Commit fab237b7 authored by anonym's avatar anonym
Browse files

Merge remote-tracking branch...

Merge remote-tracking branch 'origin/bugfix/16941-torbrowser-launcher-0.3.2+force-all-tests' into devel

Fix-committed: #16941
parents 2299f3a8 6a4b1ca7
diff --git a/etc/apparmor.d/torbrowser.Browser.firefox b/etc/apparmor.d/torbrowser.Browser.firefox
index 9f269e1..82def53 100644
index f782f35..a80365d 100644
--- a/etc/apparmor.d/torbrowser.Browser.firefox
+++ b/etc/apparmor.d/torbrowser.Browser.firefox
@@ -1,10 +1,11 @@
@@ -1,11 +1,12 @@
#include <tunables/global>
#include <tunables/torbrowser>
......@@ -10,31 +10,30 @@ index 9f269e1..82def53 100644
+@{torbrowser_firefox_executable} = /usr/local/lib/tor-browser/firefox.real
profile torbrowser_firefox @{torbrowser_firefox_executable} {
#include <abstractions/audio>
#include <abstractions/gnome>
+ #include <abstractions/ibus>
# Uncomment the following lines if you want to give the Tor Browser read-write
# access to most of your personal files.
@@ -25,13 +26,16 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
@@ -14,6 +15,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
# Audio support
/{,usr/}bin/pulseaudio Pixr,
+ /etc/asound.conf r,
#dbus,
network netlink raw,
@@ -29,6 +31,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
deny /etc/passwd r,
deny /etc/group r,
deny /etc/mailcap r,
+ deny @{HOME}/.local/share/gvfs-metadata/home r,
+ deny /run/resolvconf/resolv.conf r,
- deny /etc/machine-id r,
- deny /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
/dev/ r,
/dev/shm/ r,
+ owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/stat r,
@@ -39,32 +43,36 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
@@ -44,36 +48,35 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
owner @{PROC}/@{pid}/task/*/stat r,
@{PROC}/sys/kernel/random/uuid r,
......@@ -50,13 +49,17 @@ index 9f269e1..82def53 100644
- owner @{torbrowser_home_dir}/*.so mr,
- owner @{torbrowser_home_dir}/.cache/fontconfig/ rwk,
- owner @{torbrowser_home_dir}/.cache/fontconfig/** rwkl,
- owner @{torbrowser_home_dir}/components/*.so mr,
- owner @{torbrowser_home_dir}/browser/components/*.so mr,
- owner @{torbrowser_home_dir}/browser/** r,
- owner @{torbrowser_home_dir}/{,browser/}components/*.so mr,
- owner @{torbrowser_home_dir}/Downloads/ rwk,
- owner @{torbrowser_home_dir}/Downloads/** rwk,
- owner @{torbrowser_home_dir}/firefox rix,
- owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/updater ix,
- owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/0/MozUpdater/bgupdate/updater ix,
- owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/* rw,
- owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/{,MozUpdater/bgupdate/}updater ix,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/.parentwritetest rw,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/ r,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/{,**} rwk,
- owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/tor px,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
......@@ -74,8 +77,7 @@ index 9f269e1..82def53 100644
+ owner @{HOME}/.mozilla/firefox/bookmarks/** rwk,
+ owner /live/persistence/TailsData_unlocked/bookmarks/ rwk,
+ owner /live/persistence/TailsData_unlocked/bookmarks/** rwk,
+ owner @{HOME}/.tor-browser/profile.default/ r,
+ owner @{HOME}/.tor-browser/profile.default/** rwk,
+ owner @{HOME}/.tor-browser/profile.default/{,**} rwk,
+
+ /etc/xul-ext/ r,
+ /etc/xul-ext/** r,
......@@ -83,19 +85,19 @@ index 9f269e1..82def53 100644
+ /usr/local/share/tor-browser-extensions/** rk,
+ /usr/share/{xul-,web}ext/ r,
+ /usr/share/{xul-,web}ext/** r,
+ /usr/share/mozilla/extensions/ r,
+ /usr/share/mozilla/extensions/** r,
+ /usr/share/{chromium,mozilla}/extensions/ r,
+ /usr/share/{chromium,mozilla}/extensions/** r,
+
+ /usr/share/doc/tails/website/ r,
+ /usr/share/doc/tails/website/** r,
# Web Content processes
- owner @{torbrowser_firefox_executable} px -> torbrowser_plugin_container,
+ @{torbrowser_firefox_executable} px -> torbrowser_plugin_container,
# parent Firefox process when restarting after upgrade, Web Content processes
- owner @{torbrowser_firefox_executable} ixmr -> torbrowser_firefox,
+ @{torbrowser_firefox_executable} ixmr -> torbrowser_firefox,
/etc/mailcap r,
/etc/mime.types r,
@@ -88,12 +96,6 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
@@ -97,12 +100,6 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
/sys/devices/system/node/node[0-9]*/meminfo r,
deny /sys/devices/virtual/block/*/uevent r,
......@@ -108,7 +110,7 @@ index 9f269e1..82def53 100644
# Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
owner /{dev,run}/shm/org.chromium.* rw,
@@ -107,6 +109,29 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
@@ -116,6 +113,29 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
deny @{HOME}/.cache/fontconfig/** rw,
deny @{HOME}/.config/gtk-2.0/ rw,
deny @{HOME}/.config/gtk-2.0/** rw,
......@@ -138,7 +140,7 @@ index 9f269e1..82def53 100644
deny @{PROC}/@{pid}/net/route r,
deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
@@ -122,5 +147,10 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
@@ -132,5 +152,10 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
/etc/xfce4/defaults.list r,
/usr/share/xfce4/applications/ r,
......@@ -148,121 +150,6 @@ index 9f269e1..82def53 100644
+ deny owner /var/tmp/** rwklx,
+ deny /var/tmp/ rwklx,
+ deny owner /tmp/** rwklx,
+ deny /tmp/ rwklx,
}
diff --git a/etc/apparmor.d/torbrowser.Browser.plugin-container b/etc/apparmor.d/torbrowser.Browser.plugin-container
index fdf5fda..4015928 100644
--- a/etc/apparmor.d/torbrowser.Browser.plugin-container
+++ b/etc/apparmor.d/torbrowser.Browser.plugin-container
@@ -1,7 +1,7 @@
#include <tunables/global>
#include <tunables/torbrowser>
-@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real
+@{torbrowser_firefox_executable} = /usr/local/lib/tor-browser/firefox.real
profile torbrowser_plugin_container {
#include <abstractions/gnome>
@@ -12,9 +12,9 @@ profile torbrowser_plugin_container {
# - the "deny" word in the machine-id lines
# - the rules that deny reading /etc/pulse/client.conf
# and executing /usr/bin/pulseaudio
- # #include <abstractions/audio>
- # /etc/asound.conf r,
- # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw,
+ #include <abstractions/audio>
+ /etc/asound.conf r,
+ owner @{HOME}/.tor-browser/profile.default/tmp/mozilla-temp-* rw,
signal (receive) set=("term") peer=torbrowser_firefox,
@@ -26,8 +26,8 @@ profile torbrowser_plugin_container {
deny /etc/group r,
deny /etc/mailcap r,
- deny /etc/machine-id r,
- deny /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
/etc/mime.types r,
/usr/share/applications/gnome-mimeapps.list r,
@@ -42,34 +42,31 @@ profile torbrowser_plugin_container {
owner @{PROC}/@{pid}/task/*/stat r,
@{PROC}/sys/kernel/random/uuid r,
- owner @{torbrowser_home_dir}/*.dat r,
- owner @{torbrowser_home_dir}/*.manifest r,
- owner @{torbrowser_home_dir}/*.so mr,
- owner @{torbrowser_home_dir}/.cache/fontconfig/ rw,
- owner @{torbrowser_home_dir}/.cache/fontconfig/** rw,
- owner @{torbrowser_home_dir}/browser/** r,
- owner @{torbrowser_home_dir}/components/*.so mr,
- owner @{torbrowser_home_dir}/browser/components/*.so mr,
- owner @{torbrowser_home_dir}/defaults/pref/ r,
- owner @{torbrowser_home_dir}/defaults/pref/*.js r,
- owner @{torbrowser_home_dir}/dependentlibs.list r,
- owner @{torbrowser_home_dir}/fonts/ r,
- owner @{torbrowser_home_dir}/fonts/** r,
- owner @{torbrowser_home_dir}/omni.ja r,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
- owner @{torbrowser_home_dir}/TorBrowser/UpdateInfo/updates/[0-9]*/update.{status,version} r,
- owner @{torbrowser_home_dir}/TorBrowser/UpdateInfo/updates/[0-9]/updater rw,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/* rw,
- owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
- owner @{torbrowser_home_dir}/Downloads/ rwk,
- owner @{torbrowser_home_dir}/Downloads/** rwk,
-
- owner @{torbrowser_firefox_executable} ixmr -> torbrowser_plugin_container,
+ @{torbrowser_home_dir}/ r,
+ @{torbrowser_home_dir}/** mr,
+
+ owner @{HOME}/.tor-browser/profile.default/startupCache/* r,
+ owner @{HOME}/.tor-browser/profile.default/tmp/* rw,
+
+ owner "@{HOME}/Tor Browser/" rw,
+ owner "@{HOME}/Tor Browser/**" rwk,
+ owner "@{HOME}/Persistent/Tor Browser/" rw,
+ owner "@{HOME}/Persistent/Tor Browser/**" rwk,
+
+ owner @{HOME}/.tor-browser/profile.default/extensions/*.xpi r,
+ /etc/xul-ext/ r,
+ /etc/xul-ext/** r,
+ /usr/local/share/tor-browser-extensions/ r,
+ /usr/local/share/tor-browser-extensions/** rk,
+ /usr/share/{xul-,web}ext/ r,
+ /usr/share/{xul-,web}ext/** r,
+ /usr/share/mozilla/extensions/ r,
+ /usr/share/mozilla/extensions/** r,
+
+ /usr/share/doc/tails/website/ r,
+ /usr/share/doc/tails/website/** r,
+
+ @{torbrowser_firefox_executable} ixmr -> torbrowser_plugin_container,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/present r,
@@ -95,10 +92,16 @@ profile torbrowser_plugin_container {
deny @{PROC}/@{pid}/net/route r,
deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
+ deny @{HOME}/.cache/fontconfig/ w,
# Silence denial logs about PulseAudio
deny /etc/pulse/client.conf r,
deny /usr/bin/pulseaudio x,
- #include <local/torbrowser.Browser.plugin-container>
+ # Deny access to global tmp directories, that's granted by the user-tmp
+ # abstraction, which is sourced by the gnome abstraction, that we include.
+ deny owner /var/tmp/** rwklx,
+ deny /var/tmp/ rwklx,
+ deny owner /tmp/** rwklx,
+ deny /tmp/ rwklx,
}
diff --git a/etc/apparmor.d/tunables/torbrowser b/etc/apparmor.d/tunables/torbrowser
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment