[Pkg-privacy-commits] [torbrowser-launcher] 01/26: AppArmor: deny access to DRM nodes (/dev/dri/*), to decrease attack surface a bit.
Ulrike Uhlig
u-guest at moszumanska.debian.org
Sat Jan 28 11:59:27 UTC 2017
This is an automated email from the git hooks/post-receive script.
u-guest pushed a commit to annotated tag v0.2.7
in repository torbrowser-launcher.
commit a6af773968e2b8a36d72bf40a770dcd9211a1858
Author: intrigeri <intrigeri at boum.org>
Date: Mon Jul 25 10:40:53 2016 +0000
AppArmor: deny access to DRM nodes (/dev/dri/*), to decrease attack surface a bit.
References: https://labs.riseup.net/code/issues/11547
With this change applied, I could successfully test the
http://webglsamples.org/book/book.html WebGL demo.
---
apparmor/torbrowser.Browser.firefox | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index e1cda06..a8a2683 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -83,6 +83,10 @@
/sys/devices/pci[0-9]*/**/uevent r,
owner /{dev,run}/shm/shmfd-* rw,
+ # Deny access to DRM nodes, that's granted by the X abstraction, which is
+ # sourced by the gnome abstraction, that we include.
+ deny /dev/dri/** rwklx,
+
# KDE 4
owner @{HOME}/.kde/share/config/* r,
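Review bot: the comment above `deny /dev/dri/** rwklx,` says where the access comes from, but not what the rule costs or how it behaves for someone debugging it later. An explicit `deny` takes precedence over the allow pulled in through the gnome and X abstractions, so it cannot be undone by adding an allow rule elsewhere in the profile or in a local override. AppArmor also does not log explicit denies by default, so a rendering problem caused by this rule will leave no trace in the audit log unless the rule is written as `audit deny`. I would extend the comment to state that direct access to the DRM nodes is blocked on purpose to reduce attack surface, note that the WebGL demo named in the commit message still worked with the rule in place, and carry the issue reference (11547) into the profile so the rationale stays with the rule.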
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/torbrowser-launcher.git