diff --git a/apparmor.d/groups/whonix/msgcollector-generic-gui-message b/apparmor.d/groups/whonix/msgcollector-generic-gui-message index c66d3508..1ccde074 100644 --- a/apparmor.d/groups/whonix/msgcollector-generic-gui-message +++ b/apparmor.d/groups/whonix/msgcollector-generic-gui-message @@ -12,8 +12,11 @@ profile msgcollector-generic-gui-message @{exec_path} { include include include + include @{exec_path} mr, + @{lib}/msgcollector/ r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/whonix/msgcollector-striphtml b/apparmor.d/groups/whonix/msgcollector-striphtml index e3bf5381..dcf6723e 100644 --- a/apparmor.d/groups/whonix/msgcollector-striphtml +++ b/apparmor.d/groups/whonix/msgcollector-striphtml @@ -13,5 +13,7 @@ profile msgcollector-striphtml @{exec_path} { @{exec_path} mr, + @{lib}/msgcollector/ r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/whonix/msgdispatcher b/apparmor.d/groups/whonix/msgdispatcher index 190bf248..879ffb3d 100644 --- a/apparmor.d/groups/whonix/msgdispatcher +++ b/apparmor.d/groups/whonix/msgdispatcher @@ -21,14 +21,31 @@ profile msgdispatcher @{exec_path} { @{bin}/mkdir rix, @{bin}/mkfifo rix, @{bin}/rm rix, + @{bin}/cat rix, @{bin}/sleep rix, @{bin}/touch rix, @{bin}/whoami rix, + @{bin}/sudo rCx -> sudo, @{lib}/msgcollector/* r, + @{lib}/msgcollector/msgdispatcher_dispatch_x rPx, + + owner @{HOME}/.xsession-errors w, @{run}/msgcollector/ r, owner @{run}/msgcollector/user/{,**} rwk, + profile sudo { + include + include + + @{bin}/sudo mr, + @{lib}/msgcollector/* rPx, + + owner @{run}/msgcollector/user/msgdispatcher_x_* r, + + include if exists + } + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/whonix/open-link-confirmation b/apparmor.d/groups/whonix/open-link-confirmation index 8b6606b3..65488427 100644 --- a/apparmor.d/groups/whonix/open-link-confirmation +++ b/apparmor.d/groups/whonix/open-link-confirmation 
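Review bot: In the msgdispatcher hunk, the new `sudo` child profile grants `@{lib}/msgcollector/* rPx,`, which lets any file under that directory be executed through sudo under whatever profile attaches to it, while the parent profile is specific (`@{lib}/msgcollector/msgdispatcher_dispatch_x rPx,`) and the child's own `owner @{run}/msgcollector/user/msgdispatcher_x_* r,` rule suggests a single target. If only one helper is escalated, narrow the rule to that path, e.g. `@{lib}/msgcollector/<helper-run-via-sudo> rPx,` (placeholder, fill in from the dispatcher script), so a file later dropped into the directory does not also gain a root exec path. The `include` arguments are not visible in this rendering, so whether the child pulls in the capabilities and sudoers access that sudo itself needs cannot be checked here; a one-line comment above `profile sudo {` naming what is escalated and why would help the next reviewer.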
@@ -14,12 +14,15 @@ profile open-link-confirmation @{exec_path} { @{sh_path} rix, @{bin}/readlink rix, - @{bin}/whichbrowser rix, @{bin}/torbrowser rPx, + @{bin}/whichbrowser rix, + @{bin}/xdg-mime rPx, @{lib}/msgcollector/generic_gui_message rPx, @{lib}/msgcollector/striphtml rPx, /etc/open_link_confirm.d/{,**} r, + owner @{HOME}/.xsession-errors rw, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/whonix/rads b/apparmor.d/groups/whonix/rads index 412c9252..edcf6b94 100644 --- a/apparmor.d/groups/whonix/rads +++ b/apparmor.d/groups/whonix/rads @@ -34,12 +34,15 @@ profile rads @{exec_path} { /usr/share/whonix/marker r, /etc/dpkg/origins/whonix r, + /etc/machine-id r, /etc/rads.d/{,**} r, /etc/whonix_version r, /etc/X11/default-display-manager r, owner @{run}/rads/{,**} rw, + owner /dev/tty@{int} rw, + profile systemctl { include include @@ -47,6 +50,8 @@ profile rads @{exec_path} { capability net_admin, capability sys_ptrace, + /etc/machine-id r, + /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/*.journal* r, diff --git a/apparmor.d/groups/whonix/sdwdate-start b/apparmor.d/groups/whonix/sdwdate-start index bcca090f..45b8151f 100644 --- a/apparmor.d/groups/whonix/sdwdate-start +++ b/apparmor.d/groups/whonix/sdwdate-start @@ -20,10 +20,12 @@ profile sdwdate-start @{exec_path} { @{bin}/mkfifo rix, @{bin}/inotifywait rix, + @{bin}/anondate-set rPx, + owner @{tmp}/tmp.@{rand10} rw, owner @{run}/sdwdate/ rw, - owner @{run}/sdwdate/status rw, + owner @{run}/sdwdate/* rw, /dev/tty rw, diff --git a/apparmor.d/groups/whonix/sensible-browser b/apparmor.d/groups/whonix/sensible-browser index 7234ef78..3bbee878 100644 --- a/apparmor.d/groups/whonix/sensible-browser +++ b/apparmor.d/groups/whonix/sensible-browser @@ -24,5 +24,7 @@ profile sensible-browser @{exec_path} { /etc/open_link_confirm.d/{,**} r, + owner @{HOME}/.xsession-errors rw, + include if exists } \ No newline at end of file 
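Review bot: `owner @{HOME}/.xsession-errors rw,` in the open-link-confirmation hunk grants read access to a file this script presumably only appends error output to, and that file collects stderr from every program in the session. The msgdispatcher hunk earlier in this diff uses `w` for the same path, so `owner @{HOME}/.xsession-errors w,` here keeps the profiles consistent and the grant minimal. The same `rw` form appears in the sensible-browser hunk below and in the torbrowser-start (`@@ -41`) and torbrowser-wrapper hunks later in the diff.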
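Review bot: In the sdwdate-start hunk, replacing `owner @{run}/sdwdate/status rw,` with `owner @{run}/sdwdate/* rw,` widens the rule from one named file to every file in the directory, and nothing in the hunk records which additional files sdwdate-start now writes. If it is a small known set, an alternation such as `owner @{run}/sdwdate/{status,<other-file>} rw,` (placeholder) keeps the profile self-documenting; otherwise a short comment above the rule saying why the glob is needed would do. The `owner` qualifier is kept, which at least limits the widening to files of the same uid.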
diff --git a/apparmor.d/groups/whonix/systemcheck-canary b/apparmor.d/groups/whonix/systemcheck-canary index 5a39fe86..da9125c1 100644 --- a/apparmor.d/groups/whonix/systemcheck-canary +++ b/apparmor.d/groups/whonix/systemcheck-canary @@ -23,8 +23,10 @@ profile systemcheck-canary @{exec_path} { @{lib}/systemcheck/canary rix, #aa:stack systemd-detect-virt systemd-notify - @{bin}/systemd-detect-virt rPx -> &systemd-detect-virt, - @{bin}/systemd-notify rPx -> &systemd-notify, + @{bin}/systemd-detect-virt rPx -> systemcheck-canary//&systemd-detect-virt, + @{bin}/systemd-notify rPx -> systemcheck-canary//&systemd-notify, + + /etc/systemcheck.d/{,**} r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/whonix/torbrowser index cb63d603..341c1e1f 100644 --- a/apparmor.d/groups/whonix/torbrowser +++ b/apparmor.d/groups/whonix/torbrowser @@ -38,6 +38,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { capability sys_admin, # If kernel.unprivileged_userns_clone = 1 capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 + capability sys_ptrace, network inet stream, network inet6 stream, @@ -49,12 +50,22 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/dirname rix, + @{bin}/expr rix, + @{lib_dirs}/{,**} r, @{lib_dirs}/*.so mr, + @{lib_dirs}/abicheck rix, @{lib_dirs}/glxtest rPx, @{lib_dirs}/plugin-container rPx, + @{lib_dirs}/updater rPx, @{lib_dirs}/vaapitest rPx, + # Desktop integration + @{bin}/lsb_release rPx -> lsb_release, + /usr/share/@{name}/{,**} r, /usr/share/doc/{,**} r, /usr/share/homepage/{,**} r, 
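Review bot: In the torbrowser `@@ -38` hunk, `capability sys_ptrace,` is added without the justification comment that the neighbouring `sys_admin` and `sys_chroot` lines carry, and for a browser profile this is the capability most worth explaining, since it bypasses ptrace-scope restrictions and widens access to other processes' /proc entries. If the need is the browser inspecting its own child processes, a scoped `ptrace` rule such as `ptrace (read) peer=@{profile_name},` may suffice without the capability; if the capability really is required, name the consumer, e.g. `capability sys_ptrace, # <component that needs it>`. The rest of the profile body is outside this hunk.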
@@ -72,8 +83,10 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { /var/lib/nscd/services r, owner @{lib_dirs}/.cache/{,**} rw, + owner @{lib_dirs}/.local/{,**} rw, owner @{lib_dirs}/Downloads/{,**} rw, owner @{lib_dirs}/fonts/** r, + owner @{lib_dirs}/TorBrowser/UpdateInfo/{,**} rw, owner @{config_dirs}/ rw, owner @{config_dirs}/** rwk, @@ -91,7 +104,6 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { owner @{tmp}/firefox/* rwk, owner @{tmp}/@{name}/ rw, owner @{tmp}/@{name}/* rwk, - owner @{tmp}/Temp-@{uuid}/ rw, owner "@{tmp}/Tor Project*/" rw, owner "@{tmp}/Tor Project*/**" rwk, owner "@{tmp}/Tor Project*" rwk, diff --git a/apparmor.d/groups/whonix/torbrowser-start b/apparmor.d/groups/whonix/torbrowser-start index 443e0a9a..aa04ab91 100644 --- a/apparmor.d/groups/whonix/torbrowser-start +++ b/apparmor.d/groups/whonix/torbrowser-start @@ -15,7 +15,7 @@ profile torbrowser-start @{exec_path} { @{exec_path} rm, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/cp rix, @{bin}/dirname rix, @{bin}/env r, @@ -29,6 +29,7 @@ profile torbrowser-start @{exec_path} { @{bin}/rm rix, @{bin}/sed rix, @{bin}/sh rix, + @{bin}/srm rix, @{lib_dirs}/abicheck rix, @{lib_dirs}/firefox{,.real} rPx, @@ -41,6 +42,7 @@ profile torbrowser-start @{exec_path} { owner @{lib_dirs}/start-tor-browser.desktop rw, owner @{lib_dirs}/TorBrowser/Tor/tor r, + owner @{HOME}/.xsession-errors rw, owner @{HOME}/.tb/tor-browser/* rw, include if exists diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper index 8847bba3..e8e5bf7f 100644 --- a/apparmor.d/groups/whonix/torbrowser-wrapper +++ b/apparmor.d/groups/whonix/torbrowser-wrapper @@ -40,9 +40,11 @@ profile torbrowser-wrapper @{exec_path} { /etc/torbrowser.d/{,*} r, - owner @{HOME}/.tb/{,**} rw, owner /var/cache/tb-binary/{,**} rw, + owner @{HOME}/.tb/{,**} rw, + owner @{HOME}/.xsession-errors rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{run}/mount/utab r, 
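Review bot: In the torbrowser-start `@@ -15` hunk, `@{sh_path} rix,` replaces `@{bin}/bash rix,`, but the `@@ -29` hunk of the same file still carries `@{bin}/sh rix,` as context; if the `@{sh_path}` tunable already expands to include `@{bin}/sh` (check the project's tunables), that line is now redundant and can be dropped. In that `@@ -29` hunk, `@{bin}/srm rix,` runs the secure-delete tool inside the torbrowser-start profile and so inherits every rule in it; that is presumably intended, but a brief comment naming what is wiped would make the intent clear to the next reader. The torbrowser-start profile body continues outside these hunks.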
diff --git a/apparmor.d/groups/whonix/whonix-firewall-restarter b/apparmor.d/groups/whonix/whonix-firewall-restarter index 0ee710ca..99a8795d 100644 --- a/apparmor.d/groups/whonix/whonix-firewall-restarter +++ b/apparmor.d/groups/whonix/whonix-firewall-restarter @@ -35,10 +35,10 @@ profile whonix-firewall-restarter @{exec_path} { /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/*.journal* r, - owner /tmp/tmp.@{rand10} rw, + owner /tmp/tmp.@{rand10} rw, - @{run}/sdwdate/{,*} rw, - owner @{run}/updatesproxycheck/{,*} rw, + @{run}/sdwdate/{,*} rw, + owner @{run}/updatesproxycheck/{,*} rw, include if exists }