AppArmor: move to plugin-container, and extend, the commented-out lines that help...

Apparently these permissions are now needed by plugin-container, not by the
master firefox process.

diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index 5ccf8a3bc90fbc16bf2e5a5e8223da81329ea9f6..1ab099b9a216360654f4ee8cb903e25abc7c6ae5 100644 (file)
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -4,11 +4,6 @@
 /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox {
   #include <abstractions/gnome>
 
-  # Uncomment the following line if you don't want the Tor Browser
-  # to have direct access to your sound hardware. Note that this is not
-  # enough to have working sound support in Tor Browser.
-  # #include <abstractions/audio>
-
   # Uncomment the following lines if you want to give the Tor Browser read-write
   # access to most of your personal files.
   # #include <abstractions/user-download>

diff --git a/apparmor/torbrowser.Browser.plugin-container b/apparmor/torbrowser.Browser.plugin-container
index 21faf53724174b90697c3d6c8ac8d781bdff830c..ef2b706447280e54696e0cd76bdf8af2d84a2292 100644 (file)
--- a/apparmor/torbrowser.Browser.plugin-container
+++ b/apparmor/torbrowser.Browser.plugin-container
@@ -4,6 +4,13 @@
 profile torbrowser_plugin_container {
   #include <abstractions/gnome>
 
+  # Uncomment the following lines if you don'want the Tor Browser
+  # to have direct access to your sound hardware.
+  # #include <abstractions/audio>
+  # /etc/asound.conf r,
+  # owner @{PROC}/@{pid}/fd/ r,
+  # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw,
+
   deny /etc/host.conf r,
   deny /etc/hosts r,
   deny /etc/nsswitch.conf r,