# Tor Browser Bundle 2.2.x AppArmor profile by Anonymous
# Based on Firefox profile from Jamie Strandboge <jamie@canonical.com>
#
# Three profiles follow, one per bundle binary: App/Firefox/firefox, App/tor
# and App/vidalia. Every attachment path starts with /**/tor-browser_*, so a
# bundle extracted anywhere on the filesystem is confined. The file rules
# inside the profiles reuse that same prefix, which means a confined process
# may reach any directory on the system whose name matches tor-browser_*, not
# only the one it was launched from.
#include <tunables/global>
# We want to confine the binaries that match:
/**/tor-browser_*/App/Firefox/firefox {
  # Profile for the bundled Firefox. Everything it may touch outside the
  # bundle directory is listed explicitly below or comes from the included
  # abstractions.

  # FIXME: Some of these abstractions may be a tad permissive
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-session>
  #include <abstractions/gnome>
  #include <abstractions/ibus>

  # Tor should be doing our DNS
  # (the nameservice abstraction is deliberately left out; the resolver
  # files are explicitly denied further down)
  # #include <abstractions/nameservice>

  # This is 100% UNSAFE. Allows full read+write access to /home,
  # with only a few minor exceptions!!
  # #include <abstractions/ubuntu-browsers.d/firefox>

  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  # 'owner' limits each rule to files owned by the uid running firefox.
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,

  # TBB file access
  # Data/profile and tmp are the writable areas inside the bundle; the rules
  # here grant no 'm' or 'x' on them, so what is written there cannot be
  # mapped executable or run under this profile's own rules.
  /**/tor-browser_*/Data/profile/ rk,
  /**/tor-browser_*/Data/profile/** rwk,
  /**/tor-browser_*/tmp/** rwk,
  # r + m: read and map executable; ix: anything launched from here keeps
  # running under this same profile (no transition). No rule in this profile
  # grants 'w' under App/Firefox, so the confined process cannot modify the
  # bundle's own code.
  /**/tor-browser_*/App/Firefox/** rixm,
  /**/tor-browser_*/.event/* rk,
  /**/tor-browser_*/.cache/* rwk,
  /**/tor-browser_*/.pulse-cookie rwk,

  # for networking, only allow connections to localhost
  # network tcp dst 127.0.0.1, # TODO: Needs AppArmor 3.0?
  # NOTE(review): the rule below carries no address or port qualifier, so TCP
  # to any destination is permitted at this layer. Routing everything through
  # Tor rests on Firefox's proxy settings, which this profile cannot enforce.
  network tcp, # :(

  # MIME type and default-application lists.
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
  /usr/share/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # Firefox likes to inspect its own proc entry, possibly for FS info during
  # downloads?
  # Note the [0-9]* glob: cmdline and mountinfo become readable for every
  # pid on the system, not just firefox's own.
  @{PROC}/ r,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/**/stat r,

  # FIXME: Not sure why this is needed.. Possibly for JIT optimizations?
  # If you're paranoid, you can probably throw a "deny" in front of here
  /sys/devices/system/cpu/** r,

  # FIXME: Firefox needs /etc/password for some gnome shiz :(
  /etc/passwd r,
  /etc/nsswitch.conf r,

  # No DNS for you, firefox.
  # deny rules take precedence over any allow rule, including ones pulled in
  # by the abstractions above, so these hold regardless of what those grant.
  deny /etc/resolv.conf r,
  deny /etc/hosts r,
  deny /etc/host.conf r,

  # TODO: This is noisy. Should be silent. Apparmor bug??
  #deny network dgram,
  # NOTE(review): with dgram allowed, the resolver-file denies above do not by
  # themselves stop UDP DNS queries from leaving the process; only the
  # browser's proxy configuration does that.
  network dgram,
}
/**/tor-browser_*/App/tor {
  # Bundled tor daemon: the base abstraction plus its own data directory,
  # tmp and the bundled libraries. Nothing else on the filesystem is granted.
  #include <abstractions/base>

  # No address or port qualifier, so TCP to any destination is allowed at
  # this layer.
  network tcp,

  # TODO: This is noisy. Should be silent. Apparmor bug??
  # XXX: Why does Tor need UDP?
  #deny network dgram,
  network dgram,

  # Single-level '*' globs: files directly inside these directories only,
  # not in subdirectories.
  /**/tor-browser_*/Data/Tor/* rwk,
  /**/tor-browser_*/tmp/* rwk,
  # m + ix: bundled shared objects may be mapped executable and, if executed,
  # stay under this profile.
  /**/tor-browser_*/Lib/* mrix,
  /**/tor-browser_*/Lib/libz/* mrix,
}
/**/tor-browser_*/App/vidalia {
  # Vidalia controller GUI. It launches tor and firefox through the 'px'
  # rules below, each of which transitions into the matching profile above.

  # #include <abstractions/nameservice>
  #include <abstractions/fonts>
  #include <abstractions/freedesktop.org>
  #include <abstractions/dbus-session>
  #include <abstractions/ibus>

  # TODO: :(. Can't restrict to localhost till Apparmor 3.0
  # No address or port qualifier, so TCP to any destination is allowed at
  # this layer; presumably only Tor's control port is needed (its number
  # appears to be read from Data/Tor/port.conf below) -- verify.
  network tcp,

  # We can't use abstractions/base for these because
  # it conflicts with the ability to launch tor+firefox somehow (??)
  # Hand-rolled substitute for base. Note the breadth: 'm' on every file
  # under /usr/lib and /lib, not only shared objects, and 'r' on all of
  # /usr/share.
  /etc/ld.so.cache r,
  /usr/lib/** mr,
  /lib/** mr,
  /dev/urandom r,
  /usr/share/** rk, # Icons, themes, etc
  /etc/xdg/Trolltech.conf rk,
  /etc/locale.alias r,
  /etc/localtime r,

  # Literal /proc here, whereas the firefox profile uses @{PROC}; the two
  # coincide with the default tunables, where @{PROC} is /proc.
  deny /proc/** r, # Who needs /proc? STFU, plz

  # px: run the target under its own discrete profile -- the tor and firefox
  # profiles in this file; the exec is refused if no matching profile is
  # loaded. Lowercase px passes the environment through unscrubbed (Px would
  # scrub it). NOTE(review): confirm that is intended.
  /**/tor-browser_*/App/tor px,
  /**/tor-browser_*/App/Firefox/firefox px,

  /**/tor-browser_*/tmp/* rwk,
  /**/tor-browser_*/Data/Vidalia/* rwk,
  /**/tor-browser_*/Data/Tor/port.conf r,
  # m + ix: bundled shared objects may be mapped executable and, if executed,
  # stay under this profile.
  /**/tor-browser_*/Lib/* mrix,
  /**/tor-browser_*/Lib/libz/* mrix,

  /etc/ssl/certs/ r,
  /etc/ssl/certs/** r,

  # Explicit denies: these override any allow rule the abstractions above
  # might contribute.
  # Trolltech nonsense...
  deny /**/tor-browser_*/.config/ w,
  deny /**/tor-browser_*/.config/** rwmk,
  # XXX: WTF?? Why does vidalia need my xauth???
  deny @{HOME}/.Xauthority rwmk,
  # XXX: WTF?? /etc/passwd?
  # (the firefox profile above allows /etc/passwd r; it is refused here)
  deny /etc/passwd rmk,
  # XXX: Vidalia needs DNS?
  deny /etc/nsswitch.conf rmk,
}