[Pkg-privacy-commits] [torbrowser-launcher] 01/02: Add patches to make torbrowser-launcher work with AppArmor enabled on Linux 4.14.
Intrigeri
intrigeri at moszumanska.debian.org
Thu Oct 26 11:40:54 UTC 2017
This is an automated email from the git hooks/post-receive script.
intrigeri pushed a commit to branch debian/sid
in repository torbrowser-launcher.
commit a9ddd00736431e7764a7fd6e99fe427ebf8c76c6
Author: intrigeri <intrigeri at boum.org>
Date: Thu Oct 26 11:37:44 2017 +0000
Add patches to make torbrowser-launcher work with AppArmor enabled on Linux 4.14.
---
...d-rules-needed-with-new-mediation-support.patch | 51 ++++++++++++++++++++++
...ant-access-to-mostly-innocuous-stuff-Fire.patch | 23 ++++++++++
debian/patches/series | 2 +
3 files changed, 76 insertions(+)
diff --git a/debian/patches/0004-AppArmor-add-rules-needed-with-new-mediation-support.patch b/debian/patches/0004-AppArmor-add-rules-needed-with-new-mediation-support.patch
new file mode 100644
index 0000000..df7d9e0
--- /dev/null
+++ b/debian/patches/0004-AppArmor-add-rules-needed-with-new-mediation-support.patch
@@ -0,0 +1,51 @@
+From: intrigeri <intrigeri at boum.org>
+Date: Thu, 26 Oct 2017 11:12:05 +0000
+Subject: AppArmor: add rules needed with new mediation support added in Linux 4.14.
+Forwarded: https://github.com/micahflee/torbrowser-launcher/pull/294
+
+---
+ apparmor/torbrowser.Browser.firefox | 3 +++
+ apparmor/torbrowser.Tor.tor | 7 +++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
+index b1883c6..39ac6a2 100644
+--- a/apparmor/torbrowser.Browser.firefox
++++ b/apparmor/torbrowser.Browser.firefox
+@@ -15,8 +15,11 @@
+ # @{HOME}/ r,
+
+ #dbus,
++ network netlink raw,
+ network tcp,
+
++ ptrace (trace) peer=@{profile_name},
++
+ deny /etc/host.conf r,
+ deny /etc/hosts r,
+ deny /etc/nsswitch.conf r,
+diff --git a/apparmor/torbrowser.Tor.tor b/apparmor/torbrowser.Tor.tor
+index 2410637..0ccd737 100644
+--- a/apparmor/torbrowser.Tor.tor
++++ b/apparmor/torbrowser.Tor.tor
+@@ -3,6 +3,7 @@
+ /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor {
+ #include <abstractions/base>
+
++ network netlink raw,
+ network tcp,
+ network udp,
+
+@@ -17,6 +18,12 @@
+ owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/Tor,Lib}/*.so mr,
+ owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/Tor,Lib}/*.so.* mr,
+
++ # Silence file_inherit logs
++ deny @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/{browser/,}omni.ja r,
++ deny @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profile.default/.parentlock rw,
++ deny @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profile.default/extensions/*.xpi r,
++ deny @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profile.default/startupCache/* r,
++
+ @{PROC}/sys/kernel/random/uuid r,
+ /sys/devices/system/cpu/ r,
+
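Review bot: The `ptrace (trace) peer=@{profile_name},` rule added to `apparmor/torbrowser.Browser.firefox` deserves a comment in the profile explaining which Firefox component needs to trace sibling processes under the same profile, and whether the narrower `ptrace (read) peer=@{profile_name},` (which only covers reading a peer's /proc entries) would satisfy it; `trace` grants full ptrace attach between any two processes confined by this profile, which is the broadest of the four ptrace permissions. Likewise, `network netlink raw,` is added to both the firefox and tor profiles without a comment; AppArmor's network rules do not distinguish netlink families, so a one-line note on which lookup triggered the denial (interface or route enumeration is the usual culprit) would help the next person auditing the profile. The four `deny` rules under "Silence file_inherit logs" in `apparmor/torbrowser.Tor.tor` are a reasonable way to quiet noise from file descriptors inherited across the exec into tor, but since `deny` always wins over an allow rule, it is worth stating in the comment that tor never legitimately needs `omni.ja`, `.parentlock`, the `extensions/*.xpi` files or `startupCache/*`, so a future allow rule for any of them will silently not work.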
diff --git a/debian/patches/0005-AppArmor-grant-access-to-mostly-innocuous-stuff-Fire.patch b/debian/patches/0005-AppArmor-grant-access-to-mostly-innocuous-stuff-Fire.patch
new file mode 100644
index 0000000..3a1abf4
--- /dev/null
+++ b/debian/patches/0005-AppArmor-grant-access-to-mostly-innocuous-stuff-Fire.patch
@@ -0,0 +1,23 @@
+From: intrigeri <intrigeri at boum.org>
+Date: Thu, 26 Oct 2017 11:12:52 +0000
+Subject: AppArmor: grant access to mostly innocuous stuff Firefox tries to read.
+Forwarded: https://github.com/micahflee/torbrowser-launcher/pull/294
+---
+ apparmor/torbrowser.Browser.firefox | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
+index 39ac6a2..6a2c148 100644
+--- a/apparmor/torbrowser.Browser.firefox
++++ b/apparmor/torbrowser.Browser.firefox
+@@ -31,6 +31,10 @@
+ deny /etc/machine-id r,
+ deny /var/lib/dbus/machine-id r,
+
++ /dev/ r,
++ /dev/shm/ r,
++
++ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/status r,
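Review bot: The subject line calls these additions "mostly innocuous"; the commit message should name the exception so a reviewer does not have to infer it. Of the four new rules, `owner @{PROC}/@{pid}/fd/ r,` is scoped to the browser's own process and `/dev/ r,` only lists device nodes, but `/dev/shm/ r,` lets the browser enumerate the names of every shared-memory segment on the host, including those of other applications and users, which is an information disclosure rather than nothing at all. If Firefox only needs its own segments, consider whether a directory listing is actually required or whether an `owner /dev/shm/...` rule on the specific files it opens would suffice.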
diff --git a/debian/patches/series b/debian/patches/series
index ba90726..d26ae6d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,5 @@
0001-AppArmor-support-sysvinit-systems.patch
0002-Update-mirror-list.patch
0003-AppArmor-allow-the-tor-process-to-modify-its-data-di.patch
+0004-AppArmor-add-rules-needed-with-new-mediation-support.patch
+0005-AppArmor-grant-access-to-mostly-innocuous-stuff-Fire.patch
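Review bot: The ordering in `debian/patches/series` matters here and is correct: patch 0005's index line (`39ac6a2..6a2c148`) starts from exactly the blob that patch 0004 produces for `apparmor/torbrowser.Browser.firefox` (`b1883c6..39ac6a2`), so 0005 will not apply if it is ever reordered before 0004. A short note to that effect in the commit message, or folding the two into one patch since both are forwarded to the same upstream pull request, would make that dependency explicit.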
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/torbrowser-launcher.git