intrigeri pushed to branch main at The Tor Project / Applications / torbrowser-launcher
Commits:
692e28a1 by intrigeri at 2025-03-18T13:49:53+00:00
AppArmor: allow unprivileged user namespaces
Firefox uses userns to set up its own sandboxing.
On Debian, AppArmor was already allowing this by default, until a recent upload (that is now in Trixie) updated the features pinning to a version that now mediates usage of userns, so this functionality is now blocked by profiles that don't explicitly allow it. Let's repair this.
Also reported as Debian#1098845.
- - - - -
91db109a by intrigeri at 2025-03-18T14:02:01+00:00
AppArmor: allow reading cgroups-v2 CPU bandwidth quota information
Firefox uses this info to determine how many CPUs the current thread actually has access to, which seems like a reasonable thing to do for an app like Firefox which manages a bunch of child processes. The call chain is: get_num_cpus → cgroups_num_cpus → init_cgroups → load_cgroups → cpu_quota → max → "cpu.max".
- - - - -
7772a1ea by intrigeri at 2025-03-18T14:15:17+00:00
AppArmor: allow executing Firefox' own VA-API probe utility
This is necessary for Tor Browser to determine if VA-API is supported by the host system, which in turn is needed to enable video hardware decoding.
- - - - -
9eb8686d by intrigeri at 2025-03-18T14:18:41+00:00
AppArmor: allow reading intel-media-driver feature files
Firefox reads these files when it runs the vaapitest tool and the VAAPI driver for the Intel GEN8+ Graphics family is installed.
- - - - -
479b8f53 by intrigeri at 2025-03-18T17:00:32+00:00
Merge branch 'AppArmor-updates-for-current-Debian' into 'main'
AppArmor: various updates including 1 important fix for Debian Trixie
See merge request tpo/applications/torbrowser-launcher!24
- - - - -
1 changed file:
- apparmor/torbrowser.Browser.firefox
Changes:
===================================== apparmor/torbrowser.Browser.firefox ===================================== @@ -13,6 +13,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} { #include if exists <abstractions/vulkan> #include if exists <abstractions/dbus-session-strict>
+ userns, + deny capability sys_ptrace,
# Uncomment the following lines if you want to give the Tor Browser read-write @@ -94,6 +96,10 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} { owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr, owner @{torbrowser_home_dir}/TorBrowser/Tor/libstdc++/*.so mr, owner @{torbrowser_home_dir}/TorBrowser/Tor/libstdc++/*.so.* mr, + owner @{torbrowser_home_dir}/vaapitest ix, + + # intel-media-driver + /etc/igfx_user_feature*.txt r,
# parent Firefox process when restarting after upgrade, Web Content processes owner @{torbrowser_firefox_executable} pxmr -> torbrowser_firefox, @@ -121,6 +127,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} { /sys/devices/system/node/ r, /sys/devices/system/node/node[0-9]*/meminfo r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_quota_us r, + /sys/fs/cgroup/user.slice/user-[0-9]*.slice/user@[0-9]*.service/app.slice/app-gnome-torbrowser-[0-9]*.scope/cpu.max r, deny /sys/class/input/ r, deny /sys/devices/virtual/block/*/uevent r,
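Review bot: the `userns,` line added in the first hunk (@@ -13,6 +13,8 @@) carries no comment in the profile, so a later reader sees a bare namespace permission sitting directly above `deny capability sys_ptrace,` with no stated reason. Suggest a one-line comment above it saying that Firefox uses user namespaces to set up its own sandbox, and writing the rule as `userns create,` if creation is all that is needed, so the grant stays explicit should the rule gain further permissions.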
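Review bot: in the second hunk (@@ -94,6 +96,10 @@) the `owner @{torbrowser_home_dir}/vaapitest ix,` rule is appended to the block of Tor shared-library `mr` rules without a comment, while the intel-media-driver rule right after it has one. Suggest separating it from the library rules and adding a short comment that this is Firefox's VA-API probe utility. Because the rule is `ix`, the probe runs with the full torbrowser_firefox profile, including the new `userns,` permission; a comment stating that this inheritance is intended would help the next reviewer.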
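Review bot: the `cpu.max` rule in the third hunk (@@ -121,6 +127,7 @@) only matches a cgroup path ending in `app.slice/app-gnome-torbrowser-[0-9]*.scope/cpu.max`, so it covers the browser only when it runs in a scope with that GNOME-specific name. A launch that ends up in a differently named scope or unit under `user@[0-9]*.service` would still have the read denied. Suggest either generalising the scope component of the path or adding a comment that states which launch methods this rule is meant to cover.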
View it on GitLab: https://gitlab.torproject.org/tpo/applications/torbrowser-launcher/-/compare...