From: Roger Shimizu <rosh@debian.org>
Date: Wed, 6 May 2020 08:01:41 +0000 (+0900)
Subject: AppArmor: Support pluggable transports especially meek
X-Git-Url: https://git.lizzy.rs/?a=commitdiff_plain;h=50e62ceccd4697e881b50f8bda8ba6757267a6c7;p=torbrowser-launcher.git

AppArmor: Support pluggable transports especially meek
---

diff --git a/apparmor/torbrowser.Tor.tor b/apparmor/torbrowser.Tor.tor
index b0bfce0..f5b8177 100644
--- a/apparmor/torbrowser.Tor.tor
+++ b/apparmor/torbrowser.Tor.tor
@@ -24,6 +24,7 @@ profile torbrowser_tor @{torbrowser_tor_executable} {
   # Support some of the included pluggable transports
   owner @{torbrowser_home_dir}/TorBrowser/Tor/PluggableTransports/** rix,
   @{PROC}/sys/net/core/somaxconn r,
+  #include <abstractions/ssl_certs>
 
   # Silence file_inherit logs
   deny @{torbrowser_home_dir}/{browser/,}omni.ja r,
@@ -31,6 +32,9 @@ profile torbrowser_tor @{torbrowser_tor_executable} {
   deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/.parentlock rw,
   deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
   deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
+  # Silence logs from included pluggable transports
+  deny /etc/hosts r,
+  deny /etc/services r,
 
   @{PROC}/sys/kernel/random/uuid r,
   /sys/devices/system/cpu/ r,