path: root/config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch
blob: d6f8bf6f756046228a4c08bd68a8717d07aec484 (plain)
diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index 0df7ad9..ae26e61 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -1,13 +1,15 @@
 # Last modified
 #include <tunables/global>
 
-/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox {
+/usr/local/lib/tor-browser/firefox {
   #include <abstractions/gnome>
+  #include <abstractions/gstreamer>
+  #include <abstractions/ibus>
 
   # Uncomment the following line if you don't want the Tor Browser
   # to have direct access to your sound hardware. Note that this is not
   # enough to have working sound support in Tor Browser.
-  # #include <abstractions/audio>
+  #include <abstractions/audio>
 
   # Uncomment the following lines if you want to give the Tor Browser read-write
   # access to most of your personal files.
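Review bot: The comment directly above `#include <abstractions/audio>` still says "Uncomment the following line if you don't want the Tor Browser to have direct access to your sound hardware", but this hunk uncomments that include, so the comment now describes the opposite of what the profile does. Rewrite it to state the current choice, e.g. `# Tails grants direct access to the sound hardware; comment out the next line to revoke it (this alone does not give working sound).` The parallel "Uncomment the following lines" wording for personal-file access is left unchanged below and remains accurate only while those rules stay commented out; the rest of that block lies outside the hunk.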
@@ -17,40 +19,52 @@
   #dbus,
   network tcp,
 
+  /etc/asound.conf r,
   deny /etc/host.conf r,
-  deny /etc/hosts r,
-  deny /etc/nsswitch.conf r,
+  /etc/hosts r,
+  /etc/nsswitch.conf r,
   deny /etc/resolv.conf r,
-  deny /etc/passwd r,
-  deny /etc/group r,
+  /etc/passwd r,
+  /etc/group r,
   deny /etc/mailcap r,
+  deny @{HOME}/.local/share/gvfs-metadata/home r,
+  deny /run/resolvconf/resolv.conf r,
 
-  deny /etc/machine-id r,
-  deny /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
+  /var/lib/dbus/machine-id r,
 
   @{PROC}/[0-9]*/mountinfo r,
   @{PROC}/[0-9]*/stat r,
   @{PROC}/[0-9]*/task/*/stat r,
   @{PROC}/sys/kernel/random/uuid r,
 
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/ r,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/* r,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/.** rwk,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/.** rwk,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/ r,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** r,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/*.so mr,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/components/*.so mr,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/browser/components/*.so mr,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox rix,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profiles.ini r,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profile.default/ r,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profile.default/** rwk,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor Px,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/,}Desktop/ rw,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/,}Desktop/** rwk,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/,}Downloads/ rw,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/,}Downloads/** rwk,
+  /usr/local/lib/tor-browser/ r,
+  /usr/local/lib/tor-browser/** r,
+  /usr/local/lib/tor-browser/*.so{,.6} mr,
+  /usr/local/lib/tor-browser/**/*.so mr,
+  /usr/local/lib/tor-browser/browser/* r,
+  /usr/local/lib/tor-browser/TorBrowser/Data/Browser/profiles.ini r,
+
+  owner "@{HOME}/Tor Browser/" rw,
+  owner "@{HOME}/Tor Browser/**" rwk,
+  owner "@{HOME}/Persistent/Tor Browser/" rw,
+  owner "@{HOME}/Persistent/Tor Browser/**" rwk,
+  owner "/live/persistence/TailsData_unlocked/Persistent/Tor Browser/" rw,
+  owner "/live/persistence/TailsData_unlocked/Persistent/Tor Browser/**" rwk,
+  owner @{HOME}/.mozilla/firefox/bookmarks/places.sqlite rwk,
+  owner /live/persistence/TailsData_unlocked/bookmarks/places.sqlite rwk,
+  owner @{HOME}/.tor-browser/profile.default/ r,
+  owner @{HOME}/.tor-browser/profile.default/** rwk,
+
+  /etc/xul-ext/ r,
+  /etc/xul-ext/** r,
+  /usr/local/share/tor-browser-extensions/ r,
+  /usr/local/share/tor-browser-extensions/** rk,
+  /usr/share/xul-ext/ r,
+  /usr/share/xul-ext/** r,
+
+  /usr/share/doc/tails/website/ r,
+  /usr/share/doc/tails/website/** r,
 
   /etc/mailcap r,
   /etc/mime.types r,
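Review bot: Six upstream `deny` rules are flipped to allow — `/etc/hosts`, `/etc/nsswitch.conf`, `/etc/passwd`, `/etc/group`, `/etc/machine-id` and `/var/lib/dbus/machine-id` — with nothing in the hunk recording why. Upstream denied these so a compromised browser process cannot read host-identifying data; on Tails the machine-id files may well not be unique to the user, but that is not stated here, and a future reader cannot tell whether the allow is deliberate or a workaround for log noise. Add a rationale comment above the group, e.g. `# Tails: allowed because <REASON>; machine-id on Tails is <UNIQUENESS — verify>, so this does not expose a persistent identifier`. If only some of these files are demonstrably needed, keep the others denied, consistent with `/etc/resolv.conf` and `/run/resolvconf/resolv.conf` staying denied on the same principle.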
@@ -65,6 +79,7 @@
 
   /sys/devices/system/cpu/ r,
   /sys/devices/system/cpu/present r,
+  deny /sys/devices/virtual/block/*/uevent r,
 
   # Should use abstractions/gstreamer instead once merged upstream
   /etc/udev/udev.conf r,
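Review bot: `deny /sys/devices/virtual/block/*/uevent r,` is added without a comment, in a block whose neighbouring rules are plain allows for sysfs cpu information. Since an explicit `deny` is, by default, also quiet in the audit log, a reader cannot tell whether this is a deliberate hardening rule (keep the browser from enumerating block devices) or only log hygiene for a probe the browser makes anyway; add e.g. `# Tails: firefox probes block-device uevents; denied explicitly because <REASON>`.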
@@ -72,6 +87,16 @@
   /sys/devices/pci[0-9]*/**/uevent r,
   owner /{dev,run}/shm/shmfd-* rw,
 
+  /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner Cix -> gst_plugin_scanner,
+  owner @{HOME}/.gstreamer*/ rw,
+  owner @{HOME}/.gstreamer*/** rw,
+  owner @{PROC}/[0-9]*/fd/ r,
+
+  deny /usr/bin/pulseaudio x,
+
+  /usr/local/lib/tor-browser/firefox Pix,
+  /usr/bin/seahorse-tool Ux,
+
   # KDE 4
   owner @{HOME}/.kde/share/config/* r,