[tbb-commits] [Git][tpo/applications/torbrowser-launcher][main] 8 commits: Fix path variables in AppArmor profile
boklm (@boklm)
git at gitlab.torproject.org
Wed Oct 4 09:34:10 UTC 2023
boklm pushed to branch main at The Tor Project / Applications / torbrowser-launcher
Commits:
6ec48451 by Fei1Yang at 2023-09-21T08:40:50+00:00
Fix path variables in AppArmor profile
- - - - -
629493a6 by anonym at 2023-09-28T15:06:51+02:00
AppArmor: allow executing glxtest
This "Firefox OpenGL probe utility" was added in Tor Browser 13.
- - - - -
41f20588 by anonym at 2023-09-28T15:07:16+02:00
AppArmor: allow reading/writing to /proc/PID/oom_score_adj
Firefox adjusts the OOM scores of its processes so that if they are
reaped they are killed in a sane order, e.g. the parent process last.
Source: hal/linux/LinuxProcessPriority.cpp
- - - - -
b257da03 by anonym at 2023-09-28T15:08:01+02:00
AppArmor: give read access to proc info about which command the browser's threads use
- - - - -
29e1fe41 by anonym at 2023-09-28T15:08:17+02:00
AppArmor: silence denial of sys_ptrace capability
We already allow ptrace for its relevant subprocesses via ptrace
rules, and I'm unsure if the full capability is really needed. I see
lots of other profiles which have ptrace rules without the capability
so I guess not. And I wonder if allowing the capability allows ptrace
for arbitrary processes, which would be really bad.
So let's assume it's not needed and we'll see what happens.
- - - - -
b80e0078 by anonym at 2023-09-28T15:08:58+02:00
AppArmor: silence denial to read /sys/class/input/
It is unclear to me what this is about.
- - - - -
25ebbe67 by intrigeri at 2023-10-04T11:13:50+02:00
Merge pull request #702 from Fei1Yang/apparmor-path
Fix path variables in AppArmor profile
- - - - -
4652b442 by intrigeri at 2023-10-04T11:25:46+02:00
Merge pull request #709 from anonym/tor-browser-13.0
Adapt AppArmor profile for Tor browser 13.0
- - - - -
3 changed files:
- apparmor/torbrowser.Browser.firefox
- apparmor/torbrowser.Tor.tor
- apparmor/tunables/torbrowser
Changes:
=====================================
apparmor/torbrowser.Browser.firefox
=====================================
@@ -1,7 +1,7 @@
#include <tunables/global>
#include <tunables/torbrowser>
-@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real
+@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/Browser/firefox.real
profile torbrowser_firefox @{torbrowser_firefox_executable} {
#include <abstractions/audio>
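Review bot: The attachment path drops the `_*` suffix of `tor-browser_*`, so the profile no longer attaches to installations whose directory still carries the old suffixed name; anyone with an older tree under `tbb/{i686,x86_64}/tor-browser_*/` will run firefox.real unconfined without a denial to show for it. If both layouts must be supported during the transition, a brace alternation such as `tor-browser{,_*}` would keep the old matches; otherwise it is worth stating in the commit message that pre-13.0 layouts are deliberately dropped. The same literal change appears in apparmor/torbrowser.Tor.tor and apparmor/tunables/torbrowser, so all three need to stay in step.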
@@ -12,6 +12,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
#include <abstractions/opencl>
#include if exists <abstractions/vulkan>
+ deny capability sys_ptrace,
+
# Uncomment the following lines if you want to give the Tor Browser read-write
# access to most of your personal files.
# #include <abstractions/user-download>
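Review bot: `deny capability sys_ptrace,` removes the audit message as well as the permission, and explicit deny rules take precedence over any allow rule in AppArmor, so if a later Firefox release does need the capability the breakage will show no denial in the log. Since the commit message itself records that the need is unsure ("let's assume it's not needed and we'll see what happens"), consider a short comment above the rule pointing at the existing ptrace rules and the reasoning, so the next person debugging a silent ptrace failure knows where to look, or use `audit deny` for a release cycle to keep visibility.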
@@ -46,10 +48,13 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/oom_score_adj rw,
owner @{PROC}/@{pid}/smaps r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/status r,
+ owner @{PROC}/@{pid}/task/ r,
+ owner @{PROC}/@{pid}/task/*/comm r,
owner @{PROC}/@{pid}/task/*/stat r,
@{PROC}/sys/kernel/random/uuid r,
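Review bot: The `owner @{PROC}/@{pid}/oom_score_adj rw,` rule grants write access only to the browser's own processes, and without CAP_SYS_RESOURCE the kernel only lets a process raise its own oom_score_adj (make itself a more likely OOM victim), not lower it below its starting value, so the `rw` here cannot be used to shield the browser from the OOM killer; a one-line comment citing hal/linux/LinuxProcessPriority.cpp, as the commit message does, would make that intent clear in the profile. The `task/` and `task/*/comm r` additions are read-only, owner-restricted and sit alphabetically beside the existing `task/*/stat r`, which is consistent with the rest of the block.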
@@ -70,6 +75,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
owner @{torbrowser_home_dir}/Downloads/ rwk,
owner @{torbrowser_home_dir}/Downloads/** rwk,
owner @{torbrowser_home_dir}/firefox rix,
+ owner @{torbrowser_home_dir}/glxtest ix,
owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/* rw,
owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/{,MozUpdater/bgupdate/}updater ix,
owner @{torbrowser_home_dir}/updater ix,
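Review bot: `owner @{torbrowser_home_dir}/glxtest ix,` runs the OpenGL probe inherited under the full torbrowser_firefox profile, matching how `updater ix` is handled two lines below. Unlike the `firefox rix` line above it, no `r` is granted, which is fine for a native binary executed by the kernel but would fail if glxtest ever became a script needing to be read by its interpreter; a comment noting it is the Tor Browser 13 OpenGL probe (per the commit message) would help future readers. A child profile (`cx`) with only the GL/DRI accesses would be tighter, but for a short-lived probe the inherited profile is a reasonable trade-off.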
@@ -111,6 +117,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
/sys/devices/system/node/ r,
/sys/devices/system/node/node[0-9]*/meminfo r,
/sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_quota_us r,
+ deny /sys/class/input/ r,
deny /sys/devices/virtual/block/*/uevent r,
# Should use abstractions/gstreamer instead once merged upstream
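Review bot: `deny /sys/class/input/ r,` silences a denial whose purpose the commit message explicitly leaves unexplained ("It is unclear to me what this is about"). Because a deny rule both suppresses the log entry and overrides allows, a browser feature that later needs to enumerate input devices through this directory would fail without any trace; add a comment recording that the access was seen but not understood, mirroring the existing `deny /sys/devices/virtual/block/*/uevent r,` style, so it is recognised as a deliberate choice rather than an oversight.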
=====================================
apparmor/torbrowser.Tor.tor
=====================================
@@ -1,7 +1,7 @@
#include <tunables/global>
#include <tunables/torbrowser>
-@{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/tor
+@{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/Browser/TorBrowser/Tor/tor
profile torbrowser_tor @{torbrowser_tor_executable} {
#include <abstractions/base>
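Review bot: This is the same `tor-browser_*` to `tor-browser` rename as in apparmor/torbrowser.Browser.firefox, with the same consequence: the tor profile silently stops attaching to any installation still using the suffixed directory name. The executable path is a second hand-written copy of the literal prefix `/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/`; if AppArmor's variable expansion in attachment specifications suits the project, deriving it from `@{torbrowser_installation_dir}` in tunables/torbrowser would remove one of the three places that must be edited together.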
=====================================
apparmor/tunables/torbrowser
=====================================
@@ -1,2 +1,2 @@
-@{torbrowser_installation_dir}=@{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*
+@{torbrowser_installation_dir}=@{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser
@{torbrowser_home_dir}=@{torbrowser_installation_dir}/Browser
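Review bot: The tunable now pins `@{torbrowser_installation_dir}` to an unsuffixed `tor-browser` directory, which is what every other `@{torbrowser_home_dir}`-based rule in the firefox profile depends on; anyone with an existing `tor-browser_*` tree will lose all of those file rules at once after this change, so the launcher's own install path should be confirmed to match before shipping. Since the firefox and tor profiles still spell out the same prefix with `/home/*` rather than `@{HOME}`, a follow-up that expresses their executable variables in terms of this tunable would keep the three definitions from drifting again.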
View it on GitLab: https://gitlab.torproject.org/tpo/applications/torbrowser-launcher/-/compare/ac85ac405c4892b2650ec2559591bfe3d2d7df40...4652b442d75e118b96296864ac68a5e7252dfc3b