Confining Tor Browser Bundle with AppArmor?

I usually start TBB by double-clicking /tor-browser_en-US/start-tor-browser.desktop, or by running /tor-browser_en-US/start-tor-browser/start-tor-browser in Konsole. Is that OK? Is that the correct path to use as the function name in the AppArmor profile?

I’m not aware that an official TBB needs to be secured (who knows what you’re running if it’s not an official release).

TBB is a completely self-contained package of everything it needs, and shouldn’t require or use any other files on your machine.

If you want further isolation for whatever reason, I’d recommend running it in a virtualized or container environment.

TSU

TBB couldn’t grant access to some files if it is confined. Why don’t aa-autodep and aa-genprof work for TBB? Are any executed files out of confinement?

What’s wrong with this AppArmor profile?

#include <tunables/global>

/home/alxso/tor-browser_en-US/start-tor-browser.desktop {
  #include <abstractions/base>
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-session>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/kde>

  /** r,
  deny /home/** r,
  /home/alxso/tor-browser_en-US/** rwx,
}

Should I replace the profiled program name, and what is it?
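
Two properties of the profile posted above can be checked mechanically: AppArmor deny rules take precedence over allow rules, and an `x` permission in an allow rule needs an exec qualifier such as `ix` or `px`. The Python sketch below is an added example, not part of the original thread; the `lint` function, its finding labels and the simplified rule and glob parsing (only `*` and `**`, one representative path per rule) are assumptions made for illustration.

```python
import re

# The file rules from the profile posted above, embedded as sample input.
PROFILE = """\
/** r,
deny /home/** r,
/home/alxso/tor-browser_en-US/** rwx,
"""

# Simplified rule shape: optional "deny", an absolute path glob, a mode string.
RULE = re.compile(r"^\s*(deny\s+)?(/\S*)\s+([a-zA-Z]+),\s*$")

def glob_to_regex(glob):
    """Translate the '*' and '**' globs only (other glob syntax is ignored)."""
    out = ""
    for part in re.split(r"(\*\*|\*)", glob):
        out += ".*" if part == "**" else "[^/]*" if part == "*" else re.escape(part)
    return re.compile(out + r"\Z")

def lint(profile):
    """Return (line_number, finding) pairs for the allow rules in a profile."""
    rules, findings = [], []
    for n, line in enumerate(profile.splitlines(), 1):
        m = RULE.match(line)
        if m:
            rules.append((n, bool(m.group(1)), m.group(2), m.group(3)))
    denies = [(n, glob_to_regex(p), set(mode)) for n, d, p, mode in rules if d]
    for n, is_deny, path, mode in rules:
        if is_deny:
            continue
        # Strip qualified exec modes (ix, px, Cx, ux, pix, ...); a leftover
        # 'x' is unqualified, which is only accepted in deny rules.
        if "x" in re.sub(r"[pPcCuUiI]+x", "", mode):
            findings.append((n, "bare-x"))
        if path == "/**":
            findings.append((n, "whole-filesystem"))
        # Heuristic: test one representative path covered by the allow glob.
        sample = path.replace("**", "a/b").replace("*", "a")
        for dn, rx, dmode in denies:
            if rx.match(sample) and dmode & set(mode):
                findings.append((n, "shadowed-by-deny-line-%d" % dn))
    return findings

if __name__ == "__main__":
    for line_no, finding in lint(PROFILE):
        print("rule line %d: %s" % (line_no, finding))
```

For the posted rules, this reports that `/** r` covers the whole filesystem, that `rwx` carries an unqualified `x`, and that `deny /home/** r` removes the read access the last rule tries to grant to the Tor Browser directory.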