apparmor-profile-torbrowser allows access to user home folder

nurmagoz · August 31, 2022, 4:31pm

apparmor-profile-torbrowser was blocking the ability of TB to access to any /home/user/folder except for /Downloads and the one where TB exist.

Now the profile doenst do any of that instead it allowed the access to all folders.

Patrick · July 7, 2023, 9:30pm

File /etc/apparmor.d/home.tor-browser.firefox uses:

include <abstractions/user-download>

That means it uses the rules which are written in this file::

/etc/apparmor.d/abstractions/user-download

This file is owned by the apparmor package. Why do I think so? Commands:

dpkg -S /etc/apparmor.d/abstractions/user-download

shows:

apparmor: /etc/apparmor.d/abstractions/user-download

File /etc/apparmor.d/abstractions/user-download contains AppArmor rules which one could argue are too lenient.

AppArmor upstream file location:

It contains for example, quote:

owner @{HOME}/[^.]* rwl,

Patrick · July 7, 2023, 9:37pm

Reported a bug upstream:

Patrick · October 24, 2023, 12:44pm

Commented again.

For developers:

sudoedit /etc/apparmor.d/home.tor-browser.firefox && sudo aa-enforce /etc/apparmor.d/home.tor-browser.firefox && torbrowser && sudo apparmor-info --boot && sudo aa-logprof

Patrick · October 25, 2023, 11:20pm

This has been fixed and is now in the developers repository.

github.com

Kicksecure/apparmor-profile-torbrowser/blob/master/etc/apparmor.d/home.tor-browser.firefox

# Last Modified: Tue Oct 24 16:34:53 2023
include <tunables/global>

## Copyright (C) 2014 troubadour <trobador@riseup.net>
## Copyright (C) 2014 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.


/**/*-browser/Browser/firefox flags=(attach_disconnected) {
  include <abstractions/X>
  include <abstractions/audio>
  include <abstractions/base>
  include <abstractions/fonts>
  include <abstractions/user-tmp>
  include <local/home.tor-browser.firefox>

  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,

This file has been truncated. show original

Patrick · November 26, 2023, 6:21am

This is now in the testers repository.

Patrick · November 28, 2023, 4:17pm

github.com/Kicksecure/apparmor-profile-torbrowser

Allow downloads directory under different syntaxes

Kicksecure:master ← ben-grande:tbb-download

opened 11:25AM - 28 Nov 23 UTC

ben-grande

+4 -2

Download directory can now: - be capitalized or not with trailing 's' or not. …- be set by XDG_DOWNLOAD_DIR internal AppArmor variable. - the home directory now uses the HOME internal AA variable. - every subfolder inside the download dir is also allowed, helps saving files in directories in a organized manner. --- Hello, I think the profile should allow everything inside the download directory plus its different names. Please verify if the changes makes sense to Kicksecure.

Patrick · February 16, 2024, 1:42pm

This commit might have caused a regression.

Files in sub folders in home folder: blocked by AppArmor
Files in home folder not in a sub folder: not blocked by AppArmor

I don’t really have time to perfect this. This will hopefully be fixed or at least then a maintainer is available who knows more about AppArmor and can investigate such issues when apparmor.d gets available in Whonix which is TODO.

Patrick · February 16, 2024, 1:47pm

Actually no regression or to a much lesser degree. No file in ~/home folder (which is not in ~/home/Downloads folder can be read by the browser.

But the file names (not contents!) can be read if these are in ~/home folder. This is also unwanted. But by denying read access to all of ~/home then the user would be unable to navigate to ~/home/Downloads.

Is this issue applicable to, solvable in apparmor.d? @roddhjav

roddhjav · February 21, 2024, 12:04am

In apparmor.d for Firefox/TorBrowser (and all browsers), I use both:

abstractions/user-download-strict to allow read write on well defined download directrory
abstractions/user-read to allow read access on labelled directory (ie: covered by a XDG style variable)

This is the best way I found to maintain usability without allowing everything in /home/*/: restrict write, allow read from well defined directory.

But the file names (not contents!) can be read if these are in ~/home folder. This is also unwanted.

You might have something like owner @{HOME}/ r, in the profile. You should test if you can safely deny it or not.

Patrick · March 4, 2024, 10:21am

This is now in the stable repository.