From 7858cae3300f46269e67d1f0d43fda678251b0d2 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Mon, 16 Sep 2024 13:36:29 +0100
Subject: [PATCH] feat(profile): torbrowser: do not give access to user dirs by
 default.

- Remove read-only access to most user dirs.
- Remove read-write access to download directories.

fix #490
---
 apparmor.d/abstractions/app/firefox        | 2 --
 apparmor.d/groups/browsers/firefox         | 2 ++
 apparmor.d/groups/browsers/firefox-glxtest | 2 +-
 apparmor.d/groups/browsers/torbrowser      | 4 ++++
 apparmor.d/profiles-s-z/thunderbird        | 2 ++
 5 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox
index 89ea1f747..7eb223b09 100644
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@@ -29,8 +29,6 @@
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/uim>
-  include <abstractions/user-download-strict>
-  include <abstractions/user-read-strict>
 
   # userns,
 
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 75c3c0f86..ef8bf5842 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -16,6 +16,8 @@ include <tunables/global>
 profile firefox @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/app/firefox>
+  include <abstractions/user-download-strict>
+  include <abstractions/user-read-strict>
 
   signal (send) set=(term, kill) peer=keepassxc-proxy,
 
diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest
index 995f94f8f..02bbb92a6 100644
--- a/apparmor.d/groups/browsers/firefox-glxtest
+++ b/apparmor.d/groups/browsers/firefox-glxtest
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{name} = firefox{,.sh,-esr,-bin}
+@{name} = firefox{,-esr,-bin}
 @{lib_dirs} = @{lib}/@{name} /opt/@{name}
 @{config_dirs} = @{HOME}/.mozilla/
 @{cache_dirs} = @{user_cache_dirs}/mozilla/
diff --git a/apparmor.d/groups/browsers/torbrowser b/apparmor.d/groups/browsers/torbrowser
index 6b9b6dbab..c0c4a893e 100644
--- a/apparmor.d/groups/browsers/torbrowser
+++ b/apparmor.d/groups/browsers/torbrowser
@@ -17,6 +17,9 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/app/firefox>
 
+  # Uncomment if you want to give the Tor Browser access to the common download directory.
+  # include <abstractions/user-download-strict>
+
   @{exec_path} mrix,
 
   @{lib_dirs}/abicheck           ix,
@@ -41,6 +44,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
   owner "@{tmp}/Tor Project*/**" rwk,
 
   # Due to the nature of the browser, we silence much more than for Firefox.
+  deny capability sys_ptrace,
   deny network inet dgram, # TOR does not work over UDP
   deny network inet6 dgram,
   deny network inet6 stream, # TOR does not work over IPv6
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index 28b0a4836..dbf045333 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -16,6 +16,8 @@ include <tunables/global>
 profile thunderbird @{exec_path} {
   include <abstractions/base>
   include <abstractions/app/firefox>
+  include <abstractions/user-download-strict>
+  include <abstractions/user-read-strict>
 
   #aa:dbus own bus=session name=org.mozilla.thunderbird