[Pkg-privacy-commits] [Git][pkg-privacy-team/torbrowser-launcher][debian/sid] 3 commits: d/patches: Update patch 08 and 10 with upstreamed version
Roger Shimizu (@rosh)
rosh at debian.org
Sat May 22 19:16:09 BST 2021
Roger Shimizu pushed to branch debian/sid at Privacy Maintainers / torbrowser-launcher
Commits:
a6ee0899 by Roger Shimizu at 2021-05-23T01:46:17+09:00
d/patches: Update patch 08 and 10 with upstreamed version
Also add patch 11 to have local apparmor update.
- - - - -
e4e2a4f4 by Roger Shimizu at 2021-05-23T02:05:10+09:00
d/patches: Cherry-pick 3 patches from upstream
- - - - -
7285dddb by Roger Shimizu at 2021-05-23T03:12:52+09:00
Prepare to release 0.3.3-5
- - - - -
9 changed files:
- debian/changelog
- + debian/patches/08-AppArmor-allow-usage-of-cgroups.patch
- + debian/patches/10-AppArmor-allow-usage-of-the-IBus-input-framework.patch
- − debian/patches/10-keyboard-input-need-this-patch-to-communicate-with-ibu.patch
- debian/patches/08-Update-apparmor-profile.patch → debian/patches/11-Update-apparmor-profile.patch
- + debian/patches/12-Fix-small-typo-in-desktop-file.patch
- + debian/patches/13-AppArmor-include-vulkan-abstraction-if-it-s-available.patch
- + debian/patches/14-AppArmor-allow-access-needed-for-Firefox-sandboxing-vi.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+torbrowser-launcher (0.3.3-5) unstable; urgency=medium
+
+ * debian/patches:
+ - Update patch 08 and 10 with upstreamed version.
+ - Add patch 11 to have local apparmor update.
+ - Cherry-pick 3 patches from upstream.
+
+ -- Roger Shimizu <rosh at debian.org> Sun, 23 May 2021 03:12:52 +0900
+
torbrowser-launcher (0.3.3-4) unstable; urgency=medium
* debian/control:
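Review bot: the entry "Cherry-pick 3 patches from upstream." does not name the patches, and one of them (patch 14) removes `deny capability sys_admin,` from the Firefox profile and grants `sys_admin` and `sys_chroot` instead. List the three patches individually and call out the capability change, so that someone reading only the changelog sees that the confinement policy changed in this upload.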
=====================================
debian/patches/08-AppArmor-allow-usage-of-cgroups.patch
=====================================
@@ -0,0 +1,40 @@
+From: intrigeri <intrigeri at boum.org>
+Date: Sun, 16 May 2021 14:00:51 +0000
+Subject: AppArmor: allow usage of cgroups
+
+Firefox uses cgroups to determine how many CPUs are available,
+and gather other information it needs about the CPUs.
+
+I did not investigate what are the consequences of Firefox
+lacking this information. I suspect performance, and thus UX,
+may be impacted.
+
+closes #547
+
+(cherry picked from commit 12477d3d5cb4438651d922f5feb7a5070b76b6d9)
+
+Closes: #980155
+---
+ apparmor/torbrowser.Browser.firefox | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
+index 57c0359..c00d4bb 100644
+--- a/apparmor/torbrowser.Browser.firefox
++++ b/apparmor/torbrowser.Browser.firefox
+@@ -36,6 +36,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
+ /dev/ r,
+ /dev/shm/ r,
+
++ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/environ r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+@@ -99,6 +100,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
+ /sys/devices/system/cpu/present r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/node[0-9]*/meminfo r,
++ /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
+ deny /sys/devices/virtual/block/*/uevent r,
+
+ # Should use abstractions/gstreamer instead once merged upstream
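Review bot: the second added rule, `/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,`, hard-codes both the `cpu,cpuacct` directory and `user.slice`, so it matches exactly one file; a browser process placed in a child cgroup below `user.slice`, or in another slice, would still be denied. Since the commit message says the consequences of the denial were not investigated, the description should state which cgroup layouts this was tested on, and the rule should either use a pattern covering the cgroup the process actually lives in or be accompanied by an explicit `deny` for the remaining paths so the choice is deliberate.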
=====================================
debian/patches/10-AppArmor-allow-usage-of-the-IBus-input-framework.patch
=====================================
@@ -0,0 +1,25 @@
+From: intrigeri <intrigeri at boum.org>
+Date: Sun, 16 May 2021 13:52:28 +0000
+Subject: AppArmor: allow usage of the IBus input framework
+
+closes #540
+
+(cherry picked from commit 6d32fe1200d74d3cdc306429690823c3498c35d2)
+
+Closes: #976084
+---
+ apparmor/torbrowser.Browser.firefox | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
+index c00d4bb..a95d6e7 100644
+--- a/apparmor/torbrowser.Browser.firefox
++++ b/apparmor/torbrowser.Browser.firefox
+@@ -6,6 +6,7 @@
+ profile torbrowser_firefox @{torbrowser_firefox_executable} {
+ #include <abstractions/audio>
+ #include <abstractions/gnome>
++ #include <abstractions/ibus>
+
+ # Uncomment the following lines if you want to give the Tor Browser read-write
+ # access to most of your personal files.
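Review bot: the `#include <abstractions/ibus>` line replaces the single rule carried by the dropped Debian patch, `owner @{HOME}/.config/ibus/bus/* r,`, with a whole abstraction, and the description is empty apart from the bug references. Say in the description what the abstraction permits beyond that one read rule, so the widening of the profile can be reviewed from the patch itself. The include is also unconditional, unlike the `include if exists` form used for vulkan in patch 13; if AppArmor releases without this abstraction are still supported, the conditional form would keep the profile loadable there.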
=====================================
debian/patches/10-keyboard-input-need-this-patch-to-communicate-with-ibu.patch deleted
=====================================
@@ -1,22 +0,0 @@
-From: Roger Shimizu <rosh at debian.org>
-Date: Mon, 26 Apr 2021 00:27:32 +0900
-Subject: keyboard input need this patch to communicate with ibus.
-
-Closes: #976084
----
- apparmor/torbrowser.Browser.firefox | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
-index 095b110..f1368db 100644
---- a/apparmor/torbrowser.Browser.firefox
-+++ b/apparmor/torbrowser.Browser.firefox
-@@ -150,5 +150,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
- # Yubikey NEO also needs this:
- /sys/devices/**/hidraw/hidraw*/uevent r,
-
-+ # ibus
-+ owner @{HOME}/.config/ibus/bus/* r,
-+
- #include <local/torbrowser.Browser.firefox>
- }
=====================================
debian/patches/08-Update-apparmor-profile.patch → debian/patches/11-Update-apparmor-profile.patch
=====================================
@@ -2,16 +2,16 @@ From: Roger Shimizu <rosh at debian.org>
Date: Sun, 25 Apr 2021 22:51:12 +0900
Subject: Update apparmor profile
-Closes: #980155
---
apparmor/torbrowser.Browser.firefox | 2 ++
- 1 file changed, 2 insertions(+)
+ apparmor/torbrowser.Tor.tor | 1 +
+ 2 files changed, 3 insertions(+)
diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
-index 57c0359..095b110 100644
+index a95d6e7..38a0df0 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
-@@ -90,6 +90,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
+@@ -92,6 +92,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
/usr/share/gnome/applications/ r,
/usr/share/gnome/applications/kde4/ r,
/usr/share/poppler/cMap/ r,
@@ -19,11 +19,23 @@ index 57c0359..095b110 100644
# Distribution homepage
/usr/share/homepage/ r,
-@@ -121,6 +122,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
- deny @{HOME}/.cache/fontconfig/** rw,
- deny @{HOME}/.config/gtk-2.0/ rw,
- deny @{HOME}/.config/gtk-2.0/** rw,
-+ deny @{PROC}/@{pid}/cgroup r,
- deny @{PROC}/@{pid}/net/route r,
- deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
- deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
+@@ -101,6 +102,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
+ /sys/devices/system/cpu/present r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/node[0-9]*/meminfo r,
++ /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
+ /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
+ deny /sys/devices/virtual/block/*/uevent r,
+
+diff --git a/apparmor/torbrowser.Tor.tor b/apparmor/torbrowser.Tor.tor
+index f5b8177..e455ce9 100644
+--- a/apparmor/torbrowser.Tor.tor
++++ b/apparmor/torbrowser.Tor.tor
+@@ -38,6 +38,7 @@ profile torbrowser_tor @{torbrowser_tor_executable} {
+
+ @{PROC}/sys/kernel/random/uuid r,
+ /sys/devices/system/cpu/ r,
++ /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ # OnionShare compatibility
+ /tmp/onionshare/** rw,
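Review bot: this patch now also edits `apparmor/torbrowser.Tor.tor` (adding `/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,`) and adds a second cgroup path, `/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,`, but the header still reads only "Update apparmor profile" and the `Closes:` line has been dropped, so nothing records why either read is needed. Add a short description per rule (what was denied, and for which binary) and a note on whether the change has been forwarded upstream. The two cgroup lines differ only by `user.slice/`, so a single pattern could cover both.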
=====================================
debian/patches/12-Fix-small-typo-in-desktop-file.patch
=====================================
@@ -0,0 +1,22 @@
+From: AsciiWolf <mail at asciiwolf.com>
+Date: Thu, 8 Oct 2020 14:12:19 +0200
+Subject: Fix small typo in desktop file
+
+(cherry picked from commit 56e8084b1d2a8029e7f43f34e42fcb5a979181a5)
+---
+ share/applications/torbrowser.desktop | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/share/applications/torbrowser.desktop b/share/applications/torbrowser.desktop
+index a80d4a4..ce64b83 100644
+--- a/share/applications/torbrowser.desktop
++++ b/share/applications/torbrowser.desktop
+@@ -5,7 +5,7 @@ Name[cs]=Tor Browser
+ Name[hu]=Tor-böngésző
+ Name[pt_BR]=Navegador Tor
+ Name[be]=Tor Browser
+-GenericName=Tor browser
++GenericName=Tor Browser
+ GenericName[da]=Tor Browser
+ GenericName[hu]=Tor böngésző indító
+ GenericName[be]=Tor Browser
=====================================
debian/patches/13-AppArmor-include-vulkan-abstraction-if-it-s-available.patch
=====================================
@@ -0,0 +1,27 @@
+From: intrigeri <intrigeri at boum.org>
+Date: Sun, 16 May 2021 13:47:54 +0000
+Subject: AppArmor: include vulkan abstraction if it's available
+
+Since the vulkan abstraction is not available on older AppArmor versions, this
+relies on the "conditional includes" AppArmor parser feature, which is available
+in AppArmor v2.10.4, v2.11.2, v2.12.1, and v2.13.
+
+closes #554
+
+(cherry picked from commit 4e216fe221f09e4d1e8b3cf8870284a6f730641f)
+---
+ apparmor/torbrowser.Browser.firefox | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
+index 38a0df0..96f88e3 100644
+--- a/apparmor/torbrowser.Browser.firefox
++++ b/apparmor/torbrowser.Browser.firefox
+@@ -7,6 +7,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
+ #include <abstractions/audio>
+ #include <abstractions/gnome>
+ #include <abstractions/ibus>
++ #include if exists <abstractions/vulkan>
+
+ # Uncomment the following lines if you want to give the Tor Browser read-write
+ # access to most of your personal files.
=====================================
debian/patches/14-AppArmor-allow-access-needed-for-Firefox-sandboxing-vi.patch
=====================================
@@ -0,0 +1,39 @@
+From: intrigeri <intrigeri at boum.org>
+Date: Sun, 16 May 2021 14:03:13 +0000
+Subject: AppArmor: allow access needed for Firefox sandboxing via
+ unprivileged user namespace
+
+Most distributions now ship with unprivileged user namespaces enabled,
+which Firefox uses to set up its own sandbox. That sandbox is more
+fine-grained and powerful than our AppArmor policy, so let's allow
+Firefox to use it.
+
+(cherry picked from commit 376f7f552b22b0ba578e6ded961c72c47f7da9e2)
+---
+ apparmor/torbrowser.Browser.firefox | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
+index 96f88e3..60e2067 100644
+--- a/apparmor/torbrowser.Browser.firefox
++++ b/apparmor/torbrowser.Browser.firefox
+@@ -132,7 +132,6 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
+ deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
+ deny /run/user/[0-9]*/dconf/user rw,
+ deny /usr/bin/lsb_release x,
+- deny capability sys_admin,
+
+ # Silence denial logs about PulseAudio
+ deny /etc/pulse/client.conf r,
+@@ -154,5 +153,11 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
+ # Yubikey NEO also needs this:
+ /sys/devices/**/hidraw/hidraw*/uevent r,
+
++ # Needed for Firefox sandboxing via unprivileged user namespaces
++ capability sys_admin,
++ capability sys_chroot,
++ owner @{PROC}/@{pid}/{gid,uid}_map w,
++ owner @{PROC}/@{pid}/setgroups w,
++
+ #include <local/torbrowser.Browser.firefox>
+ }
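Review bot: replacing `deny capability sys_admin,` with `capability sys_admin,` and `capability sys_chroot,` is unconditional: the rules are in effect whether or not unprivileged user namespaces are enabled on the host, while the description justifies them only for hosts where they are ("Most distributions now ship with unprivileged user namespaces enabled"). Extend the in-profile comment to say that both capabilities are meant to be exercised only inside the user namespace Firefox creates for its own sandbox, and that the profile no longer denies `sys_admin` in any other situation, so the trade-off is visible to anyone auditing the profile rather than only in the commit message. The patch also carries no `closes` reference, unlike patches 08, 10 and 13.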
=====================================
debian/patches/series
=====================================
@@ -17,6 +17,10 @@ po/12-Add-Czech-translation-to-desktop-files.patch
05-Fix-use-case-that-enforce-install-of-EN-version-on-n.patch
06-Fix-language-fallback-for-Chinese-Hong-Kong.patch
07-Use-gpg-instead-of-gpg2.patch
-08-Update-apparmor-profile.patch
+08-AppArmor-allow-usage-of-cgroups.patch
09-fix-failure-in-detect-installed-torbrowser.patch
-10-keyboard-input-need-this-patch-to-communicate-with-ibu.patch
+10-AppArmor-allow-usage-of-the-IBus-input-framework.patch
+11-Update-apparmor-profile.patch
+12-Fix-small-typo-in-desktop-file.patch
+13-AppArmor-include-vulkan-abstraction-if-it-s-available.patch
+14-AppArmor-allow-access-needed-for-Firefox-sandboxing-vi.patch
View it on GitLab: https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher/-/compare/f6b0eee14fbcdd77474ff0ad4d9093b94567fd48...7285dddb49140099fcad68678573c8763f7ae37a