AppArmor: allow Firefox to read processes and tasks' stats.

This partially reverts commit 04b24660, that made the opposite change for
reasons that are unknown to me.

stat files are used in the JiffiesSinceBoot function
(xpcom/ds/TimeStamp_posix.cpp), which is used to compute process lifetime.
The consequences of blocking this access are unclear to me: it might plug issues
wrt. anonymity that the Tor Browser team would have missed (ask them?), but it
can as well introduce security issues by forcing Firefox to downgrade to worse
sources of information. If crypto is in play there, we would be playing
a dangerous game by blocking Firefox from accessing this information.

diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index 41b1a7123efacf0fcd17cce51538d11f2a5ceb7b..da90762fdc65aa8cb6c7bf6ee47861aeb662051b 100644 (file)
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -21,16 +21,15 @@
   deny /etc/group r,
   deny /etc/mailcap r,
 
-  deny @{PROC}/[0-9]*/stat r,
   deny @{PROC}/[0-9]*/mountinfo r,
   deny @{PROC}/[0-9]*/task/** r,
   deny @{PROC}/[0-9]*/fd/ r,
-  deny @{PROC}/[0-9]*/stat r,
-  deny @{PROC}/[0-9]*/task/*/stat r,
 
   deny /etc/machine-id r,
   deny /var/lib/dbus/machine-id r,
 
+  @{PROC}/[0-9]*/stat r,
+  @{PROC}/[0-9]*/task/*/stat r,
   @{PROC}/sys/kernel/random/uuid r,
 
   ## Missing in <abstractions/user-download> #######