[Pkg-anonymity-tools] [torbrowser-launcher] 20/43: AppArmor: allow Firefox to get entropy from @{PROC}/sys/kernel/random/uuid.

Ulrike Uhlig u-guest at moszumanska.debian.org
Tue Sep 2 07:19:56 UTC 2014 

This is an automated email from the git hooks/post-receive script.

u-guest pushed a commit to branch master
in repository torbrowser-launcher.

commit 9ca4341cf699ae8f65d5be9b0092e04d0b23fe40
Author: intrigeri <intrigeri at boum.org>
Date:   Thu Aug 14 16:53:26 2014 +0000

    AppArmor: allow Firefox to get entropy from @{PROC}/sys/kernel/random/uuid.
    
    First, note that this file returns a different uuid each time it's read.
    
    I'm not sure what Firefox does when it can't get a random UUID from there. If it
    falls back to a fixed value, this might have problematic security implications:
    randomness is sometimes useful for security purposes. The only place I could
    find this file being used in the Firefox source tree is actually in the
    `arc4_seed_proc_sys_kernel_random_uuid` function. If that's really why Firefox
    tries to access this file, then I don't think we should block it.
    
    I've not seen that file being accessed by Firefox personally. But given
    troubadoour added it, and it can be found in the Firefox source code, with the
    above reasoning in mind, it seems that the safest thing to do is to allow
    Firefox to get the randomness it needs.
---
 apparmor/torbrowser.Browser.firefox | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index 660ee72..8fe8cbb 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -20,7 +20,6 @@
   deny @{PROC}/[0-9]*/stat r,
   deny @{PROC}/[0-9]*/mountinfo r,
   deny @{PROC}/[0-9]*/task/** r,
-  deny @{PROC}/sys/kernel/random/uuid r,
   deny @{PROC}/[0-9]*/fd/ r,
   deny @{PROC}/[0-9]*/stat r,
   deny @{PROC}/[0-9]*/task/*/stat r,
@@ -28,6 +27,8 @@
   deny /etc/machine-id r,
   deny /var/lib/dbus/machine-id r,
 
+  @{PROC}/sys/kernel/random/uuid r,
+
   ## Missing in <abstractions/user-download> #######
   # Without this line, access is denied to @{HOME},
   # [dD]ownload{,s}, Desktop... for downloads.

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/torbrowser-launcher.git

More information about the Pkg-anonymity-tools mailing list