
[tor-commits] [Git][tpo/applications/torbrowser-launcher][main] 5 commits: AppArmor: allow unprivileged user namespaces




intrigeri pushed to branch main at The Tor Project / Applications / torbrowser-launcher

Commits:

  • 692e28a1
    by intrigeri at 2025-03-18T13:49:53+00:00
    AppArmor: allow unprivileged user namespaces
    
    Firefox uses userns to set up its own sandboxing.
    
    On Debian, AppArmor was already allowing this by default, until a recent
    upload (that is now in Trixie) updated the features pinning to a version that
    now mediates usage of userns, so this functionality is now blocked by profiles
    that don't explicitly allow it. Let's repair this.
    
    Also reported as Debian#1098845.
    
  • 91db109a
    by intrigeri at 2025-03-18T14:02:01+00:00
    AppArmor: allow reading cgroups-v2 CPU bandwidth quota information
    
    Firefox uses this info to determine how many CPUs the current thread actually
    has access to, which seems like a reasonable thing to do for an app like Firefox
    which manages a bunch of child processes. The call chain is: get_num_cpus →
    cgroups_num_cpus → init_cgroups → load_cgroups → cpu_quota → max → "cpu.max".
    
  • 7772a1ea
    by intrigeri at 2025-03-18T14:15:17+00:00
    AppArmor: allow executing Firefox's own VA-API probe utility
    
    This is necessary for Tor Browser to determine if VA-API is supported by the
    host system, which in turn is needed to enable video hardware decoding.
    
  • 9eb8686d
    by intrigeri at 2025-03-18T14:18:41+00:00
    AppArmor: allow reading intel-media-driver feature files
    
    Firefox reads these files when it runs the vaapitest tool and the VAAPI driver
    for the Intel GEN8+ Graphics family is installed.
    
  • 479b8f53
    by intrigeri at 2025-03-18T17:00:32+00:00
    Merge branch 'AppArmor-updates-for-current-Debian' into 'main'
    
    AppArmor: various updates including 1 important fix for Debian Trixie
    
    See merge request tpo/applications/torbrowser-launcher!24

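The four rules in this series each answer a specific AppArmor denial (userns creation, a cgroup cpu.max read, executing vaapitest, reading the intel-media-driver feature file). As an added example, not code from torbrowser-launcher or from the commit author, the script below does the mapping from DENIED audit records to candidate profile rules that a maintainer otherwise does by hand (or with aa-logprof). The log lines are constructed to resemble such denials, the expansion of @{torbrowser_home_dir} in EXAMPLE_VARIABLES is an assumed value, and the widening of numeric cgroup path components to [0-9]* is a heuristic of this example, not AppArmor's.

```python
"""Derive candidate AppArmor rules from DENIED audit records.

Added example, not part of torbrowser-launcher: SAMPLE_LOG is constructed
to resemble the denials fixed by the commits above, and EXAMPLE_VARIABLES
is an assumed expansion of the profile's @{torbrowser_home_dir}.
"""
import re

# Constructed sample records (not captured from a real system).
SAMPLE_LOG = """\
audit: type=1400 apparmor="DENIED" operation="userns_create" class="namespace" profile="torbrowser_firefox" pid=4242 comm="firefox" requested="userns_create" denied="userns_create"
audit: type=1400 apparmor="DENIED" operation="open" class="file" profile="torbrowser_firefox" name="/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/app-gnome-torbrowser-4242.scope/cpu.max" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 apparmor="DENIED" operation="exec" class="file" profile="torbrowser_firefox" name="/home/user/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/vaapitest" pid=4243 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
audit: type=1400 apparmor="DENIED" operation="open" class="file" profile="torbrowser_firefox" name="/etc/igfx_user_feature.txt" pid=4244 comm="vaapitest" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 apparmor="ALLOWED" operation="open" class="file" profile="torbrowser_firefox" name="/etc/passwd" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Assumed value; the real profile defines @{torbrowser_home_dir} itself.
EXAMPLE_VARIABLES = {
    "@{torbrowser_home_dir}": "/home/user/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser",
}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Split one audit line into its key=value fields (quoted or bare)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def _substitute(path, variables):
    """Replace a known directory prefix with its profile variable."""
    for var, prefix in variables.items():
        if path == prefix or path.startswith(prefix + "/"):
            return var + path[len(prefix):]
    return path


def _generalize(path):
    """Heuristic of this example: uid and pid components of cgroup paths
    change per session, so widen digit runs under /sys/fs/cgroup/ to the
    AppArmor glob [0-9]* (which, like *, does not cross a '/')."""
    if path.startswith("/sys/fs/cgroup/"):
        return re.sub(r"\d+", "[0-9]*", path)
    return path


def _file_perms(mask):
    """Order the denied permission letters as AppArmor expects; a denied
    exec becomes ix (inherit this profile), the least intrusive transition."""
    perms = "".join(p for p in "rwmkl" if p in mask)
    if "x" in mask:
        perms += "ix"
    return perms


def suggest_rules(log_text, variables=None):
    """Return sorted candidate rules for every DENIED record in log_text,
    one rule per (owner, path) with the denied masks merged."""
    variables = variables or {}
    namespace_rules = set()
    file_rules = {}  # (owner-scoped?, path) -> set of permission letters
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED":
            continue  # ALLOWED (complain-mode) and unrelated lines need no rule
        if rec.get("operation") == "userns_create" or rec.get("class") == "namespace":
            # create is the only userns permission AppArmor mediates, so the
            # bare rule is the whole grant.
            namespace_rules.add("userns,")
        elif rec.get("class") == "file" and "name" in rec:
            path = _generalize(_substitute(rec["name"], variables))
            # When the file belongs to the accessing user (fsuid == ouid) an
            # owner-scoped rule suffices and is the tighter grant.
            owner = "fsuid" in rec and rec["fsuid"] == rec.get("ouid")
            file_rules.setdefault((owner, path), set()).update(rec.get("denied_mask", ""))
    rules = sorted(namespace_rules)
    for (owner, path), mask in sorted(file_rules.items()):
        rules.append(f"{'owner ' if owner else ''}{path} {_file_perms(mask)},")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG, EXAMPLE_VARIABLES):
        print(rule)
```

Run against the constructed log it emits the same four grants the diff below adds, with the cgroup path already widened to the `[0-9]*` form. Treat the output as a starting point for review, not as rules to paste: the exec rule defaults to `ix`, and a helper that needs far less than the parent profile is better given its own child profile.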
1 changed file:

Changes:

  • apparmor/torbrowser.Browser.firefox
    ... ... @@ -13,6 +13,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
    13 13
       #include if exists <abstractions/vulkan>
    
    14 14
       #include if exists <abstractions/dbus-session-strict>
    
    15 15
     
    
    16
    +  userns,
    
    17
    +
    
    16 18
       deny capability sys_ptrace,
    
    17 19
     
    
    18 20
       # Uncomment the following lines if you want to give the Tor Browser read-write
    
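Review bot: the bare `userns,` rule at line 16 is a keyword that older apparmor_parser releases do not recognise, and an unknown rule type makes the parser reject the whole file, so on a host whose parser predates userns mediation the outcome is not "one rule ignored" but no torbrowser_firefox profile loaded at all. Please confirm the packaging's apparmor dependency (or the Debian features pinning the commit message refers to) guarantees a parser that accepts the rule, or bump the minimum version explicitly. A one-line comment above the rule stating why it is needed (Firefox's own userns-based sandbox) would also help, since the neighbouring `deny capability sys_ptrace,` shows this profile otherwise tries to keep process-level escape surface small and a reader may wonder why unprivileged user namespaces are being opened up.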
    ... ... @@ -94,6 +96,10 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
    94 96
       owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
    
    95 97
       owner @{torbrowser_home_dir}/TorBrowser/Tor/libstdc++/*.so mr,
    
    96 98
       owner @{torbrowser_home_dir}/TorBrowser/Tor/libstdc++/*.so.* mr,
    
    99
    +  owner @{torbrowser_home_dir}/vaapitest ix,
    
    100
    +
    
    101
    +  # intel-media-driver
    
    102
    +  /etc/igfx_user_feature*.txt r,
    
    97 103
     
    
    98 104
       # parent Firefox process when restarting after upgrade, Web Content processes
    
    99 105
       owner @{torbrowser_firefox_executable} pxmr -> torbrowser_firefox,
    
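Review bot: `owner @{torbrowser_home_dir}/vaapitest ix,` at line 99 runs the probe inside the full torbrowser_firefox profile, so a helper whose job is to open the render device and load the VA-API driver inherits everything the browser may do, including the userns grant added earlier in this series and every file and network right the profile carries. A child profile via `cx` limited to the DRM node, the driver libraries and the `/etc/igfx_user_feature*.txt` read would bound it; if `ix` is kept deliberately, a comment saying so will stop it being tightened later without thought. Separately, the `# intel-media-driver` rule at lines 101-102 is placed in the middle of the `TorBrowser/Tor/*.so` library rules; it reads better next to the other host-side driver and `/sys` reads further down, where the next person hunting for graphics-related rules will look.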
    ... ... @@ -121,6 +127,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
    121 127
       /sys/devices/system/node/ r,
    
    122 128
       /sys/devices/system/node/node[0-9]*/meminfo r,
    
    123 129
       /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_quota_us r,
    
    130
    +  /sys/fs/cgroup/user.slice/user-[0-9]*.slice/user@[0-9]*.service/app.slice/app-gnome-torbrowser-[0-9]*.scope/cpu.max r,
    
    124 131
       deny /sys/class/input/ r,
    
    125 132
       deny /sys/devices/virtual/block/*/uevent r,
    
    126 133
     
    
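Review bot: the `cpu.max` path at line 130 is pinned to GNOME's `app-gnome-torbrowser-[0-9]*.scope` naming, so the quota read is allowed only when the browser is started through the launcher's GNOME .desktop entry; a start from a terminal, from another desktop environment, or from a differently named .desktop file lands in a differently named scope and the read is denied again, with a fresh audit line per launch. Since `cpu.max` exposes nothing but the quota, a read-only glob over the user hierarchy such as `/sys/fs/cgroup/user.slice/**/cpu.max r,` would cover those cases without widening what is granted, and would be consistent with the `{,user.slice/}` alternation the cgroups-v1 rule on line 123 already uses.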

  • _______________________________________________
    tor-commits mailing list -- tor-commits@xxxxxxxxxxxxxxxxxxxx
    To unsubscribe send an email to tor-commits-leave@xxxxxxxxxxxxxxxxxxxx