AppArmor: Support pluggable transports especially meek

[torbrowser-launcher.git] / apparmor / torbrowser.Tor.tor

diff --git a/apparmor/torbrowser.Tor.tor b/apparmor/torbrowser.Tor.tor
index d9c805d6052e942a4fc28c7e4acdaca876d7708c..f5b8177908d8e5e69855ec5dad2e6e6ba1717e77 100644 (file)
--- a/apparmor/torbrowser.Tor.tor
+++ b/apparmor/torbrowser.Tor.tor
@@ -1,8 +1,12 @@
 #include <tunables/global>
+#include <tunables/torbrowser>
 
-/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor {
+@{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/tor
+
+profile torbrowser_tor @{torbrowser_tor_executable} {
   #include <abstractions/base>
 
+  network netlink raw,
   network tcp,
   network udp,
 
@@ -10,16 +14,33 @@
   /etc/nsswitch.conf r,
   /etc/passwd r,
   /etc/resolv.conf r,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor mr,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Tor/* rw,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Tor/lock rwk,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Lib/*.so mr,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Lib/*.so.* mr,
-  @{PROC}/meminfo r,
+  owner @{torbrowser_home_dir}/TorBrowser/Tor/tor mr,
+  owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/ rw,
+  owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/** rw,
+  owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/lock rwk,
+  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
+  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
+
+  # Support some of the included pluggable transports
+  owner @{torbrowser_home_dir}/TorBrowser/Tor/PluggableTransports/** rix,
+  @{PROC}/sys/net/core/somaxconn r,
+  #include <abstractions/ssl_certs>
+
+  # Silence file_inherit logs
+  deny @{torbrowser_home_dir}/{browser/,}omni.ja r,
+  deny @{torbrowser_home_dir}/{browser/,}features/*.xpi r,
+  deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/.parentlock rw,
+  deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
+  deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
+  # Silence logs from included pluggable transports
+  deny /etc/hosts r,
+  deny /etc/services r,
+
   @{PROC}/sys/kernel/random/uuid r,
   /sys/devices/system/cpu/ r,
 
   # OnionShare compatibility
-  /tmp/onionshare_*/ rw,
-  /tmp/onionshare_*/* rw,
+  /tmp/onionshare/** rw,
+
+  #include <local/torbrowser.Tor.tor>
 }