AppArmor: Support pluggable transports especially meek

author Roger Shimizu <rosh@debian.org>

Wed, 6 May 2020 08:01:41 +0000 (17:01 +0900)

committer Roger Shimizu <rosh@debian.org>

Wed, 6 May 2020 08:01:41 +0000 (17:01 +0900)
author Roger Shimizu <rosh@debian.org>
Wed, 6 May 2020 08:01:41 +0000 (17:01 +0900)
committer Roger Shimizu <rosh@debian.org>
Wed, 6 May 2020 08:01:41 +0000 (17:01 +0900)
diff --git a/apparmor/torbrowser.Tor.tor b/apparmor/torbrowser.Tor.tor

index b0bfce057e4130bf7044c1847929dbfa6be6f55e..f5b8177908d8e5e69855ec5dad2e6e6ba1717e77 100644 (file)
--- a/apparmor/torbrowser.Tor.tor
+++ b/apparmor/torbrowser.Tor.tor
@@ -24,6 +24,7 @@ profile torbrowser_tor @{torbrowser_tor_executable} {
    # Support some of the included pluggable transports
    owner @{torbrowser_home_dir}/TorBrowser/Tor/PluggableTransports/** rix,
    @{PROC}/sys/net/core/somaxconn r,
+  #include <abstractions/ssl_certs>
  
    # Silence file_inherit logs
    deny @{torbrowser_home_dir}/{browser/,}omni.ja r,
@@ -31,6 +32,9 @@ profile torbrowser_tor @{torbrowser_tor_executable} {
    deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/.parentlock rw,
    deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
    deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
+  # Silence logs from included pluggable transports
+  deny /etc/hosts r,
+  deny /etc/services r,
  
    @{PROC}/sys/kernel/random/uuid r,
    /sys/devices/system/cpu/ r,
author	Roger Shimizu <rosh@debian.org>
	Wed, 6 May 2020 08:01:41 +0000 (17:01 +0900)
committer	Roger Shimizu <rosh@debian.org>
	Wed, 6 May 2020 08:01:41 +0000 (17:01 +0900)