diff --git a/etc/apparmor.d/torbrowser.Browser.firefox b/etc/apparmor.d/torbrowser.Browser.firefox index d0aded9..3be3872 100644 --- a/etc/apparmor.d/torbrowser.Browser.firefox +++ b/etc/apparmor.d/torbrowser.Browser.firefox @@ -1,10 +1,11 @@ #include #include -@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox +@{torbrowser_firefox_executable} = /usr/local/lib/tor-browser/firefox profile torbrowser_firefox @{torbrowser_firefox_executable} { #include + #include # Uncomment the following lines if you want to give the Tor Browser read-write # access to most of your personal files. @@ -25,13 +26,16 @@ deny /etc/passwd r, deny /etc/group r, deny /etc/mailcap r, + deny @{HOME}/.local/share/gvfs-metadata/home r, + deny /run/resolvconf/resolv.conf r, - deny /etc/machine-id r, - deny /var/lib/dbus/machine-id r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, /dev/ r, /dev/shm/ r, + owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, @@ -39,30 +43,32 @@ owner @{PROC}/@{pid}/task/*/stat r, @{PROC}/sys/kernel/random/uuid r, - owner @{torbrowser_installation_dir}/ r, - owner @{torbrowser_installation_dir}/* r, - owner @{torbrowser_installation_dir}/.** rwk, - owner @{torbrowser_installation_dir}/update.test/ rwk, - owner @{torbrowser_home_dir}/.** rwk, - owner @{torbrowser_home_dir}/ rw, - owner @{torbrowser_home_dir}/** rwk, - owner @{torbrowser_home_dir}.bak/ rwk, - owner @{torbrowser_home_dir}.bak/** rwk, - owner @{torbrowser_home_dir}/*.so mr, - owner @{torbrowser_home_dir}/.cache/fontconfig/ rwk, - owner @{torbrowser_home_dir}/.cache/fontconfig/** rwkl, - owner @{torbrowser_home_dir}/components/*.so mr, - owner @{torbrowser_home_dir}/browser/components/*.so mr, - owner @{torbrowser_home_dir}/firefox rix, - owner @{torbrowser_home_dir}/plugin-container px -> torbrowser_plugin_container, - owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/updater ix, - owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/0/MozUpdater/bgupdate/updater ix, - owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r, - owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/ r, - owner @{torbrowser_home_dir}/TorBrowser/Tor/tor px, - owner @{torbrowser_home_dir}/TorBrowser/Tor/ r, - owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr, - owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr, + @{torbrowser_home_dir}/ r, + @{torbrowser_home_dir}/** mr, + @{torbrowser_home_dir}/plugin-container px -> torbrowser_plugin_container, + + owner "@{HOME}/Tor Browser/" rw, + owner "@{HOME}/Tor Browser/**" rwk, + owner "@{HOME}/Persistent/Tor Browser/" rw, + owner "@{HOME}/Persistent/Tor Browser/**" rwk, + owner "/live/persistence/TailsData_unlocked/Persistent/Tor Browser/" rw, + owner "/live/persistence/TailsData_unlocked/Persistent/Tor Browser/**" rwk, + owner @{HOME}/.mozilla/firefox/bookmarks/ rwk, + owner @{HOME}/.mozilla/firefox/bookmarks/** rwk, + owner /live/persistence/TailsData_unlocked/bookmarks/ rwk, + owner /live/persistence/TailsData_unlocked/bookmarks/** rwk, + owner @{HOME}/.tor-browser/profile.default/ r, + owner @{HOME}/.tor-browser/profile.default/** rwk, + + /etc/xul-ext/ r, + /etc/xul-ext/** r, + /usr/local/share/tor-browser-extensions/ r, + /usr/local/share/tor-browser-extensions/** rk, + /usr/share/{xul-,web}ext/ r, + /usr/share/{xul-,web}ext/** r, + + /usr/share/doc/tails/website/ r, + /usr/share/doc/tails/website/** r, /etc/mailcap r, /etc/mime.types r, @@ -70,6 +76,7 @@ /usr/share/ r, /usr/share/mime/ r, /usr/share/themes/ r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/applications/** rk, /usr/share/gnome/applications/ r, /usr/share/gnome/applications/kde4/ r, @@ -85,12 +92,6 @@ /sys/devices/system/node/node[0-9]*/meminfo r, deny /sys/devices/virtual/block/*/uevent r, - # Should use abstractions/gstreamer instead once merged upstream - /etc/udev/udev.conf r, - /run/udev/data/+pci:* r, - /sys/devices/pci[0-9]*/**/uevent r, - owner /{dev,run}/shm/shmfd-* rw, - # Required for multiprocess Firefox (aka Electrolysis, i.e. e10s) owner /{dev,run}/shm/org.chromium.* rw, @@ -104,6 +105,32 @@ deny @{HOME}/.cache/fontconfig/** rw, deny @{HOME}/.config/gtk-2.0/ rw, deny @{HOME}/.config/gtk-2.0/** rw, + deny @{HOME}/.mozilla/firefox/bookmarks/ r, + deny @{PROC}/@{pid}/net/route r, + deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, + deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r, + deny /usr/local/lib/tor-browser/TorBrowser/UpdateInfo/ rw, + deny /usr/local/lib/tor-browser/update.test/ rw, + + /usr/local/lib/tor-browser/firefox Pix, + + # Grant access to assistive technologies + # (otherwise, Firefox crashes when Orca is enabled: + # https://labs.riseup.net/code/issues/9261) + owner @{HOME}/.cache/at-spi2-*/ rw, + owner @{HOME}/.cache/at-spi2-*/socket rw, + + # Spell checking (the "enchant" abstraction includes these rules + # too, but it allows way more stuff than what we need) + /usr/share/hunspell/ r, + /usr/share/hunspell/* r, + + # Deny access to the list of recently used files. This overrides the + # access to it that's granted by the freedesktop.org abstraction. + deny @{HOME}/.local/share/recently-used.xbel* rw, + + # Silence denial logs about permissions we don't need + deny /dev/dri/ rwklx, deny @{PROC}/@{pid}/net/route r, deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r, @@ -119,5 +146,10 @@ /etc/xfce4/defaults.list r, /usr/share/xfce4/applications/ r, - #include + # Deny access to global tmp directories, that's granted by the user-tmp + # abstraction, which is sourced by the gnome abstraction, that we include. + deny owner /var/tmp/** rwklx, + deny /var/tmp/ rwklx, + deny owner /tmp/** rwklx, + deny /tmp/ rwklx, } diff --git a/etc/apparmor.d/torbrowser.Browser.plugin-container b/etc/apparmor.d/torbrowser.Browser.plugin-container index fe95fdb..7ebf9d6 100644 --- a/etc/apparmor.d/torbrowser.Browser.plugin-container +++ b/etc/apparmor.d/torbrowser.Browser.plugin-container @@ -10,9 +10,9 @@ profile torbrowser_plugin_container { # - the "deny" word in the machine-id lines # - the rules that deny reading /etc/pulse/client.conf # and executing /usr/bin/pulseaudio - # #include - # /etc/asound.conf r, - # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw, + #include + /etc/asound.conf r, + owner @{HOME}/.tor-browser/profile.default/tmp/mozilla-temp-* rw, signal (receive) set=("term") peer=torbrowser_firefox, @@ -24,8 +24,8 @@ profile torbrowser_plugin_container { deny /etc/group r, deny /etc/mailcap r, - deny /etc/machine-id r, - deny /var/lib/dbus/machine-id r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, /etc/mime.types r, /usr/share/applications/gnome-mimeapps.list r, @@ -39,28 +39,27 @@ profile torbrowser_plugin_container { owner @{PROC}/@{pid}/task/*/stat r, @{PROC}/sys/kernel/random/uuid r, - owner @{torbrowser_home_dir}/*.dat r, - owner @{torbrowser_home_dir}/*.manifest r, - owner @{torbrowser_home_dir}/*.so mr, - owner @{torbrowser_home_dir}/.cache/fontconfig/ rw, - owner @{torbrowser_home_dir}/.cache/fontconfig/** rw, - owner @{torbrowser_home_dir}/browser/** r, - owner @{torbrowser_home_dir}/components/*.so mr, - owner @{torbrowser_home_dir}/browser/components/*.so mr, - owner @{torbrowser_home_dir}/defaults/pref/ r, - owner @{torbrowser_home_dir}/defaults/pref/*.js r, - owner @{torbrowser_home_dir}/fonts/ r, - owner @{torbrowser_home_dir}/fonts/** r, - owner @{torbrowser_home_dir}/omni.ja r, - owner @{torbrowser_home_dir}/plugin-container ixmr, - owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r, - owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/* rw, - owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r, - owner @{torbrowser_home_dir}/TorBrowser/Tor/ r, - owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr, - owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr, - owner @{torbrowser_home_dir}/Downloads/ rwk, - owner @{torbrowser_home_dir}/Downloads/** rwk, + @{torbrowser_home_dir}/ r, + @{torbrowser_home_dir}/** mr, + @{torbrowser_home_dir}/plugin-container ixmr, + + owner @{HOME}/.tor-browser/profile.default/tmp/* rw, + + owner "@{HOME}/Tor Browser/" rw, + owner "@{HOME}/Tor Browser/**" rwk, + owner "@{HOME}/Persistent/Tor Browser/" rw, + owner "@{HOME}/Persistent/Tor Browser/**" rwk, + + owner @{HOME}/.tor-browser/profile.default/extensions/*.xpi r, + /etc/xul-ext/ r, + /etc/xul-ext/** r, + /usr/local/share/tor-browser-extensions/ r, + /usr/local/share/tor-browser-extensions/** rk, + /usr/share/xul-ext/ r, + /usr/share/xul-ext/** r, + + /usr/share/doc/tails/website/ r, + /usr/share/doc/tails/website/** r, /sys/devices/system/cpu/ r, /sys/devices/system/cpu/present r, @@ -86,10 +85,16 @@ profile torbrowser_plugin_container { deny @{PROC}/@{pid}/net/route r, deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r, + deny @{HOME}/.cache/fontconfig/ w, # Silence denial logs about PulseAudio deny /etc/pulse/client.conf r, deny /usr/bin/pulseaudio x, - #include + # Deny access to global tmp directories, that's granted by the user-tmp + # abstraction, which is sourced by the gnome abstraction, that we include. + deny owner /var/tmp/** rwklx, + deny /var/tmp/ rwklx, + deny owner /tmp/** rwklx, + deny /tmp/ rwklx, } diff --git a/etc/apparmor.d/tunables/torbrowser b/etc/apparmor.d/tunables/torbrowser index 9b31139..f77e082 100644 --- a/etc/apparmor.d/tunables/torbrowser +++ b/etc/apparmor.d/tunables/torbrowser @@ -1,2 +1 @@ -@{torbrowser_installation_dir}=@{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_* -@{torbrowser_home_dir}=@{torbrowser_installation_dir}/Browser +@{torbrowser_home_dir}=/usr/local/lib/tor-browser