authorbertagaz <bertagaz@ptitcanardnoir.org>2015-07-15 14:58:47 +0200
committerbertagaz <bertagaz@ptitcanardnoir.org>2015-07-15 14:58:47 +0200
commite2b338cc6c224d49929edfda17184d82a4b48900 (patch)
tree96f4fdfc96a5cb45d2b4d36d18dd3da9fd134514
parentcacd5a4c737829fa2a3793bc305deab5ab82943a (diff)
parent9549f82935f4806c0a689774c6637e883f89a2dc (diff)
Merge branch 'bugfix/9558-deny-tmp-to-tor-browser' into devel
Fix-committed: #9558
-rwxr-xr-xconfig/chroot_local-includes/usr/local/bin/tor-browser4
-rw-r--r--config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch15
-rw-r--r--features/torified_browsing.feature3
3 files changed, 20 insertions, 2 deletions
diff --git a/config/chroot_local-includes/usr/local/bin/tor-browser b/config/chroot_local-includes/usr/local/bin/tor-browser
index 80200a3..a6751fd 100755
--- a/config/chroot_local-includes/usr/local/bin/tor-browser
+++ b/config/chroot_local-includes/usr/local/bin/tor-browser
@@ -59,6 +59,10 @@ start_browser() {
/usr/local/bin/generate-tor-browser-profile
fi
+ TMPDIR="${PROFILE}/tmp"
+ mkdir --mode=0700 -p "$TMPDIR"
+ export TMPDIR
+
configure_best_tor_browser_locale "${PROFILE}"
# Workaround bug #8036
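Review bot: The added `mkdir --mode=0700 -p "$TMPDIR"` in start_browser does not guarantee a private directory. With `-p`, an already existing `${PROFILE}/tmp` is accepted as it is, so its mode is left untouched, and the visible lines do not check mkdir's result before `export TMPDIR`. I would follow it with `chmod 0700 "$TMPDIR" || exit 1` (or fail the way the script normally does), so the browser never starts with a TMPDIR that is missing or more open than intended. A short comment such as `# Private TMPDIR: the AppArmor profile denies /tmp and /var/tmp (#9558)` would also tie this to the profile change. start_browser begins and ends outside this hunk, so whether `set -e` is in effect cannot be seen here.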
diff --git a/config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch b/config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch
index 222e288..d1df77c 100644
--- a/config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch
+++ b/config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch
@@ -1,5 +1,5 @@
diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
-index 7e68a08..c7db6da 100644
+index 7e68a08..2f40271 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -1,13 +1,15 @@
@@ -97,7 +97,7 @@ index 7e68a08..c7db6da 100644
/etc/mailcap r,
/etc/mime.types r,
-@@ -73,6 +87,31 @@
+@@ -73,10 +87,42 @@
/sys/devices/pci[0-9]*/**/uevent r,
owner /{dev,run}/shm/shmfd-* rw,
@@ -129,3 +129,14 @@ index 7e68a08..c7db6da 100644
# KDE 4
owner @{HOME}/.kde/share/config/* r,
+ # Xfce4
+ /etc/xfce4/defaults.list r,
+ /usr/share/xfce4/applications/ r,
++
++ # Deny access to global tmp directories, that's granted by the user-tmp
++ # abstraction, which is sourced by the gnome abstraction, that we include.
++ deny owner /var/tmp/** rwklx,
++ deny /var/tmp/ rwklx,
++ deny owner /tmp/** rwklx,
++ deny /tmp/ rwklx,
+ }
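Review bot: The four `deny` lines added at the end of the profile are plain `deny` rules, which AppArmor does not log by default, so a blocked attempt by the browser to touch /tmp or /var/tmp leaves no audit trace. If that visibility is wanted, write them as `audit deny owner /tmp/** rwklx,` and likewise for the other three. The `owner` qualifier also means the two `/**` rules cover only files owned by the browser's user. Files owned by other users stay blocked only as long as no other included abstraction grants them, which the comment above the rules could say explicitly. The rest of the profile is outside this hunk, so I cannot check which other rules touch these paths.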
diff --git a/features/torified_browsing.feature b/features/torified_browsing.feature
index c21ee4e..c1885ba 100644
--- a/features/torified_browsing.feature
+++ b/features/torified_browsing.feature
@@ -65,12 +65,15 @@ Feature: Browsing the web using the Tor Browser
Scenario: I can view a file stored in "~/Tor Browser" but not in ~/.gnupg
Given I copy "/usr/share/synaptic/html/index.html" to "/home/amnesia/Tor Browser/synaptic.html" as user "amnesia"
And I copy "/usr/share/synaptic/html/index.html" to "/home/amnesia/.gnupg/synaptic.html" as user "amnesia"
+ And I copy "/usr/share/synaptic/html/index.html" to "/tmp/synaptic.html" as user "amnesia"
And I start the Tor Browser
And the Tor Browser has started and loaded the startup page
When I open the address "file:///home/amnesia/Tor Browser/synaptic.html" in the Tor Browser
Then I see "TorBrowserSynapticManual.png" after at most 10 seconds
When I open the address "file:///home/amnesia/.gnupg/synaptic.html" in the Tor Browser
Then I see "TorBrowserUnableToOpen.png" after at most 10 seconds
+ When I open the address "file:///tmp/synaptic.html" in the Tor Browser
+ Then I see "TorBrowserUnableToOpen.png" after at most 10 seconds
Scenario: The "Tails documentation" link on the Desktop works
When I double-click on the "Tails documentation" link on the Desktop
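Review bot: The new steps exercise only /tmp, while the profile change in this commit denies both /tmp and /var/tmp, so a regression in the /var/tmp rules would go unnoticed. I would add a parallel copy step, `And I copy "/usr/share/synaptic/html/index.html" to "/var/tmp/synaptic.html" as user "amnesia"`, and a matching `When I open the address "file:///var/tmp/synaptic.html" in the Tor Browser` followed by the same `Then I see "TorBrowserUnableToOpen.png" after at most 10 seconds`. The scenario title still names only ~/.gnupg as the blocked location and could mention the tmp directories too. Nothing here checks that the browser still works with its new private TMPDIR, for example a download, though that may be covered by scenarios outside this hunk.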