The latest TBB profile. I put it here first.
File ‘/etc/apparmor.d/home.user.tor-browser_en-US.Browser.firefox’
# Last Modified: Thu Feb 20 21:22:24 2014
#include <tunables/global>
/home/user/tor-browser_en-US/Browser/firefox {
  #include <abstractions/base>
  #include <abstractions/user-tmp>
  #include <abstractions/bash>
  capability sys_ptrace,
  network,
  network tcp,
  deny /etc/host.conf r,
  deny /etc/hosts r,
  deny /etc/nsswitch.conf r,
  deny /etc/resolv.conf r,
  deny @{HOME}/.config/user-dirs.dirs r,
  deny @{HOME}/.gtk-bookmarks r,
  deny @{HOME}/.local/share/recently-used.xbel* rw,
  /bin/dash rix,
  /bin/open rix,
  /bin/ps rix,
  /dev/dri/card0 rw,
  /dev/vboxuser rw,
  /dev/tty r,
  /etc/drirc r,
  /etc/X11/cursors/* r,
  /etc/fonts/** r,
  /etc/mime.types r,
  /etc/mailcap r,
  deny /etc/passwd r,
  deny /etc/resolv.conf.whonix r,
  deny /etc/hosts.whonix r,
  owner @{HOME}/tor-browser_en-US/.mozilla/ w,
  owner @{HOME}/tor-browser_en-US/.mozilla/*/ w,
  owner @{HOME}/tor-browser_en-US/Browser/** r,
  owner @{HOME}/tor-browser_en-US/Browser/*.so mr,
  owner @{HOME}/tor-browser_en-US/Browser/browser/components/*.so mr,
  owner @{HOME}/tor-browser_en-US/Browser/components/*.so mr,
  owner @{HOME}/tor-browser_en-US/Browser/firefox rix,
  owner @{HOME}/tor-browser_en-US/Data/Browser/ r,
  owner @{HOME}/tor-browser_en-US/Data/Browser/** rwk,
  owner @{HOME}/tor-browser_en-US/Desktop/ rw,
  owner @{HOME}/tor-browser_en-US/Desktop/** rw,
  owner @{HOME}/tor-browser_en-US/Downloads/ rw,
  owner @{HOME}/tor-browser_en-US/Downloads/** rw,
  owner @{HOME}/tor-browser_en-US/Tor/tor Px,
  ## Authentication for user. Probably required with Gnome.
  deny /run/gdm3/** r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/* r,
  /tmp/.X0-lock r,
  ## Looks like an nvidia audio driver. Hardware dependent.
  deny /usr/lib/i386-linux-gnu/dri/swrast_dri.so m,
  ## Alphabets libraries.
  /usr/lib/i386-linux-gnu/pango/1.6.0/modules/* m,
  /usr/share/ r,
  /usr/share/fonts/ r,
  /usr/share/fonts/** r,
  /usr/share/icons/ r,
  /usr/share/icons/** r,
  deny /usr/share/mime/ r,
  deny /usr/share/mime/** r,
  /usr/share/pixmaps/ r,
  /usr/share/pixmaps/** r,
  /usr/share/themes/ r,
  /usr/share/themes/** r,
  ## Desktop environment dependent.
  deny /usr/share/applications/** r,
  /var/cache/fontconfig/* r,
  /var/lib/dbus/machine-id r,
  ## In 'Edit/Preferences', set 'Saves files to' -> 'Downloads'.
  owner @{HOME}/Downloads/* rw,
  owner @{HOME}/.Xauthority r,
  deny owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.icons/ r,
  owner @{HOME}/.icons/** r,
  owner @{HOME}/.local/share/icons/ r,
  owner @{HOME}/.themes/** r,
  deny owner @{HOME}/.local/share/gvfs-metadata/home r,
  owner @{HOME}/.cache/ r,
  owner @{HOME}/.cache/* rwk,
  @{PROC} r,
  @{PROC}/[0-9]*/maps r,
  ## The [0-9]* glob covers every PID, so no per-PID /proc/<pid>/ rule is needed.
  deny @{PROC}/[0-9]*/mounts r,
  deny @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/[0-9]*/task/*/stat r,
  @{PROC}/cpuinfo r,
  @{PROC}/filesystems r,
  @{PROC}/meminfo r,
  @{PROC}/stat r,
  @{PROC}/sys/kernel/pid_max r,
  @{PROC}/uptime r,
}
I believe it is not too lax as is. I have used it for a few days. There will certainly be some situations when it will flash some denied messages, so the more people use it, the better the testing.
The procedure to enforce the profile:
- Copy/paste the code in kwrite.
- Save the file as ‘home.user.tor-browser_en-US.Browser.firefox’
- Copy the file into ‘/etc/apparmor.d’
- ‘sudo chown root:root /etc/apparmor.d/home.user.tor-browser_en-US.Browser.firefox’
- ‘sudo chmod +x /etc/apparmor.d/home.user.tor-browser_en-US.Browser.firefox’
- ‘sudo aa-enforce /etc/apparmor.d/home.user.tor-browser_en-US.Browser.firefox’
Start the Tor browser.
‘sudo aa-status’ should output
AppArmor available in kernel.
2 profiles are loaded.
2 profiles are in enforce mode.
/*
/home/user/tor-browser_en-US/Browser/firefox
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
/home/user/tor-browser_en-US/Browser/firefox (5735)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
You should see more info there, as I have cleaned the ‘apparmor.d’ directory to leave only the profile under test. AppArmor loads some profiles by default.
Adrelanos, a problem I can foresee. In Whonix, TBB is installed in ‘/home/user’, the default home directory. If a user decides to change this to his name or whatever, and I am sure some do, then he would have to modify the profile.
Radostan Riedel, the author of the profile I have based mine on, installs TBB in ‘/opt’. That seems to be a fair move, as it refers to a non-modifiable location.
Before linking the profile in the wiki, perhaps I should wait for more testing?
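An added example, not code from this post or from Whonix: a small Python linter for the checks worth making on a profile like the one above before handing it to aa-enforce. It flags rules pinned to one PID (the kind aa-logprof leaves behind as /proc/<pid>/...), rules missing their trailing comma, unbalanced braces, and an attachment path under /home/, which is the portability problem raised above; it also derives the /etc/apparmor.d file name from the attachment path using the naming seen at the top of this post. The profile text inside it is a constructed excerpt with two seeded defects, and the plain `/path {` attachment syntax is assumed.

```python
import re

# Constructed excerpt of the profile discussed above, with two seeded
# defects: a rule pinned to PID 9881 and a rule missing its trailing comma.
PROFILE = """\
#include <tunables/global>
/home/user/tor-browser_en-US/Browser/firefox {
  #include <abstractions/base>
  capability sys_ptrace,
  deny /proc/9881/mountinfo r,
  deny @{PROC}/[0-9]*/mountinfo r,
  /dev/tty r
  owner @{HOME}/tor-browser_en-US/Tor/tor Px,
}
"""

# Assumes the plain "/path {" attachment form used by this profile.
ATTACH_RE = re.compile(r"^(/\S+)\s*\{$")
PID_RULE_RE = re.compile(r"^(?:deny\s+|owner\s+)*/proc/\d+/")

def profile_filename(attach_path):
    """Conventional /etc/apparmor.d file name for an attachment path:
    drop the leading '/' and turn every other '/' into '.'."""
    return attach_path.lstrip("/").replace("/", ".")

def lint_profile(text):
    """Return (line_number, message) findings for the checks a reviewer
    would make before enforcing the profile."""
    findings, depth, attach = [], 0, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines, comments and #include lines are not checked
        m = ATTACH_RE.match(line)
        if m:
            attach, depth = (m.group(1), no), depth + 1
            continue
        if line == "}":
            depth -= 1
            continue
        if PID_RULE_RE.match(line):
            findings.append((no, "rule pins one PID; use @{PROC}/[0-9]*/ instead"))
        if not line.endswith(","):
            findings.append((no, "rule is missing its trailing comma"))
    if depth != 0:
        findings.append((0, "unbalanced braces"))
    if attach and attach[0].startswith("/home/"):
        findings.append((attach[1], "attachment path hard-codes /home/<user>; "
                                    "edit it if TBB is installed elsewhere"))
    return findings
```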