From 064e9edec2f2baa442ec37f36712ffd5cf9bef72 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 21 Sep 2024 13:18:03 +0100
Subject: [PATCH] fix(profile): ensure torbrowser-update can start torbrowser.

---
 apparmor.d/groups/browsers/torbrowser-updater   | 2 +-
 apparmor.d/groups/browsers/torbrowser-vaapitest | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/apparmor.d/groups/browsers/torbrowser-updater b/apparmor.d/groups/browsers/torbrowser-updater
index 3bc8e591d..5aaa82c2a 100644
--- a/apparmor.d/groups/browsers/torbrowser-updater
+++ b/apparmor.d/groups/browsers/torbrowser-updater
@@ -16,7 +16,7 @@ profile torbrowser-updater @{exec_path} {
   @{exec_path} mr,
 
   @{lib_dirs}/*.so              mr,
-  @{lib_dirs}/firefox{,.real}   Px,
+  @{lib_dirs}/firefox{,.real}   Px -> torbrowser,
 
   owner @{lib_dirs}/{,**} rw,
 
diff --git a/apparmor.d/groups/browsers/torbrowser-vaapitest b/apparmor.d/groups/browsers/torbrowser-vaapitest
index 7570d6ce4..cf68f3ea7 100644
--- a/apparmor.d/groups/browsers/torbrowser-vaapitest
+++ b/apparmor.d/groups/browsers/torbrowser-vaapitest
@@ -24,6 +24,7 @@ profile torbrowser-vaapitest @{exec_path} flags=(attach_disconnected) {
   deny @{lib_dirs}/{,browser/}omni.ja r,
   deny @{cache_dirs}/profile.default/startupCache/* r,
   deny @{config_dirs}/.parentlock rw,
+  deny @{config_dirs}/extensions/*.xpi r,
 
   include if exists <local/torbrowser-vaapitest>
 }