[tor-commits] [Git][tpo/applications/torbrowser-launcher][main] 8 commits: Fix path variables in AppArmor profile

["boklm \(@boklm\) via tor-commits" <tor-commits@xxxxxxxxxxxxxxxxxxxx>]

Title: GitLab

boklm pushed to branch main at The Tor Project / Applications / torbrowser-launcher

Commits:

• 6ec48451
  by Fei1Yang at 2023-09-21T08:40:50+00:00

  Fix path variables in AppArmor profile
  

• 629493a6
  by anonym at 2023-09-28T15:06:51+02:00

  AppArmor: allow executing glxtest
  
  This "Firefox OpenGL probe utility" was added in Tor Browser 13.
  

• 41f20588
  by anonym at 2023-09-28T15:07:16+02:00

  AppArmor: allow reading/writing to /proc/PID/oom_score_adj
  
  Firefox adjusts the OOM scores of its processes so that if they are
  reaped they are killed in a sane order, e.g. the parent process last.
  
  Source: hal/linux/LinuxProcessPriority.cpp
  

• b257da03
  by anonym at 2023-09-28T15:08:01+02:00

  AppArmor: give read access to proc info about which command the browser's threads use
  

• 29e1fe41
  by anonym at 2023-09-28T15:08:17+02:00

  AppArmor: silence denial of sys_ptrace capability
  
  We already allow ptrace for its relevant subprocesses via ptrace
  rules, and I'm unsure if the full capability is really needed. I see
  lots of other profiles which have ptrace rules without the capability
  so I guess not. And I wonder if allowing the capability allows ptrace
  for arbitrary processes, which would be really bad.
  
  So let's assume it's not needed and we'll see what happens.
  

• b80e0078
  by anonym at 2023-09-28T15:08:58+02:00

  AppArmor: silence denial to read /sys/class/input/
  
  It is unclear to me what this is about.
  

• 25ebbe67
  by intrigeri at 2023-10-04T11:13:50+02:00

  Merge pull request #702 from Fei1Yang/apparmor-path
  
  Fix path variables in AppArmor profile

• 4652b442
  by intrigeri at 2023-10-04T11:25:46+02:00

  Merge pull request #709 from anonym/tor-browser-13.0
  
  Adapt AppArmor profile for Tor browser 13.0

3 changed files:

• apparmor/torbrowser.Browser.firefox
• apparmor/torbrowser.Tor.tor
• apparmor/tunables/torbrowser

Changes:

apparmor/torbrowser.Browser.firefox

---

1	1	#include <tunables/global>
2	2	#include <tunables/torbrowser>
3	3
4		-@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real
	4	+@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/Browser/firefox.real
5	5
6	6	profile torbrowser_firefox @{torbrowser_firefox_executable} {
7	7	#include <abstractions/audio>
...	...	@@ -12,6 +12,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
12	12	#include <abstractions/opencl>
13	13	#include if exists <abstractions/vulkan>
14	14
	15	+ deny capability sys_ptrace,
	16	+
15	17	# Uncomment the following lines if you want to give the Tor Browser read-write
16	18	# access to most of your personal files.
17	19	# #include <abstractions/user-download>
...	...	@@ -46,10 +48,13 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
46	48	owner @{PROC}/@{pid}/environ r,
47	49	owner @{PROC}/@{pid}/fd/ r,
48	50	owner @{PROC}/@{pid}/mountinfo r,
	51	+ owner @{PROC}/@{pid}/oom_score_adj rw,
49	52	owner @{PROC}/@{pid}/smaps r,
50	53	owner @{PROC}/@{pid}/stat r,
51	54	owner @{PROC}/@{pid}/statm r,
52	55	owner @{PROC}/@{pid}/status r,
	56	+ owner @{PROC}/@{pid}/task/ r,
	57	+ owner @{PROC}/@{pid}/task/*/comm r,
53	58	owner @{PROC}/@{pid}/task/*/stat r,
54	59	@{PROC}/sys/kernel/random/uuid r,
55	60
...	...	@@ -70,6 +75,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
70	75	owner @{torbrowser_home_dir}/Downloads/ rwk,
71	76	owner @{torbrowser_home_dir}/Downloads/** rwk,
72	77	owner @{torbrowser_home_dir}/firefox rix,
	78	+ owner @{torbrowser_home_dir}/glxtest ix,
73	79	owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/* rw,
74	80	owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/{,MozUpdater/bgupdate/}updater ix,
75	81	owner @{torbrowser_home_dir}/updater ix,
...	...	@@ -111,6 +117,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
111	117	/sys/devices/system/node/ r,
112	118	/sys/devices/system/node/node[0-9]*/meminfo r,
113	119	/sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_quota_us r,
	120	+ deny /sys/class/input/ r,
114	121	deny /sys/devices/virtual/block/*/uevent r,
115	122
116	123	# Should use abstractions/gstreamer instead once merged upstream

apparmor/torbrowser.Tor.tor

---

1	1	#include <tunables/global>
2	2	#include <tunables/torbrowser>
3	3
4		-@{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/tor
	4	+@{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/Browser/TorBrowser/Tor/tor
5	5
6	6	profile torbrowser_tor @{torbrowser_tor_executable} {
7	7	#include <abstractions/base>

apparmor/tunables/torbrowser

---

1		-@{torbrowser_installation_dir}=@{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*
	1	+@{torbrowser_installation_dir}=@{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser
2	2	@{torbrowser_home_dir}=@{torbrowser_installation_dir}/Browser

—
View it on GitLab.
You're receiving this email because of your account on gitlab.torproject.org. Manage all notifications · Help

_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits