## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Begin Tor Local AppArmor Profile for Anonymity Distributions

#### meta start
#### project Whonix
#### category tor and security
#### gateway_only yes
#### description
## Local AppArmor Profile for Anonymity Distributions
##
## AUDIT desired.
#### meta end

## Workaround for: config-package-dev clashes with AppArmor profiles
## https://github.com/Whonix/Whonix/issues/66

## A profile /etc/apparmor.d/anondist could not cover the system_tor
## profile, since that is enforced by the Tor systemd unit file.
## https://github.com/Whonix/Whonix/issues/67

  ## Anonymity Distributions
  /etc/hosts.anondist r,
  /etc/resolv.conf.anondist r,
  /etc/resolv.conf.whonix r,
  /run/tor r,
  /run/tor/log rwk,

## Add permissions for obfsproxy.
## AUDIT:
## These profile rules may be too permissive. Needs audit and someone dedicated
## to work on AppArmor profiles. It's not a serious security issue in any case,
## because AppArmor isn't enabled by default in Debian stretch yet and little
## work is being done on it at time of writing. So it's a lax AppArmor profile
## versus no AppArmor at all.

  ## anon-connection-wizard
  /etc/ r,
  /etc/torrc.d/ r,
  /etc/torrc.d/* rw,

  /usr/local/etc/torrc.d/ r,
  /usr/local/etc/torrc.d/* rw,

  ## obfsproxy
  /usr/local/lib/python*/** r,
  /var/log/tor/log rw,
  /dev/urandom r,
  /dev/random r,
  /usr/** r,
  /etc/python*/sitecustomize.py r,
  ## https://forums.whonix.org/t/after-last-apt-get-upgrade-gateway-doesnt-connect-to-tor-anymore
  #/usr/bin/obfsproxy rix,

  ## snowflake
  ## Nowadays already done in upstream /etc/apparmor.d/abstractions/tor file.
  #/usr/bin/snowflake-client ix,

## End Tor Local AppArmor Profile for Anonymity Distributions