i2p.plugins.tor-updater/etc/apparmor.d/torbrowser.Tor.tor

#include <tunables/global>
#include <tunables/torbrowser>

@{torbrowser_tor_executable} = @{HOME}/.i2p/plugins/i2p.plugins.tor-manager/unpack/tor-browser_en-US/Browser/TorBrowser/Tor/tor

profile torbrowser_tor @{torbrowser_tor_executable} {
	#include <abstractions/base>

	network netlink raw,
	network tcp,
	network udp,

	/etc/host.conf r,
	/etc/nsswitch.conf r,
	/etc/passwd r,
	/etc/resolv.conf r,
	owner @{torbrowser_home_dir}/TorBrowser/Tor/tor mr,
	owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/ rw,
	owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/** rw,
	owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/lock rwk,
	owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
	owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,

	# Support some of the included pluggable transports
	owner @{torbrowser_home_dir}/TorBrowser/Tor/PluggableTransports/** rix,
	@{PROC}/sys/net/core/somaxconn r,
	#include <abstractions/ssl_certs>

	# Silence file_inherit logs
	deny @{torbrowser_home_dir}/{browser/,}omni.ja r,
	deny @{torbrowser_home_dir}/{browser/,}features/*.xpi r,
	deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/.parentlock rw,
	deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
	deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
	# Silence logs from included pluggable transports
	deny /etc/hosts r,
	deny /etc/services r,

	@{PROC}/sys/kernel/random/uuid r,
	/sys/devices/system/cpu/ r,

	# OnionShare compatibility
	/tmp/onionshare/** rw,

	#include <local/torbrowser.Tor.tor>
}
Add apparmor profile generation and default apparmor profiles 2022-01-31 02:09:02 -05:00			`#include <tunables/global>`
			`#include <tunables/torbrowser>`

			`@{torbrowser_tor_executable} = @{HOME}/.i2p/plugins/i2p.plugins.tor-manager/unpack/tor-browser_en-US/Browser/TorBrowser/Tor/tor`

			`profile torbrowser_tor @{torbrowser_tor_executable} {`
			`#include <abstractions/base>`

			`network netlink raw,`
			`network tcp,`
			`network udp,`

			`/etc/host.conf r,`
			`/etc/nsswitch.conf r,`
			`/etc/passwd r,`
			`/etc/resolv.conf r,`
			`owner @{torbrowser_home_dir}/TorBrowser/Tor/tor mr,`
			`owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/ rw,`
			`owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/** rw,`
			`owner @{torbrowser_home_dir}/TorBrowser/Data/Tor/lock rwk,`
			`owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,`
			`owner @{torbrowser_home_dir}/TorBrowser/Tor/.so. mr,`

			`# Support some of the included pluggable transports`
			`owner @{torbrowser_home_dir}/TorBrowser/Tor/PluggableTransports/** rix,`
			`@{PROC}/sys/net/core/somaxconn r,`
			`#include <abstractions/ssl_certs>`

			`# Silence file_inherit logs`
			`deny @{torbrowser_home_dir}/{browser/,}omni.ja r,`
			`deny @{torbrowser_home_dir}/{browser/,}features/*.xpi r,`
			`deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/.parentlock rw,`
			`deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,`
			`deny @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,`
			`# Silence logs from included pluggable transports`
			`deny /etc/hosts r,`
			`deny /etc/services r,`

			`@{PROC}/sys/kernel/random/uuid r,`
			`/sys/devices/system/cpu/ r,`

			`# OnionShare compatibility`
			`/tmp/onionshare/** rw,`

			`#include <local/torbrowser.Tor.tor>`
			`}`