intrigeri pushed to branch main at The Tor Project / Applications / torbrowser-launcher

Commits:

• 692e28a1
  by intrigeri at 2025-03-18T13:49:53+00:00

  AppArmor: allow unprivileged user namespaces
  
  Firefox uses userns to set up its own sandboxing.
  
  On Debian, AppArmor was already allowing this by default, until a recent
  upload (that is now in Trixie) updated the features pinning to a version that
  now mediates usage of userns, so this functionality is now blocked by profiles
  that don't explicitly allow it. Let's repair this.
  
  Also reported as Debian#1098845.
  

• 91db109a
  by intrigeri at 2025-03-18T14:02:01+00:00

  AppArmor: allow reading cgroups-v2 CPU bandwidth quota information
  
  Firefox uses this info to determine how many CPUs the current thread actually
  has access to, which seems like a reasonable thing to do for an app like Firefox
  which manages a bunch of child processes. The call chain is: get_num_cpus →
  cgroups_num_cpus → init_cgroups → load_cgroups → cpu_quota → max → "cpu.max".
  

• 7772a1ea
  by intrigeri at 2025-03-18T14:15:17+00:00

  AppArmor: allow executing Firefox' own VA-API probe utility
  
  This is necessary for Tor Browser to determine if VA-API is supported by the
  host system, which in turn is needed to enable video hardware decoding.
  

• 9eb8686d
  by intrigeri at 2025-03-18T14:18:41+00:00

  AppArmor: allow reading intel-media-driver feature files
  
  Firefox reads these files when it runs the vaapitest tool and the VAAPI driver
  for the Intel GEN8+ Graphics family is installed.
  

• 479b8f53
  by intrigeri at 2025-03-18T17:00:32+00:00

  Merge branch 'AppArmor-updates-for-current-Debian' into 'main'
  
  AppArmor: various updates including 1 important fix for Debian Trixie
  
  See merge request tpo/applications/torbrowser-launcher!24

1 changed file:

• apparmor/torbrowser.Browser.firefox

Changes:

   #include if exists <abstractions/vulkan>

   #include if exists <abstractions/dbus-session-strict>

+  userns,

+

   deny capability sys_ptrace,

   # Uncomment the following lines if you want to give the Tor Browser read-write

   owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,

   owner @{torbrowser_home_dir}/TorBrowser/Tor/libstdc++/*.so mr,

   owner @{torbrowser_home_dir}/TorBrowser/Tor/libstdc++/*.so.* mr,

+  owner @{torbrowser_home_dir}/vaapitest ix,

+

+  # intel-media-driver

+  /etc/igfx_user_feature*.txt r,

   # parent Firefox process when restarting after upgrade, Web Content processes

   owner @{torbrowser_firefox_executable} pxmr -> torbrowser_firefox,

   /sys/devices/system/node/ r,

   /sys/devices/system/node/node[0-9]*/meminfo r,

   /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_quota_us r,

+  /sys/fs/cgroup/user.slice/user-[0-9]*.slice/user@[0-9]*.service/app.slice/app-gnome-torbrowser-[0-9]*.scope/cpu.max r,

   deny /sys/class/input/ r,

   deny /sys/devices/virtual/block/*/uevent r,