From 629493a62dfff6b46ba890bd936ae4e1f1de2ecc Mon Sep 17 00:00:00 2001
From: anonym
Date: Wed, 23 Aug 2023 09:39:17 +0200
Subject: [PATCH 1/5] AppArmor: allow executing glxtest
This "Firefox OpenGL probe utility" was added in Tor Browser 13.
---
 apparmor/torbrowser.Browser.firefox | 1 +
 1 file changed, 1 insertion(+)
diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index 85a0d82c..37dabd0f 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -70,6 +70,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
 owner @{torbrowser_home_dir}/Downloads/ rwk,
 owner @{torbrowser_home_dir}/Downloads/** rwk,
 owner @{torbrowser_home_dir}/firefox rix,
+ owner @{torbrowser_home_dir}/glxtest ix,
 owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/* rw,
 owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/{,MozUpdater/bgupdate/}updater ix,
 owner @{torbrowser_home_dir}/updater ix,
From 41f20588bf0b6432f0d6a3522847c4c7c221a99f Mon Sep 17 00:00:00 2001
From: anonym
Date: Thu, 7 Sep 2023 15:59:47 +0200
Subject: [PATCH 2/5] AppArmor: allow reading/writing to /proc/PID/oom_score_adj
Firefox adjusts the OOM scores of its processes so that if they are reaped they are killed in a sane order, e.g. the parent process last. Source: hal/linux/LinuxProcessPriority.cpp
---
 apparmor/torbrowser.Browser.firefox | 1 +
 1 file changed, 1 insertion(+)
diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index 37dabd0f..a5d9e574 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -46,6 +46,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
 owner @{PROC}/@{pid}/environ r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/oom_score_adj rw,
 owner @{PROC}/@{pid}/smaps r,
 owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/statm r,
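Review bot: The new `owner @{torbrowser_home_dir}/glxtest ix,` rule carries no in-profile note of what the binary is, while the commit message explains it is the OpenGL probe utility that arrived with Tor Browser 13; a one-line comment above the rule, `# glxtest: Firefox's OpenGL probe utility (Tor Browser 13+)`, keeps that rationale with the policy. `ix` runs glxtest under this same profile, which matches how `updater` is handled two lines below, so the probe inherits the browser's full permission set; a child profile (`cx`) would be tighter, but that is more than this change needs and can be left for later. The neighbouring `firefox` rule is `rix` while this one is `ix`, which is consistent with the other `ix` rules in the hunk, so that is a style observation only. The enclosing `profile` block starts and ends outside the hunk.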
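Review bot: The `owner @{PROC}/@{pid}/oom_score_adj rw,` rule is keyed on `@{pid}`, and in the usual tunables that variable is a digit pattern matching any PID rather than the calling process's own, so `owner` (same uid) is the only thing narrowing the write; Firefox only needs to re-prioritise its own process tree, but as written the rule also admits writes to the OOM score of any other process running as the same user — check how `@{pid}` is defined by the tunables in use before relying on a narrower reading. That shape is the same as the surrounding `@{PROC}/@{pid}/... r` rules, so it is consistent with existing policy, and AppArmor offers no per-process narrowing here beyond `owner`; the write permission is the only new exposure. Worth recording the intent next to the rule: `# Firefox re-prioritises its own child processes for the OOM killer (hal/linux/LinuxProcessPriority.cpp)`. The enclosing `profile` block starts and ends outside the hunk.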
From b257da0390f2abbaeea1409ab09c8c2095c3ed1d Mon Sep 17 00:00:00 2001
From: anonym
Date: Thu, 7 Sep 2023 18:14:24 +0200
Subject: [PATCH 3/5] AppArmor: give read access to proc info about which command the browser's threads use
---
 apparmor/torbrowser.Browser.firefox | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index a5d9e574..c669c923 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -51,6 +51,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
 owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/statm r,
 owner @{PROC}/@{pid}/status r,
+ owner @{PROC}/@{pid}/task/ r,
+ owner @{PROC}/@{pid}/task/*/comm r,
 owner @{PROC}/@{pid}/task/*/stat r,
 @{PROC}/sys/kernel/random/uuid r,
From 29e1fe419ae6062977cbe1c821944ae1cbc87a1a Mon Sep 17 00:00:00 2001
From: anonym
Date: Thu, 7 Sep 2023 18:17:18 +0200
Subject: [PATCH 4/5] AppArmor: silence denial of sys_ptrace capability
We already allow ptrace for its relevant subprocesses via ptrace rules, and I'm unsure if the full capability is really needed. I see lots of other profiles which have ptrace rules without the capability so I guess not. And I wonder if allowing the capability allows ptrace for arbitrary processes, which would be really bad. So let's assume it's not needed and we'll see what happens.
---
 apparmor/torbrowser.Browser.firefox | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index c669c923..2212c0f2 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -12,6 +12,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
 #include
 #include if exists
+ deny capability sys_ptrace,
+
 # Uncomment the following lines if you want to give the Tor Browser read-write
 # access to most of your personal files.
 # #include 
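Review bot: `deny capability sys_ptrace,` carries none of the commit message's reasoning into the profile, and because an explicit `deny` overrides any allow rule — including one that an `#include`d abstraction above it might add in a future update (the include targets are not visible on this page) — it deserves an in-profile comment such as `# Firefox's ptrace needs are covered by the profile's ptrace peer rules; the` / `# capability itself is not required, so deny it to silence the audit noise.`. On the author's open question: AppArmor mediates ptrace through the `ptrace` peer rules independently of this capability, so allowing it would not by itself open ptrace to arbitrary processes, which makes the deny a low-risk, conservative choice rather than a necessary one. The denials are plausibly raised by Firefox's sandboxed child processes, which run in their own user namespace where the kernel's capability check can pass and AppArmor is then consulted, rather than by any ptrace call the browser makes; treat that as an inference to confirm against the audit log's process and comm fields. The enclosing `profile` block starts and ends outside the hunk.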
From b80e0078eef2b72923575e21daaaf39212e759ea Mon Sep 17 00:00:00 2001
From: anonym
Date: Thu, 7 Sep 2023 18:29:30 +0200
Subject: [PATCH 5/5] AppArmor: silence denial to read /sys/class/input/
It is unclear to me what this is about.
---
 apparmor/torbrowser.Browser.firefox | 1 +
 1 file changed, 1 insertion(+)
diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index 2212c0f2..3e19f63d 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -117,6 +117,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
 /sys/devices/system/node/ r,
 /sys/devices/system/node/node[0-9]*/meminfo r,
 /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_quota_us r,
+ deny /sys/class/input/ r,
 deny /sys/devices/virtual/block/*/uevent r,
 # Should use abstractions/gstreamer instead once merged upstream
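Review bot: `deny /sys/class/input/ r,` records nothing about the likely cause, which the commit message says is unclear; one plausible source is Firefox's udev-based input-device enumeration (used for the Gamepad API), which lists `/sys/class/input/`, so a comment like `# Probably udev input-device enumeration (Gamepad API); not needed, silence the denial` would help the next reader, but confirm it against the audit log's process and comm fields first, especially if the browser has that API disabled. Silencing it is sound on its own terms: the read would only expose the list of input devices, and nothing in this profile depends on it. Placing the rule next to the existing `deny /sys/devices/virtual/block/*/uevent r,` keeps the deny rules grouped, which matches the file's style. The enclosing `profile` block starts and ends outside the hunk.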