control: tags -1 +patch

On Fri, Jan 15, 2021 at 9:36 PM Paul Wise <p...@debian.org> wrote:
>
> Package: torbrowser-launcher
> Version: 0.3.3-3
> Severity: minor
> File: /etc/apparmor.d/torbrowser.Browser.firefox
> Usertags: warnings
>
> When I start torbrowser-launcher I get apparmor denials like the
> following. There don't appear to be any consequences for this denial,
> the Tor Browser window starts up and works just fine. Possibly the
> Firefox sandboxing uses this file but I'm not sure.
>
> Jan 15 20:22:03 audit[874474]: AVC apparmor="DENIED" operation="open"
> profile="torbrowser_firefox" name="/proc/874474/cgroup" pid=874474
> comm="firefox.real" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Thanks for the report!
Enclosed is the patch, which I tested OK on my buster-backports system.

Cheers,
--
Roger Shimizu, GMT +9 Tokyo
PGP/GPG: 4096R/6C6ACD6417B3ACB1

From: Roger Shimizu <r...@debian.org> Date: Sun, 25 Apr 2021 22:51:12 +0900 Subject: Update apparmor profile Closes: #980155 --- apparmor/torbrowser.Browser.firefox | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox index 57c0359..095b110 100644 --- a/apparmor/torbrowser.Browser.firefox +++ b/apparmor/torbrowser.Browser.firefox @@ -90,6 +90,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} { /usr/share/gnome/applications/ r, /usr/share/gnome/applications/kde4/ r, /usr/share/poppler/cMap/ r, + /etc/xdg/mimeapps.list r, # Distribution homepage /usr/share/homepage/ r, @@ -121,6 +122,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} { deny @{HOME}/.cache/fontconfig/** rw, deny @{HOME}/.config/gtk-2.0/ rw, deny @{HOME}/.config/gtk-2.0/** rw, + deny @{PROC}/@{pid}/cgroup r, deny @{PROC}/@{pid}/net/route r, deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
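
Review bot: In the first hunk (@@ -90,6 +90,7), the added `/etc/xdg/mimeapps.list r,` rule is not explained by the commit message, which only says "Update apparmor profile" and closes #980155; the denial quoted in that report is for /proc/874474/cgroup, not for mimeapps.list. Please either state in the commit message which denial this read grant addresses or split it into its own commit so it can be reviewed separately.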
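
Review bot: In the second hunk (@@ -121,6 +122,7), `deny @{PROC}/@{pid}/cgroup r,` keeps the read blocked and only stops it from being logged, because AppArmor does not audit explicit deny rules by default. The report says the browser works without this file but also that Firefox sandboxing may use it, so a one-line comment above the rule saying why the access is denied rather than allowed would help later readers. Note also that an explicit deny takes precedence over allow rules, so an allow rule for the same path added elsewhere in the profile will not take effect.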