feat(profiles): add torbrowser profiles.

roddhjav · Dec 9, 2023 · c84af9e · c84af9e
1 parent ccf4b4d
commit c84af9e
Show file tree

Hide file tree

Showing 6 changed files with 360 additions and 0 deletions.
diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/whonix/torbrowser
@@ -0,0 +1,145 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{name} = torbrowser "tor browser"
+@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
+@{config_dirs} = @{data_dirs}/Browser/*.default/
+@{cache_dirs} = @{data_dirs}/Browser/Caches
+
+@{exec_path} = @{lib_dirs}/firefox.*
+profile torbrowser @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
+  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.freedesktop.FileManager1>
+  include <abstractions/bus/org.freedesktop.login1>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
+  include <abstractions/bus/org.freedesktop.RealtimeKit1>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/fonts>
+  include <abstractions/freedesktop.org>
+  include <abstractions/gstreamer>
+  include <abstractions/gtk>
+  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
+  include <abstractions/opencl>
+  include <abstractions/ssl_certs>
+  include <abstractions/thumbnails-cache-read>
+  include <abstractions/user-download-strict>
+  include <abstractions/vulkan>
+
+  capability sys_admin, # If kernel.unprivileged_userns_clone = 1
+  capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
+
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  @{exec_path} mrix,
+
+  @{lib_dirs}/{,**}             r,
+  @{lib_dirs}/*.so              mr,
+  @{lib_dirs}/glxtest           rPx -> torbrowser-glxtest,
+  @{lib_dirs}/plugin-container  rPx -> torbrowser-plugin-container,
+  @{lib_dirs}/vaapitest         rPx -> torbrowser-vaapitest,
+
+  # Desktop integration
+  @{bin}/exo-open                                    rPx -> child-open,
+  @{bin}/lsb_release                                 rPx -> lsb_release,
+  @{bin}/xdg-open                                    rPx -> child-open,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+  @{lib}/gio-launch-desktop                          rPx -> child-open,
+
+  /usr/share/@{name}/{,**} r,
+  /usr/share/doc/{,**} r,
+  /usr/share/egl/{,**} r,
+  /usr/share/icu/@{int}.@{int}/*.dat r,
+  /usr/share/libdrm/*.ids r,
+  /usr/share/xul-ext/kwallet5/* r,
+
+  /etc/@{name}.d/{,**} r,
+  /etc/igfx_user_feature{,_next}.txt w,
+  /etc/libva.conf r,
+  /etc/mailcap r,
+  /etc/mime.types r,
+  /etc/opensc.conf r,
+  /etc/sysconfig/proxy r,
+  /etc/xdg/* r,
+  /etc/xul-ext/kwallet5.js r,
+
+  /var/lib/nscd/services r,
+
+  owner @{lib_dirs}/.cache/{,**} rw,
+  owner @{lib_dirs}/Downloads/{,**} rw,
+  owner @{lib_dirs}/fonts/** r,
+
+  owner @{config_dirs}/ rw,
+  owner @{config_dirs}/** rwk,
+
+  owner @{cache_dirs}/ rw,
+  owner @{cache_dirs}/** rwk,
+
+        /tmp/ r,
+        /var/tmp/ r,
+  owner /tmp/user/@{uid}/ rw,
+  owner /tmp/user/@{uid}/* rwk,
+  owner /tmp/user/@{uid}/Temp-@{uuid}/ rw,
+  owner /tmp/user/@{uid}/Temp-@{uuid}/* rwk,
+  owner /tmp/user/@{uid}/@{name}/ rw,
+  owner /tmp/user/@{uid}/@{name}/* rwk,
+  owner /tmp/@{name}/ rw,
+  owner /tmp/@{name}/* rwk,
+  owner /tmp/Temp-@{uuid}/ rw,
+  owner "/tmp/Tor Project*/" rw,
+  owner "/tmp/Tor Project*/**" rwk, 
+  owner "/tmp/Tor Project*" rwk,
+
+  @{run}/mount/utab r,
+
+  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
+  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
+
+  @{sys}/bus/ r,
+  @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
+  @{sys}/class/ r,
+  @{sys}/class/**/ r,
+  @{sys}/devices/**/uevent r,
+  @{sys}/devices/@{pci}/ r,
+  @{sys}/devices/@{pci}/drm/card@{int}/ r,
+  @{sys}/devices/@{pci}/drm/renderD[0-9]*/ r,
+  @{sys}/devices/@{pci}/irq r,
+  @{sys}/devices/system/cpu/cpu@{int}/cache/index[0-9]/size r,
+  @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
+  @{sys}/devices/system/cpu/present r,
+  @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-1.scope/cpu.max r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r,
+
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/comm r,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/oom_score_adj w,
+  owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
+  owner @{PROC}/@{pid}/smaps r,
+  owner @{PROC}/@{pid}/stat r,
+  owner @{PROC}/@{pid}/statm r,
+  owner @{PROC}/@{pid}/task/ r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+  owner @{PROC}/@{pid}/task/@{tid}/stat r,
+  owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
+  owner @{PROC}/@{pids}/cmdline r,
+  owner @{PROC}/@{pids}/environ r,
+
+  include if exists <local/torbrowser>
+}
diff --git a/apparmor.d/groups/whonix/torbrowser-glxtest b/apparmor.d/groups/whonix/torbrowser-glxtest
@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{name} = torbrowser "tor browser"
+@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
+@{config_dirs} = @{data_dirs}/Browser/*.default/
+@{cache_dirs} = @{data_dirs}/Browser/Caches
+
+@{exec_path} = @{lib_dirs}/glxtest
+profile torbrowser-glxtest @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/dri-common>
+  include <abstractions/dri-enumerate>
+  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
+  include <abstractions/opencl-nvidia>
+  include <abstractions/vulkan>
+  include <abstractions/X-strict>
+
+  @{exec_path} mr,
+
+  owner @{config_dirs}/.parentlock rw,
+
+  owner /tmp/@{name}/.parentlock rw,
+
+  @{sys}/bus/pci/devices/ r,
+  @{sys}/devices/@{pci}/class r,
+
+  owner @{PROC}/@{pid}/cmdline r,
+
+  include if exists <local/torbrowser-glxtest>
+}
diff --git a/apparmor.d/groups/whonix/torbrowser-plugin-container b/apparmor.d/groups/whonix/torbrowser-plugin-container
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <[email protected]>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{name} = torbrowser "tor browser"
+@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
+@{config_dirs} = @{data_dirs}/Browser/*.default/
+@{cache_dirs} = @{data_dirs}/Browser/Caches
+
+@{exec_path} = @{lib_dirs}/plugin-container
+profile torbrowser-plugin-container @{exec_path} {
+  include <abstractions/base>
+
+  signal (receive) set=(term, kill) peer=torbrowser,
+
+  @{exec_path} mr,
+
+  include if exists <local/torbrowser-plugin-container>
+}
diff --git a/apparmor.d/groups/whonix/torbrowser-start b/apparmor.d/groups/whonix/torbrowser-start
@@ -0,0 +1,47 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+
+@{exec_path} = @{lib_dirs}/start-tor-browser
+profile torbrowser-start @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} rm,
+
+  @{bin}/bash                 rix,
+  @{bin}/cp                   rix,
+  @{bin}/dirname              rix,
+  @{bin}/env                  r,
+  @{bin}/expr                 rix,
+  @{bin}/file                 rix,
+  @{bin}/getconf              rix,
+  @{bin}/grep                 rix,
+  @{bin}/id                   rix,
+  @{bin}/ln                   rix,
+  @{bin}/mkdir                rix,
+  @{bin}/rm                   rix,
+  @{bin}/sed                  rix,
+  @{bin}/sh                   rix,
+  @{bin}/sh                   rix,
+  @{lib_dirs}/abicheck        rix,
+  @{lib_dirs}/firefox         rix,
+
+  @{lib_dirs}/firefox.* rPx -> torbrowser,
+
+  /etc/magic r,
+
+  owner @{HOME}/.tb/tor-browser/* rw,
+
+  owner @{lib_dirs}/.local/* rw,
+  owner @{lib_dirs}/sed@{rand6} rw,
+  owner @{lib_dirs}/start-tor-browser.desktop rw,
+
+  include if exists <local/torbrowser-start>
+}
diff --git a/apparmor.d/groups/whonix/torbrowser-vaapitest b/apparmor.d/groups/whonix/torbrowser-vaapitest
@@ -0,0 +1,40 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{name} = torbrowser "tor browser"
+@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+@{data_dirs} = @{lib_dirs}/TorBrowser/Data/
+@{config_dirs} = @{data_dirs}/Browser/*.default/
+@{cache_dirs} = @{data_dirs}/Browser/Caches
+
+@{exec_path} = @{lib_dirs}/vaapitest
+profile torbrowser-vaapitest @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/dri-enumerate>
+  include <abstractions/dri-common>
+  include <abstractions/nvidia>
+  include <abstractions/vulkan>
+
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /etc/igfx_user_feature{,_next}.txt w,
+  /etc/libva.conf r,
+
+  owner /tmp/@{name}/.parentlock rw,
+
+  @{sys}/devices/@{pci}/{irq,revision,resource} r,
+  @{sys}/devices/@{pci}/config r,
+
+  deny @{config_dirs}/.parentlock rw,
+  deny @{config_dirs}/startupCache/** r,
+  deny @{user_cache_dirs}/startupCache/* r,
+
+  include if exists <local/torbrowser-vaapitest>
+}
diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper
@@ -0,0 +1,65 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+
+@{exec_path} = @{bin}/torbrowser
+profile torbrowser-wrapper @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} rm,
+
+  @{bin}/{,ba,da}sh              rix,
+  @{bin}/basename                rix,
+  @{bin}/dirname                 rix,
+  @{bin}/grep                    rix,
+  @{bin}/id                      rix,
+  @{bin}/mktemp                  rix,
+  @{bin}/mount                   rix,
+  @{bin}/str_replace             rix,
+  @{bin}/systemctl               rCx -> systemctl,
+  @{bin}/tty                     rix,
+  @{bin}/whoami                  rix,
+
+  @{lib_dirs}/start-tor-browser  rPx -> torbrowser-start,
+  @{lib}/msgcollector/msgcollector rPx,
+  @{lib}/open-link-confirmation/open-link-confirmation rPx,
+
+  @{lib}/helper-scripts/* r,
+
+  /etc/torbrowser.d/{,*} r,
+
+  owner @{lib_dirs}/TorBrowser/Data/Browser/profile.default/prefs.js r,
+
+  owner /tmp/tmp.@{rand10} rw,
+
+  owner @{run}/mount/utab r,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemd-common>
+
+    @{bin}/systemctl mr,
+
+    /etc/machine-id r,
+
+    /{run,var}/log/journal/ r,
+    /{run,var}/log/journal/@{md5}/ r,
+    /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r,
+    /{run,var}/log/journal/@{md5}/system.journal* r,
+    /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r,
+
+    include if exists <local/torbrowser-wrapper_systemctl>
+  }
+
+  include if exists <local/torbrowser-wrapper>
+}