Commit 42063998 authored by anonym

Merge remote-tracking branch 'origin/feature/14606-silence-tor-browser-apparmor-logs' into testing

Refs: #14606
parents 2593cffc 01b8f986
......@@ -104,7 +104,18 @@
/etc/mailcap r,
/etc/mime.types r,
@@ -100,6 +108,33 @@
@@ -96,10 +104,44 @@
# Silence denial logs about permissions we don't need
deny /dev/dri/ rwklx,
+ deny @{HOME}/.cache/fontconfig/ rw,
+ deny @{HOME}/.cache/fontconfig/** rw,
+ deny @{HOME}/.config/gtk-2.0/ rw,
+ deny @{HOME}/.config/gtk-2.0/** rw,
+ deny @{HOME}/.mozilla/firefox/bookmarks/ r,
+ deny /usr/local/lib/tor-browser/TorBrowser/UpdateInfo/ rw,
+ deny /usr/local/lib/tor-browser/update.test/ rw,
deny @{PROC}/@{pid}/net/route r,
deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
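Review bot: In the added deny block, `deny @{HOME}/.mozilla/firefox/bookmarks/ r,` and the two `/usr/local/lib/tor-browser/...` rules cover only the directory itself, while the fontconfig and gtk-2.0 entries each come as a directory rule plus a `/**` rule. If accesses beneath those three directories are also expected, they will still produce denial logs, so either add the matching `/**` rules or say in the comment that only the directory access has been observed. It is also worth extending the "Silence denial logs" comment to note that AppArmor deny rules take precedence over allow rules and are not logged, so a later allow rule for any of these paths (for example a fontconfig cache write) would be overridden with no trace in the logs.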
......@@ -138,7 +149,7 @@
# KDE 4
owner @{HOME}/.kde/share/config/* r,
@@ -107,5 +142,11 @@
@@ -107,5 +145,11 @@
/etc/xfce4/defaults.list r,
/usr/share/xfce4/applications/ r,
......@@ -232,6 +232,11 @@ Upgrade Tor Browser
See the dedicated page: [[tor-browser]]
Upgrade Tor Browser AppArmor profile
See the dedicated page: [[browser-apparmor-patch]]
Upgrade Thunderbird
[[!meta title="Upstream our changes to Tor Browser's AppArmor policy"]]
# Preparation (first time)
If you don't have our `torbrowser-launcher` Git repo, clone it:
git clone
and add a remote for Debian, which is our immediate upstream:
git remote add debian
and add a remote for the final upstream:
git remote add upstream-repo
# Make our repo up-to-date
git checkout master && \
git pull && \
git fetch debian && \
git fetch upstream-repo
Finally, make our repo up-to-date:
LATEST_TAG="$(git tag --list 'debian/*' --sort=version:refname | tail -n1)"
git merge --no-ff "${LATEST_TAG}"
Just pay attentioin that you didn't merge some unwanted version from
Debian experimental!
# Prepare a branch for upstream
Prepare a branch, e.g.:
git checkout -b "${UPSTREAM_FEATURE_BRANCH}" upstream-repo/master
Edit `apparmor/torbrowser.Browser.firefox` accordingly, and commit. Then:
git checkout -b "${TAILS_FEATURE_BRANCH}" origin/master
Then submit `TAILS_FEATURE_BRANCH` for review on the Tails'
side, and ask the reviewer to submit `UPSTREAM_FEATURE_BRANCH` as a
pull request to
[upstream]( once s/he
is happy with its state (alternatively, the reviewer reminds the patch
submitter to send it).
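Review bot: `LATEST_TAG="$(git tag --list 'debian/*' --sort=version:refname | tail -n1)"` selects whichever `debian/*` tag sorts highest, and the only guard against picking up a Debian experimental version is the prose warning placed after `git merge --no-ff "${LATEST_TAG}"`, that is, after the merge has already run. Suggest adding a step that prints `${LATEST_TAG}` and has the reader confirm it before the merge command. `UPSTREAM_FEATURE_BRANCH` and `TAILS_FEATURE_BRANCH` are used without being set anywhere in the visible text, and the step after `git checkout -b "${TAILS_FEATURE_BRANCH}" origin/master` does not say how the edit to `apparmor/torbrowser.Browser.firefox` gets onto that branch. Minor: "attentioin" should be "attention", and "Finally, make our repo up-to-date:" sits under the "Make our repo up-to-date" heading after the fetch commands, so the heading and the sentence repeat each other.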