Allow Tor Browser to view other HTML files in /usr/share/doc

Originally created by @sajolida on #16432 (Redmine)

Right now, the AppArmor profile of Tor Browser in Tails only allows viewing files in `/usr/share/doc/tails/website`.

For example, if I install ikiwiki, I have no way of viewing the HTML documentation included in the package.

We are also facing this problem in Whiskers where it’s currently impossible to view the doc included in the Debian package: https://gitlab.com/scif/whiskers/issues/95.

So relaxing the AppArmor limitations on `/usr/share/doc` make sense in 2 different contexts that Tails wants to support:

Additional Software (like ikiwiki) introduced in 3.9.
Tails derivatives (like Whiskers) as per https://tails.boum.org/contribute/derivatives/.

What would be the best approach to solve this?

Edit the AppArmor profile in https://git.tails.boum.org/tails/tree/config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch? I could submit a branch for this.

Is it possible to relax the AppArmor limitations at runtime? This could work for Tails derivatives but not for Additional Software.

Attachments

Edited May 21, 2020 by sajolida

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information