
[tor-commits] [Git][tpo/applications/torbrowser-launcher][main] 8 commits: Fix path variables in AppArmor profile




boklm pushed to branch main at The Tor Project / Applications / torbrowser-launcher

Commits:

  • 6ec48451
    by Fei1Yang at 2023-09-21T08:40:50+00:00
    Fix path variables in AppArmor profile
    
  • 629493a6
    by anonym at 2023-09-28T15:06:51+02:00
    AppArmor: allow executing glxtest
    
    This "Firefox OpenGL probe utility" was added in Tor Browser 13.
    
  • 41f20588
    by anonym at 2023-09-28T15:07:16+02:00
    AppArmor: allow reading/writing to /proc/PID/oom_score_adj
    
    Firefox adjusts the OOM scores of its processes so that if they are
    reaped they are killed in a sane order, e.g. the parent process last.
    
    Source: hal/linux/LinuxProcessPriority.cpp
    
  • b257da03
    by anonym at 2023-09-28T15:08:01+02:00
    AppArmor: give read access to proc info about which command the browser's threads use
    
  • 29e1fe41
    by anonym at 2023-09-28T15:08:17+02:00
    AppArmor: silence denial of sys_ptrace capability
    
    We already allow ptrace for its relevant subprocesses via ptrace
    rules, and I'm unsure if the full capability is really needed. I see
    lots of other profiles which have ptrace rules without the capability
    so I guess not. And I wonder if allowing the capability allows ptrace
    for arbitrary processes, which would be really bad.
    
    So let's assume it's not needed and we'll see what happens.
    
  • b80e0078
    by anonym at 2023-09-28T15:08:58+02:00
    AppArmor: silence denial to read /sys/class/input/
    
    It is unclear to me what this is about.
    
  • 25ebbe67
    by intrigeri at 2023-10-04T11:13:50+02:00
    Merge pull request #702 from Fei1Yang/apparmor-path
    
    Fix path variables in AppArmor profile
  • 4652b442
    by intrigeri at 2023-10-04T11:25:46+02:00
    Merge pull request #709 from anonym/tor-browser-13.0
    
    Adapt AppArmor profile for Tor Browser 13.0

3 changed files:

Changes:

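--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -1,7 +1,7 @@
 #include <tunables/global>
 #include <tunables/torbrowser>
 
-@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real
+@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/Browser/firefox.real
 
 profile torbrowser_firefox @{torbrowser_firefox_executable} {
   #include <abstractions/audio>
@@ -12,6 +12,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   #include <abstractions/opencl>
   #include if exists <abstractions/vulkan>
 
+  deny capability sys_ptrace,
+
   # Uncomment the following lines if you want to give the Tor Browser read-write
   # access to most of your personal files.
   # #include <abstractions/user-download>
@@ -46,10 +48,13 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   owner @{PROC}/@{pid}/environ r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/oom_score_adj rw,
   owner @{PROC}/@{pid}/smaps r,
   owner @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/statm r,
   owner @{PROC}/@{pid}/status r,
+  owner @{PROC}/@{pid}/task/ r,
+  owner @{PROC}/@{pid}/task/*/comm r,
   owner @{PROC}/@{pid}/task/*/stat r,
   @{PROC}/sys/kernel/random/uuid r,
 
@@ -70,6 +75,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   owner @{torbrowser_home_dir}/Downloads/ rwk,
   owner @{torbrowser_home_dir}/Downloads/** rwk,
   owner @{torbrowser_home_dir}/firefox rix,
+  owner @{torbrowser_home_dir}/glxtest ix,
   owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/* rw,
   owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/{,MozUpdater/bgupdate/}updater ix,
   owner @{torbrowser_home_dir}/updater ix,
@@ -111,6 +117,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   /sys/devices/system/node/ r,
   /sys/devices/system/node/node[0-9]*/meminfo r,
   /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_quota_us r,
+  deny /sys/class/input/ r,
   deny /sys/devices/virtual/block/*/uevent r,
 
   # Should use abstractions/gstreamer instead once merged upstream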

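--- a/apparmor/torbrowser.Tor.tor
+++ b/apparmor/torbrowser.Tor.tor
@@ -1,7 +1,7 @@
 #include <tunables/global>
 #include <tunables/torbrowser>
 
-@{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/tor
+@{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/Browser/TorBrowser/Tor/tor
 
 profile torbrowser_tor @{torbrowser_tor_executable} {
   #include <abstractions/base>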

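--- a/apparmor/tunables/torbrowser
+++ b/apparmor/tunables/torbrowser
@@ -1,2 +1,2 @@
-@{torbrowser_installation_dir}=@{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*
+@{torbrowser_installation_dir}=@{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser
 @{torbrowser_home_dir}=@{torbrowser_installation_dir}/Browser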
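Review bot: Dropping the `_*` suffix here (and from the two executable attachment paths in apparmor/torbrowser.Browser.firefox and apparmor/torbrowser.Tor.tor) narrows what the profiles attach to, and the failure mode is silent: a browser or tor binary still launched from a directory matching the old `tor-browser_*` name would presumably match no profile and run unconfined rather than be blocked. That is worth a comment above the variable so the next path change is made with that in mind, e.g. `# Must match the launcher's install directory exactly; a binary outside this path is not confined by these profiles`. Whether any launcher code path still uses the suffixed name is not visible in this commit.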
