felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): torbrowser: do not give access to user dirs by default.

Browse source 
- Remove read-only access to most user dirs.
- Remove read-write access to download directories.

fix #490
This commit is contained in:
Alexandre Pujol 2024-09-16 13:36:29 +01:00
parent 2805ed9dd9
commit 7858cae330
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
5 changed files with 9 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/abstractions/app/firefox
View file

@ -29,8 +29,6 @@
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read> include <abstractions/thumbnails-cache-read>
include <abstractions/uim> include <abstractions/uim>
include <abstractions/user-download-strict>
include <abstractions/user-read-strict>
# userns, # userns,

2
apparmor.d/groups/browsers/firefox
View file

@ -16,6 +16,8 @@ include <tunables/global>
profile firefox @{exec_path} flags=(attach_disconnected) { profile firefox @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/firefox> include <abstractions/app/firefox>
include <abstractions/user-download-strict>
include <abstractions/user-read-strict>
signal (send) set=(term, kill) peer=keepassxc-proxy, signal (send) set=(term, kill) peer=keepassxc-proxy,

2
apparmor.d/groups/browsers/firefox-glxtest
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{name} = firefox{,.sh,-esr,-bin} @{name} = firefox{,-esr,-bin}
@{lib_dirs} = @{lib}/@{name} /opt/@{name} @{lib_dirs} = @{lib}/@{name} /opt/@{name}
@{config_dirs} = @{HOME}/.mozilla/ @{config_dirs} = @{HOME}/.mozilla/
@{cache_dirs} = @{user_cache_dirs}/mozilla/ @{cache_dirs} = @{user_cache_dirs}/mozilla/

4
apparmor.d/groups/browsers/torbrowser
View file

@ -17,6 +17,9 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/firefox> include <abstractions/app/firefox>
# Uncomment if you want to give the Tor Browser access to the common download directory.
# include <abstractions/user-download-strict>
@{exec_path} mrix, @{exec_path} mrix,
@{lib_dirs}/abicheck ix, @{lib_dirs}/abicheck ix,
@ -41,6 +44,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
owner "@{tmp}/Tor Project*/**" rwk, owner "@{tmp}/Tor Project*/**" rwk,
# Due to the nature of the browser, we silence much more than for Firefox. # Due to the nature of the browser, we silence much more than for Firefox.
deny capability sys_ptrace,
deny network inet dgram, # TOR does not work over UDP deny network inet dgram, # TOR does not work over UDP
deny network inet6 dgram, deny network inet6 dgram,
deny network inet6 stream, # TOR does not work over IPv6 deny network inet6 stream, # TOR does not work over IPv6

2
apparmor.d/profiles-s-z/thunderbird
View file

@ -16,6 +16,8 @@ include <tunables/global>
profile thunderbird @{exec_path} { profile thunderbird @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/firefox> include <abstractions/app/firefox>
include <abstractions/user-download-strict>
include <abstractions/user-read-strict>
#aa:dbus own bus=session name=org.mozilla.thunderbird #aa:dbus own bus=session name=org.mozilla.thunderbird