[Pkg-privacy-maintainers] Bug#955821: torbrowser-launcher: include upstream patch to allow access to u2f tokens

Birger Schacht birger at rantanplan.org
Sun Apr 5 11:58:57 BST 2020


Package: torbrowser-launcher
Version: 0.3.2-7
Severity: wishlist
Tags: patch

Dear Maintainers,

it would be great if U2F devices (like a YubiKey) would be usable by
default with torbrowser. I created an upstream merge request to allow
these devices in the AppArmor profile a couple of months ago and it
was merged [0] (thanks to intrigeri!), but there has been no new
torbrowser release since then.
Would it be possible to include the patch in the Debian package? That
would allow using salsa with U2F tokens (and any other GitLab instance
that might come up ;))

cheers,
Birger


[0] https://github.com/micahflee/torbrowser-launcher/pull/434


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (800, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages torbrowser-launcher depends on:
ii  ca-certificates   20190110
ii  libdbus-glib-1-2  0.110-5
ii  python3           3.8.2-2
ii  python3-gpg       1.13.1-7
ii  python3-pyqt5     5.14.1+dfsg-3
ii  python3-requests  2.23.0+dfsg-2
ii  python3-socks     1.6.8+dfsg-1

Versions of packages torbrowser-launcher recommends:
ii  tor  0.4.2.7-1

Versions of packages torbrowser-launcher suggests:
ii  apparmor  2.13.4-1

-- Configuration Files:
/etc/apparmor.d/local/torbrowser.Browser.firefox changed [not included]

-- no debconf information
-------------- next part --------------
From 3052e6579dd489923bca95a82308e5f4b6399e68 Mon Sep 17 00:00:00 2001
From: Birger Schacht <birger at rantanplan.org>
Date: Sat, 4 Apr 2020 18:18:50 +0200
Subject: [PATCH] Add AppArmor patch to allow U2F devices

---
 .../0016-AppArmor-allow-u2f-devices.patch     | 28 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 29 insertions(+)
 create mode 100644 debian/patches/0016-AppArmor-allow-u2f-devices.patch

diff --git a/debian/patches/0016-AppArmor-allow-u2f-devices.patch b/debian/patches/0016-AppArmor-allow-u2f-devices.patch
new file mode 100644
index 0000000..bc6130f
--- /dev/null
+++ b/debian/patches/0016-AppArmor-allow-u2f-devices.patch
@@ -0,0 +1,28 @@
+From: Birger Schacht <birger at rantanplan.org>
+Date: Wed, 23 Oct 2019 19:47:55 +0200
+Subject: [PATCH] Allow torbrowser to access u2f devices
+
+(cherry picked from 704e5ca3b46ac1bcf7931875fc7d33ad13910e10)
+---
+ apparmor/torbrowser.Browser.firefox | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
+index 42516b6..c067375 100644
+--- a/apparmor/torbrowser.Browser.firefox
++++ b/apparmor/torbrowser.Browser.firefox
+@@ -133,5 +133,14 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
+   /etc/xfce4/defaults.list r,
+   /usr/share/xfce4/applications/ r,
+ 
++  # u2f (tested with Yubikey 4)
++  /sys/class/ r,
++  /sys/bus/ r,
++  /sys/class/hidraw/ r,
++  /run/udev/data/c24{7,9}:* r,
++  /dev/hidraw* rw,
++  # Yubikey NEO also needs this:
++  /sys/devices/**/hidraw/hidraw*/uevent r,
++
+   #include <local/torbrowser.Browser.firefox>
+ }
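Review bot: `/dev/hidraw* rw,` in the added profile block grants read/write on every hidraw node, and hidraw exposes any HID device, not only U2F tokens, so the profile itself does not distinguish a security key from other HID hardware; what the browser can actually open then depends entirely on the device node permissions that udev sets. It would help to say that in the comment above the rule, so a reader of the profile knows the narrowing happens outside AppArmor. Separately, `/run/udev/data/c24{7,9}:* r,` hardcodes character major numbers 247 and 249, while the hidraw major is allocated dynamically by the kernel, so the rule may not match on other systems; the comment records testing only with a Yubikey 4 and the NEO, and a short note on where those two majors came from would make the rule easier to maintain.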
diff --git a/debian/patches/series b/debian/patches/series
index c1ae347..0eb4798 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@
 0013-AppArmor-Pass-the-environment-to-Firefox-content-pro.patch
 0014-AppArmor-allow-running-the-Firefox-updater-from-its-.patch
 0015-Update-setup.py.patch
+0016-AppArmor-allow-u2f-devices.patch
-- 
2.26.0


