asciiwolf pushed to branch main at The Tor Project / Applications / torbrowser-launcher


Commits:
e049fdcc by Thomas Ward at 2024-10-05T10:14:32+00:00
Update/Add Additional Abstractions for AppArmor

- - - - -
851ff330 by asciiwolf at 2024-10-05T10:14:32+00:00
There are two abstraction sets added.

- The first is D-Bus session abstractions.

There are D-Bus denies for opening dialog boxes and file open boxes, which need 
D-Bus abstractions to access the user sessions. Fixed by including 
abstractions/dbus-session (which also implicitly imports 
abstractions/dbus-session-strict for systemd user sessions) in the AppArmor 
rules, if the abstractions exist.

The abstractions/dbus-session rule also requires adding an AppArmor owner rule 
for the ~/.cache/ibus/dbus-* socket. Otherwise, keyboard input will stop 
working.

- The second is X abstractions.

Observed initially in #588, systems that do NOT have GNOME installed on them, 
such as Lubuntu which uses LXQt and has ZERO GNOME components, will have issues 
accessing X11 sockets.

In such systems, the implied abstractions/gnome already part of the AppArmor 
profile do not exist. Therefore, AppArmor will not import abstractions/gnome 
which includes the X abstractions because the GNOME abstractions definition 
does not exist.

In such cases, components of the UI will not properly function with dialog 
boxes. This is why this is separately explicitly required, despite GNOME 
abstractions including X abstractions.
- - - - -


1 changed file:

- apparmor/torbrowser.Browser.firefox


Changes:

=====================================
apparmor/torbrowser.Browser.firefox
=====================================
@@ -11,6 +11,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   #include <abstractions/mesa>
   #include <abstractions/opencl>
   #include if exists <abstractions/vulkan>
+  #include if exists <abstractions/dbus-session>
+  #include if exists <abstractions/X>
 
   deny capability sys_ptrace,
 
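Review bot: the two new `#include if exists` lines carry none of the rationale given in the commit message, and the profile is what future maintainers will read; add a short comment above them stating that `<abstractions/X>` is included explicitly because `<abstractions/gnome>` (and the X rules it pulls in) is absent on non-GNOME systems, and that `<abstractions/dbus-session>` is needed for file and dialog boxes. Also note that `if exists` makes both includes a silent no-op on systems where the abstraction files are missing, so the D-Bus and X denials described in the message will persist there; that is acceptable, but worth spelling out in the comment so nobody assumes the include is unconditional.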
@@ -26,6 +28,9 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   network netlink raw,
   network tcp,
 
+  # ibus socket
+  owner @{HOME}/.cache/ibus/dbus-* rw,
+
   ptrace (trace) peer=@{profile_name},
   signal (receive, send) set=("term") peer=@{profile_name},
 
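Review bot: the `# ibus socket` comment is too terse to explain why an `rw` rule on `@{HOME}/.cache/ibus/dbus-*` belongs in a browser profile; expand it to say that the rule is required once `<abstractions/dbus-session>` is included and that without it keyboard input stops working, as the commit message explains. Keeping the `owner` qualifier is the right call since it limits the rule to files owned by the invoking user; if the socket name under `~/.cache/ibus/` follows a fixed pattern on the target distributions, a narrower glob than `dbus-*` would be preferable, otherwise leave it as is.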



View it on GitLab: 
https://gitlab.torproject.org/tpo/applications/torbrowser-launcher/-/compare/8761fed1972f6f14107be09414286c26263afdc1...851ff3304fbd02dfe9e51ddf3822e1b8c9b22182



_______________________________________________
tbb-commits mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-commits
