[Pkg-privacy-commits] [Git][pkg-privacy-team/torbrowser-launcher][debian/sid] 2 commits: Make lintian slightly happy

Roger Shimizu rosh at debian.org
Fri Sep 14 16:47:19 BST 2018


Roger Shimizu pushed to branch debian/sid at Privacy Maintainers / torbrowser-launcher


Commits:
8b15bbd4 by Roger Shimizu at 2018-09-09T15:22:50Z
Make lintian slightly happy

* debian/source/lintian-overrides:
  - Rename from debian/source.lintian-overrides
* debian/control:
  - Rename tag X-Python-Version to XS-Python-Version.

- - - - -
df0873bb by Roger Shimizu at 2018-09-12T15:42:03Z
d/patches: Cherry-pick three upstream commits

3 commits to fix AppArmor profile for Web Content process.

Closes: #908463

- - - - -


8 changed files:

- debian/changelog
- debian/control
- + debian/patches/0019-AppArmor-confine-Firefox-60-Web-Content-processes-un.patch
- + debian/patches/0020-AppArmor-give-Tor-Browser-s-Web-Content-process-some.patch
- + debian/patches/0021-AppArmor-give-Web-Content-processes-read-access-to-t.patch
- debian/patches/series
- − debian/source.lintian-overrides
- + debian/source/lintian-overrides


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,15 @@
+torbrowser-launcher (0.2.9-5) UNRELEASED; urgency=medium
+
+  * debian/source/lintian-overrides:
+    - Rename from debian/source.lintian-overrides
+  * debian/control:
+    - Rename tag X-Python-Version to XS-Python-Version.
+  * debian/patches:
+    - Cherry-pick three upstream commits to fix appamor profile for
+      Web Content process (Closes: #908463).
+
+ -- Roger Shimizu <rosh at debian.org>  Mon, 10 Sep 2018 00:22:29 +0900
+
 torbrowser-launcher (0.2.9-4) unstable; urgency=medium
 
   [ Ulrike Uhlig ]
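
Review bot: "appamor" in the new debian/patches bullet should read "apparmor" (or "AppArmor"), since changelog text is what users and bug-tracker searches see. The stanza is also still marked UNRELEASED while carrying "Closes: #908463", so the distribution needs to be set before upload for the bug closure to take effect.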


=====================================
debian/control
=====================================
@@ -10,7 +10,7 @@ Build-Depends:
  help2man,
  lsb-release,
  python-all (>= 2.7.3-4)
-X-Python-Version: >= 2.7
+XS-Python-Version: >= 2.7
 Standards-Version: 3.9.8
 Homepage: https://micahflee.com/torbrowser-launcher/
 Vcs-Git: https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher.git
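
Review bot: The X-Python-Version to XS-Python-Version rename does not say which lintian tag it addresses, either here or in the commit message ("Make lintian slightly happy"). Please name the tag in the changelog entry and confirm the new field name against current Debian Python policy, so the rename is not reverted later as noise.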


=====================================
debian/patches/0019-AppArmor-confine-Firefox-60-Web-Content-processes-un.patch
=====================================
@@ -0,0 +1,63 @@
+From: intrigeri <intrigeri at boum.org>
+Date: Mon, 10 Sep 2018 07:55:18 +0000
+Subject: AppArmor: confine Firefox 60 "Web Content" processes under the
+ torbrowser_plugin_container AppArmor profile.
+
+(cherry picked from commit 678d083491ceba5201d96b514173890944928540)
+---
+ apparmor/torbrowser.Browser.firefox          | 4 +++-
+ apparmor/torbrowser.Browser.plugin-container | 5 ++++-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
+index 69354d1..9f269e1 100644
+--- a/apparmor/torbrowser.Browser.firefox
++++ b/apparmor/torbrowser.Browser.firefox
+@@ -54,7 +54,6 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
+   owner @{torbrowser_home_dir}/components/*.so mr,
+   owner @{torbrowser_home_dir}/browser/components/*.so mr,
+   owner @{torbrowser_home_dir}/firefox rix,
+-  owner @{torbrowser_home_dir}/plugin-container px -> torbrowser_plugin_container,
+   owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/updater ix,
+   owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/0/MozUpdater/bgupdate/updater ix,
+   owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
+@@ -64,6 +63,9 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
+   owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
+   owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
+ 
++  # Web Content processes
++  owner @{torbrowser_firefox_executable} px -> torbrowser_plugin_container,
++
+   /etc/mailcap r,
+   /etc/mime.types r,
+ 
+diff --git a/apparmor/torbrowser.Browser.plugin-container b/apparmor/torbrowser.Browser.plugin-container
+index fe95fdb..c1c4ccb 100644
+--- a/apparmor/torbrowser.Browser.plugin-container
++++ b/apparmor/torbrowser.Browser.plugin-container
+@@ -1,6 +1,8 @@
+ #include <tunables/global>
+ #include <tunables/torbrowser>
+ 
++@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real
++
+ profile torbrowser_plugin_container {
+   #include <abstractions/gnome>
+ 
+@@ -52,7 +54,6 @@ profile torbrowser_plugin_container {
+   owner @{torbrowser_home_dir}/fonts/   r,
+   owner @{torbrowser_home_dir}/fonts/** r,
+   owner @{torbrowser_home_dir}/omni.ja r,
+-  owner @{torbrowser_home_dir}/plugin-container ixmr,
+   owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
+   owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/* rw,
+   owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
+@@ -62,6 +63,8 @@ profile torbrowser_plugin_container {
+   owner @{torbrowser_home_dir}/Downloads/ rwk,
+   owner @{torbrowser_home_dir}/Downloads/** rwk,
+ 
++  owner @{torbrowser_firefox_executable} ixmr -> torbrowser_plugin_container,
++
+   /sys/devices/system/cpu/ r,
+   /sys/devices/system/cpu/present r,
+   /sys/devices/system/node/ r,
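
Review bot: @{torbrowser_firefox_executable} is now defined at the top of torbrowser.Browser.plugin-container with a literal /home/*/... path, while torbrowser.Browser.firefox already uses the same variable in its profile header, so the path lives in two places and can drift; defining it once in tunables/torbrowser, which this file already includes, would keep both profiles in step. In the last hunk, "ixmr -> torbrowser_plugin_container" pairs an inherit-mode exec with a named target; ix already keeps the child in the current profile, so the target looks redundant and is worth dropping or confirming with apparmor_parser. The new px rule in the firefox profile matches on path only, so every exec of firefox.real by the parent, not just Web Content children, lands in torbrowser_plugin_container; a comment saying that this is intended would help later readers.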


=====================================
debian/patches/0020-AppArmor-give-Tor-Browser-s-Web-Content-process-some.patch
=====================================
@@ -0,0 +1,30 @@
+From: intrigeri <intrigeri at boum.org>
+Date: Mon, 10 Sep 2018 07:55:36 +0000
+Subject: AppArmor: give Tor Browser's Web Content process some more innocuous
+ access it now needs.
+
+(cherry picked from commit 45265423d7fea40f93a3924146933aa6e94f0d97)
+---
+ apparmor/torbrowser.Browser.plugin-container | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/apparmor/torbrowser.Browser.plugin-container b/apparmor/torbrowser.Browser.plugin-container
+index c1c4ccb..ae2a9ba 100644
+--- a/apparmor/torbrowser.Browser.plugin-container
++++ b/apparmor/torbrowser.Browser.plugin-container
+@@ -34,6 +34,7 @@ profile torbrowser_plugin_container {
+ 
+   /dev/shm/ r,
+ 
++  owner @{PROC}/@{pid}/environ r,
+   owner @{PROC}/@{pid}/fd/ r,
+   owner @{PROC}/@{pid}/mountinfo r,
+   owner @{PROC}/@{pid}/stat r,
+@@ -51,6 +52,7 @@ profile torbrowser_plugin_container {
+   owner @{torbrowser_home_dir}/browser/components/*.so mr,
+   owner @{torbrowser_home_dir}/defaults/pref/     r,
+   owner @{torbrowser_home_dir}/defaults/pref/*.js r,
++  owner @{torbrowser_home_dir}/dependentlibs.list r,
+   owner @{torbrowser_home_dir}/fonts/   r,
+   owner @{torbrowser_home_dir}/fonts/** r,
+   owner @{torbrowser_home_dir}/omni.ja r,
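
Review bot: The added "owner @{PROC}/@{pid}/environ r," in the first hunk is broader than the subject line's "innocuous" suggests, because @{pid} matches any numeric PID and the rule therefore covers the environ file of every process owned by the same user, not only the Web Content process itself. Environment blocks can carry secrets, so please add a comment in the profile stating what reads environ and why, and check that the profile grants no ptrace read on other processes, since that kernel check is what still gates the actual read.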


=====================================
debian/patches/0021-AppArmor-give-Web-Content-processes-read-access-to-t.patch
=====================================
@@ -0,0 +1,22 @@
+From: intrigeri <intrigeri at boum.org>
+Date: Mon, 10 Sep 2018 09:41:49 +0000
+Subject: AppArmor: give Web Content processes read access to the startup
+ cache, otherwise they fail to load
+
+(cherry picked from commit eb328f2abe7b681c779a6cb7e49657ac93ecd005)
+---
+ apparmor/torbrowser.Browser.plugin-container | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/apparmor/torbrowser.Browser.plugin-container b/apparmor/torbrowser.Browser.plugin-container
+index ae2a9ba..7ec8a00 100644
+--- a/apparmor/torbrowser.Browser.plugin-container
++++ b/apparmor/torbrowser.Browser.plugin-container
+@@ -57,6 +57,7 @@ profile torbrowser_plugin_container {
+   owner @{torbrowser_home_dir}/fonts/** r,
+   owner @{torbrowser_home_dir}/omni.ja r,
+   owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
++  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
+   owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/* rw,
+   owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
+   owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,


=====================================
debian/patches/series
=====================================
@@ -16,3 +16,6 @@
 0016-Remove-apparmor-local-path-from-setup.py.patch
 0017-AppArmor-allow-Firefox-to-read-usr-share-glib-2.0-sc.patch
 0018-AppArmor-adjust-Firefox-binary-path-for-Tor-Browser-.patch
+0019-AppArmor-confine-Firefox-60-Web-Content-processes-un.patch
+0020-AppArmor-give-Tor-Browser-s-Web-Content-process-some.patch
+0021-AppArmor-give-Web-Content-processes-read-access-to-t.patch


=====================================
debian/source.lintian-overrides deleted
=====================================
@@ -1 +0,0 @@
-torbrowser-launcher source: debian-watch-may-check-gpg-signature


=====================================
debian/source/lintian-overrides
=====================================
@@ -0,0 +1 @@
+torbrowser-launcher source: debian-watch-does-not-check-gpg-signature
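
Review bot: The changelog describes this only as a rename, but the overridden tag also changes from debian-watch-may-check-gpg-signature to debian-watch-does-not-check-gpg-signature, and the override carries no comment justifying it. Since the tag concerns verification of the upstream tarball signature, please record the tag change in the changelog and add a comment line above the override explaining why the watch file does not verify signatures.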



View it on GitLab: https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher/compare/6e1b7e180746f815abee1bb1332eef77256db163...df0873bbdaaec729841b0aa564da04951e49711a
