FS#65815 - [torbrowser-launcher] Update AppArmor profiles for Tor Browser 9
Attached to Project:
Community Packages
Opened by Jonas Witschel (diabonas) - Thursday, 12 March 2020, 22:45 GMT
Last edited by kpcyrd (kpcyrd) - Sunday, 20 December 2020, 22:53 GMT
Details
When trying to start Tor Browser on a system with AppArmor
enabled, the main application window is a blank black screen
(rendering the browser completely unusable) and
/var/log/audit/audit.log contains a lot of entries of the
form
apparmor="DENIED" operation="mknod" profile="torbrowser_firefox" name="/dev/shm/org.mozilla.ipc.<pid>.<number>" pid=<pid> comm="firefox.real" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

The AppArmor profile has been fixed upstream in https://github.com/micahflee/torbrowser-launcher/pull/426, but these commits haven't made it to a released version yet. I suggest backporting these changes to the Arch Linux package to allow using Tor Browser with AppArmor enabled. After applying them, the browser is fully usable, with only a few harmless messages (denied reading /usr/bin/release and /usr/share/gtk-3.0/settings.ini, denied the CAP_SYS_ADMIN capability) present in the audit log.

Additional info:
* torbrowser-launcher 0.3.2-2

Steps to reproduce:
- Enable AppArmor by adding "apparmor=1 security=apparmor" to the kernel command line, installing the apparmor package and enabling apparmor.service.
- Try to start torbrowser-launcher.
Closed by kpcyrd (kpcyrd)
Sunday, 20 December 2020, 22:53 GMT
Reason for closing: Fixed
Additional comments about closing: 0.3.3-1
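A triage helper for the kind of denials described in the report, added here as an example (it is not part of the original report or of torbrowser-launcher): it parses audit records, keeps those with apparmor="DENIED", and groups them by profile, operation and target so the rules a profile is missing stand out. The sample records are constructed, and collapsing trailing numeric path components is a heuristic assumption.

```python
import re
from collections import Counter

# Audit records are sequences of key="quoted" or key=bare pairs.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    fields = {}
    for m in PAIR.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is None and key == "name" and HEX.fullmatch(bare):
            # audit hex-encodes names that contain spaces or control characters
            quoted = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = bare if quoted is None else quoted
    return fields if fields.get("apparmor") == "DENIED" else None

def normalize(name):
    """Heuristic: collapse trailing numeric components such as .<pid>.<number>."""
    return re.sub(r"\.\d+(?=\.|$)", ".<n>", name)

def summarize(lines):
    """Count denials per (profile, operation, target, denied_mask)."""
    counts = Counter()
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        # capability denials carry capname instead of a path name
        target = normalize(d["name"]) if "name" in d else "capability:" + d.get("capname", "?")
        counts[(d.get("profile"), d.get("operation"), target, d.get("denied_mask", ""))] += 1
    return counts

# Constructed sample records (not taken from a real log).
HDR = 'type=AVC msg=audit(1584053100.000:1): apparmor="DENIED" '
SAMPLE = [
    HDR + 'operation="mknod" profile="torbrowser_firefox" name="/dev/shm/org.mozilla.ipc.4321.7" pid=4321 comm="firefox.real" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    HDR + 'operation="mknod" profile="torbrowser_firefox" name="/dev/shm/org.mozilla.ipc.4321.8" pid=4321 comm="firefox.real" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    HDR + 'operation="open" profile="torbrowser_firefox" name="/usr/share/gtk-3.0/settings.ini" pid=4321 comm="firefox.real" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    HDR + 'operation="capable" profile="torbrowser_firefox" pid=4321 comm="firefox.real" capability=21 capname="sys_admin"',
    'type=SYSCALL msg=audit(1584053100.000:1): arch=c000003e syscall=133 success=no exit=-13',
]

if __name__ == "__main__":
    for (profile, op, target, mask), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  {profile}  {op}  {target}  {mask}")
```

To run it against a real log, pass the lines of /var/log/audit/audit.log to summarize() in place of SAMPLE.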
- https://github.com/micahflee/torbrowser-launcher/pull/442 (allow running the updater)
- https://github.com/micahflee/torbrowser-launcher/pull/434 (allow access to U2F devices)
Unrelated to this bug report, the package is not reproducible due to file system ordering issues. A suggested fix is available at https://github.com/micahflee/torbrowser-launcher/pull/478
In case somebody is looking for an updated package, because the current one is broken and unusable, I patched the PKGBUILD and edited the included patches to work with version 0.3.3.
I dropped the version string comparison patch and the up-to-date signing key because the upstream maintainers claim they fixed both issues here: https://github.com/micahflee/torbrowser-launcher/pull/526
Steps to reproduce:
mkdir torbrowser-launcher
cd torbrowser-launcher
wget https://raw.githubusercontent.com/archlinux/svntogit-community/195d837f88aa897b007c16ed5593a7cd5f054751/trunk/PKGBUILD
wget https://github.com/micahflee/torbrowser-launcher/pull/444/commits/66781d299d9dfd812c7aca9a04de7ea37f4d57e2.patch
wget https://github.com/micahflee/torbrowser-launcher/pull/416/commits/3a40129e865f2a7d8aece360f525579b314a7a7c.patch
patch -p1 < torbrowser-launcher-0.3.3-1.patch
makepkg -c
Of course, the resulting PKGBUILD is unacceptable for the repos because it links to two patch files from GitHub which were not rebased to v0.3.3. Those patches won't apply and the file checksums won't match. They either have to be rebased in their pull requests and the patch links in the PKGBUILD should be replaced, or the new editions have to be bundled with the PKGBUILD.
Regards.