authorintrigeri <intrigeri@boum.org>2018-02-08 06:23:02 +0000
committerintrigeri <intrigeri@boum.org>2018-02-08 06:23:02 +0000
commit49f7a105f189b7944701c67d9a3c28026ea4b6bc (patch)
tree1be1708a3520a399a9e3a8b690fb2e81a09b28f5
parentf2171566dd762bfd4999f5b4d84ce2d1fa18502e (diff)
parent547bbdf40c21392a346b2fe80777b1080b7a461c (diff)
Merge remote-tracking branch 'origin/feature/12679-sandbox-firefox-content-renderers' into bugfix/15029-AppArmor-cups-backends
-rw-r--r--config/chroot_apt/preferences5
-rwxr-xr-xconfig/chroot_local-hooks/19-install-tor-browser-AppArmor-profile18
-rw-r--r--config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch248
3 files changed, 170 insertions, 101 deletions
diff --git a/config/chroot_apt/preferences b/config/chroot_apt/preferences
index 68b88bd..e57de88 100644
--- a/config/chroot_apt/preferences
+++ b/config/chroot_apt/preferences
@@ -45,11 +45,6 @@ Package: thunderbird* calendar-google-provider
Pin: origin deb.tails.boum.org
Pin-Priority: 999
-Explanation: Without this we FTBFS due to #15270 but the real fix (which should be in Tails 3.6~rc1) will come with #12679
-Package: torbrowser-launcher
-Pin: release o=Debian,n=stretch-backports
-Pin-Priority: 999
-
Package: obfs4proxy
Pin: release o=TorProject,n=obfs4proxy
Pin-Priority: 990
diff --git a/config/chroot_local-hooks/19-install-tor-browser-AppArmor-profile b/config/chroot_local-hooks/19-install-tor-browser-AppArmor-profile
index de4407b..3dfce1f 100755
--- a/config/chroot_local-hooks/19-install-tor-browser-AppArmor-profile
+++ b/config/chroot_local-hooks/19-install-tor-browser-AppArmor-profile
@@ -2,10 +2,9 @@
set -e
-echo "Installing AppArmor profile for Tor Browser"
+echo "Installing AppArmor profiles for Tor Browser"
PATCH='/usr/share/tails/torbrowser-AppArmor-profile.patch'
-PROFILE='/etc/apparmor.d/torbrowser'
### Functions
@@ -33,14 +32,17 @@ toggle_src_APT_sources() {
apt-get --yes update
}
-install_torbrowser_AppArmor_profile() {
+install_torbrowser_AppArmor_profiles() {
tmpdir="$(mktemp -d)"
(
cd "$tmpdir"
- apt-get source torbrowser-launcher/stretch-backports
+ apt-get source torbrowser-launcher/sid
install -m 0644 \
- torbrowser-launcher-*/apparmor/torbrowser.Browser.firefox \
- "$PROFILE"
+ torbrowser-launcher-*/apparmor/torbrowser.Browser.* \
+ /etc/apparmor.d/
+ install -m 0644 \
+ torbrowser-launcher-*/apparmor/tunables/* \
+ /etc/apparmor.d/tunables/
)
rm -r "$tmpdir"
}
@@ -48,7 +50,7 @@ install_torbrowser_AppArmor_profile() {
### Main
toggle_src_APT_sources on
-install_torbrowser_AppArmor_profile
+install_torbrowser_AppArmor_profiles
toggle_src_APT_sources off
-patch --forward --batch "$PROFILE" < "$PATCH"
+(cd / && patch --forward --batch -p1 < "$PATCH")
rm "$PATCH"
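Review bot: Nothing after `(cd / && patch --forward --batch -p1 < "$PATCH")` in the main section checks that the patched profiles still parse, so a patch that applies with fuzz against a drifted upstream profile can yield a profile that no longer parses or no longer says what was reviewed, and a parse failure only surfaces when the profile fails to load on a booted system, which would likely leave the browser unconfined rather than fail the build. Adding `apparmor_parser -Q /etc/apparmor.d/torbrowser.Browser.firefox /etc/apparmor.d/torbrowser.Browser.plugin-container` right after the patch line (assuming the parser is present in the chroot at this hook stage) turns that into a build-time failure. The drift risk is real because install_torbrowser_AppArmor_profiles now runs `apt-get source torbrowser-launcher/sid` while the stretch-backports pin is dropped from config/chroot_apt/preferences, so the profile set the patch is applied to is whatever sid ships on build day; `apt-get source torbrowser-launcher=<PINNED_VERSION>` (placeholder) would make the starting point explicit. Relatedly, the hook copies only `apparmor/torbrowser.Browser.*` and `apparmor/tunables/*`, which is presumably why the patch drops `#include <local/torbrowser.Browser.plugin-container>`; a comment on the install lines such as `# local/ overrides are not shipped; the patch removes the matching #include` would keep the hook and the patch in step.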
diff --git a/config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch b/config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch
index f38e591..770cfdb 100644
--- a/config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch
+++ b/config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch
@@ -1,89 +1,62 @@
---- etc/apparmor.d/torbrowser.Browser.firefox.orig 2017-04-19 16:30:32.000000000 +0000
-+++ etc/apparmor.d/torbrowser.Browser.firefox 2017-06-08 07:59:11.641571083 +0000
-@@ -1,13 +1,15 @@
- # Last modified
+--- a/etc/apparmor.d/torbrowser.Browser.firefox
++++ b/etc/apparmor.d/torbrowser.Browser.firefox
+@@ -1,8 +1,9 @@
#include <tunables/global>
+ #include <tunables/torbrowser>
-/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox {
+/usr/local/lib/tor-browser/firefox {
#include <abstractions/gnome>
-+ #include <abstractions/gstreamer>
+ #include <abstractions/ibus>
- # Uncomment the following line if you don't want the Tor Browser
- # to have direct access to your sound hardware. Note that this is not
- # enough to have working sound support in Tor Browser.
-- # #include <abstractions/audio>
-+ #include <abstractions/audio>
-
# Uncomment the following lines if you want to give the Tor Browser read-write
# access to most of your personal files.
-@@ -20,52 +22,58 @@
-
- ptrace (trace) peer=@{profile_name},
-
-+ /etc/asound.conf r,
- deny /etc/host.conf r,
-- deny /etc/hosts r,
-- deny /etc/nsswitch.conf r,
-+ /etc/hosts r,
-+ /etc/nsswitch.conf r,
- deny /etc/resolv.conf r,
-- deny /etc/passwd r,
-- deny /etc/group r,
-+ /etc/passwd r,
-+ /etc/group r,
+@@ -22,6 +23,8 @@
+ deny /etc/passwd r,
+ deny /etc/group r,
deny /etc/mailcap r,
+ deny @{HOME}/.local/share/gvfs-metadata/home r,
+ deny /run/resolvconf/resolv.conf r,
-- deny /etc/machine-id r,
-- deny /var/lib/dbus/machine-id r,
-+ /etc/machine-id r,
-+ /var/lib/dbus/machine-id r,
-
+ deny /etc/machine-id r,
+ deny /var/lib/dbus/machine-id r,
+@@ -29,6 +32,7 @@
/dev/ r,
/dev/shm/ r,
- owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/environ r,
+ owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/stat r,
- owner @{PROC}/@{pid}/status r,
+@@ -36,28 +40,32 @@
owner @{PROC}/@{pid}/task/*/stat r,
@{PROC}/sys/kernel/random/uuid r,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/ r,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/* r,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/.** rwk,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/update.test/ rwk,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/.** rwk,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/ rw,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** rw,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser.bak/ rwk,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser.bak/** rwk,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/*.so mr,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/components/*.so mr,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/browser/components/*.so mr,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox rix,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/plugin-container Pix,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/{,TorBrowser/UpdateInfo/}updates/[0-9]*/updater ix,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/{,TorBrowser/UpdateInfo/}updates/0/MozUpdater/bgupdate/updater ix,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Data/Browser/profiles.ini r,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/ r,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/** rwk,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/tor px,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/libstdc++.so.6 m,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/Desktop/ rw,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/Desktop/** rwk,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/Downloads/ rw,
-- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/Downloads/** rwk,
-+ /usr/local/lib/tor-browser/ r,
-+ /usr/local/lib/tor-browser/** r,
-+ /usr/local/lib/tor-browser/*.so{,.6} mr,
-+ /usr/local/lib/tor-browser/**/*.so mr,
-+ /usr/local/lib/tor-browser/browser/* r,
-+ /usr/local/lib/tor-browser/TorBrowser/Data/Browser/profiles.ini r,
+- owner @{torbrowser_installation_dir}/ r,
+- owner @{torbrowser_installation_dir}/* r,
+- owner @{torbrowser_installation_dir}/.** rwk,
+- owner @{torbrowser_installation_dir}/update.test/ rwk,
+- owner @{torbrowser_home_dir}/.** rwk,
+- owner @{torbrowser_home_dir}/ rw,
+- owner @{torbrowser_home_dir}/** rwk,
+- owner @{torbrowser_home_dir}.bak/ rwk,
+- owner @{torbrowser_home_dir}.bak/** rwk,
+- owner @{torbrowser_home_dir}/*.so mr,
+- owner @{torbrowser_home_dir}/components/*.so mr,
+- owner @{torbrowser_home_dir}/browser/components/*.so mr,
+- owner @{torbrowser_home_dir}/firefox rix,
+- owner @{torbrowser_home_dir}/plugin-container px -> torbrowser_plugin_container,
+- owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/updater ix,
+- owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/0/MozUpdater/bgupdate/updater ix,
+- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
+- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/ r,
+- owner @{torbrowser_home_dir}/TorBrowser/Tor/tor px,
+- owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
+- owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
+- owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
++ @{torbrowser_home_dir}/ r,
++ @{torbrowser_home_dir}/** mr,
++ @{torbrowser_home_dir}/plugin-container px -> torbrowser_plugin_container,
+
+ owner "@{HOME}/Tor Browser/" rw,
+ owner "@{HOME}/Tor Browser/**" rwk,
@@ -91,7 +64,9 @@
+ owner "@{HOME}/Persistent/Tor Browser/**" rwk,
+ owner "/live/persistence/TailsData_unlocked/Persistent/Tor Browser/" rw,
+ owner "/live/persistence/TailsData_unlocked/Persistent/Tor Browser/**" rwk,
++ owner @{HOME}/.mozilla/firefox/bookmarks/ rwk,
+ owner @{HOME}/.mozilla/firefox/bookmarks/** rwk,
++ owner /live/persistence/TailsData_unlocked/bookmarks/ rwk,
+ owner /live/persistence/TailsData_unlocked/bookmarks/** rwk,
+ owner @{HOME}/.tor-browser/profile.default/ r,
+ owner @{HOME}/.tor-browser/profile.default/** rwk,
@@ -108,33 +83,32 @@
/etc/mailcap r,
/etc/mime.types r,
-@@ -103,9 +111,43 @@
+@@ -80,12 +88,6 @@
+ /sys/devices/system/node/node[0-9]*/meminfo r,
+ deny /sys/devices/virtual/block/*/uevent r,
- # Silence denial logs about permissions we don't need
- deny /dev/dri/ rwklx,
-+ deny @{HOME}/.cache/fontconfig/ rw,
-+ deny @{HOME}/.cache/fontconfig/** rw,
-+ deny @{HOME}/.config/gtk-2.0/ rw,
-+ deny @{HOME}/.config/gtk-2.0/** rw,
+- # Should use abstractions/gstreamer instead once merged upstream
+- /etc/udev/udev.conf r,
+- /run/udev/data/+pci:* r,
+- /sys/devices/pci[0-9]*/**/uevent r,
+- owner /{dev,run}/shm/shmfd-* rw,
+-
+ # Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
+ owner /{dev,run}/shm/org.chromium.* rw,
+
+@@ -99,6 +101,32 @@
+ deny @{HOME}/.cache/fontconfig/** rw,
+ deny @{HOME}/.config/gtk-2.0/ rw,
+ deny @{HOME}/.config/gtk-2.0/** rw,
+ deny @{HOME}/.mozilla/firefox/bookmarks/ r,
- deny @{PROC}/@{pid}/net/route r,
- deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
- deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
++ deny @{PROC}/@{pid}/net/route r,
++ deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
++ deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
+ deny /usr/local/lib/tor-browser/TorBrowser/UpdateInfo/ rw,
+ deny /usr/local/lib/tor-browser/update.test/ rw,
+
-+ /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner Cix -> gst_plugin_scanner,
-+ owner @{HOME}/.gstreamer*/ rw,
-+ owner @{HOME}/.gstreamer*/** rw,
-+ owner @{PROC}/[0-9]*/fd/ r,
-+
-+ deny /usr/bin/pulseaudio x,
-+
+ /usr/local/lib/tor-browser/firefox Pix,
+
-+ # Required for e10s
-+ /usr/local/lib/tor-browser/plugin-container Pix,
-+
+ # Grant access to assistive technologies
+ # (otherwise, Firefox crashes when Orca is enabled:
+ # https://labs.riseup.net/code/issues/9261)
@@ -149,10 +123,13 @@
+ # Deny access to the list of recently used files. This overrides the
+ # access to it that's granted by the freedesktop.org abstraction.
+ deny @{HOME}/.local/share/recently-used.xbel* rw,
-
- # KDE 4
- owner @{HOME}/.kde/share/config/* r,
-@@ -114,5 +156,11 @@
++
++ # Silence denial logs about permissions we don't need
++ deny /dev/dri/ rwklx,
+ deny @{PROC}/@{pid}/net/route r,
+ deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
+ deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
+@@ -110,5 +138,11 @@
/etc/xfce4/defaults.list r,
/usr/share/xfce4/applications/ r,
@@ -165,3 +142,98 @@
+ deny /tmp/ rwklx,
}
+
+--- a/etc/apparmor.d/torbrowser.Browser.plugin-container
++++ b/etc/apparmor.d/torbrowser.Browser.plugin-container
+@@ -8,10 +8,10 @@ profile torbrowser_plugin_container {
+ # to have direct access to your sound hardware. You will also
+ # need to remove the "deny" word in the machine-id lines further
+ # bellow.
+- # #include <abstractions/audio>
+- # /etc/asound.conf r,
+- # owner @{PROC}/@{pid}/fd/ r,
+- # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw,
++ #include <abstractions/audio>
++ /etc/asound.conf r,
++ owner @{PROC}/@{pid}/fd/ r,
++ owner @{HOME}/.tor-browser/profile.default/tmp/mozilla-temp-* rw,
+
+ deny /etc/host.conf r,
+ deny /etc/hosts r,
+@@ -21,8 +21,8 @@ profile torbrowser_plugin_container {
+ deny /etc/group r,
+ deny /etc/mailcap r,
+
+- deny /etc/machine-id r,
+- deny /var/lib/dbus/machine-id r,
++ /etc/machine-id r,
++ /var/lib/dbus/machine-id r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/stat r,
+@@ -30,28 +30,26 @@ profile torbrowser_plugin_container {
+ owner @{PROC}/@{pid}/task/*/stat r,
+ @{PROC}/sys/kernel/random/uuid r,
+
+- owner @{torbrowser_home_dir}/*.dat r,
+- owner @{torbrowser_home_dir}/*.manifest r,
+- owner @{torbrowser_home_dir}/*.so mr,
+- owner @{torbrowser_home_dir}/.cache/fontconfig/ rw,
+- owner @{torbrowser_home_dir}/.cache/fontconfig/** rw,
+- owner @{torbrowser_home_dir}/browser/** r,
+- owner @{torbrowser_home_dir}/components/*.so mr,
+- owner @{torbrowser_home_dir}/browser/components/*.so mr,
+- owner @{torbrowser_home_dir}/defaults/pref/ r,
+- owner @{torbrowser_home_dir}/defaults/pref/*.js r,
+- owner @{torbrowser_home_dir}/fonts/ r,
+- owner @{torbrowser_home_dir}/fonts/** r,
+- owner @{torbrowser_home_dir}/omni.ja r,
+- owner @{torbrowser_home_dir}/plugin-container ixmr,
+- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
+- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/* rw,
+- owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
+- owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
+- owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
+- owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
+- owner @{torbrowser_home_dir}/Downloads/ rwk,
+- owner @{torbrowser_home_dir}/Downloads/** rwk,
++ @{torbrowser_home_dir}/ r,
++ @{torbrowser_home_dir}/** mr,
++ @{torbrowser_home_dir}/plugin-container ixmr,
++
++ owner @{HOME}/.tor-browser/profile.default/tmp/* rw,
++
++ owner "@{HOME}/Tor Browser/" rw,
++ owner "@{HOME}/Tor Browser/**" rwk,
++ owner "@{HOME}/Persistent/Tor Browser/" rw,
++ owner "@{HOME}/Persistent/Tor Browser/**" rwk,
++
++ /etc/xul-ext/ r,
++ /etc/xul-ext/** r,
++ /usr/local/share/tor-browser-extensions/ r,
++ /usr/local/share/tor-browser-extensions/** rk,
++ /usr/share/xul-ext/ r,
++ /usr/share/xul-ext/** r,
++
++ /usr/share/doc/tails/website/ r,
++ /usr/share/doc/tails/website/** r,
+
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/cpu/present r,
+@@ -78,5 +76,10 @@ profile torbrowser_plugin_container {
+ deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
+ deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
+
+- #include <local/torbrowser.Browser.plugin-container>
++ # Deny access to global tmp directories, that's granted by the user-tmp
++ # abstraction, which is sourced by the gnome abstraction, that we include.
++ deny owner /var/tmp/** rwklx,
++ deny /var/tmp/ rwklx,
++ deny owner /tmp/** rwklx,
++ deny /tmp/ rwklx,
+ }
+--- a/etc/apparmor.d/tunables/torbrowser
++++ b/etc/apparmor.d/tunables/torbrowser
+@@ -1,2 +1 @@
+-@{torbrowser_installation_dir}=@{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*
+-@{torbrowser_home_dir}=@{torbrowser_installation_dir}/Browser
++@{torbrowser_home_dir}=/usr/local/lib/tor-browser
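Review bot: `@{torbrowser_home_dir}/** mr,`, at both places where it replaces the per-file list (the firefox profile and the plugin-container profile), grants mmap-executable on every file under /usr/local/lib/tor-browser, where the previous patch gave `mr` only to the listed `.so` files and plain `r` to the rest. Since the tree is now a root-owned install rather than a per-user directory, this is a loss of precision rather than a new writable surface, but the profile should record that reasoning; a comment next to the rule such as `# tree is root-owned and read-only for the browser; m on ** avoids listing every shared object` would do. The plugin-container profile also turns `deny /etc/machine-id r,` and `deny /var/lib/dbus/machine-id r,` into allows while the firefox profile keeps the same two lines denied, presumably for the audio support the upstream comment just above describes, and a reader of the patch cannot tell that the asymmetry is intended; `# Allowed only in the content process, for audio; the parent profile keeps the deny` would document it. Both profiles are only partially visible through the outer diff, so I cannot confirm from here which of the two keeps a local/ include.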