[Pkg-privacy-commits] [Git][pkg-privacy-team/torbrowser-launcher][debian/sid] 2 commits: debian/patches: cherry-pick 2 AppArmor patches from upstream

Roger Shimizu (@rosh) rosh at debian.org
Mon Jan 10 08:25:38 GMT 2022



Roger Shimizu pushed to branch debian/sid at Privacy Maintainers / torbrowser-launcher


Commits:
1acdfbe9 by Roger Shimizu at 2021-12-12T00:02:55+09:00
debian/patches: cherry-pick 2 AppArmor patches from upstream

- AppArmor: allow Firefox to enumerate GPUs and use graphics
  acceleration.
- AppArmor: silence a denial for access we don't need.

- - - - -
aaec44e0 by Roger Shimizu at 2022-01-10T17:01:50+09:00
Prepare to release 0.3.5-2

- - - - -


4 changed files:

- debian/changelog
- + debian/patches/10-AppArmor-allow-Firefox-to-enumerate-GPUs-and-use-graph.patch
- + debian/patches/11-AppArmor-silence-a-denial-for-access-we-don-t-need.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,14 @@
+torbrowser-launcher (0.3.5-2) unstable; urgency=medium
+
+  * debian/patches:
+    - Add patch 09 to sync with ubuntu 0.3.3-6ubuntu1.
+    - From upstream: AppArmor: allow Firefox to enumerate GPUs and use
+      graphics acceleration.
+    - From upstream: AppArmor: silence a denial for access we don't
+      need.
+
+ -- Roger Shimizu <rosh at debian.org>  Mon, 10 Jan 2022 17:01:50 +0900
+
 torbrowser-launcher (0.3.5-1) unstable; urgency=medium
 
   * New upstream release 0.3.5
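Review bot: the first bullet of the 0.3.5-2 entry ("Add patch 09 to sync with ubuntu 0.3.3-6ubuntu1") does not correspond to anything in this push: the changed-files list contains only patches 10 and 11, and the series hunk below shows 09-Remove-extra-override-for-X11-sockets.patch as unchanged context. If 09 was added in an earlier, still-unreleased commit the entry is fine, but then the bullet is the only record of that change and should say so (and "ubuntu" should be capitalised as "Ubuntu", matching the distribution name in the version string).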


=====================================
debian/patches/10-AppArmor-allow-Firefox-to-enumerate-GPUs-and-use-graph.patch
=====================================
@@ -0,0 +1,65 @@
+From: intrigeri <intrigeri at boum.org>
+Date: Tue, 26 Oct 2021 08:56:23 +0000
+Subject: AppArmor: allow Firefox to enumerate GPUs and use graphics
+ acceleration
+
+Modern web browsers and contents need graphics acceleration more and more.
+
+GNU/Linux systems are moving to Wayland, where one cannot rely on X.Org driver
+acceleration anymore, and everything instead happens in the kernel, libdrm,
+and Mesa.
+
+(cherry picked from commit 7af35f4475d1dab28f84f76146a5f743b60402ac)
+---
+ apparmor/torbrowser.Browser.firefox | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
+index 7ceaa13..0513832 100644
+--- a/apparmor/torbrowser.Browser.firefox
++++ b/apparmor/torbrowser.Browser.firefox
+@@ -5,8 +5,11 @@
+ 
+ profile torbrowser_firefox @{torbrowser_firefox_executable} {
+   #include <abstractions/audio>
++  #include <abstractions/dri-enumerate>
+   #include <abstractions/gnome>
+   #include <abstractions/ibus>
++  #include <abstractions/mesa>
++  #include <abstractions/opencl>
+   #include if exists <abstractions/vulkan>
+   #include if exists <abstractions/dbus-session>
+   #include if exists <abstractions/X>
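Review bot: the three new includes are bare `#include` while the vulkan line directly below uses `#include if exists`; if any of `abstractions/dri-enumerate`, `abstractions/mesa` or `abstractions/opencl` is absent from the AppArmor policy package on a target release, the whole profile fails to parse and Firefox runs without this confinement, so either confirm the minimum apparmor version that ships all three or use `#include if exists` for them as is already done for vulkan. Separately, `abstractions/opencl` grants GPU compute access (vendor ICD loaders and their device nodes), which goes beyond the "enumerate GPUs and use graphics acceleration" stated in the commit message; the message should justify it or the include should be dropped.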
+@@ -101,6 +104,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
+   /usr/share/homepage/ r,
+   /usr/share/homepage/** r,
+ 
++  /sys/bus/pci/devices/ r,
++  @{sys}/devices/pci[0-9]*/**/irq r,
+   /sys/devices/system/cpu/ r,
+   /sys/devices/system/cpu/present r,
+   /sys/devices/system/node/ r,
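Review bot: the two added rules mix a literal `/sys/bus/pci/devices/ r,` with `@{sys}/devices/pci[0-9]*/**/irq r,`; the surrounding pre-existing lines use literal `/sys` too, so either write the new directory rule as `@{sys}/bus/pci/devices/ r,` for consistency with its sibling or keep both new lines literal, but not one of each. Note also that the directory read is a hardware-inventory disclosure to the browser process (every PCI device's bus ID becomes readable), so a comment naming what needs it (GPU enumeration, per the subject) would help the next person who audits this profile.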
+@@ -121,12 +126,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
+   # Required for Wayland display protocol support
+   owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
+ 
+-  # Deny access to DRM nodes, that's granted by the X abstraction, which is
+-  # sourced by the gnome abstraction, that we include.
+-  deny /dev/dri/** rwklx,
+-
+   # Silence denial logs about permissions we don't need
+-  deny /dev/dri/   rwklx,
+   deny @{HOME}/.cache/fontconfig/ rw,
+   deny @{HOME}/.cache/fontconfig/** rw,
+   deny @{HOME}/.config/gtk-2.0/ rw,
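Review bot: removing `deny /dev/dri/** rwklx,` and `deny /dev/dri/ rwklx,` means the DRM node access now in effect is whatever `abstractions/X` (pulled in through `abstractions/gnome`, as the deleted comment explains) plus the newly included dri-enumerate and mesa abstractions happen to grant, including any link or execute permission those files carry, and it will change whenever those abstractions change. Prefer explicit rules in this profile for the access Firefox actually needs on `/dev/dri/card*` and `/dev/dri/renderD*` (read/write only), and keep a short comment in place of the deleted one stating that DRM access is now intentionally allowed, so a future reader does not re-add the deny.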
+@@ -163,5 +163,10 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
+   owner @{PROC}/@{pid}/{gid,uid}_map w,
+   owner @{PROC}/@{pid}/setgroups w,
+ 
++  # Remove these rules once we can assume abstractions/vulkan is recent enough
++  # to include them
++  /etc/glvnd/egl_vendor.d/{*,.json} r,
++  /usr/share/glvnd/egl_vendor.d/{,*.json} r,
++
+   #include <local/torbrowser.Browser.firefox>
+ }
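Review bot: the two glvnd globs disagree and the first looks like a typo: `/etc/glvnd/egl_vendor.d/{*,.json} r,` expands to "any file in the directory" or a file literally named `.json`, and does not cover the directory itself, whereas `/usr/share/glvnd/egl_vendor.d/{,*.json} r,` covers the directory plus `*.json` files. The first rule should almost certainly read `/etc/glvnd/egl_vendor.d/{,*.json} r,` so that both rules grant the same, narrower access and the directory listing needed to find the ICD files is permitted.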


=====================================
debian/patches/11-AppArmor-silence-a-denial-for-access-we-don-t-need.patch
=====================================
@@ -0,0 +1,25 @@
+From: intrigeri <intrigeri at boum.org>
+Date: Tue, 26 Oct 2021 09:00:31 +0000
+Subject: AppArmor: silence a denial for access we don't need
+
+Firefox 91 only uses /etc/os-release to tweak the system's fonts list
+depending on the distribution. Tor Browser does not use the system's font,
+so that's not relevant.
+
+(cherry picked from commit 4b9d49c18315476b1a95878c2d84e8e8299db6c9)
+---
+ apparmor/torbrowser.Browser.firefox | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
+index 0513832..6fd13c9 100644
+--- a/apparmor/torbrowser.Browser.firefox
++++ b/apparmor/torbrowser.Browser.firefox
+@@ -32,6 +32,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
+   deny /etc/host.conf r,
+   deny /etc/hosts r,
+   deny /etc/nsswitch.conf r,
++  deny /etc/os-release r,
+   deny /etc/resolv.conf r,
+   deny /etc/passwd r,
+   deny /etc/group r,
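Review bot: `deny /etc/os-release r,` will only silence the log if `/etc/os-release` is a regular file. AppArmor mediates the path the kernel resolves, so on systems where `/etc/os-release` is a symlink to `/usr/lib/os-release` (Debian's layout) the denial will keep appearing for the target path; add `deny /usr/lib/os-release r,` alongside it, which also covers Firefox's documented fallback location for that file.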


=====================================
debian/patches/series
=====================================
@@ -10,3 +10,5 @@ po/03-Add-Chinese-Traditional-translation.patch
 07-Fix-U2F-for-Yubikey-5-tokens.patch
 08-AppArmor-support-Wayland-display-protocol.patch
 09-Remove-extra-override-for-X11-sockets.patch
+10-AppArmor-allow-Firefox-to-enumerate-GPUs-and-use-graph.patch
+11-AppArmor-silence-a-denial-for-access-we-don-t-need.patch



View it on GitLab: https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher/-/compare/e02cdd2ce4bfaf50b9a95789d9ad9c0fce1615d8...aaec44e048d74d752e0465f19fcdaf24699cdd8b
