# #include <abstractions/user-download>
# @{HOME}/ r,
+ # Uncomment the following lines if you want Tor Browser
+ # to have direct access to your sound hardware. You will also
+ # need to remove, further bellow:
+ # - the "deny" word in the machine-id lines
+ # - the rules that deny reading /etc/pulse/client.conf
+ # and executing /usr/bin/pulseaudio
+ # #include <abstractions/audio>
+ # /etc/asound.conf r,
+ # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw,
+
#dbus,
network netlink raw,
network tcp,
- ptrace (trace) peer=torbrowser_plugin_container,
- signal (send) set=("term") peer=torbrowser_plugin_container,
+ ptrace (trace) peer=@{profile_name},
+ signal (receive, send) set=("term") peer=@{profile_name},
deny /etc/host.conf r,
deny /etc/hosts r,
/dev/ r,
/dev/shm/ r,
+ owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/stat r,
owner @{torbrowser_home_dir}/*.so mr,
owner @{torbrowser_home_dir}/.cache/fontconfig/ rwk,
owner @{torbrowser_home_dir}/.cache/fontconfig/** rwkl,
- owner @{torbrowser_home_dir}/components/*.so mr,
- owner @{torbrowser_home_dir}/browser/components/*.so mr,
+ owner @{torbrowser_home_dir}/browser/** r,
+ owner @{torbrowser_home_dir}/{,browser/}components/*.so mr,
+ owner @{torbrowser_home_dir}/Downloads/ rwk,
+ owner @{torbrowser_home_dir}/Downloads/** rwk,
owner @{torbrowser_home_dir}/firefox rix,
- owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/updater ix,
- owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/0/MozUpdater/bgupdate/updater ix,
+ owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/* rw,
+ owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/{,MozUpdater/bgupdate/}updater ix,
+ owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/.parentwritetest rw,
owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/ r,
+ owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/{,**} rwk,
+ owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
owner @{torbrowser_home_dir}/TorBrowser/Tor/tor px,
owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
- # Web Content processes
- owner @{torbrowser_firefox_executable} px -> torbrowser_plugin_container,
+ # parent Firefox process when restarting after upgrade, Web Content processes
+ owner @{torbrowser_firefox_executable} ixmr -> torbrowser_firefox,
/etc/mailcap r,
/etc/mime.types r,
+++ /dev/null
-#include <tunables/global>
-#include <tunables/torbrowser>
-
-@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real
-
-profile torbrowser_plugin_container {
- #include <abstractions/gnome>
-
- # Uncomment the following lines if you want Tor Browser
- # to have direct access to your sound hardware. You will also
- # need to remove, further bellow:
- # - the "deny" word in the machine-id lines
- # - the rules that deny reading /etc/pulse/client.conf
- # and executing /usr/bin/pulseaudio
- # #include <abstractions/audio>
- # /etc/asound.conf r,
- # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw,
-
- signal (receive) set=("term") peer=torbrowser_firefox,
-
- deny /etc/host.conf r,
- deny /etc/hosts r,
- deny /etc/nsswitch.conf r,
- deny /etc/resolv.conf r,
- deny /etc/passwd r,
- deny /etc/group r,
- deny /etc/mailcap r,
-
- deny /etc/machine-id r,
- deny /var/lib/dbus/machine-id r,
-
- /etc/mime.types r,
- /usr/share/applications/gnome-mimeapps.list r,
-
- /dev/shm/ r,
-
- owner @{PROC}/@{pid}/environ r,
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/mountinfo r,
- owner @{PROC}/@{pid}/stat r,
- owner @{PROC}/@{pid}/status r,
- owner @{PROC}/@{pid}/task/*/stat r,
- @{PROC}/sys/kernel/random/uuid r,
-
- owner @{torbrowser_home_dir}/*.dat r,
- owner @{torbrowser_home_dir}/*.manifest r,
- owner @{torbrowser_home_dir}/*.so mr,
- owner @{torbrowser_home_dir}/.cache/fontconfig/ rw,
- owner @{torbrowser_home_dir}/.cache/fontconfig/** rw,
- owner @{torbrowser_home_dir}/browser/** r,
- owner @{torbrowser_home_dir}/components/*.so mr,
- owner @{torbrowser_home_dir}/browser/components/*.so mr,
- owner @{torbrowser_home_dir}/defaults/pref/ r,
- owner @{torbrowser_home_dir}/defaults/pref/*.js r,
- owner @{torbrowser_home_dir}/dependentlibs.list r,
- owner @{torbrowser_home_dir}/fonts/ r,
- owner @{torbrowser_home_dir}/fonts/** r,
- owner @{torbrowser_home_dir}/omni.ja r,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
- owner @{torbrowser_home_dir}/TorBrowser/UpdateInfo/updates/[0-9]*/update.{status,version} r,
- owner @{torbrowser_home_dir}/TorBrowser/UpdateInfo/updates/[0-9]/updater rw,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/* rw,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/{,profile.default/}.parentwritetest rw,
- owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
- owner @{torbrowser_home_dir}/Downloads/ rwk,
- owner @{torbrowser_home_dir}/Downloads/** rwk,
-
- owner @{torbrowser_firefox_executable} ixmr -> torbrowser_plugin_container,
-
- /sys/devices/system/cpu/ r,
- /sys/devices/system/cpu/present r,
- /sys/devices/system/node/ r,
- /sys/devices/system/node/node[0-9]*/meminfo r,
- deny /sys/devices/virtual/block/*/uevent r,
-
- # Should use abstractions/gstreamer instead once merged upstream
- /etc/udev/udev.conf r,
- /run/udev/data/+pci:* r,
- /sys/devices/pci[0-9]*/**/uevent r,
- owner /{dev,run}/shm/shmfd-* rw,
-
- # Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
- owner /{dev,run}/shm/org.chromium.* rw,
-
- # Deny access to DRM nodes, that's granted by the X abstraction, which is
- # sourced by the gnome abstraction, that we include.
- deny /dev/dri/** rwklx,
-
- # Silence denial logs about permissions we don't need
- deny /dev/dri/ rwklx,
- deny @{PROC}/@{pid}/net/route r,
- deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
- deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
-
- # Silence denial logs about PulseAudio
- deny /etc/pulse/client.conf r,
- deny /usr/bin/pulseaudio x,
-
- #include <local/torbrowser.Browser.plugin-container>
-}