#include <tunables/global>
#include <tunables/torbrowser>

@{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/tor

profile torbrowser_tor @{torbrowser_tor_executable} {
  #include <abstractions/base>

  network netlink raw,
  network tcp,
  network udp,

  /etc/host.conf r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/resolv.conf r,
  owner @{torbrowser_home_dir}/TorBrowser/Tor/tor mr,
  owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/ rw,
  owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/** rw,
  owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/lock rwk,
  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,

  # Support some of the included pluggable transports
  owner @{torbrowser_home_dir}/TorBrowser/Tor/PluggableTransports/** rix,
  @{PROC}/sys/net/core/somaxconn r,
  #include <abstractions/ssl_certs>

  # Silence file_inherit logs
  deny @{torbrowser_home_dir}/{browser/,}omni.ja r,
  deny @{torbrowser_home_dir}/{browser/,}features/*.xpi r,
  deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/.parentlock rw,
  deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
  deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
  # Silence logs from included pluggable transports
  deny /etc/hosts r,
  deny /etc/services r,

  @{PROC}/sys/kernel/random/uuid r,
  /sys/devices/system/cpu/ r,

  # OnionShare compatibility
  /tmp/onionshare/** rw,

  #include <local/torbrowser.Tor.tor>
}