apparmor/torbrowser.Browser.firefox

   1 # Last modified
   2 #include <tunables/global>
   3
   4 /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox {
   5   #include <abstractions/gnome>
   6   #include <abstractions/user-download>
   7
   8   # Comment out the following line if you don't want the Tor Browser
   9   # to have direct access to your sound hardware. Note that "#include"
  10   # is *not* a comment, it is valid AppArmor rules syntax.
  11   #include <abstractions/audio>
  12
  13   #dbus,
  14   network tcp,
  15
  16   deny /etc/host.conf r,
  17   deny /etc/hosts r,
  18   deny /etc/nsswitch.conf r,
  19   deny /etc/resolv.conf r,
  20   deny /etc/passwd r,
  21   deny /etc/group r,
  22   deny /etc/mailcap r,
  23
  24   deny @{PROC}/[0-9]*/stat r,
  25   deny @{PROC}/[0-9]*/mountinfo r,
  26   deny @{PROC}/[0-9]*/task/** r,
  27   deny @{PROC}/[0-9]*/fd/ r,
  28   deny @{PROC}/[0-9]*/stat r,
  29   deny @{PROC}/[0-9]*/task/*/stat r,
  30
  31   deny /etc/machine-id r,
  32   deny /var/lib/dbus/machine-id r,
  33
  34   @{PROC}/sys/kernel/random/uuid r,
  35
  36   ## Missing in <abstractions/user-download> #######
  37   # Without this line, access is denied to @{HOME},
  38   # [dD]ownload{,s}, Desktop... for downloads.
  39   @{HOME}/ r,
  40   ##################################################
  41
  42   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/ r,
  43   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/* r,
  44   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/.** rwk,
  45   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** r,
  46   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/*.so mr,
  47   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/components/*.so mr,
  48   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/browser/components/*.so mr,
  49   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox rix,
  50   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Data/Browser/profiles.ini r,
  51   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Data/Browser/profile.default/** rwk,
  52   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Data/Tor/* rwk,
  53   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Tor/* mr,
  54   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Tor/tor Px,
  55   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Desktop/ r,
  56   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Desktop/** rwk,
  57   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Downloads/ r,
  58   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Downloads/** rwk,
  59
  60   /etc/mailcap r,
  61   /etc/mime.types r,
  62
  63   /usr/share/ r,
  64   /usr/share/mime/ r,
  65   /usr/share/themes/ r,
  66   /usr/share/applications/** rk,
  67   /usr/share/gnome/applications/ r,
  68   /usr/share/gnome/applications/kde4/ r,
  69   /usr/share/poppler/cMap/ r,
  70
  71   /sys/devices/system/cpu/ r,
  72   /sys/devices/system/cpu/present r,
  73
  74   # Should use abstractions/gstreamer instead once merged upstream
  75   /etc/udev/udev.conf r,
  76   /run/udev/data/+pci:* r,
  77   /sys/devices/pci[0-9]*/**/uevent r,
  78   owner /{dev,run}/shm/shmfd-* rw,
  79
  80   # KDE 4
  81   owner @{HOME}/.kde/share/config/* r,
  82
  83   # Xfce4
  84   /etc/xfce4/defaults.list r,
  85   /usr/share/xfce4/applications/ r,
  86 }