Re: [Tails-dev] Sandboxing Tor Browser: strategy for trackin…

Delete this message

Reply to this message
Autore: u
Data:  
To: tails-dev
Oggetto: Re: [Tails-dev] Sandboxing Tor Browser: strategy for tracking "upstream" AppArmor profile
Hi,

intrigeri:
> I'm working on #5525 ("Sandbox the web browser"), and have an AppArmor
> profile that works locally for most basic use cases. Now, I'm
> wondering how to integrate it into Tails and I need your input.
>
> This profile was derived from the one I've worked a lot on for
> torbrowser-launcher (https://micahflee.com/torbrowser-launcher/).
>
> I think we have two solutions:
>
>    1. Download "upstream" profile and apply Tails-specific patch at
>       ISO build time


[..snip]

> #1 has the advantages that we get upstream improvements for free,
> and we're forced to track upstream, and to adjust our own patch
> whenever needed: otherwise, Tails ISO build fails.


[..snip]
> From my point of view, #1 feels cleaner: it forces us to do the right
> thing wrt. upstream, and it fails earlier (at build time). However,
> I see how it can be annoying to see the build suddenly start failing,
> if only few of us feel comfortable updating our profile delta.
> These disadvantages are slightly mitigated, though:


[..snip]

> => I'm in favor of #1.


Me too.

Indeed, as I am co-maintaining torbrowser-launcher in Debian and work on
AppArmor a lot these days, I can commit to track changes to the upstream
profile.

Do you want to point me at the Tails-specific patch so I can see what we
are talking about?

Anything else i should know or do?

For people who want to know more about AppArmor.. there is now already
better documentation on https://wiki.debian.org/AppArmor, and more to come.

Cheers!
u.