X-Git-Url: https://git.lizzy.rs/?a=blobdiff_plain;f=apparmor%2Ftorbrowser.Browser.plugin-container;h=7ec8a00c30b0348d578f6c5c2f9fb20e9824321b;hb=f3c066ad6c8f89fac81a8794a9f7c78ef64f4fe4;hp=121404489ec0ef24134b30a18c55fcc09c2800b7;hpb=6608523a5b087c37863b8ffe523605c3ad6df8b8;p=torbrowser-launcher.git diff --git a/apparmor/torbrowser.Browser.plugin-container b/apparmor/torbrowser.Browser.plugin-container index 1214044..7ec8a00 100644 --- a/apparmor/torbrowser.Browser.plugin-container +++ b/apparmor/torbrowser.Browser.plugin-container @@ -1,18 +1,23 @@ #include #include +@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real + profile torbrowser_plugin_container { #include - # Uncomment the following lines if you don'want the Tor Browser + # Uncomment the following lines if you want Tor Browser # to have direct access to your sound hardware. You will also - # need to remove the "deny" word in the machine-id lines further - # bellow. + # need to remove, further bellow: + # - the "deny" word in the machine-id lines + # - the rules that deny reading /etc/pulse/client.conf + # and executing /usr/bin/pulseaudio # #include # /etc/asound.conf r, - # owner @{PROC}/@{pid}/fd/ r, # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw, + signal (receive) set=("term") peer=torbrowser_firefox, + deny /etc/host.conf r, deny /etc/hosts r, deny /etc/nsswitch.conf r, @@ -24,6 +29,13 @@ profile torbrowser_plugin_container { deny /etc/machine-id r, deny /var/lib/dbus/machine-id r, + /etc/mime.types r, + /usr/share/applications/gnome-mimeapps.list r, + + /dev/shm/ r, + + owner @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/status r, @@ -40,11 +52,12 @@ profile torbrowser_plugin_container { owner @{torbrowser_home_dir}/browser/components/*.so mr, owner @{torbrowser_home_dir}/defaults/pref/ r, owner @{torbrowser_home_dir}/defaults/pref/*.js r, + owner @{torbrowser_home_dir}/dependentlibs.list r, owner @{torbrowser_home_dir}/fonts/ r, owner @{torbrowser_home_dir}/fonts/** r, owner @{torbrowser_home_dir}/omni.ja r, - owner @{torbrowser_home_dir}/plugin-container ixmr, owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r, + owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r, owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/* rw, owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r, owner @{torbrowser_home_dir}/TorBrowser/Tor/ r, @@ -53,6 +66,8 @@ profile torbrowser_plugin_container { owner @{torbrowser_home_dir}/Downloads/ rwk, owner @{torbrowser_home_dir}/Downloads/** rwk, + owner @{torbrowser_firefox_executable} ixmr -> torbrowser_plugin_container, + /sys/devices/system/cpu/ r, /sys/devices/system/cpu/present r, /sys/devices/system/node/ r, @@ -66,7 +81,7 @@ profile torbrowser_plugin_container { owner /{dev,run}/shm/shmfd-* rw, # Required for multiprocess Firefox (aka Electrolysis, i.e. e10s) - owner /dev/shm/org.chromium.* rw, + owner /{dev,run}/shm/org.chromium.* rw, # Deny access to DRM nodes, that's granted by the X abstraction, which is # sourced by the gnome abstraction, that we include. @@ -78,5 +93,9 @@ profile torbrowser_plugin_container { deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r, + # Silence denial logs about PulseAudio + deny /etc/pulse/client.conf r, + deny /usr/bin/pulseaudio x, + #include }