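--- a/etc/apparmor.d/torbrowser.Browser.firefox
+++ b/etc/apparmor.d/torbrowser.Browser.firefox
@@ -1,10 +1,11 @@
 #include <tunables/global>
 #include <tunables/torbrowser>
 
-@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real
+@{torbrowser_firefox_executable} = /usr/local/lib/tor-browser/firefox.real
 
 profile torbrowser_firefox @{torbrowser_firefox_executable} {
   #include <abstractions/gnome>
+  #include <abstractions/ibus>
 
   # Uncomment the following lines if you want to give the Tor Browser read-write
   # access to most of your personal files.
@@ -25,13 +26,16 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   deny /etc/passwd r,
   deny /etc/group r,
   deny /etc/mailcap r,
+  deny @{HOME}/.local/share/gvfs-metadata/home r,
+  deny /run/resolvconf/resolv.conf r,
 
-  deny /etc/machine-id r,
-  deny /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
+  /var/lib/dbus/machine-id r,
 
   /dev/ r,
   /dev/shm/ r,
 
+  owner @{PROC}/@{pid}/environ r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/stat r,
@@ -39,32 +43,34 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   owner @{PROC}/@{pid}/task/*/stat r,
   @{PROC}/sys/kernel/random/uuid r,
 
-  owner @{torbrowser_installation_dir}/ r,
-  owner @{torbrowser_installation_dir}/* r,
-  owner @{torbrowser_installation_dir}/.** rwk,
-  owner @{torbrowser_installation_dir}/update.test/ rwk,
-  owner @{torbrowser_home_dir}/.** rwk,
-  owner @{torbrowser_home_dir}/ rw,
-  owner @{torbrowser_home_dir}/** rwk,
-  owner @{torbrowser_home_dir}.bak/ rwk,
-  owner @{torbrowser_home_dir}.bak/** rwk,
-  owner @{torbrowser_home_dir}/*.so mr,
-  owner @{torbrowser_home_dir}/.cache/fontconfig/ rwk,
-  owner @{torbrowser_home_dir}/.cache/fontconfig/** rwkl,
-  owner @{torbrowser_home_dir}/components/*.so mr,
-  owner @{torbrowser_home_dir}/browser/components/*.so mr,
-  owner @{torbrowser_home_dir}/firefox rix,
-  owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/updater ix,
-  owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/0/MozUpdater/bgupdate/updater ix,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/ r,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/tor px,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
+  @{torbrowser_home_dir}/ r,
+  @{torbrowser_home_dir}/** mr,
+
+  owner "@{HOME}/Tor Browser/" rw,
+  owner "@{HOME}/Tor Browser/**" rwk,
+  owner "@{HOME}/Persistent/Tor Browser/" rw,
+  owner "@{HOME}/Persistent/Tor Browser/**" rwk,
+  owner "/live/persistence/TailsData_unlocked/Persistent/Tor Browser/" rw,
+  owner "/live/persistence/TailsData_unlocked/Persistent/Tor Browser/**" rwk,
+  owner @{HOME}/.mozilla/firefox/bookmarks/ rwk,
+  owner @{HOME}/.mozilla/firefox/bookmarks/** rwk,
+  owner /live/persistence/TailsData_unlocked/bookmarks/ rwk,
+  owner /live/persistence/TailsData_unlocked/bookmarks/** rwk,
+  owner @{HOME}/.tor-browser/profile.default/ r,
+  owner @{HOME}/.tor-browser/profile.default/** rwk,
+
+  /etc/xul-ext/ r,
+  /etc/xul-ext/** r,
+  /usr/local/share/tor-browser-extensions/ r,
+  /usr/local/share/tor-browser-extensions/** rk,
+  /usr/share/{xul-,web}ext/ r,
+  /usr/share/{xul-,web}ext/** r,
+
+  /usr/share/doc/tails/website/ r,
+  /usr/share/doc/tails/website/** r,
 
   # Web Content processes
-  owner @{torbrowser_firefox_executable} px -> torbrowser_plugin_container,
+  @{torbrowser_firefox_executable} px -> torbrowser_plugin_container,
 
   /etc/mailcap r,
   /etc/mime.types r,
@@ -88,12 +94,6 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   /sys/devices/system/node/node[0-9]*/meminfo r,
   deny /sys/devices/virtual/block/*/uevent r,
 
-  # Should use abstractions/gstreamer instead once merged upstream
-  /etc/udev/udev.conf r,
-  /run/udev/data/+pci:* r,
-  /sys/devices/pci[0-9]*/**/uevent r,
-  owner /{dev,run}/shm/shmfd-* rw,
-
   # Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
   owner /{dev,run}/shm/org.chromium.* rw,
 
@@ -107,6 +107,29 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   deny @{HOME}/.cache/fontconfig/** rw,
   deny @{HOME}/.config/gtk-2.0/ rw,
   deny @{HOME}/.config/gtk-2.0/** rw,
+  deny @{HOME}/.mozilla/firefox/bookmarks/ r,
+  deny @{PROC}/@{pid}/net/route r,
+  deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
+  deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
+  deny /usr/local/lib/tor-browser/update.test/ rw,
+
+  # Grant access to assistive technologies
+  # (otherwise, Firefox crashes when Orca is enabled:
+  # https://labs.riseup.net/code/issues/9261)
+  owner @{HOME}/.cache/at-spi2-*/ rw,
+  owner @{HOME}/.cache/at-spi2-*/socket rw,
+
+  # Spell checking (the "enchant" abstraction includes these rules
+  # too, but it allows way more stuff than what we need)
+  /usr/share/hunspell/                             r,
+  /usr/share/hunspell/*                            r,
+
+  # Deny access to the list of recently used files. This overrides the
+  # access to it that's granted by the freedesktop.org abstraction.
+  deny @{HOME}/.local/share/recently-used.xbel* rw,
+
+  # Silence denial logs about permissions we don't need
+  deny /dev/dri/   rwklx,
   deny @{PROC}/@{pid}/net/route r,
   deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
   deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
@@ -122,5 +145,10 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   /etc/xfce4/defaults.list r,
   /usr/share/xfce4/applications/ r,
 
-  #include <local/torbrowser.Browser.firefox>
+  # Deny access to global tmp directories, that's granted by the user-tmp
+  # abstraction, which is sourced by the gnome abstraction, that we include.
+  deny owner /var/tmp/**     rwklx,
+  deny /var/tmp/             rwklx,
+  deny owner /tmp/**         rwklx,
+  deny /tmp/                 rwklx,
 }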
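Review bot: In the `@@ -107,6 +107,29 @@` hunk, `deny @{HOME}/.mozilla/firefox/bookmarks/ r,` strips the read permission that `owner @{HOME}/.mozilla/firefox/bookmarks/ rwk,` grants earlier in this same profile, because AppArmor deny rules take precedence over allow rules; if denying directory listing while keeping create/write is intentional, that deserves a comment next to the deny, e.g. `# Listing the bookmarks directory is not needed; silence the denial but keep w/k above`, otherwise one of the two rules should go. The three `deny` lines for `@{PROC}/@{pid}/net/route` and the two `/sys/devices/system/cpu/...` paths added near the top of the hunk are byte-identical to the rules that still follow the new `# Silence denial logs about permissions we don't need` header a few lines below, so the added copies are redundant and can be dropped. `deny /usr/local/lib/tor-browser/update.test/ rw,` hard-codes the path that every other rule in this commit expresses through the tunable; `deny @{torbrowser_home_dir}/update.test/ rw,` keeps it consistent with the `tunables/torbrowser` change and will not silently stop matching if the tunable moves again.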
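--- a/etc/apparmor.d/torbrowser.Browser.plugin-container
+++ b/etc/apparmor.d/torbrowser.Browser.plugin-container
@@ -1,7 +1,7 @@
 #include <tunables/global>
 #include <tunables/torbrowser>
 
-@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real
+@{torbrowser_firefox_executable} = /usr/local/lib/tor-browser/firefox.real
 
 profile torbrowser_plugin_container {
   #include <abstractions/gnome>
@@ -12,9 +12,9 @@ profile torbrowser_plugin_container {
   #  - the "deny" word in the machine-id lines
   #  - the rules that deny reading /etc/pulse/client.conf
   #    and executing /usr/bin/pulseaudio
-  # #include <abstractions/audio>
-  # /etc/asound.conf r,
-  # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw,
+  #include <abstractions/audio>
+  /etc/asound.conf r,
+  owner @{HOME}/.tor-browser/profile.default/tmp/mozilla-temp-* rw,
 
   signal (receive) set=("term") peer=torbrowser_firefox,
 
@@ -26,8 +26,8 @@ profile torbrowser_plugin_container {
   deny /etc/group r,
   deny /etc/mailcap r,
 
-  deny /etc/machine-id r,
-  deny /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
+  /var/lib/dbus/machine-id r,
 
   /etc/mime.types r,
   /usr/share/applications/gnome-mimeapps.list r,
@@ -42,31 +42,29 @@ profile torbrowser_plugin_container {
   owner @{PROC}/@{pid}/task/*/stat r,
   @{PROC}/sys/kernel/random/uuid r,
 
-  owner @{torbrowser_home_dir}/*.dat r,
-  owner @{torbrowser_home_dir}/*.manifest r,
-  owner @{torbrowser_home_dir}/*.so mr,
-  owner @{torbrowser_home_dir}/.cache/fontconfig/   rw,
-  owner @{torbrowser_home_dir}/.cache/fontconfig/** rw,
-  owner @{torbrowser_home_dir}/browser/** r,
-  owner @{torbrowser_home_dir}/components/*.so mr,
-  owner @{torbrowser_home_dir}/browser/components/*.so mr,
-  owner @{torbrowser_home_dir}/defaults/pref/     r,
-  owner @{torbrowser_home_dir}/defaults/pref/*.js r,
-  owner @{torbrowser_home_dir}/dependentlibs.list r,
-  owner @{torbrowser_home_dir}/fonts/   r,
-  owner @{torbrowser_home_dir}/fonts/** r,
-  owner @{torbrowser_home_dir}/omni.ja r,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/* rw,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
-  owner @{torbrowser_home_dir}/Downloads/ rwk,
-  owner @{torbrowser_home_dir}/Downloads/** rwk,
-
-  owner @{torbrowser_firefox_executable} ixmr -> torbrowser_plugin_container,
+  @{torbrowser_home_dir}/ r,
+  @{torbrowser_home_dir}/** mr,
+
+  owner @{HOME}/.tor-browser/profile.default/startupCache/* r,
+  owner @{HOME}/.tor-browser/profile.default/tmp/* rw,
+
+  owner "@{HOME}/Tor Browser/" rw,
+  owner "@{HOME}/Tor Browser/**" rwk,
+  owner "@{HOME}/Persistent/Tor Browser/" rw,
+  owner "@{HOME}/Persistent/Tor Browser/**" rwk,
+
+  owner @{HOME}/.tor-browser/profile.default/extensions/*.xpi r,
+  /etc/xul-ext/ r,
+  /etc/xul-ext/** r,
+  /usr/local/share/tor-browser-extensions/ r,
+  /usr/local/share/tor-browser-extensions/** rk,
+  /usr/share/{xul-,web}ext/ r,
+  /usr/share/{xul-,web}ext/** r,
+
+  /usr/share/doc/tails/website/ r,
+  /usr/share/doc/tails/website/** r,
+
+  @{torbrowser_firefox_executable} ixmr -> torbrowser_plugin_container,
 
   /sys/devices/system/cpu/ r,
   /sys/devices/system/cpu/present r,
@@ -92,10 +90,16 @@ profile torbrowser_plugin_container {
   deny @{PROC}/@{pid}/net/route r,
   deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
   deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
+  deny @{HOME}/.cache/fontconfig/ w,
 
   # Silence denial logs about PulseAudio
   deny /etc/pulse/client.conf r,
   deny /usr/bin/pulseaudio x,
 
-  #include <local/torbrowser.Browser.plugin-container>
+  # Deny access to global tmp directories, that's granted by the user-tmp
+  # abstraction, which is sourced by the gnome abstraction, that we include.
+  deny owner /var/tmp/**     rwklx,
+  deny /var/tmp/             rwklx,
+  deny owner /tmp/**         rwklx,
+  deny /tmp/                 rwklx,
 }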
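Review bot: The instruction comment that ends with `#    and executing /usr/bin/pulseaudio` in the `@@ -12,9 +12,9 @@` hunk is now stale: the three audio lines it tells the reader to uncomment are uncommented by this commit, and the `deny` it says to remove from the machine-id lines is removed in the next hunk, yet the PulseAudio deny rules it also names are still present as context at the end of the file (`deny /etc/pulse/client.conf r,` and `deny /usr/bin/pulseaudio x,`). The comment block starts outside the hunk, so it should be rewritten as a whole to describe the configuration actually chosen — apparently audio through ALSA with PulseAudio still denied, if that is the intent — or dropped. Separately, turning `/etc/machine-id` and `/var/lib/dbus/machine-id` from `deny` into plain allow rules, here and in the torbrowser.Browser.firefox section, lets the content process read a stable host identifier; a one-line justification such as `# Read access to machine-id is part of enabling audio support; NOTE(review): it is a persistent identifier unless regenerated at boot — confirm` would make that trade-off visible to the next person who audits the profile.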
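--- a/etc/apparmor.d/tunables/torbrowser
+++ b/etc/apparmor.d/tunables/torbrowser
@@ -1,2 +1 @@
-@{torbrowser_installation_dir}=@{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*
-@{torbrowser_home_dir}=@{torbrowser_installation_dir}/Browser
+@{torbrowser_home_dir}=/usr/local/lib/tor-browser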