AppArmor: silence a denial for access we don't need

[torbrowser-launcher.git] / apparmor / torbrowser.Tor.tor

diff --git a/apparmor/torbrowser.Tor.tor b/apparmor/torbrowser.Tor.tor
index 7106a75c3a20e67e98e6f8e7e0059a1fcfe9c0b4..f5b8177908d8e5e69855ec5dad2e6e6ba1717e77 100644 (file)
--- a/apparmor/torbrowser.Tor.tor
+++ b/apparmor/torbrowser.Tor.tor
@@ -16,17 +16,25 @@ profile torbrowser_tor @{torbrowser_tor_executable} {
   /etc/resolv.conf r,
   owner @{torbrowser_home_dir}/TorBrowser/Tor/tor mr,
   owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/ rw,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/* rw,
+  owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/** rw,
   owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/lock rwk,
   owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
   owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
 
+  # Support some of the included pluggable transports
+  owner @{torbrowser_home_dir}/TorBrowser/Tor/PluggableTransports/** rix,
+  @{PROC}/sys/net/core/somaxconn r,
+  #include <abstractions/ssl_certs>
+
   # Silence file_inherit logs
   deny @{torbrowser_home_dir}/{browser/,}omni.ja r,
   deny @{torbrowser_home_dir}/{browser/,}features/*.xpi r,
   deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/.parentlock rw,
   deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
   deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
+  # Silence logs from included pluggable transports
+  deny /etc/hosts r,
+  deny /etc/services r,
 
   @{PROC}/sys/kernel/random/uuid r,
   /sys/devices/system/cpu/ r,