[Pkg-privacy-commits] [torbrowser-launcher] 385/476: Import AppArmor profiles updates from upstream (Closes: #761663).

Ximin Luo infinity0 at moszumanska.debian.org
Sat Aug 22 13:22:02 UTC 2015


This is an automated email from the git hooks/post-receive script.

infinity0 pushed a commit to branch debian
in repository torbrowser-launcher.

commit 855cb91f5d5774a40bec0860cd7bc55e204a5255
Author: intrigeri <intrigeri at boum.org>
Date:   Tue Sep 16 03:10:16 2014 +0000

    Import AppArmor profiles updates from upstream (Closes: #761663).
    
    These patches come straight from the pull request that I've submitted earlier
    today, and that was quickly merged upstream:
    https://github.com/micahflee/torbrowser-launcher/pull/133
    
    We can drop them as soon as upstream releases a new version.
---
 ...rowser-read-access-on-its-profile-directo.patch | 23 ++++++++++++++++++++
 ...clude-the-fonts-abstraction-in-the-start-.patch | 24 +++++++++++++++++++++
 ...clude-the-freedesktop.org-abstraction-in-.patch | 23 ++++++++++++++++++++
 ...low-start-tor-browser-read-access-on-dash.patch | 25 ++++++++++++++++++++++
 ...low-start-tor-browser-to-read-usr-share-z.patch | 24 +++++++++++++++++++++
 debian/patches/series                              |  5 +++++
 6 files changed, 124 insertions(+)

diff --git a/debian/patches/0001-Grant-the-browser-read-access-on-its-profile-directo.patch b/debian/patches/0001-Grant-the-browser-read-access-on-its-profile-directo.patch
new file mode 100644
index 0000000..28b8871
--- /dev/null
+++ b/debian/patches/0001-Grant-the-browser-read-access-on-its-profile-directo.patch
@@ -0,0 +1,23 @@
+From: intrigeri <intrigeri at boum.org>
+Origin: https://github.com/micahflee/torbrowser-launcher/commit/fadacb9c1bca73f7ab9dcba2c622d9d2502cead5
+Date: Mon, 15 Sep 2014 16:45:53 +0000
+Subject: Grant the browser read access on its profile directory.
+
+For some reason, it now needs this to work properly. Given we already grant it
+write access to all child files and directories, this seems to make sense.
+---
+ apparmor/torbrowser.Browser.firefox | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
+index 198120b..0df7ad9 100644
+--- a/apparmor/torbrowser.Browser.firefox
++++ b/apparmor/torbrowser.Browser.firefox
+@@ -44,6 +44,7 @@
+   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/browser/components/*.so mr,
+   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox rix,
+   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profiles.ini r,
++  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profile.default/ r,
+   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profile.default/** rwk,
+   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor Px,
+   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/,}Desktop/ rw,
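Review bot: The description's "For some reason" can be replaced with the cause that the context around the added `profile.default/ r,` line shows. The existing `profile.default/** rwk,` rule matches entries below the directory but not the directory itself, so reading the directory was not covered. Stating that in the patch description, ideally with the denied operation from the audit log, would make clear that the new rule grants read on the directory only.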
diff --git a/debian/patches/0002-AppArmor-include-the-fonts-abstraction-in-the-start-.patch b/debian/patches/0002-AppArmor-include-the-fonts-abstraction-in-the-start-.patch
new file mode 100644
index 0000000..4c704b6
--- /dev/null
+++ b/debian/patches/0002-AppArmor-include-the-fonts-abstraction-in-the-start-.patch
@@ -0,0 +1,24 @@
+From: intrigeri <intrigeri at boum.org>
+Origin: https://github.com/micahflee/torbrowser-launcher/commit/2173b6e81bfb43bded615fd8bf4fdfd7d24621fe
+Date: Mon, 15 Sep 2014 16:47:20 +0000
+Subject: AppArmor: include the fonts abstraction in the start-tor-browser
+ profile.
+
+Otherwise, when it runs zenity, fonts are garbled (each char is replaced with
+a square) on current Debian sid.
+---
+ apparmor/torbrowser.start-tor-browser | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/apparmor/torbrowser.start-tor-browser b/apparmor/torbrowser.start-tor-browser
+index 9c2e5e8..f0bc429 100644
+--- a/apparmor/torbrowser.start-tor-browser
++++ b/apparmor/torbrowser.start-tor-browser
+@@ -3,6 +3,7 @@
+ /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/,}start-tor-browser {
+   #include <abstractions/base>
+   #include <abstractions/bash>
++  #include <abstractions/fonts>
+ 
+   capability sys_ptrace,
+ 
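Review bot: The added `#include <abstractions/fonts>` widens the whole start-tor-browser profile, although per the description only zenity needs fonts. Consider a comment next to the include saying it is there for zenity, or running zenity under its own child profile so the launcher script's profile does not accumulate GUI permissions. This profile also holds `capability sys_ptrace,` (context line below the include), so keeping it tight matters.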
diff --git a/debian/patches/0003-AppArmor-include-the-freedesktop.org-abstraction-in-.patch b/debian/patches/0003-AppArmor-include-the-freedesktop.org-abstraction-in-.patch
new file mode 100644
index 0000000..b12210d
--- /dev/null
+++ b/debian/patches/0003-AppArmor-include-the-freedesktop.org-abstraction-in-.patch
@@ -0,0 +1,23 @@
+From: intrigeri <intrigeri at boum.org>
+Origin: https://github.com/micahflee/torbrowser-launcher/commit/b4c30f0a29d33cbc1b3140dd4fc10256137fc09e
+Date: Mon, 15 Sep 2014 16:48:26 +0000
+Subject: AppArmor: include the freedesktop.org abstraction in the
+ start-tor-browser profile.
+
+It now needs access to /usr/share/pixmaps/.
+---
+ apparmor/torbrowser.start-tor-browser | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/apparmor/torbrowser.start-tor-browser b/apparmor/torbrowser.start-tor-browser
+index f0bc429..1f5fcf1 100644
+--- a/apparmor/torbrowser.start-tor-browser
++++ b/apparmor/torbrowser.start-tor-browser
+@@ -4,6 +4,7 @@
+   #include <abstractions/base>
+   #include <abstractions/bash>
+   #include <abstractions/fonts>
++  #include <abstractions/freedesktop.org>
+ 
+   capability sys_ptrace,
+ 
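Review bot: The include of `<abstractions/freedesktop.org>` grants more than the description asks for, which is only access to /usr/share/pixmaps/. A read rule limited to that directory and its contents would keep the grant matched to the stated need. If the full abstraction is wanted, the description should say why.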
diff --git a/debian/patches/0004-AppArmor-allow-start-tor-browser-read-access-on-dash.patch b/debian/patches/0004-AppArmor-allow-start-tor-browser-read-access-on-dash.patch
new file mode 100644
index 0000000..a5222c1
--- /dev/null
+++ b/debian/patches/0004-AppArmor-allow-start-tor-browser-read-access-on-dash.patch
@@ -0,0 +1,25 @@
+From: intrigeri <intrigeri at boum.org>
+Origin: https://github.com/micahflee/torbrowser-launcher/commit/ea3b6af185d734766905861f8f5a76ba84b515b1
+Date: Mon, 15 Sep 2014 16:49:47 +0000
+Subject: AppArmor: allow start-tor-browser read access on dash.
+
+We already do this for most other executable files start-tor-browser runs.
+No idea why it used to work without this permission, but oh well, it now
+needs it.
+---
+ apparmor/torbrowser.start-tor-browser | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/apparmor/torbrowser.start-tor-browser b/apparmor/torbrowser.start-tor-browser
+index 1f5fcf1..78fcb1b 100644
+--- a/apparmor/torbrowser.start-tor-browser
++++ b/apparmor/torbrowser.start-tor-browser
+@@ -11,7 +11,7 @@
+ 
+   /bin/cat rix,
+   /bin/bash r,
+-  /bin/dash ix,
++  /bin/dash rix,
+   /bin/grep rix,
+   /bin/ln rix,
+   /bin/mkdir rix,
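Review bot: The description for the `/bin/dash ix,` to `/bin/dash rix,` change leaves the cause open ("No idea why it used to work without this permission"). The new mode matches the neighbouring `/bin/cat rix,` and `/bin/grep rix,` entries, but the description should quote the AppArmor denial that prompted it, so a later reader can tell which operation needed read access to the dash binary.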
diff --git a/debian/patches/0005-AppArmor-allow-start-tor-browser-to-read-usr-share-z.patch b/debian/patches/0005-AppArmor-allow-start-tor-browser-to-read-usr-share-z.patch
new file mode 100644
index 0000000..fa34988
--- /dev/null
+++ b/debian/patches/0005-AppArmor-allow-start-tor-browser-to-read-usr-share-z.patch
@@ -0,0 +1,24 @@
+From: intrigeri <intrigeri at boum.org>
+Origin: https://github.com/micahflee/torbrowser-launcher/commit/aa831b7f51b8719d44dc83635629aaf3d5a6e482
+Date: Mon, 15 Sep 2014 16:50:45 +0000
+Subject: AppArmor: allow start-tor-browser to read
+ /usr/share/zenity/zenity.ui.
+
+When start-tor-browser runs zenity (under the start-tor-browser confinement),
+unsurprisingly that one needs to read its own files. On current Debian unstable,
+this includes /usr/share/zenity/zenity.ui.
+---
+ apparmor/torbrowser.start-tor-browser | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/apparmor/torbrowser.start-tor-browser b/apparmor/torbrowser.start-tor-browser
+index 78fcb1b..3ca6368 100644
+--- a/apparmor/torbrowser.start-tor-browser
++++ b/apparmor/torbrowser.start-tor-browser
+@@ -48,5 +48,6 @@
+   /usr/lib{,32,64}/** mr,
+   /usr/share/file/magic.mgc r,
+   /usr/share/file/magic/ r,
++  /usr/share/zenity/zenity.ui r,
+ 
+ }
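Review bot: The new `/usr/share/zenity/zenity.ui r,` rule names a single file, and the description ties it to "current Debian unstable", so it is likely to need another fix when zenity's data files change. Either say in the description that the narrow rule is deliberate, or grant read access to the /usr/share/zenity/ directory tree instead.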
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..159947f
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,5 @@
+0001-Grant-the-browser-read-access-on-its-profile-directo.patch
+0002-AppArmor-include-the-fonts-abstraction-in-the-start-.patch
+0003-AppArmor-include-the-freedesktop.org-abstraction-in-.patch
+0004-AppArmor-allow-start-tor-browser-read-access-on-dash.patch
+0005-AppArmor-allow-start-tor-browser-to-read-usr-share-z.patch
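Review bot: Nothing in `debian/patches/series` or in the five patch headers marks these patches as temporary, although the commit message says they can be dropped once upstream releases a new version. Each header carries an `Origin:` URL for the upstream commit; writing it as `Origin: upstream, <URL>` per DEP-3, or adding an `Applied-Upstream:` field, would make it explicit at the next upstream import that the patches are already merged.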

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/torbrowser-launcher.git