[Pkg-privacy-commits] [torbrowser-launcher] 179/476: added base apparmor profiles for TBB 3.5+
Ximin Luo
infinity0 at moszumanska.debian.org
Sat Aug 22 13:21:35 UTC 2015
This is an automated email from the git hooks/post-receive script.
infinity0 pushed a commit to branch debian
in repository torbrowser-launcher.
commit a3908af8815568da21f4ac153b440d7dd74aaf19
Author: Micah Lee <micah at micahflee.com>
Date: Mon Dec 30 13:50:55 2013 -0800
added base apparmor profiles for TBB 3.5+
---
apparmor/license.txt | 32 +++++++++++++++
apparmor/tor-browser.Browser.firefox | 74 ++++++++++++++++++++++++++++++++++
apparmor/tor-browser.Tor.tor | 22 ++++++++++
apparmor/tor-browser.start-tor-browser | 41 +++++++++++++++++++
setup.py | 1 +
5 files changed, 170 insertions(+)
diff --git a/apparmor/license.txt b/apparmor/license.txt
new file mode 100644
index 0000000..564063c
--- /dev/null
+++ b/apparmor/license.txt
@@ -0,0 +1,32 @@
+These AppArmor profiles are based on https://gitorious.org/tbb-apparmor/tbb-apparmor/
+Originally written by Radostan Riedel <raybuntu at googlemail.com>
+
+--
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+ * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+ * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+
+ * Neither the names of the copyright owners nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/apparmor/tor-browser.Browser.firefox b/apparmor/tor-browser.Browser.firefox
new file mode 100644
index 0000000..8b34b9c
--- /dev/null
+++ b/apparmor/tor-browser.Browser.firefox
@@ -0,0 +1,74 @@
+#include <tunables/global>
+
+/home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/firefox {
+ #include <abstractions/base>
+ #include <abstractions/user-tmp>
+
+ network tcp,
+
+ deny /etc/host.conf r,
+ deny /etc/hosts r,
+ deny /etc/nsswitch.conf r,
+ deny /etc/resolv.conf r,
+ deny /proc/9881/mountinfo r,
+ deny @{HOME}/.config/user-dirs.dirs r,
+ deny @{HOME}/.gtk-bookmarks r,
+ deny @{HOME}/.local/share/recently-used.xbel* rw,
+
+ /bin/dash rix,
+ /dev/dri/card0 rw,
+ /etc/X11/cursors/* r,
+ /etc/drirc r,
+ /etc/fonts/** r,
+ /etc/gnome-vfs-2.0/modules/ r,
+ /etc/gnome-vfs-2.0/modules/default-modules.conf r,
+ /etc/gnome-vfs-2.0/modules/extra-modules.conf r,
+ /etc/mailcap r,
+ /etc/mime.types r,
+ /etc/passwd r,
+ /lib{,32,64}/*.so mr,
+ /lib{,32,64}/*.so.* mr,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/.mozilla/ w,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/.mozilla/*/ w,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/** r,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/*.so mr,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/browser/components/*.so mr,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/components/*.so mr,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/firefox rix,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Data/Browser/ r,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Data/Browser/** rwk,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Desktop/ rw,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Desktop/** rw,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Downloads/ rw,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Downloads/** rw,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Tor/tor Px,
+ /run/gdm3/** r,
+ /sys/devices/system/cpu/present r,
+ /tmp/.X0-lock r,
+ /usr/lib{,32,64}/** mr,
+ /usr/share/fonts/** r,
+ /usr/share/gvfs/remote-volume-monitors/ r,
+ /usr/share/gvfs/remote-volume-monitors/afc.monitor r,
+ /usr/share/gvfs/remote-volume-monitors/gdu.monitor r,
+ /usr/share/gvfs/remote-volume-monitors/gphoto2.monitor r,
+ /usr/share/icons/ r,
+ /usr/share/icons/** r,
+ /usr/share/mime/mime.cache r,
+ /usr/share/pixmaps/ r,
+ /usr/share/themes/Default/** r,
+ /var/cache/fontconfig/* r,
+ owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini r,
+ owner @{HOME}/.icons/ r,
+ owner @{HOME}/.icons/** r,
+ owner @{HOME}/.local/share/icons/ r,
+ owner @{HOME}/.themes/** r,
+ @{PROC}/[0-9]*/maps r,
+ @{PROC}/[0-9]*/mounts r,
+ @{PROC}/[0-9]*/stat r,
+ @{PROC}/[0-9]*/task/*/stat r,
+ @{PROC}/cpuinfo r,
+ @{PROC}/filesystems r,
+ @{PROC}/meminfo r,
+ @{PROC}/stat r,
+
+}
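Review bot: `deny /proc/9881/mountinfo r,` pins a single process id that looks like it was captured by a profile generator on one machine, so in practice the rule matches nothing and silences none of the mountinfo reads it was meant to cover; it should take the form the rest of the block already uses, `deny @{PROC}/[0-9]*/mountinfo r,`. Likewise `/dev/dri/card0 rw,` only covers the first GPU node, where `/dev/dri/card[0-9]* rw,` would cover multi-GPU hosts. The attachment path and the bundle rules spell the home directory as `/home/*/` while the deny block uses `@{HOME}`; since `@{HOME}` comes from `tunables/global` and honours `@{HOMEDIRS}`, unifying the two spellings would make the profile survive non-default home locations, provided the installed parser accepts variables in the attachment (to be confirmed). A header comment stating which launcher layout (`~/.torbrowser/tbb/{stable,alpha}/...`) and TBB generation the profile targets would help whoever has to debug denials after a layout change.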
diff --git a/apparmor/tor-browser.Tor.tor b/apparmor/tor-browser.Tor.tor
new file mode 100644
index 0000000..cd4e4c9
--- /dev/null
+++ b/apparmor/tor-browser.Tor.tor
@@ -0,0 +1,22 @@
+#include <tunables/global>
+
+/home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Tor/tor {
+ #include <abstractions/base>
+
+ network tcp,
+ network udp,
+
+ /etc/host.conf r,
+ /etc/nsswitch.conf r,
+ /etc/passwd r,
+ /etc/resolv.conf r,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Tor/tor mr,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Data/Tor/* rw,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Data/Tor/lock rwk,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Lib/*.so mr,
+ /home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Lib/*.so.* mr,
+ @{PROC}/meminfo r,
+ @{PROC}/sys/kernel/random/uuid r,
+ /sys/devices/system/cpu/ r,
+
+}
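Review bot: `Data/Tor/* rw,` grants the files inside the data directory but nothing is granted on `.../Data/Tor/` itself; tor's data-directory permission check can create or chmod that directory, which would need a rule such as `/home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Data/Tor/ rw,` — presumably, confirm with a run in complain mode. `network udp,` is broader than the TCP-only transport a tor client uses on the wire; if it exists for libc name resolution of configured hostnames, a comment saying so would stop a later cleanup from dropping it. A header comment noting that this profile is entered through the `Px` transition from the firefox profile, and that it assumes the launcher's `~/.torbrowser/tbb/...` layout, would also help.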
diff --git a/apparmor/tor-browser.start-tor-browser b/apparmor/tor-browser.start-tor-browser
new file mode 100644
index 0000000..b675d65
--- /dev/null
+++ b/apparmor/tor-browser.start-tor-browser
@@ -0,0 +1,41 @@
+#include <tunables/global>
+
+/home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/start-tor-browser {
+ #include <abstractions/base>
+ #include <abstractions/bash>
+
+ capability sys_ptrace,
+
+
+ /bin/cat rix,
+ /bin/dash ix,
+ /bin/grep rix,
+ /bin/ps rix,
+ /bin/sed rix,
+ /dev/pts/[0-9]* rw,
+ /dev/tty rw,
+ /etc/magic r,
+ /opt/tor-browser_en-US/Browser/firefox Px,
+ /opt/tor-browser_en-US/Tor/tor r,
+ /opt/tor-browser_en-US/start-tor-browser r,
+ @{PROC}/ r,
+ @{PROC}/[0-9]*/status r,
+ @{PROC}/[0-9]*/stat r,
+ @{PROC}/[0-9]*/cmdline r,
+ @{PROC}/meminfo r,
+ @{PROC}/sys/kernel/pid_max r,
+ @{PROC}/tty/drivers r,
+ @{PROC}/uptime r,
+ /{,var/}run/utmp r,
+ /dev/ptmx rw,
+ /usr/bin/dirname rix,
+ /usr/bin/expr rix,
+ /usr/bin/file rix,
+ /usr/bin/getconf rix,
+ /usr/bin/id rix,
+ /usr/bin/ldd rix,
+ /usr/lib{,32,64}/** mr,
+ /usr/share/file/magic.mgc r,
+ /usr/share/file/magic/ r,
+
+}
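Review bot: `/opt/tor-browser_en-US/Browser/firefox Px,` together with the `r` rules on `/opt/tor-browser_en-US/Tor/tor` and `/opt/tor-browser_en-US/start-tor-browser` look like leftovers from the upstream /opt-based layout: everything else in this commit places the bundle under `/home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/`, so when the script execs its own `Browser/firefox` from there no rule matches, the exec is denied in enforce mode, and the `Px` hand-off into the firefox profile never happens. The three rules should name the launcher's path, e.g. `/home/*/.torbrowser/tbb/{stable,alpha}/{i686,x86_64}/tor-browser_*/Browser/firefox Px,`. Minor: `/bin/dash ix,` lacks the `r` the other interpreter rules carry (`/bin/dash rix,`), and `capability sys_ptrace,` is the one privileged grant in the profile, so a comment naming what needs it (presumably the `ps`-based check of a running tor; confirm) would keep it from being treated as cruft.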
diff --git a/setup.py b/setup.py
index 31c4016..62c52e6 100644
--- a/setup.py
+++ b/setup.py
@@ -58,6 +58,7 @@ Tor Browser Launcher will get updated each time a new version of TBB is released
('/usr/share/pixmaps', ['img/torbrowser32.xpm', 'img/torbrowser80.xpm']),
('/usr/share/torbrowser-launcher', ['keys/erinn.asc', 'keys/sebastian.asc', 'keys/alexandre.asc', 'keys/mike.asc', 'keys/mike-2013-09.asc', 'torproject.pem', 'mirrors.txt', 'modem.ogg']),
('/usr/share/torbrowser-launcher/locale/en', ['locale/en/messages.pot']),
+ ('/etc/apparmor.d/', ['apparmor/tor-browser.Browser.firefox', 'apparmor/tor-browser.start-tor-browser', 'apparmor/tor-browser.Tor.tor']),
# unpackaged third party libraries
('/usr/share/torbrowser-launcher/lib/txsocksx', file_list('lib/txsocksx-0.0.2/txsocksx')),
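Review bot: Listing `/etc/apparmor.d/` in `data_files` makes every `setup.py install`, including a non-root or virtualenv install, try to write into /etc and fail, and a successful install only copies the profiles: nothing runs `apparmor_parser -r` on them, so they stay unloaded until the next boot or a manual reload. If the Debian package is the only intended consumer this is fine with `dh_apparmor` handling the load (presumably; the packaging is not in this diff), but a comment on the new line saying which step loads the profiles, and that a stale path inside them can block Tor Browser from starting in enforce mode, would help. The `data_files` list this entry belongs to starts outside the hunk.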
--