intrigeri pushed to branch main at The Tor Project / Applications / torbrowser-launcher


Commits:
692e28a1 by intrigeri at 2025-03-18T13:49:53+00:00
AppArmor: allow unprivileged user namespaces

Firefox uses userns to set up its own sandboxing.

On Debian, AppArmor was already allowing this by default, until a recent
upload (that is now in Trixie) updated the features pinning to a version that
now mediates usage of userns, so this functionality is now blocked by profiles
that don't explicitly allow it. Let's repair this.

Also reported as Debian#1098845.

- - - - -
91db109a by intrigeri at 2025-03-18T14:02:01+00:00
AppArmor: allow reading cgroups-v2 CPU bandwidth quota information

Firefox uses this info to determine how many CPUs the current thread actually
has access to, which seems like a reasonable thing to do for an app like Firefox
which manages a bunch of child processes. The call chain is: get_num_cpus →
cgroups_num_cpus → init_cgroups → load_cgroups → cpu_quota → max → "cpu.max".

- - - - -
7772a1ea by intrigeri at 2025-03-18T14:15:17+00:00
AppArmor: allow executing Firefox' own VA-API probe utility

This is necessary for Tor Browser to determine if VA-API is supported by the
host system, which in turn is needed to enable video hardware decoding.

- - - - -
9eb8686d by intrigeri at 2025-03-18T14:18:41+00:00
AppArmor: allow reading intel-media-driver feature files

Firefox reads these files when it runs the vaapitest tool and the VAAPI driver
for the Intel GEN8+ Graphics family is installed.

- - - - -
479b8f53 by intrigeri at 2025-03-18T17:00:32+00:00
Merge branch 'AppArmor-updates-for-current-Debian' into 'main'

AppArmor: various updates including 1 important fix for Debian Trixie

See merge request tpo/applications/torbrowser-launcher!24
- - - - -


1 changed file:

- apparmor/torbrowser.Browser.firefox


Changes:

=====================================
apparmor/torbrowser.Browser.firefox
=====================================
@@ -13,6 +13,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   #include if exists <abstractions/vulkan>
   #include if exists <abstractions/dbus-session-strict>
 
+  userns,
+
   deny capability sys_ptrace,
 
   # Uncomment the following lines if you want to give the Tor Browser 
read-write
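
Review bot: the bare `userns,` rule added above `deny capability sys_ptrace,` is unqualified and carries no comment, so a reader of the profile cannot tell why it is there or how much it grants. Add a one-line comment saying Firefox needs it to set up its own sandbox, and check whether the narrower `userns create,` is enough. Since the commit message ties this to a newer feature pinning, it is also worth confirming that the oldest apparmor_parser this profile is expected to load on accepts a userns rule.
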
@@ -94,6 +96,10 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
   owner @{torbrowser_home_dir}/TorBrowser/Tor/libstdc++/*.so mr,
   owner @{torbrowser_home_dir}/TorBrowser/Tor/libstdc++/*.so.* mr,
+  owner @{torbrowser_home_dir}/vaapitest ix,
+
+  # intel-media-driver
+  /etc/igfx_user_feature*.txt r,
 
   # parent Firefox process when restarting after upgrade, Web Content processes
   owner @{torbrowser_firefox_executable} pxmr -> torbrowser_firefox,
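
Review bot: `owner @{torbrowser_home_dir}/vaapitest ix,` has no comment, unlike the `# intel-media-driver` rule added right after it, and it is appended to the block of Tor shared-library `mr` rules, where an exec rule is easy to overlook. With `ix` the probe runs under the full torbrowser_firefox profile; if that is intended, say so in a comment that names it as Firefox's VA-API probe, and consider moving the rule next to the `pxmr` rule for the Firefox executable just below.
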
@@ -121,6 +127,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} 
{
   /sys/devices/system/node/ r,
   /sys/devices/system/node/node[0-9]*/meminfo r,
   /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_quota_us r,
+  
/sys/fs/cgroup/user.slice/user-[0-9]*.slice/user@[0-9]*.service/app.slice/app-gnome-torbrowser-[0-9]*.scope/cpu.max
 r,
   deny /sys/class/input/ r,
   deny /sys/devices/virtual/block/*/uevent r,
 
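
Review bot: the new `cpu.max` rule hard-codes the scope name `app-gnome-torbrowser-[0-9]*.scope`, so it only matches when the browser is started from a GNOME desktop entry; started from another desktop environment or from a terminal, the process would sit in a differently named scope and the read would still be denied. Consider globbing the scope component, for example `app.slice/*.scope/cpu.max r,`, or add a comment explaining why only the GNOME case is covered. The rule also lacks the kind of comment the commit message provides (Firefox reads it to count usable CPUs), which would help here given how long the path is.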



View it on GitLab: 
https://gitlab.torproject.org/tpo/applications/torbrowser-launcher/-/compare/a734238b7279fb08fde02f6fa7238af882641974...479b8f53316161845c33941c9d5f6f3b4256156b
