From 376f7f552b22b0ba578e6ded961c72c47f7da9e2 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Sun, 16 May 2021 14:03:13 +0000
Subject: [PATCH] AppArmor: allow access needed for Firefox sandboxing via unprivileged user namespace

Most distributions now ship with unprivileged user namespaces enabled, which Firefox uses to set up its own sandbox. That sandbox is more fine-grained and powerful than our AppArmor policy, so let's allow Firefox to use it.
---
 apparmor/torbrowser.Browser.firefox | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index f5ddc4a..b086cb7 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -130,7 +130,6 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
 deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
 deny /run/user/[0-9]*/dconf/user rw,
 deny /usr/bin/lsb_release x,
- deny capability sys_admin,
 
 # Silence denial logs about PulseAudio
 deny /etc/pulse/client.conf r,
@@ -152,5 +151,11 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
 # Yubikey NEO also needs this:
 /sys/devices/**/hidraw/hidraw*/uevent r,
+ # Needed for Firefox sandboxing via unprivileged user namespaces
+ capability sys_admin,
+ capability sys_chroot,
+ owner @{PROC}/@{pid}/{gid,uid}_map w,
+ owner @{PROC}/@{pid}/setgroups w,
+ #include
 }
-- 
2.44.0
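Review bot: The new `capability sys_admin,` and `capability sys_chroot,` rules in the second hunk apply to the whole torbrowser_firefox profile, and AppArmor capability mediation is not scoped to a user namespace, so the one-line comment above them should say why a profile-wide grant is needed and what still bounds it, e.g. `# AppArmor mediates capable() checks even for the sandbox's mount/chroot calls made inside the child user namespace; outside that namespace these grants remain bounded by DAC since the browser runs unprivileged`. It is also worth recording, next to the removed `deny capability sys_admin,` in the first hunk, that the former deny rule was silencing logs rather than blocking anything the sandbox relied on, if that is the case, since the commit message does not say so. On distributions whose kernel and parser restrict unprivileged user namespace creation through AppArmor (the `userns,` rule introduced with AppArmor 4.0), this profile will presumably need that rule as well, but it cannot be added until every supported apparmor_parser accepts it. The target of the added `#include` line is not visible in this rendering and could not be reviewed; the profile block begins before both hunks.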