apparmor-profile-torbrowser allows access to user home folder

apparmor-profile-torbrowser was blocking the ability of TB to access any /home/user/folder except for /Downloads and the one where TB exists.

Now the profile doesn't do any of that; instead it allows access to all folders.

1 Like

File /etc/apparmor.d/home.tor-browser.firefox uses:

include <abstractions/user-download>

That means it uses the rules which are written in this file:

/etc/apparmor.d/abstractions/user-download

This file is owned by the apparmor package. Why do I think so? Commands:

dpkg -S /etc/apparmor.d/abstractions/user-download

shows:

apparmor: /etc/apparmor.d/abstractions/user-download

File /etc/apparmor.d/abstractions/user-download contains AppArmor rules which one could argue are too lenient.

AppArmor upstream file location:

It contains for example, quote:

owner @{HOME}/[^.]* rwl,

1 Like

Reported a bug upstream:

1 Like

Commented again.


For developers:

sudoedit /etc/apparmor.d/home.tor-browser.firefox && sudo aa-enforce /etc/apparmor.d/home.tor-browser.firefox && torbrowser && sudo apparmor-info --boot && sudo aa-logprof

This has been fixed and is now in the developers repository.

This is now in the testers repository.

1 Like
1 Like

This commit might have caused a regression.

  • Files in sub folders in home folder: blocked by AppArmor
  • Files in home folder not in a sub folder: not blocked by AppArmor

I don’t really have time to perfect this. This will hopefully be fixed, or at least a maintainer will then be available who knows more about AppArmor and can investigate such issues, when apparmor.d becomes available in Whonix, which is TODO.

1 Like

Actually no regression, or to a much lesser degree. No file in ~/home folder (which is not in ~/home/Downloads folder) can be read by the browser.

But the file names (not contents!) can be read if these are in ~/home folder. This is also unwanted. But by denying read access to all of ~/home, the user would be unable to navigate to ~/home/Downloads.

Is this issue applicable to, solvable in apparmor.d? @roddhjav

1 Like

In apparmor.d for Firefox/TorBrowser (and all browsers), I use both:

  • abstractions/user-download-strict to allow read and write on a well-defined download directory
  • abstractions/user-read to allow read access on labelled directories (i.e. covered by an XDG-style variable)

This is the best way I found to maintain usability without allowing everything in /home/*/: restrict write, allow read from well defined directory.

But the file names (not contents!) can be read if these are in ~/home folder. This is also unwanted.

You might have something like owner @{HOME}/ r, in the profile. You should test if you can safely deny it or not.

2 Likes
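
The difference discussed in this thread between reading file contents and reading file names comes down to which paths each rule's glob covers. The following is an added example, not code from the thread or from AppArmor: a simplified model of AppArmor path globbing applied to the quoted rule owner @{HOME}/[^.]* rwl, and to the owner @{HOME}/ r, rule mentioned in the last reply. The value /home/user for @{HOME}, the sample paths, and the helper names are assumptions; the owner qualifier is not modelled.

```python
import re

HOME = "/home/user"  # assumption: value of @{HOME} for this demo

def aa_glob_to_regex(pattern):
    """Translate a subset of AppArmor path globs to a regex (simplified model).

    '**' crosses '/', while '*' and '?' do not; bracket classes are assumed
    not to match '/'. A trailing '/' denotes a directory path.
    """
    pattern = pattern.replace("@{HOME}", HOME)
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif c == "*":
            out.append("[^/]*"); i += 1
        elif c == "?":
            out.append("[^/]"); i += 1
        elif c == "[":
            end = pattern.index("]", i + 1)
            body = pattern[i + 1:end].replace("\\", "\\\\")
            out.append("[^/" + body[1:] + "]" if body.startswith("^") else "[" + body + "]")
            i = end + 1
        else:
            out.append(re.escape(c)); i += 1
    return re.compile("".join(out))

def allowed(rules, path, perm):
    """True if any (glob, perms) rule grants perm on path."""
    return any(perm in perms and aa_glob_to_regex(glob).fullmatch(path)
               for glob, perms in rules)

LENIENT = [("@{HOME}/[^.]*", "rwl")]  # rule quoted from abstractions/user-download
LISTING = [("@{HOME}/", "r")]         # rule suggested as possibly present in the profile

SAMPLE_PATHS = [                      # constructed sample paths
    "/home/user/",                    # listing the home directory (file names)
    "/home/user/notes.txt",           # non-hidden file directly in home
    "/home/user/.bashrc",             # hidden file directly in home
    "/home/user/Documents/tax.pdf",   # file in a sub folder
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:32} lenient r={allowed(LENIENT, p, 'r')!s:5} "
              f"listing r={allowed(LISTING, p, 'r')}")
```

In this model the quoted rule grants read, write and link on non-hidden files directly in the home folder but not on files in sub folders, and the directory rule alone exposes only the listing of the home folder.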