[Pkg-privacy-maintainers] Bug#913366: torbrowser-launcher: more apparmor fixes needed, otherwise fails to launch
Diederik de Haas
didi.debian at cknow.org
Sat Nov 10 00:42:23 GMT 2018
Package: torbrowser-launcher
Version: 0.3.1-1
Severity: grave
Tags: upstream patch
Justification: renders package unusable
I had applied the patch before, but I guess it got overwritten with a
new version (which I thought wasn't supposed to happen without asking).
Applied the patch again and then torbrowser started again.
For completeness sake, this is the patch intrigeri submitted upstream,
but the upstream pull request is now already waiting more then a month
for approval/merge, so it's probably good to apply this patch to the
Debian package in the meantime.
owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
+ owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
+ owner @{torbrowser_home_dir}/TorBrowser/UpdateInfo/updates/[0-9]*/update.{status,version} r,
+ owner @{torbrowser_home_dir}/TorBrowser/UpdateInfo/updates/[0-9]/updater rw,
owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
Cheers,
Diederik
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (101, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 4.18.0-2-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages torbrowser-launcher depends on:
ii ca-certificates 20180409
ii libdbus-glib-1-2 0.110-3
ii python3 3.6.7-1
ii python3-gpg 1.12.0-4
ii python3-pyqt5 5.11.3+dfsg-1+b1
ii python3-requests 2.20.0-2
ii python3-socks 1.6.8+dfsg-1
Versions of packages torbrowser-launcher recommends:
ii tor 0.3.4.9-5
Versions of packages torbrowser-launcher suggests:
ii apparmor 2.13.1-3+b1
ii python-pygame 1.9.4.post1+dfsg-2
-- Configuration Files:
/etc/apparmor.d/torbrowser.Browser.plugin-container changed:
@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real
profile torbrowser_plugin_container {
#include <abstractions/gnome>
# Uncomment the following lines if you want Tor Browser
# to have direct access to your sound hardware. You will also
# need to remove, further bellow:
# - the "deny" word in the machine-id lines
# - the rules that deny reading /etc/pulse/client.conf
# and executing /usr/bin/pulseaudio
# #include <abstractions/audio>
# /etc/asound.conf r,
# owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw,
signal (receive) set=("term") peer=torbrowser_firefox,
deny /etc/host.conf r,
deny /etc/hosts r,
deny /etc/nsswitch.conf r,
deny /etc/resolv.conf r,
deny /etc/passwd r,
deny /etc/group r,
deny /etc/mailcap r,
deny /etc/machine-id r,
deny /var/lib/dbus/machine-id r,
/etc/mime.types r,
/usr/share/applications/gnome-mimeapps.list r,
/dev/shm/ r,
owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/status r,
owner @{PROC}/@{pid}/task/*/stat r,
@{PROC}/sys/kernel/random/uuid r,
owner @{torbrowser_home_dir}/*.dat r,
owner @{torbrowser_home_dir}/*.manifest r,
owner @{torbrowser_home_dir}/*.so mr,
owner @{torbrowser_home_dir}/.cache/fontconfig/ rw,
owner @{torbrowser_home_dir}/.cache/fontconfig/** rw,
owner @{torbrowser_home_dir}/browser/** r,
owner @{torbrowser_home_dir}/components/*.so mr,
owner @{torbrowser_home_dir}/browser/components/*.so mr,
owner @{torbrowser_home_dir}/defaults/pref/ r,
owner @{torbrowser_home_dir}/defaults/pref/*.js r,
owner @{torbrowser_home_dir}/dependentlibs.list r,
owner @{torbrowser_home_dir}/fonts/ r,
owner @{torbrowser_home_dir}/fonts/** r,
owner @{torbrowser_home_dir}/omni.ja r,
owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
owner @{torbrowser_home_dir}/TorBrowser/UpdateInfo/updates/[0-9]*/update.{status,version} r,
owner @{torbrowser_home_dir}/TorBrowser/UpdateInfo/updates/[0-9]*/updater rw,
owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/* rw,
owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
owner @{torbrowser_home_dir}/Downloads/ rwk,
owner @{torbrowser_home_dir}/Downloads/** rwk,
owner @{torbrowser_firefox_executable} ixmr -> torbrowser_plugin_container,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/present r,
/sys/devices/system/node/ r,
/sys/devices/system/node/node[0-9]*/meminfo r,
deny /sys/devices/virtual/block/*/uevent r,
# Should use abstractions/gstreamer instead once merged upstream
/etc/udev/udev.conf r,
/run/udev/data/+pci:* r,
/sys/devices/pci[0-9]*/**/uevent r,
owner /{dev,run}/shm/shmfd-* rw,
# Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
owner /{dev,run}/shm/org.chromium.* rw,
# Deny access to DRM nodes, that's granted by the X abstraction, which is
# sourced by the gnome abstraction, that we include.
deny /dev/dri/** rwklx,
# Silence denial logs about permissions we don't need
deny /dev/dri/ rwklx,
deny @{PROC}/@{pid}/net/route r,
deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
# Silence denial logs about PulseAudio
deny /etc/pulse/client.conf r,
deny /usr/bin/pulseaudio x,
#include <local/torbrowser.Browser.plugin-container>
}
-- no debconf information
More information about the Pkg-privacy-maintainers
mailing list