apparmor.d -> profiles

profiles/torbrowser.Tor.tor

@@ -0,0 +1,46 @@
+include <tunables/global>
+include <tunables/torbrowser>
+
+@{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/tor
+
+profile torbrowser_tor @{torbrowser_tor_executable} {
+  include <abstractions/base>
+
+  network netlink raw,
+  network tcp,
+  network udp,
+
+  /etc/host.conf r,
+  /etc/nsswitch.conf r,
+  /etc/passwd r,
+  /etc/resolv.conf r,
+  owner @{torbrowser_home_dir}/TorBrowser/Tor/tor mr,
+  owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/ rw,
+  owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/** rw,
+  owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/lock rwk,
+  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
+  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
+
+  # Support some of the included pluggable transports
+  owner @{torbrowser_home_dir}/TorBrowser/Tor/PluggableTransports/** rix,
+  @{PROC}/sys/net/core/somaxconn r,
+  include <abstractions/ssl_certs>
+
+  # Silence file_inherit logs
+  deny @{torbrowser_home_dir}/{browser/,}omni.ja r,
+  deny @{torbrowser_home_dir}/{browser/,}features/*.xpi r,
+  deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/.parentlock rw,
+  deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
+  deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
+  # Silence logs from included pluggable transports
+  deny /etc/hosts r,
+  deny /etc/services r,
+
+  @{PROC}/sys/kernel/random/uuid r,
+  /sys/devices/system/cpu/ r,
+
+  # OnionShare compatibility
+  /tmp/onionshare/** rw,
+
+  include <local/torbrowser.Tor.tor>
+}