
How to add another path to tor-browser in AppArmor tor-browser-profile?

Hi!

How can I add another path to tor-browser in AppArmor tor-browser-profile “home.tor-browser.firefox” …

I want this:
/mnt/tor-browser-tmpfs/tor_browser/Browser/start-tor-browser

Must I edit this?
/**/*-browser/Browser/firefox flags=(attach_disconnected) {

If so, what do I have to change it into?

Please help, thanks!


I’d recommend creating a new profile for your second Tor Browser. Just copy the profile to another name in /etc/apparmor.d.

You would need to change /**/*-browser/Browser/firefox to /mnt/tor-browser-tmpfs/tor_browser/Browser/firefox.

After that, reload the profile with apparmor_parser -r /etc/apparmor.d/profile_name, or if you created a new one, enforce it with aa-enforce /etc/apparmor.d/profile_name.

Replace profile_name with the name of the AppArmor profile.


sudo aa-enforce /etc/apparmor.d/tor_browser

ERROR: Values added to a non-existing variable @{HOMEDIRS}: /rw/home/ in tunables/home.d/live-mode

What to do?
Do I edit this?

## Missing in <abstractions/user-download> #######
# Without this line, access is denied to @{HOME},
# [dD]ownload{,s}, Desktop... for downloads.
@{HOME}/ r,
@{HOME}/* r,

If yes, which values?

Related:

You can try this workaround (not tested)


…thanks, I’ll try it out at the weekend.

Removed: /etc/apparmor.d/tunables/home.d/live-mode

Now it’s working with:

#include <tunables/global>

/mnt/tor-browser-tmpfs/tor_browser/Browser/firefox flags=(attach_disconnected) {
    #include <abstractions/base>
    #include <abstractions/fonts>
    ##include <abstractions/kde>
    #include <abstractions/gnome>
    ##include <abstractions/audio>
    ##include <abstractions/user-download>
    #include <abstractions/user-tmp>
    #include <abstractions/X>

    signal,
    signal (send) peer=@{profile_name},

    deny /etc/host.conf r,
    deny /etc/hosts r,
    deny /etc/nsswitch.conf r,
    deny /etc/resolv.conf r,
    deny /etc/passwd r,
    deny /etc/group r,
    deny /etc/udev/udev.conf r,
    deny /etc/mailcap r,
    deny /etc/fstab r,

    deny @{PROC}/[0-9]*/stat r,
    deny @{PROC}/[0-9]*/mountinfo r,
    deny @{PROC}/[0-9]*/task/ r,
    deny @{PROC}/[0-9]*/task/** r,
    deny @{PROC}/sys/kernel/random/uuid r,
    deny @{PROC}/sys/vm/overcommit_memory r,
    deny @{PROC}/[0-9]*/cmdline r,

    /dev/shm/org.chromium.* rw,

    @{PROC}/*/environ r,
    @{PROC}/[0-9]*/status r,
    @{PROC}/[0-9]*/net/route r,
    @{PROC}/[0-9]*/net/arp r,
    @{PROC}/[0-9]*/uid_map rw,
    @{PROC}/[0-9]*/gid_map rw,
    @{PROC}/[0-9]*/setgroups rw,

    ## Added 20/12/2017
    deny @{PROC}/[0-9]*/net/route r,
    deny @{PROC}/[0-9]*/net/arp r,
    /dev/ r,
    /dev/shm/org.chromium.* rwk,

    deny /run/udev/** r,
    deny /sys/devices/** r,

    ## Missing in <abstractions/user-download> #######
    # Without this line, access is denied to @{HOME},
    # [dD]ownload{,s}, Desktop... for downloads.
    #@{HOME}/ r,
    #@{HOME}/* r,
    ##################################################

    ## KDE 4 ##
    #@{HOME}/.kde/share/config/* r,

    ## Xfce4 ##
    #/etc/xfce4/defaults.list r,

    /etc/ld.so.conf.d/ r,
    /etc/ld.so.conf.d/* r,
    /etc/ld.so.conf r,
    /etc/debian_version r,

    /etc/mime.types r,
    #/etc/wildmidi/wildmidi.cfg r, # gstreamer

    ## VPN support.
    /run/resolvconf/resolv.conf r,

    /tmp/MozUpdater/bgupdate/updater rix,

    /usr/bin/ r,
    #/usr/bin/kde4-config rix,
    /usr/bin/lsb_release rix,
    /usr/bin/apt-cache rix,
    /usr/bin/dirname rix,

    /usr/lib/*-linux-gnu/** mrix,
    /usr/lib/python*/lib-dynload/* mr,

    /usr/local/share/applications/ r,
    /usr/local/share/applications/meminfo.cache r,
    /usr/local/share/applications/mimeinfo.cache r,

    /usr/local/lib/python*/dist-packages/ r,
    /usr/local/lib/python*/dist-packages/** r,

    /usr/share/ r,
    /usr/share/mime/ r,
    /usr/share/mime/** r,
    /usr/share/themes/ r,
    /usr/share/themes/** r,
    /usr/share/applications/** rk,
    #/usr/share/xfce4/applications/ r,
    /usr/share/poppler/cMap/ r,
    /usr/share/poppler/cMap/** r,
    /usr/share/libthai/ r,
    /usr/share/glib-2.0/schemas/gschemas.compiled r,
    /usr/share/libthai/** r,
    /usr/share/pyshared/lsb_release.py r,
    /usr/share/distro-info/debian.csv r,

    ## Distribution homepage
    #/usr/share/homepage/ r,
    #/usr/share/homepage/** r,

    #/usr/share/xul-ext/foxyproxy-standard/ r,
    #/usr/share/xul-ext/foxyproxy-standard/** r,

    ## Not in abstractions/fonts ##
    #/usr/share/fontconfig/conf.avail/* r,
    /var/cache/fontconfig/ rk,

    ## For systems used in VirtualBox ##
    deny /var/lib/dbus/machine-id r,
    @{PROC}/[0-9]*/fd/ r,
    /dev/vboxuser rw,
    /bin/ps rix,
    /bin/dash rix,
    #/usr/bin/pulseaudio rix,
}
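An added example, not code from the thread or from the Whonix project: a small Python helper that makes the path change described in the reply above in a copy of the profile, then lints the result for the kinds of slips visible in the profile posted above (a rule block pasted twice, a missing closing brace, a dropped deny rule). SAMPLE_PROFILE, HEADER_RE, rewrite_attachment_path and lint_profile are all constructed here.

```python
import re
from collections import Counter

# Constructed sample modelled on the profile posted in the thread (not the real file):
# the header still carries the generic path and one rule block is pasted twice.
SAMPLE_PROFILE = """#include <tunables/global>

/**/*-browser/Browser/firefox flags=(attach_disconnected) {
    deny /etc/resolv.conf r,
    deny /etc/hosts r,

    ## Added 20/12/2017
    deny @{PROC}/[0-9]*/net/route r,
    /dev/shm/org.chromium.* rwk,

    ## Added 20/12/2017
    deny @{PROC}/[0-9]*/net/route r,
    /dev/shm/org.chromium.* rwk,
}
"""

# Profile header: an unindented path, optional flags=(...), then the opening brace.
HEADER_RE = re.compile(r"^(?P<path>/\S+)(?:\s+flags=\([^)]*\))?\s*\{\s*$", re.M)


def rewrite_attachment_path(profile: str, new_path: str) -> str:
    """Return the profile text with the header's attachment path replaced."""
    m = HEADER_RE.search(profile)
    if m is None:
        raise ValueError("no profile header line found")
    return profile[: m.start("path")] + new_path + profile[m.end("path"):]


def lint_profile(profile: str, required_denies=("/etc/resolv.conf", "/etc/hosts")):
    """Flag unbalanced braces, rules listed twice, and missing deny rules."""
    findings, rules, depth = [], Counter(), 0
    for line in profile.splitlines():
        code = line.split("#", 1)[0].strip()  # drop comments and #include lines
        if not code:
            continue
        depth += code.count("{") - code.count("}")
        if code.endswith(","):  # every AppArmor rule ends with a comma
            rules[code] += 1
    if depth != 0:
        findings.append(f"unbalanced braces: {depth} left open at end of file")
    findings += [f"duplicate rule ({n}x): {r}" for r, n in rules.items() if n > 1]
    for path in required_denies:
        if f"deny {path} r," not in rules:
            findings.append(f"missing rule: deny {path} r,")
    return findings
```

Run apparmor_parser -Q on the rewritten file afterwards; this helper only catches textual slips, not rules the parser would reject.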