AppArmor: drop the profile dedicated to Web Content processes.

Before Firefox 60, Web Content processes were instances of a dedicated
binary (plugin-container). But since Firefox 60, the Web Content processes are
instances of the very same executable as the parent Firefox process,
which makes it impossible to apply a different AppArmor policy to:

 - Web Content processes, that should ideally be more strictly confined

 - the new parent Firefox process that's spawned while restarting
   during a self-upgrade of Tor Browser

And indeed, we had to drop this distinction with commit
678d083491ceba5201d96b514173890944928540.

As a result, the new parent Firefox process that's spawned while restarting
during a self-upgrade of Tor Browser runs under the torbrowser_plugin_container
profile, i.e. more strictly confined than it should be, which breaks all kinds
of things.

A Firefox release manager tells me there's no plan to give Web Content processes
a dedicated binary again; let's give up and go back to confining the entire
browser under one single AppArmor profile, and rely on Firefox' own sandboxing
systems to protect itself against rogue Web Content processes.

diff --git a/apparmor/local/torbrowser.Browser.plugin-container b/apparmor/local/torbrowser.Browser.plugin-container
deleted file mode 100644 (file)
index e69de29..0000000

diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index 9f269e1702416ae99ab61c7efb46e025af522922..f91cdc36e382e97d00dda314eaf9b6fd5bef3c8e 100644 (file)
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -11,12 +11,22 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   # #include <abstractions/user-download>
   # @{HOME}/ r,
 
+  # Uncomment the following lines if you want Tor Browser
+  # to have direct access to your sound hardware. You will also
+  # need to remove, further bellow:
+  #  - the "deny" word in the machine-id lines
+  #  - the rules that deny reading /etc/pulse/client.conf
+  #    and executing /usr/bin/pulseaudio
+  # #include <abstractions/audio>
+  # /etc/asound.conf r,
+  # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw,
+
   #dbus,
   network netlink raw,
   network tcp,
 
-  ptrace (trace) peer=torbrowser_plugin_container,
-  signal (send) set=("term") peer=torbrowser_plugin_container,
+  ptrace (trace) peer=@{profile_name},
+  signal (receive, send) set=("term") peer=@{profile_name},
 
   deny /etc/host.conf r,
   deny /etc/hosts r,
@@ -32,6 +42,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   /dev/ r,
   /dev/shm/ r,
 
+  owner @{PROC}/@{pid}/environ r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/stat r,
@@ -51,20 +62,24 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   owner @{torbrowser_home_dir}/*.so mr,
   owner @{torbrowser_home_dir}/.cache/fontconfig/ rwk,
   owner @{torbrowser_home_dir}/.cache/fontconfig/** rwkl,
-  owner @{torbrowser_home_dir}/components/*.so mr,
-  owner @{torbrowser_home_dir}/browser/components/*.so mr,
+  owner @{torbrowser_home_dir}/browser/** r,
+  owner @{torbrowser_home_dir}/{,browser/}components/*.so mr,
+  owner @{torbrowser_home_dir}/Downloads/ rwk,
+  owner @{torbrowser_home_dir}/Downloads/** rwk,
   owner @{torbrowser_home_dir}/firefox rix,
-  owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/updater ix,
-  owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/0/MozUpdater/bgupdate/updater ix,
+  owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/* rw,
+  owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/{,MozUpdater/bgupdate/}updater ix,
+  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/.parentwritetest rw,
   owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/ r,
+  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/{,**} rwk,
+  owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
   owner @{torbrowser_home_dir}/TorBrowser/Tor/tor px,
   owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
   owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
   owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
 
-  # Web Content processes
-  owner @{torbrowser_firefox_executable} px -> torbrowser_plugin_container,
+  # parent Firefox process when restarting after upgrade, Web Content processes
+  owner @{torbrowser_firefox_executable} ixmr -> torbrowser_firefox,
 
   /etc/mailcap r,
   /etc/mime.types r,

diff --git a/apparmor/torbrowser.Browser.plugin-container b/apparmor/torbrowser.Browser.plugin-container
deleted file mode 100644 (file)
index 5cb2141..0000000
--- a/apparmor/torbrowser.Browser.plugin-container
+++ /dev/null
@@ -1,105 +0,0 @@
-#include <tunables/global>
-#include <tunables/torbrowser>
-
-@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real
-
-profile torbrowser_plugin_container {
-  #include <abstractions/gnome>
-
-  # Uncomment the following lines if you want Tor Browser
-  # to have direct access to your sound hardware. You will also
-  # need to remove, further bellow:
-  #  - the "deny" word in the machine-id lines
-  #  - the rules that deny reading /etc/pulse/client.conf
-  #    and executing /usr/bin/pulseaudio
-  # #include <abstractions/audio>
-  # /etc/asound.conf r,
-  # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw,
-
-  signal (receive) set=("term") peer=torbrowser_firefox,
-
-  deny /etc/host.conf r,
-  deny /etc/hosts r,
-  deny /etc/nsswitch.conf r,
-  deny /etc/resolv.conf r,
-  deny /etc/passwd r,
-  deny /etc/group r,
-  deny /etc/mailcap r,
-
-  deny /etc/machine-id r,
-  deny /var/lib/dbus/machine-id r,
-
-  /etc/mime.types r,
-  /usr/share/applications/gnome-mimeapps.list r,
-
-  /dev/shm/ r,
-
-  owner @{PROC}/@{pid}/environ r,
-  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/stat r,
-  owner @{PROC}/@{pid}/status r,
-  owner @{PROC}/@{pid}/task/*/stat r,
-  @{PROC}/sys/kernel/random/uuid r,
-
-  owner @{torbrowser_home_dir}/*.dat r,
-  owner @{torbrowser_home_dir}/*.manifest r,
-  owner @{torbrowser_home_dir}/*.so mr,
-  owner @{torbrowser_home_dir}/.cache/fontconfig/   rw,
-  owner @{torbrowser_home_dir}/.cache/fontconfig/** rw,
-  owner @{torbrowser_home_dir}/browser/** r,
-  owner @{torbrowser_home_dir}/components/*.so mr,
-  owner @{torbrowser_home_dir}/browser/components/*.so mr,
-  owner @{torbrowser_home_dir}/defaults/pref/     r,
-  owner @{torbrowser_home_dir}/defaults/pref/*.js r,
-  owner @{torbrowser_home_dir}/dependentlibs.list r,
-  owner @{torbrowser_home_dir}/fonts/   r,
-  owner @{torbrowser_home_dir}/fonts/** r,
-  owner @{torbrowser_home_dir}/omni.ja r,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
-  owner @{torbrowser_home_dir}/TorBrowser/UpdateInfo/updates/[0-9]*/update.{status,version} r,
-  owner @{torbrowser_home_dir}/TorBrowser/UpdateInfo/updates/[0-9]/updater rw,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/* rw,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/{,profile.default/}.parentwritetest rw,
-  owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
-  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
-  owner @{torbrowser_home_dir}/Downloads/ rwk,
-  owner @{torbrowser_home_dir}/Downloads/** rwk,
-
-  owner @{torbrowser_firefox_executable} ixmr -> torbrowser_plugin_container,
-
-  /sys/devices/system/cpu/ r,
-  /sys/devices/system/cpu/present r,
-  /sys/devices/system/node/ r,
-  /sys/devices/system/node/node[0-9]*/meminfo r,
-  deny /sys/devices/virtual/block/*/uevent r,
-
-  # Should use abstractions/gstreamer instead once merged upstream
-  /etc/udev/udev.conf r,
-  /run/udev/data/+pci:* r,
-  /sys/devices/pci[0-9]*/**/uevent r,
-  owner /{dev,run}/shm/shmfd-* rw,
-
-  # Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
-  owner /{dev,run}/shm/org.chromium.* rw,
-
-  # Deny access to DRM nodes, that's granted by the X abstraction, which is
-  # sourced by the gnome abstraction, that we include.
-  deny /dev/dri/** rwklx,
-
-  # Silence denial logs about permissions we don't need
-  deny /dev/dri/   rwklx,
-  deny @{PROC}/@{pid}/net/route r,
-  deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
-  deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
-
-  # Silence denial logs about PulseAudio
-  deny /etc/pulse/client.conf r,
-  deny /usr/bin/pulseaudio x,
-
-  #include <local/torbrowser.Browser.plugin-container>
-}

diff --git a/setup.py b/setup.py
index 37452ba06fcef82a943a81bdd162a874cdacbcd8..f9739ab53b9e7ef5464ef16061bb3a44b2a17983 100644 (file)
--- a/setup.py
+++ b/setup.py
@@ -81,11 +81,9 @@ if distro != 'Ubuntu':
         datafiles += [
             ('/etc/apparmor.d/', [
                 'apparmor/torbrowser.Browser.firefox',
-                'apparmor/torbrowser.Browser.plugin-container',
                 'apparmor/torbrowser.Tor.tor']),
             ('/etc/apparmor.d/local/', [
                 'apparmor/local/torbrowser.Browser.firefox',
-                'apparmor/local/torbrowser.Browser.plugin-container',
                 'apparmor/local/torbrowser.Tor.tor']),
             ('/etc/apparmor.d/tunables/', ['apparmor/tunables/torbrowser'])
         ]