From 9a29967458f85d9cffd4253d4aaad5e7aefa84a9 Mon Sep 17 00:00:00 2001
From: segfault <segfault@riseup.net>
Date: Tue, 4 Jun 2024 03:10:30 +0200
Subject: [PATCH 1/6] Allow access to tmp directories

We run Tor Browser in a Flatpak now, which doesn't allow access to the
host's /tmp and /var/tmp. The Flatpak runtime also unsets the TMPDIR
environment variable, so we can't easily make Tor Browser use a custom
TMPDIR in the Flatpak. Therefore we allow it access to /tmp inside the
Flatpak.
---
 apparmor/torbrowser.Browser.firefox | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index 5769224..d21bcf9 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -205,13 +205,6 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   # Silence denial logs about permissions we don't need (Tails-specific)
   deny /usr/local/lib/tor-browser/update.test/ rw,
 
-  # Deny access to global tmp directories, that's granted by the user-tmp
-  # abstraction, which is sourced by the gnome abstraction, that we include.
-  deny owner /var/tmp/**     rwklx,
-  deny /var/tmp/             rwklx,
-  deny owner /tmp/**         rwklx,
-  deny /tmp/                 rwklx,
-
   # Deny access to GVFS
   deny @{HOME}/.local/share/gvfs-metadata/home r,
 
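Review bot: The rationale in the commit message covers only /tmp, yet the removed lines also drop the two `/var/tmp` denials, so the profile now also permits whatever the user-tmp abstraction grants under /var/tmp; unless the Flatpak also needs that, keeping `deny owner /var/tmp/** rwklx,` and `deny /var/tmp/ rwklx,` would limit the widening to what the commit motivates. The profile header shown in the hunk context attaches to @{torbrowser_firefox_executable}, so the broadened access appears to apply however the binary is launched, not only inside the Flatpak, unless something outside this hunk ensures that. Since the deny block is gone, nothing in the profile records why the tmp access is now acceptable; a comment at this spot would help, e.g. `# /tmp and /var/tmp access comes from the user-tmp abstraction (via gnome): the Flatpak runtime unsets TMPDIR and provides its own /tmp.` The enclosing profile block begins and ends outside the hunk.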
-- 
GitLab


From ac16a8fa4415c7e4c21a30d578ed71ee59519574 Mon Sep 17 00:00:00 2001
From: anonym <anonym@riseup.net>
Date: Tue, 28 Jan 2025 11:00:45 +0100
Subject: [PATCH 2/6] Use variables

---
 apparmor/torbrowser.Browser.firefox | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index d21bcf9..4ecbac3 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -20,11 +20,11 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   # @{HOME}/ r,
 
   # Allow access required in flatpak
-  owner /run/user/[0-9]*/doc/** rw,
-  owner /home/amnesia/.var/app/org.boum.tails.TorBrowser/** rwkl,
+  owner @{run}/user/@{uid}/doc/** rw,
+  owner @{HOME}/.var/app/org.boum.tails.TorBrowser/** rwkl,
   /.flatpak-info r,
-  /run/host/** r,
-  /run/user/[0-9]*/pulse/config r,
+  @{run}/host/** r,
+  @{run}/user/@{uid}/pulse/config r,
 
 
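Review bot: The new rules on the `+` lines rely on the `@{run}` and `@{uid}` tunables being defined on the target system; `@{run}` is long-standing, but `@{uid}` is a newer kernel-provided variable and, if the installed tunables/global lacks it, the profile fails to parse rather than degrading. Worth confirming the minimum AppArmor version this profile targets and recording it in a comment near the top of the file, e.g. `# Requires AppArmor tunables that define @{uid}`. The same substitution is made in the hunks at @@ -114, @@ -124 and @@ -142. If `@{uid}` resolves to the confined task's own uid, as I believe, this also tightens the old `[0-9]*` glob to that user's runtime directory, which is a welcome side effect the commit message could mention. The enclosing profile block begins and ends outside the hunk.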
   # Audio support
@@ -114,7 +114,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   # The Wayland Proxy prevents certain types of Wayland issues from
   # crashing the client application. Details:
   # https://mastransky.wordpress.com/2023/12/22/wayland-proxy-load-balancer/
-  owner @{run}/user/[0-9]*/wayland-proxy-@{pid} rw,
+  owner @{run}/user/@{uid}/wayland-proxy-@{pid} rw,
 
   # Silence denial logs about permissions we don't need
   deny @{HOME}/.cache/fontconfig/ rw,
@@ -124,7 +124,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   deny @{PROC}/@{pid}/net/route r,
   deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
   deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
-  deny /run/user/[0-9]*/dconf/user rw,
+  deny @{run}/user/@{uid}/dconf/user rw,
   deny /usr/bin/lsb_release x,
 
   # Silence denial logs about PulseAudio
@@ -142,7 +142,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   /sys/class/ r,
   /sys/bus/ r,
   /sys/class/hidraw/ r,
-  /run/udev/data/c24{5,7,9}:* r,
+  @{run}/udev/data/c24{5,7,9}:* r,
   /dev/hidraw* rw,
   # Yubikey NEO also needs this:
   /sys/devices/**/hidraw/hidraw*/uevent r,
-- 
GitLab


From 7f51336a9e899295977a8fd28c7c30f22ad90498 Mon Sep 17 00:00:00 2001
From: anonym <anonym@riseup.net>
Date: Tue, 28 Jan 2025 11:04:21 +0100
Subject: [PATCH 3/6] Allow another path necessary for the File Chooser XDG
 Desktop Portal

---
 apparmor/torbrowser.Browser.firefox | 1 +
 1 file changed, 1 insertion(+)

diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index 4ecbac3..8cdbad6 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -20,6 +20,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   # @{HOME}/ r,
 
   # Allow access required in flatpak
+  owner @{run}/flatpak/doc/** rw,
   owner @{run}/user/@{uid}/doc/** rw,
   owner @{HOME}/.var/app/org.boum.tails.TorBrowser/** rwkl,
   /.flatpak-info r,
-- 
GitLab


From 600d420c0135fa5bdf4ecfa2ff487a9d53bc6047 Mon Sep 17 00:00:00 2001
From: anonym <anonym@riseup.net>
Date: Tue, 28 Jan 2025 11:05:41 +0100
Subject: [PATCH 4/6] Allow more specific path

---
 apparmor/torbrowser.Browser.firefox | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index 8cdbad6..1b852a0 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -21,7 +21,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
 
   # Allow access required in flatpak
   owner @{run}/flatpak/doc/** rw,
-  owner @{run}/user/@{uid}/doc/** rw,
+  owner @{run}/user/@{uid}/doc/by-app/org.boum.tails.TorBrowser/** rw,
   owner @{HOME}/.var/app/org.boum.tails.TorBrowser/** rwkl,
   /.flatpak-info r,
   @{run}/host/** r,
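Review bot: The narrowing to `by-app/org.boum.tails.TorBrowser/` on the new line is not mirrored on the preceding `owner @{run}/flatpak/doc/** rw,`, which still covers the whole tree. If that mount exposes the same per-app layout, the same scoping would apply there; if it is already app-specific inside the sandbox, a comment saying so would explain the asymmetry, e.g. `# @{run}/flatpak/doc is already scoped to this app by the sandbox`. I cannot tell from the hunk which of the two holds. The enclosing profile block begins and ends outside the hunk.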
-- 
GitLab


From 8d667f852c677a37e3bacdd22dbed47819479356 Mon Sep 17 00:00:00 2001
From: anonym <anonym@riseup.net>
Date: Tue, 28 Jan 2025 11:07:48 +0100
Subject: [PATCH 5/6] Reorder lines and improve comment

---
 apparmor/torbrowser.Browser.firefox | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index 1b852a0..46fa7d5 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -19,14 +19,13 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   # #include <abstractions/user-download>
   # @{HOME}/ r,
 
-  # Allow access required in flatpak
-  owner @{run}/flatpak/doc/** rw,
-  owner @{run}/user/@{uid}/doc/by-app/org.boum.tails.TorBrowser/** rw,
-  owner @{HOME}/.var/app/org.boum.tails.TorBrowser/** rwkl,
+  # Flatpak and XDG Desktop Portal support
   /.flatpak-info r,
   @{run}/host/** r,
   @{run}/user/@{uid}/pulse/config r,
-
+  owner @{HOME}/.var/app/org.boum.tails.TorBrowser/** rwkl,
+  owner @{run}/flatpak/doc/** rw,
+  owner @{run}/user/@{uid}/doc/by-app/org.boum.tails.TorBrowser/** rw,
 
   # Audio support
   /{,usr/}bin/pulseaudio Pixr,
-- 
GitLab


From 340eea38f46a8bdae12a027e3f125b6a76609b6a Mon Sep 17 00:00:00 2001
From: anonym <anonym@riseup.net>
Date: Tue, 28 Jan 2025 17:10:22 +0100
Subject: [PATCH 6/6] Allow correct pulse directory under flatpak

While @{run}/user/@{uid}/pulse/ exists, there is no config in it,
but there is one in @{run}/flatpak/pulse/.
---
 apparmor/torbrowser.Browser.firefox | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index 46fa7d5..23e5a82 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -21,8 +21,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
 
   # Flatpak and XDG Desktop Portal support
   /.flatpak-info r,
+  @{run}/flatpak/pulse/config r,
   @{run}/host/** r,
-  @{run}/user/@{uid}/pulse/config r,
   owner @{HOME}/.var/app/org.boum.tails.TorBrowser/** rwkl,
   owner @{run}/flatpak/doc/** rw,
   owner @{run}/user/@{uid}/doc/by-app/org.boum.tails.TorBrowser/** rw,
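Review bot: The reason for the new path on the `+` line lives only in the commit message; the profile itself gives no hint why `@{run}/flatpak/pulse/config` is read instead of the conventional per-user location that the removed line covered. A one-line comment would save the next reader a git blame, e.g. `# Under Flatpak the PulseAudio config is in @{run}/flatpak/pulse/, not @{run}/user/@{uid}/pulse/`. The enclosing profile block begins and ends outside the hunk.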
-- 
GitLab