user_cache_dirs}/torbrowser/{,**/} rw,
  owner @{user_cache_dirs}/torbrowser/download/** rw,
  owner @{user_cache_dirs}/torbrowser/torbrowser.gpg rw,
  owner @{user_config_dirs}/torbrowser/{,**/} rw,
  owner @{user_config_dirs}/torbrowser/settings.json rw,
  owner @{user_share_dirs}/torbrowser/{,**} rw,
  owner @{PROC}/@{pid}/cmdline r,
  /dev/tty rw,
  profile gpg {
    include <abstractions/base>
    @{bin}/gpg{,2}  mr,
    @{bin}/gpgconf  mr,
    @{bin}/gpgsm    mr,
    @{bin}/gpg-agent         ix,
    @{lib}/{,gnupg/}scdaemon ix,
    owner @{HOME}/ r,
    owner @{HOME}/@{XDG_GPG_DIR}/ r,
    owner @{HOME}/@{XDG_GPG_DIR}/gpg.conf r,
    owner @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r,
    owner @{user_share_dirs}/torbrowser/ r,
    owner @{user_share_dirs}/torbrowser/gnupg_homedir/ rw,
    owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
    owner @{run}/user/@{uid}/ r,
    owner @{run}/user/@{uid}/gnupg/ r,
    owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
    owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw,
    owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
    owner @{PROC}/@{pid}/fd/ r,
    owner @{PROC}/@{pid}/task/@{tid}/comm rw,
    include if exists <local/torbrowser-launcher_gpg>
  }
  include if exists <local/torbrowser-launcher>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/browsers/torbrowser-plugin-container
+++ b/apparmor.d/groups/browsers/torbrowser-plugin-container
@ -8,9 +8,9 @@ abi <abi/3.0>,
 include <tunables/global>
@{name} = torbrowser "tor browser"
-@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
-@{config_dirs} = @{data_dirs}/Browser/*.default/
+@{config_dirs} = @{data_dirs}/Browser/profile.default/
@{cache_dirs} = @{data_dirs}/Browser/Caches
@{exec_path} = @{lib_dirs}/plugin-container
--- a/apparmor.d/groups/browsers/torbrowser-start
+++ b/apparmor.d/groups/browsers/torbrowser-start
@ -0,0 +1,54 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
@{exec_path} = @{lib_dirs}/start-tor-browser
 profile torbrowser-start @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} rm,
  @{sh_path}                  rix,
  @{bin}/cp                    ix,
  @{bin}/dirname               ix,
  @{bin}/env                    r,
  @{bin}/expr                  ix,
  @{bin}/file                  ix,
  @{bin}/getconf               ix,
  @{bin}/grep                  ix,
  @{bin}/id                    ix,
  @{bin}/ln                    ix,
  @{bin}/mkdir                 ix,
  @{bin}/rm                    ix,
  @{bin}/sed                   ix,
  @{bin}/srm                   ix,
  @{lib_dirs}/abicheck         ix,
  @{lib_dirs}/firefox{,.real}  Px -> torbrowser,
  /usr/share/file/** r,
  /etc/magic r,
  owner @{lib_dirs}/.config/ibus/{,**} rw,
  owner @{lib_dirs}/.local/* rw,
  owner @{lib_dirs}/sed@{rand6} rw,
  owner @{lib_dirs}/TorBrowser/Tor/tor r,
  owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/sed@{rand6} rw,
  owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop rw,
  owner @{HOME}/.xsession-errors rw,
  owner @{HOME}/.tb/tor-browser/* rw,
  include if exists <local/torbrowser-start>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/browsers/torbrowser-tor
+++ b/apparmor.d/groups/browsers/torbrowser-tor
@ -0,0 +1,51 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
@{exec_path} = @{lib_dirs}/TorBrowser/Tor/tor 
 profile torbrowser-tor @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  network inet stream,
  network netlink raw,
  @{exec_path} mr,
  @{lib_dirs}/{,**}                                    r,
  @{lib_dirs}/TorBrowser/Tor/*.so*                     m,
  @{lib_dirs}/TorBrowser/Tor/PluggableTransports/**  mix,
  owner @{data_dirs}/Tor/ rw,
  owner @{data_dirs}/Tor/** rw,
  owner @{data_dirs}/Tor/lock rwk,
  /tmp/onionshare/** rw,  # OnionShare compatibility
  @{PROC}/sys/kernel/random/uuid r,
  @{PROC}/sys/net/core/somaxconn r,
  deny /etc/group r,
  deny /etc/host.conf r,
  deny /etc/hosts r,
  deny /etc/machine-id r,
  deny /etc/mailcap r,
  deny /etc/nsswitch.conf r,
  deny /etc/os-release r,
  deny /etc/passwd r,
  deny /etc/resolv.conf r,
  deny /etc/services r,
  deny /var/lib/dbus/machine-id r,
  include if exists <local/torbrowser-tor>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/browsers/torbrowser-updater
+++ b/apparmor.d/groups/browsers/torbrowser-updater
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
@{exec_path} = @{lib_dirs}/updater
 profile torbrowser-updater @{exec_path} {
@ -16,14 +16,12 @@ profile torbrowser-updater @{exec_path} {
  @{exec_path} mr,
  @{lib_dirs}/*.so              mr,
-  @{lib_dirs}/firefox{,.real}  rPx,
+  @{lib_dirs}/firefox{,.real}   Px,
  owner @{lib_dirs}/{,**} rw,
  owner @{tmp}/#@{int} rw,
  deny owner @{lib_dirs}/Downloads/** rw,
  include if exists <local/torbrowser-updater>
 }
--- a/apparmor.d/groups/browsers/torbrowser-vaapitest
+++ b/apparmor.d/groups/browsers/torbrowser-vaapitest
@ -7,13 +7,13 @@ abi <abi/3.0>,
 include <tunables/global>
@{name} = torbrowser "tor browser"
-@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
-@{config_dirs} = @{data_dirs}/Browser/*.default/
+@{config_dirs} = @{data_dirs}/Browser/profile.default/
@{cache_dirs} = @{data_dirs}/Browser/Caches
@{exec_path} = @{lib_dirs}/vaapitest
-profile torbrowser-vaapitest @{exec_path} {
+profile torbrowser-vaapitest @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/graphics>
@ -21,11 +21,9 @@ profile torbrowser-vaapitest @{exec_path} {
  @{exec_path} mr,
-  owner @{tmp}/@{name}/.parentlock rw,
+  deny @{lib_dirs}/{,browser/}omni.ja r,
-
+  deny @{cache_dirs}/profile.default/startupCache/* r,
  deny @{config_dirs}/.parentlock rw,
  deny @{config_dirs}/startupCache/** r,
  deny @{user_cache_dirs}/startupCache/* r,
  include if exists <local/torbrowser-vaapitest>
 }
--- a/apparmor.d/groups/whonix/torbrowser-start
+++ b/apparmor.d/groups/whonix/torbrowser-start
@ -1,51 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
@{exec_path} = @{lib_dirs}/start-tor-browser
 profile torbrowser-start @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} rm,
  @{sh_path}                  rix,
  @{bin}/cp                   rix,
  @{bin}/dirname              rix,
  @{bin}/env                  r,
  @{bin}/expr                 rix,
  @{bin}/file                 rix,
  @{bin}/getconf              rix,
  @{bin}/grep                 rix,
  @{bin}/id                   rix,
  @{bin}/ln                   rix,
  @{bin}/mkdir                rix,
  @{bin}/rm                   rix,
  @{bin}/sed                  rix,
  @{bin}/sh                   rix,
  @{bin}/srm                  rix,
  @{lib_dirs}/abicheck        rix,
  @{lib_dirs}/firefox{,.real} rPx,
  /etc/magic r,
  owner @{lib_dirs}/.config/ibus/{,**} rw,
  owner @{lib_dirs}/.local/* rw,
  owner @{lib_dirs}/sed@{rand6} rw,
  owner @{lib_dirs}/start-tor-browser.desktop rw,
  owner @{lib_dirs}/TorBrowser/Tor/tor r,
  owner @{HOME}/.xsession-errors rw,
  owner @{HOME}/.tb/tor-browser/* rw,
  include if exists <local/torbrowser-start>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/whonix/torbrowser-wrapper
+++ b/apparmor.d/groups/whonix/torbrowser-wrapper
@ -17,24 +17,24 @@ profile torbrowser-wrapper @{exec_path} {
  @{exec_path} rm,
  @{sh_path}                     rix,
-  @{bin}/basename                rix,
+  @{bin}/basename                 ix,
-  @{bin}/cp                      rix,
+  @{bin}/cp                       ix,
-  @{bin}/dirname                 rix,
+  @{bin}/dirname                  ix,
-  @{bin}/grep                    rix,
+  @{bin}/grep                     ix,
-  @{bin}/id                      rix,
+  @{bin}/id                       ix,
-  @{bin}/mkdir                   rix,
+  @{bin}/mkdir                    ix,
-  @{bin}/mktemp                  rix,
+  @{bin}/mktemp                   ix,
-  @{bin}/mount                   rix,
+  @{bin}/mount                    ix,
-  @{bin}/str_replace             rix,
+  @{bin}/str_replace              ix,
-  @{bin}/sudo                    rCx -> sudo,
+  @{bin}/sudo                     Cx -> sudo,
-  @{bin}/systemctl               rCx -> systemctl,
+  @{bin}/systemctl                Cx -> systemctl,
-  @{bin}/touch                   rix,
+  @{bin}/touch                    ix,
-  @{bin}/tty                     rix,
+  @{bin}/tty                      ix,
-  @{bin}/whoami                  rix,
+  @{bin}/whoami                   ix,
-  @{lib_dirs}/start-tor-browser                         rPx,
+  @{lib_dirs}/start-tor-browser                         Px, # torbrowser-start 
-  @{lib}/msgcollector/msgcollector                      rPx,
+  @{lib}/msgcollector/msgcollector                      Px,
-  @{lib}/open-link-confirmation/open-link-confirmation  rPx,
+  @{lib}/open-link-confirmation/open-link-confirmation  Px,
  @{lib}/helper-scripts/* r,