fixed TBB apparmor profiles (#72)
authorMicah Lee <micah@micahflee.com>
Thu, 2 Jan 2014 23:14:55 +0000 (15:14 -0800)
committerMicah Lee <micah@micahflee.com>
Thu, 2 Jan 2014 23:14:55 +0000 (15:14 -0800)
apparmor/license.txt
apparmor/tor-browser.Browser.firefox [deleted file]
apparmor/tor-browser.Tor.tor [deleted file]
apparmor/tor-browser.start-tor-browser [deleted file]
apparmor/torbrowser.Browser.firefox [new file with mode: 0644]
apparmor/torbrowser.Tor.tor [new file with mode: 0644]
apparmor/torbrowser.start-tor-browser [new file with mode: 0644]
setup.py

index 564063cbb3ca4dedb5c65c2e01fb09c9ab7cfe02..841cad6c5836dceb4f55c275db96e61eb7402c7d 100644 (file)
@@ -1,4 +1,4 @@
-These AppArmor profiles are based on https://gitorious.org/tbb-apparmor/tbb-apparmor/
+TBB AppArmor profiles are based on https://gitorious.org/tbb-apparmor/tbb-apparmor/
 Originally written by Radostan Riedel <raybuntu@googlemail.com>
 
 --
diff --git a/apparmor/tor-browser.Browser.firefox b/apparmor/tor-browser.Browser.firefox
deleted file mode 100644 (file)
index 8b34b9c..0000000
+++ /dev/null
@@ -1,74 +0,0 @@
-#include <tunables/global>
-
-/home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/firefox {
-  #include <abstractions/base>
-  #include <abstractions/user-tmp>
-
-  network tcp,
-
-  deny /etc/host.conf r,
-  deny /etc/hosts r,
-  deny /etc/nsswitch.conf r,
-  deny /etc/resolv.conf r,
-  deny /proc/9881/mountinfo r,
-  deny @{HOME}/.config/user-dirs.dirs r,
-  deny @{HOME}/.gtk-bookmarks r,
-  deny @{HOME}/.local/share/recently-used.xbel* rw,
-
-  /bin/dash rix,
-  /dev/dri/card0 rw,
-  /etc/X11/cursors/* r,
-  /etc/drirc r,
-  /etc/fonts/** r,
-  /etc/gnome-vfs-2.0/modules/ r,
-  /etc/gnome-vfs-2.0/modules/default-modules.conf r,
-  /etc/gnome-vfs-2.0/modules/extra-modules.conf r,
-  /etc/mailcap r,
-  /etc/mime.types r,
-  /etc/passwd r,
-  /lib{,32,64}/*.so mr,
-  /lib{,32,64}/*.so.* mr,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/.mozilla/ w,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/.mozilla/*/ w,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/** r,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/*.so mr,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/browser/components/*.so mr,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/components/*.so mr,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/firefox rix,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Data/Browser/ r,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Data/Browser/** rwk,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Desktop/ rw,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Desktop/** rw,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Downloads/ rw,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Downloads/** rw,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Tor/tor Px,
-  /run/gdm3/** r,
-  /sys/devices/system/cpu/present r,
-  /tmp/.X0-lock r,
-  /usr/lib{,32,64}/** mr,
-  /usr/share/fonts/** r,
-  /usr/share/gvfs/remote-volume-monitors/ r,
-  /usr/share/gvfs/remote-volume-monitors/afc.monitor r,
-  /usr/share/gvfs/remote-volume-monitors/gdu.monitor r,
-  /usr/share/gvfs/remote-volume-monitors/gphoto2.monitor r,
-  /usr/share/icons/ r,
-  /usr/share/icons/** r,
-  /usr/share/mime/mime.cache r,
-  /usr/share/pixmaps/ r,
-  /usr/share/themes/Default/** r,
-  /var/cache/fontconfig/* r,
-  owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini r,
-  owner @{HOME}/.icons/ r,
-  owner @{HOME}/.icons/** r,
-  owner @{HOME}/.local/share/icons/ r,
-  owner @{HOME}/.themes/** r,
-  @{PROC}/[0-9]*/maps r,
-  @{PROC}/[0-9]*/mounts r,
-  @{PROC}/[0-9]*/stat r,
-  @{PROC}/[0-9]*/task/*/stat r,
-  @{PROC}/cpuinfo r,
-  @{PROC}/filesystems r,
-  @{PROC}/meminfo r,
-  @{PROC}/stat r,
-
-}
diff --git a/apparmor/tor-browser.Tor.tor b/apparmor/tor-browser.Tor.tor
deleted file mode 100644 (file)
index cd4e4c9..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-#include <tunables/global>
-
-/home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Tor/tor {
-  #include <abstractions/base>
-
-  network tcp,
-  network udp,
-
-  /etc/host.conf r,
-  /etc/nsswitch.conf r,
-  /etc/passwd r,
-  /etc/resolv.conf r,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Tor/tor mr,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Data/Tor/* rw,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Data/Tor/lock rwk,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Lib/*.so mr,
-  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Lib/*.so.* mr,
-  @{PROC}/meminfo r,
-  @{PROC}/sys/kernel/random/uuid r,
-  /sys/devices/system/cpu/ r,
-
-}
diff --git a/apparmor/tor-browser.start-tor-browser b/apparmor/tor-browser.start-tor-browser
deleted file mode 100644 (file)
index b675d65..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-#include <tunables/global>
-
-/home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/start-tor-browser {
-  #include <abstractions/base>
-  #include <abstractions/bash>
-
-  capability sys_ptrace,
-
-
-  /bin/cat rix,
-  /bin/dash ix,
-  /bin/grep rix,
-  /bin/ps rix,
-  /bin/sed rix,
-  /dev/pts/[0-9]* rw,
-  /dev/tty rw,
-  /etc/magic r,
-  /opt/tor-browser_en-US/Browser/firefox Px,
-  /opt/tor-browser_en-US/Tor/tor r,
-  /opt/tor-browser_en-US/start-tor-browser r,
-  @{PROC}/ r,
-  @{PROC}/[0-9]*/status r,
-  @{PROC}/[0-9]*/stat r,
-  @{PROC}/[0-9]*/cmdline r,
-  @{PROC}/meminfo r,
-  @{PROC}/sys/kernel/pid_max r,
-  @{PROC}/tty/drivers r,
-  @{PROC}/uptime r,
-  /{,var/}run/utmp r,
-  /dev/ptmx rw,
-  /usr/bin/dirname rix,
-  /usr/bin/expr rix,
-  /usr/bin/file rix,
-  /usr/bin/getconf rix,
-  /usr/bin/id rix,
-  /usr/bin/ldd rix,
-  /usr/lib{,32,64}/** mr,
-  /usr/share/file/magic.mgc r,
-  /usr/share/file/magic/ r,
-
-}
diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
new file mode 100644 (file)
index 0000000..60aa9c9
--- /dev/null
@@ -0,0 +1,85 @@
+#include <tunables/global>
+
+/home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/firefox {
+  #include <abstractions/base>
+  #include <abstractions/user-tmp>
+
+  network tcp,
+
+  deny /etc/host.conf r,
+  deny /etc/hosts r,
+  deny /etc/nsswitch.conf r,
+  deny /etc/resolv.conf r,
+  deny /proc/9881/mountinfo r,
+  deny @{HOME}/.config/user-dirs.dirs r,
+  deny @{HOME}/.gtk-bookmarks r,
+  deny @{HOME}/.local/share/recently-used.xbel* rw,
+
+  /bin/dash rix,
+  /dev/dri/card0 rw,
+  /etc/X11/cursors/* r,
+  /etc/drirc r,
+  /etc/fonts/** r,
+  /etc/gnome/defaults.list r,
+  /etc/gnome-vfs-2.0/modules/ r,
+  /etc/gnome-vfs-2.0/modules/default-modules.conf r,
+  /etc/gnome-vfs-2.0/modules/extra-modules.conf r,
+  /etc/mailcap r,
+  /etc/mime.types r,
+  /etc/passwd r,
+  /lib{,32,64}/*.so mr,
+  /lib{,32,64}/*.so.* mr,
+  @{HOME}/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/.mozilla/ w,
+  @{HOME}/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/.mozilla/*/ w,
+  @{HOME}/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/** r,
+  @{HOME}/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/*.so mr,
+  @{HOME}/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/browser/components/*.so mr,
+  @{HOME}/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/components/*.so mr,
+  @{HOME}/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/firefox rix,
+  @{HOME}/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Data/Browser/ r,
+  @{HOME}/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Data/Browser/** rwk,
+  @{HOME}/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Desktop/ rw,
+  @{HOME}/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Desktop/** rw,
+  @{HOME}/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Downloads/ rw,
+  @{HOME}/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Downloads/** rw,
+  @{HOME}/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Tor/tor Px,
+  @{HOME}/.Xauthority r,
+  /run/gdm3/** r,
+  /sys/devices/system/cpu/present r,
+  /tmp/.X0-lock r,
+  /usr/lib{,32,64}/** mr,
+  /usr/local/share/fonts/ r,
+  /usr/share/ r,
+  /usr/share/applications/*.desktop r,
+  /usr/share/applications/mimeinfo.cache r,
+  /usr/share/fonts/ r,
+  /usr/share/fonts/** r,
+  /usr/share/gvfs/remote-volume-monitors/ r,
+  /usr/share/gvfs/remote-volume-monitors/afc.monitor r,
+  /usr/share/gvfs/remote-volume-monitors/gdu.monitor r,
+  /usr/share/gvfs/remote-volume-monitors/gphoto2.monitor r,
+  /usr/share/icons/ r,
+  /usr/share/icons/** r,
+  /usr/share/mime/ r,
+  /usr/share/mime/** r,
+  /usr/share/pixmaps/ r,
+  /usr/share/poppler/** r,
+  /usr/share/themes/** r,
+  /var/cache/fontconfig/* r,
+  owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini r,
+  owner @{HOME}/.icons/ r,
+  owner @{HOME}/.icons/** r,
+  owner @{HOME}/.local/share/icons/ r,
+  owner @{HOME}/.themes/** r,
+  @{PROC}/[0-9]*/maps r,
+  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/[0-9]*/stat r,
+  @{PROC}/[0-9]*/task/*/stat r,
+  @{PROC}/cpuinfo r,
+  @{PROC}/filesystems r,
+  @{PROC}/meminfo r,
+  @{PROC}/stat r,
+
+  dbus,
+
+}
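Review bot: `deny /proc/9881/mountinfo r,` on the new side is a leftover from a captured session: it denies only that one PID and is dead for every other Firefox process, so it should be `deny @{PROC}/[0-9]*/mountinfo r,` to match the `@{PROC}` rules at the bottom of the profile. The bare `dbus,` added at the end grants unrestricted send, receive and bind on both the session and system buses, which is a wide hole in an otherwise path-tight profile; if the browser only needs the session bus, narrow it to something like `dbus (send, receive) bus=session,` and tighten further once the real denials are known. Presumably this also needs an AppArmor 2.8+ parser and an AppArmor-aware dbus-daemon; on an older parser the unknown keyword would reject the whole profile and leave firefox unconfined, and without bus mediation the rule is silently ineffective, so it should not be relied on for confinement.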
diff --git a/apparmor/torbrowser.Tor.tor b/apparmor/torbrowser.Tor.tor
new file mode 100644 (file)
index 0000000..cd4e4c9
--- /dev/null
@@ -0,0 +1,22 @@
+#include <tunables/global>
+
+/home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Tor/tor {
+  #include <abstractions/base>
+
+  network tcp,
+  network udp,
+
+  /etc/host.conf r,
+  /etc/nsswitch.conf r,
+  /etc/passwd r,
+  /etc/resolv.conf r,
+  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Tor/tor mr,
+  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Data/Tor/* rw,
+  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Data/Tor/lock rwk,
+  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Lib/*.so mr,
+  /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Lib/*.so.* mr,
+  @{PROC}/meminfo r,
+  @{PROC}/sys/kernel/random/uuid r,
+  /sys/devices/system/cpu/ r,
+
+}
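Review bot: This profile still uses `/home/*/.torbrowser/...` for its rules while the two sibling profiles in this commit were moved to `@{HOME}/.torbrowser/...`; the blob index `cd4e4c9` matches the deleted `tor-browser.Tor.tor`, so the file was renamed but not updated. Switching the rule lines to `@{HOME}` keeps the three profiles consistent and lets `tunables/home` cover home directories outside `/home`. The `Data/Tor/* rw,` and `Data/Tor/lock rwk,` rules could also carry `owner`, since the Tor state directory is the user's own.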
diff --git a/apparmor/torbrowser.start-tor-browser b/apparmor/torbrowser.start-tor-browser
new file mode 100644 (file)
index 0000000..0751963
--- /dev/null
@@ -0,0 +1,41 @@
+#include <tunables/global>
+
+/home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/start-tor-browser {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+
+  capability sys_ptrace,
+
+
+  /bin/cat rix,
+  /bin/dash ix,
+  /bin/grep rix,
+  /bin/ps rix,
+  /bin/sed rix,
+  /dev/pts/[0-9]* rw,
+  /dev/tty rw,
+  /etc/magic r,
+  @{HOME}/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/firefox Px,
+  @{HOME}/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Tor/tor r,
+  @{HOME}/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/start-tor-browser r,
+  @{PROC}/ r,
+  @{PROC}/[0-9]*/status r,
+  @{PROC}/[0-9]*/stat r,
+  @{PROC}/[0-9]*/cmdline r,
+  @{PROC}/meminfo r,
+  @{PROC}/sys/kernel/pid_max r,
+  @{PROC}/tty/drivers r,
+  @{PROC}/uptime r,
+  /{,var/}run/utmp r,
+  /dev/ptmx rw,
+  /usr/bin/dirname rix,
+  /usr/bin/expr rix,
+  /usr/bin/file rix,
+  /usr/bin/getconf rix,
+  /usr/bin/id rix,
+  /usr/bin/ldd rix,
+  /usr/lib{,32,64}/** mr,
+  /usr/share/file/magic.mgc r,
+  /usr/share/file/magic/ r,
+
+}
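Review bot: `capability sys_ptrace,` on the new side is presumably there to quiet the denial logged when the wrapper's `ps` scan walks `/proc`, but the `status`/`stat`/`cmdline` entries this profile grants are readable without the capability for an unprivileged user, and if the launcher is ever run as root the rule lets the shell ptrace any process on the host. `deny capability sys_ptrace,` keeps the audit log quiet without granting it. Separately, `/bin/dash ix,` lacks the `r` that every other interpreter line here carries (`rix`); harmless for exec, but worth aligning for consistency.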
index 62c52e64df0796caad0e2b6f32a46b167bced50c..6d586f8c97b2b6eb0055bd04fdaccd7d8589c5a6 100644 (file)
--- a/setup.py
+++ b/setup.py
@@ -58,7 +58,7 @@ Tor Browser Launcher will get updated each time a new version of TBB is released
                   ('/usr/share/pixmaps', ['img/torbrowser32.xpm', 'img/torbrowser80.xpm']),
                   ('/usr/share/torbrowser-launcher', ['keys/erinn.asc', 'keys/sebastian.asc', 'keys/alexandre.asc', 'keys/mike.asc', 'keys/mike-2013-09.asc', 'torproject.pem', 'mirrors.txt', 'modem.ogg']),
                   ('/usr/share/torbrowser-launcher/locale/en', ['locale/en/messages.pot']),
-                  ('/etc/apparmor.d/', ['apparmor/tor-browser.Browser.firefox', 'apparmor/tor-browser.start-tor-browser', 'apparmor/tor-browser.Tor.tor']),
+                  ('/etc/apparmor.d/', ['apparmor/torbrowser.Browser.firefox', 'apparmor/torbrowser.start-tor-browser', 'apparmor/torbrowser.Tor.tor']),
 
                   # unpackaged third party libraries
                   ('/usr/share/torbrowser-launcher/lib/txsocksx', file_list('lib/txsocksx-0.0.2/txsocksx')),