diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/whonix/torbrowser
new file mode 100644
index 000000000..c03a4f21e
--- /dev/null
+++ b/apparmor.d/groups/whonix/torbrowser
@@ -0,0 +1,145 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{name} = torbrowser "tor browser"
+@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
+@{config_dirs} = @{data_dirs}/Browser/*.default/
+@{cache_dirs} = @{data_dirs}/Browser/Caches
+
+@{exec_path} = @{lib_dirs}/firefox.*
+profile torbrowser @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability sys_admin, # If kernel.unprivileged_userns_clone = 1
+ capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
+
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mrix,
+
+ @{lib_dirs}/{,**} r,
+ @{lib_dirs}/*.so mr,
+ @{lib_dirs}/glxtest rPx -> torbrowser-glxtest,
+ @{lib_dirs}/plugin-container rPx -> torbrowser-plugin-container,
+ @{lib_dirs}/vaapitest rPx -> torbrowser-vaapitest,
+
+ # Desktop integration
+ @{bin}/exo-open rPx -> child-open,
+ @{bin}/lsb_release rPx -> lsb_release,
+ @{bin}/xdg-open rPx -> child-open,
+ @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+ @{lib}/gio-launch-desktop rPx -> child-open,
+
+ /usr/share/@{name}/{,**} r,
+ /usr/share/doc/{,**} r,
+ /usr/share/egl/{,**} r,
+ /usr/share/icu/@{int}.@{int}/*.dat r,
+ /usr/share/libdrm/*.ids r,
+ /usr/share/xul-ext/kwallet5/* r,
+
+ /etc/@{name}.d/{,**} r,
+ /etc/igfx_user_feature{,_next}.txt w,
+ /etc/libva.conf r,
+ /etc/mailcap r,
+ /etc/mime.types r,
+ /etc/opensc.conf r,
+ /etc/sysconfig/proxy r,
+ /etc/xdg/* r,
+ /etc/xul-ext/kwallet5.js r,
+
+ /var/lib/nscd/services r,
+
+ owner @{lib_dirs}/.cache/{,**} rw,
+ owner @{lib_dirs}/Downloads/{,**} rw,
+ owner @{lib_dirs}/fonts/** r,
+
+ owner @{config_dirs}/ rw,
+ owner @{config_dirs}/** rwk,
+
+ owner @{cache_dirs}/ rw,
+ owner @{cache_dirs}/** rwk,
+
+ /tmp/ r,
+ /var/tmp/ r,
+ owner /tmp/user/@{uid}/ rw,
+ owner /tmp/user/@{uid}/* rwk,
+ owner /tmp/user/@{uid}/Temp-@{uuid}/ rw,
+ owner /tmp/user/@{uid}/Temp-@{uuid}/* rwk,
+ owner /tmp/user/@{uid}/@{name}/ rw,
+ owner /tmp/user/@{uid}/@{name}/* rwk,
+ owner /tmp/@{name}/ rw,
+ owner /tmp/@{name}/* rwk,
+ owner /tmp/Temp-@{uuid}/ rw,
+ owner "/tmp/Tor Project*/" rw,
+ owner "/tmp/Tor Project*/**" rwk,
+ owner "/tmp/Tor Project*" rwk,
+
+ @{run}/mount/utab r,
+
+ @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
+ @{run}/udev/data/c13:@{int} r, # for /dev/input/*
+
+ @{sys}/bus/ r,
+ @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
+ @{sys}/class/ r,
+ @{sys}/class/**/ r,
+ @{sys}/devices/**/uevent r,
+ @{sys}/devices/@{pci}/ r,
+ @{sys}/devices/@{pci}/drm/card@{int}/ r,
+ @{sys}/devices/@{pci}/drm/renderD[0-9]*/ r,
+ @{sys}/devices/@{pci}/irq r,
+ @{sys}/devices/system/cpu/cpu@{int}/cache/index[0-9]/size r,
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
+ @{sys}/devices/system/cpu/present r,
+ @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-1.scope/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r,
+
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/comm r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/oom_score_adj w,
+ owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
+ owner @{PROC}/@{pid}/smaps r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/statm r,
+ owner @{PROC}/@{pid}/task/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ owner @{PROC}/@{pid}/task/@{tid}/stat r,
+ owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
+ owner @{PROC}/@{pids}/cmdline r,
+ owner @{PROC}/@{pids}/environ r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/whonix/torbrowser-glxtest b/apparmor.d/groups/whonix/torbrowser-glxtest
new file mode 100644
index 000000000..ddb6b2985
--- /dev/null
+++ b/apparmor.d/groups/whonix/torbrowser-glxtest
@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{name} = torbrowser "tor browser"
+@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
+@{config_dirs} = @{data_dirs}/Browser/*.default/
+@{cache_dirs} = @{data_dirs}/Browser/Caches
+
+@{exec_path} = @{lib_dirs}/glxtest
+profile torbrowser-glxtest @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ owner @{config_dirs}/.parentlock rw,
+
+ owner /tmp/@{name}/.parentlock rw,
+
+ @{sys}/bus/pci/devices/ r,
+ @{sys}/devices/@{pci}/class r,
+
+ owner @{PROC}/@{pid}/cmdline r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/whonix/torbrowser-plugin-container b/apparmor.d/groups/whonix/torbrowser-plugin-container
new file mode 100644
index 000000000..8241e84d9
--- /dev/null
+++ b/apparmor.d/groups/whonix/torbrowser-plugin-container
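Review bot: `@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-1.scope/cpu.max r,` hard-codes the first logind session, so the same read is denied as soon as the browser runs in any later session (a re-login, a second seat, a `su -` session); `session-@{int}.scope` is the pattern the neighbouring `user@@{uid}.service/**` rule already relies on. Separately, `owner @{PROC}/@{pids}/cmdline r,` and `owner @{PROC}/@{pids}/environ r,` let the browser read the command line and environment of every process of the same user, which is where other programs receive tokens and passwords passed via the environment; unless a helper really inspects foreign processes, `owner @{PROC}/@{pid}/environ r,` limits this to the browser itself. The abstraction names behind the `include` lines are not visible in this rendering, so this assumes none of them already widens these paths.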
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{name} = torbrowser "tor browser"
+@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
+@{config_dirs} = @{data_dirs}/Browser/*.default/
+@{cache_dirs} = @{data_dirs}/Browser/Caches
+
+@{exec_path} = @{lib_dirs}/plugin-container
+profile torbrowser-plugin-container @{exec_path} {
+ include
+
+ signal (receive) set=(term, kill) peer=torbrowser,
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/whonix/torbrowser-start b/apparmor.d/groups/whonix/torbrowser-start
new file mode 100644
index 000000000..3cf0368c8
--- /dev/null
+++ b/apparmor.d/groups/whonix/torbrowser-start
@@ -0,0 +1,47 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+
+@{exec_path} = @{lib_dirs}/start-tor-browser
+profile torbrowser-start @{exec_path} {
+ include
+ include
+
+ @{exec_path} rm,
+
+ @{bin}/bash rix,
+ @{bin}/cp rix,
+ @{bin}/dirname rix,
+ @{bin}/env r,
+ @{bin}/expr rix,
+ @{bin}/file rix,
+ @{bin}/getconf rix,
+ @{bin}/grep rix,
+ @{bin}/id rix,
+ @{bin}/ln rix,
+ @{bin}/mkdir rix,
+ @{bin}/rm rix,
+ @{bin}/sed rix,
+ @{bin}/sh rix,
+ @{bin}/sh rix,
+ @{lib_dirs}/abicheck rix,
+ @{lib_dirs}/firefox rix,
+
+ @{lib_dirs}/firefox.* rPx -> torbrowser,
+
+ /etc/magic r,
+
+ owner @{HOME}/.tb/tor-browser/* rw,
+
+ owner @{lib_dirs}/.local/* rw,
+ owner @{lib_dirs}/sed@{rand6} rw,
+ owner @{lib_dirs}/start-tor-browser.desktop rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/whonix/torbrowser-vaapitest b/apparmor.d/groups/whonix/torbrowser-vaapitest
new file mode 100644
index 000000000..42056a672
--- /dev/null
+++ b/apparmor.d/groups/whonix/torbrowser-vaapitest
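Review bot: `signal (receive) set=(term, kill) peer=torbrowser,` has no counterpart in the torbrowser profile of this series, which carries no `signal` rule at all; AppArmor mediates signals on both ends, so unless one of the abstractions included there (their names are not visible in this rendering) grants it, the parent's attempt to terminate a content process is denied and logged. Add `signal (send) set=(term, kill) peer=torbrowser-plugin-container,` to the torbrowser profile, or `peer=torbrowser-*` to cover glxtest and vaapitest in the same stroke. The profile otherwise grants the content process nothing beyond its `include` and its own binary, which is presumably deliberate given Firefox's in-process sandboxing; a comment such as `# Content processes are sandboxed by Firefox itself; keep this profile minimal.` would spare the next reader the search.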
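Review bot: `@{bin}/sh rix,` appears twice in the exec list of torbrowser-start; drop the duplicate. `@{bin}/env r,` is the only interpreter in the list that is read-only while its neighbours are `rix`; if start-tor-browser is launched through a `#!/usr/bin/env bash` shebang, confirm that `r` alone is sufficient for the interpreter load under this profile, and if not make it `@{bin}/env rix,`. `owner @{HOME}/.tb/tor-browser/* rw,` also reaches the bundle's top-level files beside `Browser/`; if that is for the files the script rewrites there, a comment naming them (`# start-tor-browser updates the .desktop launcher and bundle metadata here`) would make the grant auditable.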
@@ -0,0 +1,40 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{name} = torbrowser "tor browser"
+@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
+@{config_dirs} = @{data_dirs}/Browser/*.default/
+@{cache_dirs} = @{data_dirs}/Browser/Caches
+
+@{exec_path} = @{lib_dirs}/vaapitest
+profile torbrowser-vaapitest @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /etc/igfx_user_feature{,_next}.txt w,
+ /etc/libva.conf r,
+
+ owner /tmp/@{name}/.parentlock rw,
+
+ @{sys}/devices/@{pci}/{irq,revision,resource} r,
+ @{sys}/devices/@{pci}/config r,
+
+ deny @{config_dirs}/.parentlock rw,
+ deny @{config_dirs}/startupCache/** r,
+ deny @{user_cache_dirs}/startupCache/* r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper
new file mode 100644
index 000000000..73d5c091f
--- /dev/null
+++ b/apparmor.d/groups/whonix/torbrowser-wrapper
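Review bot: `/etc/igfx_user_feature{,_next}.txt w,` grants a write into `/etc` to a helper whose only job is to probe VA-API, and it is an allow rule while the comparable noise from startupCache just below is handled with `deny`. For an unprivileged user the write fails on DAC regardless, so the rule's practical effect is to quieten the audit log; `deny /etc/igfx_user_feature{,_next}.txt w,` does that without widening the profile, and the same applies to the identical rule in the torbrowser profile of this series. If a root-run bundle is expected to actually write the Intel feature file, a comment stating so is the justification the allow needs.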
@@ -0,0 +1,65 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+
+@{exec_path} = @{bin}/torbrowser
+profile torbrowser-wrapper @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} rm,
+
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/basename rix,
+ @{bin}/dirname rix,
+ @{bin}/grep rix,
+ @{bin}/id rix,
+ @{bin}/mktemp rix,
+ @{bin}/mount rix,
+ @{bin}/str_replace rix,
+ @{bin}/systemctl rCx -> systemctl,
+ @{bin}/tty rix,
+ @{bin}/whoami rix,
+
+ @{lib_dirs}/start-tor-browser rPx -> torbrowser-start,
+ @{lib}/msgcollector/msgcollector rPx,
+ @{lib}/open-link-confirmation/open-link-confirmation rPx,
+
+ @{lib}/helper-scripts/* r,
+
+ /etc/torbrowser.d/{,*} r,
+
+ owner @{lib_dirs}/TorBrowser/Data/Browser/profile.default/prefs.js r,
+
+ owner /tmp/tmp.@{rand10} rw,
+
+ owner @{run}/mount/utab r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ profile systemctl {
+ include
+ include
+
+ @{bin}/systemctl mr,
+
+ /etc/machine-id r,
+
+ /{run,var}/log/journal/ r,
+ /{run,var}/log/journal/@{md5}/ r,
+ /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r,
+ /{run,var}/log/journal/@{md5}/system.journal* r,
+ /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r,
+
+ include if exists
+ }
+
+ include if exists
+}
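Review bot: `owner @{lib_dirs}/TorBrowser/Data/Browser/profile.default/prefs.js r,` hard-codes `profile.default`, whereas the sibling profiles in this series declare `@{config_dirs} = @{data_dirs}/Browser/*.default/` and accept any `*.default` directory; a bundle whose profile directory carries a different prefix would have the wrapper's pref read denied while the browser itself runs. Declare the shared `@{data_dirs}`/`@{config_dirs}` variables here as the other files do and use `owner @{config_dirs}/prefs.js r,`, so the five profiles agree on where the profile lives. The nested `systemctl` child also grants read on `system.journal*` and `system@@{hex}.journal*` besides the user journal; if the wrapper only queries user units, the two system-journal lines can go — worth confirming against what the script actually invokes.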