feat(profile): add torbrowser

The same profiles are now used for torbrowser whether or not it is running on whonix.
Alexandre Pujol 2024-09-12 22:54:20 +01:00
parent ecf4eaee14
commit 7b4db8fd41
GPG key ID: C5469996F0DF68EC
10 changed files with 241 additions and 93 deletions


@ -1,73 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{name} = torbrowser "tor browser"
@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
@{config_dirs} = @{data_dirs}/Browser/*.default/
@{cache_dirs} = @{data_dirs}/Browser/Caches
@{exec_path} = @{lib_dirs}/firefox{,.real}
profile torbrowser @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app/firefox>
@{exec_path} mrix,
@{lib_dirs}/abicheck rix,
@{lib_dirs}/updater rPx,
/usr/share/homepage/{,**} r,
owner @{lib_dirs}/.cache/{,**} rw,
owner @{lib_dirs}/.local/{,**} rw,
owner @{lib_dirs}/Downloads/{,**} rw,
owner @{lib_dirs}/fonts/** r,
owner @{lib_dirs}/TorBrowser/UpdateInfo/{,**} rw,
owner "@{tmp}/Tor Project*" rwk,
owner "@{tmp}/Tor Project*/" rw,
owner "@{tmp}/Tor Project*/**" rwk,
# Due to the nature of the browser, we silence much more than for Firefox.
deny network inet dgram, # TOR does not work over UDP
deny network inet6 dgram,
deny dbus (send receive) bus=session path=/ca/desrt/dconf/Writer/user,
deny @{bin}/lsb_release x,
deny @{lib_dirs}/crashreporter x,
deny @{lib_dirs}/glxtest x,
deny @{lib_dirs}/minidump-analyzer x,
deny @{lib_dirs}/pingsender x,
deny /usr/share/dconf/** r,
deny /etc/dconf/** r,
deny /etc/fstab r,
deny /etc/group r,
deny /etc/host.conf r,
deny /etc/hosts r,
deny /etc/machine-id r,
deny /etc/mailcap r,
deny /etc/nsswitch.conf r,
deny /etc/os-release r,
deny /etc/passwd r,
deny /etc/resolv.conf r,
deny /var/lib/dbus/machine-id r,
deny owner @{user_config_dirs}/dconf/user r,
deny owner @{user_config_dirs}/gtk-*/{,**} rw,
deny owner @{run}/user/@{uid}/dconf/ rw,
deny owner @{run}/user/@{uid}/dconf/user rw,
deny @{sys}/class/input/ r,
deny @{sys}/devices/system/cpu/*/cache/index@{int}/size r,
deny @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r,
deny @{sys}/devices/virtual/block/*/uevent r,
deny @{PROC}/@{pid}/net/if_inet6 r,
deny @{PROC}/@{pid}/net/route r,
include if exists <local/torbrowser>
}
# vim:syntax=apparmor


@ -1,33 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{name} = torbrowser "tor browser"
@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
@{config_dirs} = @{data_dirs}/Browser/*.default/
@{cache_dirs} = @{data_dirs}/Browser/Caches
@{exec_path} = @{lib_dirs}/glxtest
profile torbrowser-glxtest @{exec_path} {
include <abstractions/base>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/X-strict>
@{exec_path} mr,
owner @{config_dirs}/.parentlock rw,
owner @{tmp}/@{name}/.parentlock rw,
owner @{PROC}/@{pid}/cmdline r,
include if exists <local/torbrowser-glxtest>
}
# vim:syntax=apparmor


@ -1,27 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{name} = torbrowser "tor browser"
@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
@{config_dirs} = @{data_dirs}/Browser/*.default/
@{cache_dirs} = @{data_dirs}/Browser/Caches
@{exec_path} = @{lib_dirs}/plugin-container
profile torbrowser-plugin-container @{exec_path} {
include <abstractions/base>
signal (receive) set=(term, kill) peer=torbrowser,
@{exec_path} mr,
include if exists <local/torbrowser-plugin-container>
}
# vim:syntax=apparmor


@ -1,51 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
@{exec_path} = @{lib_dirs}/start-tor-browser
profile torbrowser-start @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} rm,
@{sh_path} rix,
@{bin}/cp rix,
@{bin}/dirname rix,
@{bin}/env r,
@{bin}/expr rix,
@{bin}/file rix,
@{bin}/getconf rix,
@{bin}/grep rix,
@{bin}/id rix,
@{bin}/ln rix,
@{bin}/mkdir rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/sh rix,
@{bin}/srm rix,
@{lib_dirs}/abicheck rix,
@{lib_dirs}/firefox{,.real} rPx,
/etc/magic r,
owner @{lib_dirs}/.config/ibus/{,**} rw,
owner @{lib_dirs}/.local/* rw,
owner @{lib_dirs}/sed@{rand6} rw,
owner @{lib_dirs}/start-tor-browser.desktop rw,
owner @{lib_dirs}/TorBrowser/Tor/tor r,
owner @{HOME}/.xsession-errors rw,
owner @{HOME}/.tb/tor-browser/* rw,
include if exists <local/torbrowser-start>
}
# vim:syntax=apparmor


@ -1,30 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
@{exec_path} = @{lib_dirs}/updater
profile torbrowser-updater @{exec_path} {
include <abstractions/base>
include <abstractions/desktop>
@{exec_path} mr,
@{lib_dirs}/*.so mr,
@{lib_dirs}/firefox{,.real} rPx,
owner @{lib_dirs}/{,**} rw,
owner @{tmp}/#@{int} rw,
deny owner @{lib_dirs}/Downloads/** rw,
include if exists <local/torbrowser-updater>
}
# vim:syntax=apparmor


@ -1,33 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{name} = torbrowser "tor browser"
@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
@{config_dirs} = @{data_dirs}/Browser/*.default/
@{cache_dirs} = @{data_dirs}/Browser/Caches
@{exec_path} = @{lib_dirs}/vaapitest
profile torbrowser-vaapitest @{exec_path} {
include <abstractions/base>
include <abstractions/graphics>
network netlink raw,
@{exec_path} mr,
owner @{tmp}/@{name}/.parentlock rw,
deny @{config_dirs}/.parentlock rw,
deny @{config_dirs}/startupCache/** r,
deny @{user_cache_dirs}/startupCache/* r,
include if exists <local/torbrowser-vaapitest>
}
# vim:syntax=apparmor


@ -17,24 +17,24 @@ profile torbrowser-wrapper @{exec_path} {
@{exec_path} rm,
@{sh_path} rix,
@{bin}/basename rix,
@{bin}/cp rix,
@{bin}/dirname rix,
@{bin}/grep rix,
@{bin}/id rix,
@{bin}/mkdir rix,
@{bin}/mktemp rix,
@{bin}/mount rix,
@{bin}/str_replace rix,
@{bin}/sudo rCx -> sudo,
@{bin}/systemctl rCx -> systemctl,
@{bin}/touch rix,
@{bin}/tty rix,
@{bin}/whoami rix,
@{bin}/basename ix,
@{bin}/cp ix,
@{bin}/dirname ix,
@{bin}/grep ix,
@{bin}/id ix,
@{bin}/mkdir ix,
@{bin}/mktemp ix,
@{bin}/mount ix,
@{bin}/str_replace ix,
@{bin}/sudo Cx -> sudo,
@{bin}/systemctl Cx -> systemctl,
@{bin}/touch ix,
@{bin}/tty ix,
@{bin}/whoami ix,
@{lib_dirs}/start-tor-browser rPx,
@{lib}/msgcollector/msgcollector rPx,
@{lib}/open-link-confirmation/open-link-confirmation rPx,
@{lib_dirs}/start-tor-browser Px, # torbrowser-start
@{lib}/msgcollector/msgcollector Px,
@{lib}/open-link-confirmation/open-link-confirmation Px,
@{lib}/helper-scripts/* r,
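Review bot: The new `@{lib_dirs}/start-tor-browser Px, # torbrowser-start` transition depends on a profile attached to that path still existing, yet this same commit deletes `profile torbrowser-start @{exec_path}` (the section starting at `@ -1,51 +0,0 @@`) together with the other whonix-local torbrowser profiles; a `Px` whose target profile is not loaded makes the execve fail, so the replacement profile must be provided by one of the changed files not shown here. Since the deleted profiles defined `@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/` locally, the wrapper's own `@{lib_dirs}` (defined above the hunk) has to expand to the same path for the attachment to match — worth confirming. I would make the comment say where the target now lives rather than only its name, e.g. `@{lib_dirs}/start-tor-browser Px, # torbrowser-start, shared profile (not whonix-specific)`. The `profile torbrowser-wrapper` block begins before this hunk and continues after it.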