git.lizzy.rs Git - torbrowser-launcher.git/commit

author	intrigeri <intrigeri@boum.org>
	Sun, 31 Mar 2019 14:33:45 +0000 (14:33 +0000)
committer	intrigeri <intrigeri@boum.org>
	Sun, 31 Mar 2019 14:55:24 +0000 (14:55 +0000)
commit	c5d37c0d055a97861366c3836d34073cf670dc0d
tree	289084c3da21dd0ecc3e12e8b9b12230b38e64d6	tree \| snapshot
parent	b2ba5b44ffa245bd12fa71c870e1374abdad9ec8	commit \| diff

AppArmor: drop the profile dedicated to Web Content processes.

Before Firefox 60, Web Content processes were instances of a dedicated
binary (plugin-container). But since Firefox 60, the Web Content processes are
instances of the very same executable as the parent Firefox process,
which makes it impossible to apply a different AppArmor policy to:

- Web Content processes, that should ideally be more strictly confined

- the new parent Firefox process that's spawned while restarting
during a self-upgrade of Tor Browser

And indeed, we had to drop this distinction with commit
678d083491ceba5201d96b514173890944928540.

As a result, the new parent Firefox process that's spawned while restarting
during a self-upgrade of Tor Browser runs under the torbrowser_plugin_container
profile, i.e. more strictly confined than it should be, which breaks all kinds
of things.

A Firefox release manager tells me there's no plan to give Web Content processes
a dedicated binary again; let's give up and go back to confining the entire
browser under one single AppArmor profile, and rely on Firefox' own sandboxing
systems to protect itself against rogue Web Content processes.

apparmor/local/torbrowser.Browser.plugin-container	[deleted file]	blob \| history
apparmor/torbrowser.Browser.firefox		diff \| blob \| history
apparmor/torbrowser.Browser.plugin-container	[deleted file]	blob \| history
setup.py		diff \| blob \| history