[tor-commits] [Git][tpo/applications/torbrowser-launcher][main] 2 commits: Update/Add Additional Abstractions for AppArmor

asciiwolf pushed to branch main at The Tor Project / Applications / torbrowser-launcher

Commits:

  • e049fdcc
    by Thomas Ward at 2024-10-05T10:14:32+00:00
    Update/Add Additional Abstractions for AppArmor
    
  • 851ff330
    by asciiwolf at 2024-10-05T10:14:32+00:00
    There are two abstraction sets added.
    
    - The first is D-Bus session abstractions.
    
    There are D-Bus denies for opening dialog boxes and file open boxes, which need D-Bus abstractions to access the user sessions. Fixed by including abstractions/dbus-session (which also implicitly imports abstractions/dbus-session-strict for systemd user sessions) in the AppArmor rules, if the abstractions exist.
    
    The abstractions/dbus-session rule also requires adding an AppArmor owner rule for the ~/.cache/ibus/dbus-* socket. Otherwise, keyboard input will stop working.
    
    - The second is X abstractions.
    
    Observed initially in #588, systems that do NOT have GNOME installed on them, such as Lubuntu which uses LXQt and has ZERO GNOME components, will have issues accessing X11 sockets.
    
    In such systems, the implied abstractions/gnome already part of the AppArmor profile does not exist. Therefore, AppArmor will not import abstractions/gnome, which includes the X abstractions, because the GNOME abstractions definition does not exist.
    
    In such cases, components of the UI will not properly function with dialog boxes. This is why this is separately and explicitly required, despite GNOME abstractions including X abstractions.

1 changed file:

Changes:

  • apparmor/torbrowser.Browser.firefox
    ... ... @@ -11,6 +11,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
    11 11
       #include <abstractions/mesa>
    
    12 12
       #include <abstractions/opencl>
    
    13 13
       #include if exists <abstractions/vulkan>
    
    14
    +  #include if exists <abstractions/dbus-session>
    
    15
    +  #include if exists <abstractions/X>
    
    14 16
     
    
    15 17
       deny capability sys_ptrace,
    
    16 18
     
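
    Review bot: `abstractions/dbus-session` is broad: beyond the strict socket rules it pulls in, it grants the profile unrestricted send/receive on the session bus to any peer, which is more than the dialog and file-chooser denials described in the commit message require. If those denials name specific interfaces, a scoped `dbus (send, receive) bus=session ...` rule would keep least privilege; if the broad abstraction is intentional, a comment next to the include saying so, and noting that `abstractions/X` is listed explicitly because `abstractions/gnome` is absent on non-GNOME systems, would stop a later cleanup from dropping either line. `#include if exists` matches the existing `<abstractions/vulkan>` line, so no new parser-version requirement is introduced, but it also means that on a system lacking these abstraction files the profile silently stays in the state described in #588.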
    
    ... ... @@ -26,6 +28,9 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
    26 28
       network netlink raw,
    
    27 29
       network tcp,
    
    28 30
     
    
    31
    +  # ibus socket
    
    32
    +  owner @{HOME}/.cache/ibus/dbus-* rw,
    
    33
    +
    
    29 34
       ptrace (trace) peer=@{profile_name},
    
    30 35
       signal (receive, send) set=("term") peer=@{profile_name},
    
    31 36
     
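
    Review bot: the `# ibus socket` comment should say why the rule exists, since the commit message explains it is required once `abstractions/dbus-session` is included and that without it keyboard input stops; a reader of the profile alone cannot recover that, e.g. `# ibus socket: needed with abstractions/dbus-session, otherwise keyboard input breaks`. The rule itself is appropriately narrow: `owner` limits it to files owned by the profile's uid, and `*` in AppArmor does not cross `/`, so only the socket files directly under `~/.cache/ibus/` match. If the target AppArmor version ships an ibus abstraction, `#include if exists <abstractions/ibus>` would keep this in step with the optional-include style used elsewhere in the profile.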
    
