CHANGELOG.md

 # Tor Browser Launcher Changelog
 
+## 0.2.9
+
+* Fixed crash issue related to Tor Browser 7.5 changing how the currently installed version number is stored
+* Updated list of Tor Project dist mirrors
+* Fixed edge case crash for when stdout isn't writable
+* Updated AppStream metadata
+* Updated AppArmor profiles
+
 ## 0.2.8
 
 * Update URL to check for latest version, which changed in Tor Browser 7

apparmor/local/torbrowser.Browser.firefox

+# Site-specific additions and overrides for torbrowser.Browser.firefox.
+# For more details, please see /etc/apparmor.d/local/README. 

apparmor/local/torbrowser.Browser.plugin-container

+# Site-specific additions and overrides for torbrowser.Browser.firefox.
+# For more details, please see /etc/apparmor.d/local/README.

apparmor/local/torbrowser.Tor.tor

+# Site-specific additions and overrides for torbrowser.Browser.firefox.
+# For more details, please see /etc/apparmor.d/local/README.

apparmor/torbrowser.Browser.firefox

-# Last modified
 #include <tunables/global>
+#include <tunables/torbrowser>
 
 /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox {
   #include <abstractions/gnome>
 
-  # Uncomment the following line if you don't want the Tor Browser
-  # to have direct access to your sound hardware. Note that this is not
-  # enough to have working sound support in Tor Browser.
-  # #include <abstractions/audio>
-
   # Uncomment the following lines if you want to give the Tor Browser read-write
   # access to most of your personal files.
   # #include <abstractions/user-download>
   # @{HOME}/ r,
 
   #dbus,
+  network netlink raw,
   network tcp,
 
+  ptrace (trace) peer=@{profile_name},
+
   deny /etc/host.conf r,
   deny /etc/hosts r,
   deny /etc/nsswitch.conf r,
@@ -28,37 +26,38 @@
   deny /etc/machine-id r,
   deny /var/lib/dbus/machine-id r,
 
+  /dev/ r,
+  /dev/shm/ r,
+
+  owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/status r,
   owner @{PROC}/@{pid}/task/*/stat r,
   @{PROC}/sys/kernel/random/uuid r,
 
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/ r,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/* r,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/.** rwk,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/update.test/ rwk,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/.** rwk,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/ rw,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** rw,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser.bak/ rwk,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser.bak/** rwk,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/*.so mr,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/components/*.so mr,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/browser/components/*.so mr,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox rix,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/plugin-container Pix,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/{,TorBrowser/UpdateInfo/}updates/[0-9]*/updater ix,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/{,TorBrowser/UpdateInfo/}updates/0/MozUpdater/bgupdate/updater ix,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Data/Browser/profiles.ini r,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/ r,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/** rwk,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/tor px,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/libstdc++.so.6 m,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/Desktop/ rw,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/Desktop/** rwk,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/Downloads/ rw,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/Downloads/** rwk,
+  owner @{torbrowser_installation_dir}/ r,
+  owner @{torbrowser_installation_dir}/* r,
+  owner @{torbrowser_installation_dir}/.** rwk,
+  owner @{torbrowser_installation_dir}/update.test/ rwk,
+  owner @{torbrowser_home_dir}/.** rwk,
+  owner @{torbrowser_home_dir}/ rw,
+  owner @{torbrowser_home_dir}/** rwk,
+  owner @{torbrowser_home_dir}.bak/ rwk,
+  owner @{torbrowser_home_dir}.bak/** rwk,
+  owner @{torbrowser_home_dir}/*.so mr,
+  owner @{torbrowser_home_dir}/components/*.so mr,
+  owner @{torbrowser_home_dir}/browser/components/*.so mr,
+  owner @{torbrowser_home_dir}/firefox rix,
+  owner @{torbrowser_home_dir}/plugin-container px -> torbrowser_plugin_container,
+  owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/updater ix,
+  owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/0/MozUpdater/bgupdate/updater ix,
+  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
+  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/ r,
+  owner @{torbrowser_home_dir}/TorBrowser/Tor/tor px,
+  owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
+  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
+  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
 
   /etc/mailcap r,
   /etc/mime.types r,
@@ -88,7 +87,7 @@
   owner /{dev,run}/shm/shmfd-* rw,
 
   # Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
-  owner /dev/shm/org.chromium.* rw,
+  owner /{dev,run}/shm/org.chromium.* rw,
 
   # Deny access to DRM nodes, that's granted by the X abstraction, which is
   # sourced by the gnome abstraction, that we include.
@@ -96,6 +95,10 @@
 
   # Silence denial logs about permissions we don't need
   deny /dev/dri/   rwklx,
+  deny @{HOME}/.cache/fontconfig/ rw,
+  deny @{HOME}/.cache/fontconfig/** rw,
+  deny @{HOME}/.config/gtk-2.0/ rw,
+  deny @{HOME}/.config/gtk-2.0/** rw,
   deny @{PROC}/@{pid}/net/route r,
   deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
   deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,

apparmor/torbrowser.Browser.plugin-container

+#include <tunables/global>
+#include <tunables/torbrowser>
+
+profile torbrowser_plugin_container {
+  #include <abstractions/gnome>
+
+  # Uncomment the following lines if you don'want the Tor Browser
+  # to have direct access to your sound hardware. You will also
+  # need to remove the "deny" word in the machine-id lines further
+  # bellow.
+  # #include <abstractions/audio>
+  # /etc/asound.conf r,
+  # owner @{PROC}/@{pid}/fd/ r,
+  # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw,
+
+  deny /etc/host.conf r,
+  deny /etc/hosts r,
+  deny /etc/nsswitch.conf r,
+  deny /etc/resolv.conf r,
+  deny /etc/passwd r,
+  deny /etc/group r,
+  deny /etc/mailcap r,
+
+  deny /etc/machine-id r,
+  deny /var/lib/dbus/machine-id r,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/stat r,
+  owner @{PROC}/@{pid}/status r,
+  owner @{PROC}/@{pid}/task/*/stat r,
+  @{PROC}/sys/kernel/random/uuid r,
+
+  owner @{torbrowser_home_dir}/*.dat r,
+  owner @{torbrowser_home_dir}/*.manifest r,
+  owner @{torbrowser_home_dir}/*.so mr,
+  owner @{torbrowser_home_dir}/.cache/fontconfig/   rw,
+  owner @{torbrowser_home_dir}/.cache/fontconfig/** rw,
+  owner @{torbrowser_home_dir}/browser/** r,
+  owner @{torbrowser_home_dir}/components/*.so mr,
+  owner @{torbrowser_home_dir}/browser/components/*.so mr,
+  owner @{torbrowser_home_dir}/defaults/pref/     r,
+  owner @{torbrowser_home_dir}/defaults/pref/*.js r,
+  owner @{torbrowser_home_dir}/fonts/   r,
+  owner @{torbrowser_home_dir}/fonts/** r,
+  owner @{torbrowser_home_dir}/omni.ja r,
+  owner @{torbrowser_home_dir}/plugin-container ixmr,
+  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
+  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/* rw,
+  owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
+  owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
+  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
+  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
+  owner @{torbrowser_home_dir}/Downloads/ rwk,
+  owner @{torbrowser_home_dir}/Downloads/** rwk,
+
+  /sys/devices/system/cpu/ r,
+  /sys/devices/system/cpu/present r,
+  /sys/devices/system/node/ r,
+  /sys/devices/system/node/node[0-9]*/meminfo r,
+  deny /sys/devices/virtual/block/*/uevent r,
+
+  # Should use abstractions/gstreamer instead once merged upstream
+  /etc/udev/udev.conf r,
+  /run/udev/data/+pci:* r,
+  /sys/devices/pci[0-9]*/**/uevent r,
+  owner /{dev,run}/shm/shmfd-* rw,
+
+  # Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
+  owner /{dev,run}/shm/org.chromium.* rw,
+
+  # Deny access to DRM nodes, that's granted by the X abstraction, which is
+  # sourced by the gnome abstraction, that we include.
+  deny /dev/dri/** rwklx,
+
+  # Silence denial logs about permissions we don't need
+  deny /dev/dri/   rwklx,
+  deny @{PROC}/@{pid}/net/route r,
+  deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
+  deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
+
+  #include <local/torbrowser.Browser.plugin-container>
+}

apparmor/torbrowser.Tor.tor

@@ -3,6 +3,7 @@
 /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor {
   #include <abstractions/base>
 
+  network netlink raw,
   network tcp,
   network udp,
 
@@ -11,12 +12,18 @@
   /etc/passwd r,
   /etc/resolv.conf r,
   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor mr,
-  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Tor/ r,
+  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Tor/ rw,
   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Tor/* rw,
   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Tor/lock rwk,
   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/Tor,Lib}/*.so mr,
   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/Tor,Lib}/*.so.* mr,
 
+  # Silence file_inherit logs
+  deny @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/{browser/,}omni.ja r,
+  deny @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profile.default/.parentlock rw,
+  deny @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profile.default/extensions/*.xpi r,
+  deny @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profile.default/startupCache/* r,
+
   @{PROC}/sys/kernel/random/uuid r,
   /sys/devices/system/cpu/ r,
 

apparmor/tunables/torbrowser

+@{torbrowser_installation_dir}=@{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*
+@{torbrowser_home_dir}=@{torbrowser_installation_dir}/Browser

apparmor/usr.bin.torbrowser-launcher

-# Last Modified: Thu Jan  2 15:12:38 2014
-#include <tunables/global>
-
-/usr/bin/torbrowser-launcher flags=(complain) {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/python>
-  #include <abstractions/consoles>
-  #include <abstractions/gnome>
-  #include <abstractions/fonts>
-  #include <abstractions/X>
-  #include <abstractions/audio>
-  #include <abstractions/freedesktop.org>
-
-  capability sys_ptrace,
-
-  # This script doesn't really need to read the interpreter that's running it.
-  deny /usr/bin/python{2,3}.[0-7]* r,
-
-  /{usr/,}bin/{dash,grep,ps} rix,
-  /dev/ r,
-  /etc/magic r,
-  @{HOME}/.config/torbrowser/ rw,
-  @{HOME}/.config/torbrowser/** mrwk,
-  @{HOME}/.cache/torbrowser/ rw,
-  @{HOME}/.cache/torbrowser/** mrwk,
-  @{HOME}/.local/share/torbrowser/ rw,
-  @{HOME}/.local/share/torbrowser/** mrwk,
-  @{HOME}/.local/share/torbrowser/gnupg_homedir/* l,
-  @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/start-tor-browser.desktop Ux,
-
-  @{PROC}/ r,
-  @{PROC}/[0-9]*/{cmdline,mountinfo,stat,status} r,
-  @{PROC}/[0-9]*/task/** r,
-  @{PROC}/sys/kernel/pid_max r,
-  @{PROC}/tty/drivers r,
-  @{PROC}/uptime r,
-  /usr/bin/ r,
-  /usr/bin/{gpg,dirname,expr,file,getconf,id} rix,
-  /usr/bin/torbrowser-launcher r,
-  /usr/share/file/magic.mgc r,
-  /usr/share/file/magic/ r,
-  /usr/share/themes/** r,
-  /usr/share/torbrowser-launcher/** r,
-
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  owner @{HOME}/.config/dconf/user r,
-  owner /{,var/}run/user/*/dconf/user rw,
-
-  # including abstractions/audio is not enough to play modem sound
-  /usr/bin/pulseaudio Pixr,
-
-  #include <local/usr.bin.torbrowser-launcher>
-}

debian/NEWS.Debian

+torbrowser-launcher (0.2.9-2) unstable; urgency=medium
+
+  After applying this upgrade, please reboot the system.
+
+  Otherwise, any already running Tor Browser and newly started Tor Browser
+  will run under an unsupported combination of AppArmor profiles
+  and will behave erroneously.
+
+ -- intrigeri <intrigeri@debian.org>  Tue, 27 Mar 2018 22:10:49 +0900

debian/changelog

+torbrowser-launcher (0.2.9-3~bpo8+1) jessie-backports-sloppy; urgency=medium
+
+  * Rebuild for jessie-backports-sloppy.
+
+ -- Roger Shimizu <rosh@debian.org>  Sun, 24 Jun 2018 15:31:57 +0900
+
+torbrowser-launcher (0.2.9-3~bpo9+1) stretch-backports; urgency=medium
+
+  * Rebuild for stretch-backports.
+
+ -- Roger Shimizu <rosh@debian.org>  Sun, 24 Jun 2018 15:31:05 +0900
+
+torbrowser-launcher (0.2.9-3) unstable; urgency=medium
+
+  * Team upload.
+  * NEWS.Debian: recommend rebooting the system after upgrading to 0.2.9-2
+    (Closes: #894333)
+  * Update Vcs-* control fields wrt. the move to Salsa.
+
+ -- intrigeri <intrigeri@debian.org>  Fri, 25 May 2018 09:12:30 +0000
+
+torbrowser-launcher (0.2.9-2) unstable; urgency=medium
+
+  * debian/patches:
+    - Add AppArmor profiles, 2018-01 edition. Thanks to intrigeri.
+      Some breakdown of the patches:
+      + Make e10s work fine especially with a Linux 4.14 kernel
+      + Silencing all the denial logs I could observe
+      + Support for obfs4 and obfs3
+      + Various updates, refactoring and clean-ups
+    - Add a local patch to fix FTBFS:
+      Remove apparmor local path from setup.py
+
+ -- Roger Shimizu <rosh@debian.org>  Tue, 27 Mar 2018 22:10:49 +0900
+
+torbrowser-launcher (0.2.9-1) unstable; urgency=medium
+
+  * New upstream release 0.2.9 (Closes: #888236)
+  * debian/watch:
+    - Change filenamemangle to match with the filename in archive.
+  * debian/patches:
+    - Remove all upstreamed patches.
+  * debian/rules:
+    - Add new apparmor profile: torbrowser.Browser.plugin-container.
+
+ -- Roger Shimizu <rosh@debian.org>  Mon, 29 Jan 2018 23:17:18 +0900
+
+torbrowser-launcher (0.2.8-6) unstable; urgency=medium
+
+  * debian/rules:
+    - Clean up all built files during dh_clean. This makes
+      dpkg-buildpackage be able to run again. Thanks to
+      Andreas Beckmann for the bugreport. (Closes: #884419)
+  * debian/control:
+    - Add myself as uploader.
+    - Add libdbus-glib-1-2 as dependency (Closes: #862799).
+
+ -- Roger Shimizu <rosh@debian.org>  Wed, 03 Jan 2018 12:38:32 +0900
+
 torbrowser-launcher (0.2.8-5~bpo8+1) jessie-backports-sloppy; urgency=medium
 
   * Team upload.

debian/control

 Source: torbrowser-launcher
 Maintainer: Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>
-Uploaders: Ulrike Uhlig <ulrike@debian.org>
+Uploaders: Ulrike Uhlig <ulrike@debian.org>, Roger Shimizu <rosh@debian.org>
 Section: contrib/web
 Priority: optional
 Build-Depends:
@@ -13,8 +13,8 @@ Build-Depends:
 X-Python-Version: >= 2.7
 Standards-Version: 3.9.8
 Homepage: https://micahflee.com/torbrowser-launcher/
-Vcs-Git: https://anonscm.debian.org/git/pkg-privacy/packages/torbrowser-launcher.git
-Vcs-Browser: https://anonscm.debian.org/git/pkg-privacy/packages/torbrowser-launcher.git
+Vcs-Git: https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher.git
+Vcs-Browser: https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher/tree/debian/sid
 
 Package: torbrowser-launcher
 Architecture: i386 amd64
@@ -23,6 +23,7 @@ Depends:
  ${python:Depends},
  ca-certificates,
  gnupg,
+ libdbus-glib-1-2,
  python-gtk2,
  python-lzma,
  python-parsley (>= 1.2),

debian/patches/0001-AppArmor-support-sysvinit-systems.patch

-From: intrigeri <intrigeri@boum.org>
-Date: Sat, 9 Sep 2017 17:28:02 +0000
-Subject: AppArmor: support sysvinit systems.
-
-With systemd (at least on current Debian sid), /run/shm is a symlink to
-/dev/shm, so "owner /dev/shm/org.chromium.* rw," is enough. With sysvinit,
-apparently things are set up differently (perhaps the symlinks are in the
-opposite direction?) so Firefox tries to access /run/shm/org.chromium.*,
-which was rejected.
-
-Let's support both!
-
-Thanks to gregor herrmann <gregoa@debian.org> for the bug report:
-https://bugs.debian.org/874383
-
-Note that this problem happens with pristine 0.2.8 profiles,
-without the changes brought by my apparmor-e10s branch.
-
-(cherry picked from commit 72d385fb95f85fa7e6d1c2a8b7102b73f61c8e80)
----
- apparmor/torbrowser.Browser.firefox | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
-index ff1bcdd..b1883c6 100644
---- a/apparmor/torbrowser.Browser.firefox
-+++ b/apparmor/torbrowser.Browser.firefox
-@@ -88,7 +88,7 @@
-   owner /{dev,run}/shm/shmfd-* rw,
- 
-   # Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
--  owner /dev/shm/org.chromium.* rw,
-+  owner /{dev,run}/shm/org.chromium.* rw,
- 
-   # Deny access to DRM nodes, that's granted by the X abstraction, which is
-   # sourced by the gnome abstraction, that we include.

debian/patches/0001-Update-AppArmor-comments.patch

+From: Micah Lee <micah@micahflee.com>
+Date: Sun, 28 Jan 2018 11:19:20 -0800
+Subject: Update AppArmor comments
+
+---
+ apparmor/local/torbrowser.Browser.plugin-container | 2 +-
+ apparmor/local/torbrowser.Tor.tor                  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/apparmor/local/torbrowser.Browser.plugin-container b/apparmor/local/torbrowser.Browser.plugin-container
+index da8acb0..39c9217 100644
+--- a/apparmor/local/torbrowser.Browser.plugin-container
++++ b/apparmor/local/torbrowser.Browser.plugin-container
+@@ -1,2 +1,2 @@
+-# Site-specific additions and overrides for torbrowser.Browser.firefox.
++# Site-specific additions and overrides for torbrowser.Browser.plugin-container.
+ # For more details, please see /etc/apparmor.d/local/README.
+diff --git a/apparmor/local/torbrowser.Tor.tor b/apparmor/local/torbrowser.Tor.tor
+index da8acb0..8ba4033 100644
+--- a/apparmor/local/torbrowser.Tor.tor
++++ b/apparmor/local/torbrowser.Tor.tor
+@@ -1,2 +1,2 @@
+-# Site-specific additions and overrides for torbrowser.Browser.firefox.
++# Site-specific additions and overrides for torbrowser.Tor.tor.
+ # For more details, please see /etc/apparmor.d/local/README.

debian/patches/0002-Drop-spurious-trailing-whitespace.patch

+From: intrigeri <intrigeri@boum.org>
+Date: Sun, 28 Jan 2018 18:51:40 +0000
+Subject: Drop spurious trailing whitespace.
+
+---
+ apparmor/local/torbrowser.Browser.firefox | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/apparmor/local/torbrowser.Browser.firefox b/apparmor/local/torbrowser.Browser.firefox
+index 2bbf71e..da8acb0 100644
+--- a/apparmor/local/torbrowser.Browser.firefox
++++ b/apparmor/local/torbrowser.Browser.firefox
+@@ -1,2 +1,2 @@
+ # Site-specific additions and overrides for torbrowser.Browser.firefox.
+-# For more details, please see /etc/apparmor.d/local/README. 
++# For more details, please see /etc/apparmor.d/local/README.

debian/patches/0002-Update-mirror-list.patch

-From: Roger Shimizu <rogershimizu@gmail.com>
-Date: Sun, 24 Sep 2017 11:55:15 +0900
-Subject: Update mirror list
-Forwarded: https://github.com/micahflee/torbrowser-launcher/pull/289
-
-Except the official site, there're only 3 working mirror in current
-mirror list. So it's really necessary to update the list now.
-
-Got the latest list from:
- - https://www.torproject.org/getinvolved/mirrors.html.en
-And only keeps https links for security sake.
----
- share/torbrowser-launcher/mirrors.txt | 42 +++++++++++++++++++----------------
- 1 file changed, 23 insertions(+), 19 deletions(-)
-
-diff --git a/share/torbrowser-launcher/mirrors.txt b/share/torbrowser-launcher/mirrors.txt
-index cc24c7a..529b0bf 100644
---- a/share/torbrowser-launcher/mirrors.txt
-+++ b/share/torbrowser-launcher/mirrors.txt
-@@ -1,23 +1,27 @@
- https://www.torproject.org/dist/
--https://www.torservers.net/mirrors/torproject.org/dist/
--https://mirror.ml/tor/dist/
--https://tor.spline.inf.fu-berlin.de/dist/
--https://tormirror.almnet.de/dist/
--https://tor.dev-random.de/dist/
--https://www.unicorncloud.org/public/torproject.org/dist
--https://www.oignon.net/dist/
--https://mirror.hackthissite.org/tor
--https://tor.linuxlounge.net/dist/
--https://torproject.cryptowars.info/dist/
--https://tor.crazyhaze.de/dist/
-+https://mirror.unicorncloud.org/torproject.org/dist/
- https://creep.im/tor/dist/
--https://mirror.torland.me/torproject.org/dist/
-+https://mirror.velcommuta.de/tor/dist/
-+https://reichster.de/mirrors/torproject.org/dist/
-+https://www.moparisthebest.com/tor/dist/
-+https://sela.io/mirrors/torproject.org/dist/
-+https://nl.mirror.babylon.network/torproject/dist/
-+https://fr.mirror.babylon.network/torproject/dist/
-+https://fbnaia.homelinux.net/torproject/dist/
- https://tor.myrl.net/dist/
--https://torprojekt.userzap.de/dist/
--https://tor.myrl.net/dist/
--https://tor.beme-it.de/dist/
--http://tor.borgmann.tv/dist/
--https://otivpn.com/tor/dist
--https://www.eprci.com/tor/dist/
-+https://tor.eprci.net/dist/
- https://tor.stalkr.net/dist/
--https://torproject.gtor.org/dist/
-+https://tormirror.tb-itf-tor.de/dist/
-+https://tor.zilog.es/dist/
-+https://torproject.ph3x.at/dist/
-+https://tor-mirror.cyberguerrilla.org/dist/
-+https://tor.fr33tux.org/dist/
-+https://tor.ludikovsky.name/dist/
-+https://tor.ybti.net/dist/
-+https://tor.0x3d.lu/dist/
-+https://torproject.urown.net/dist/
-+https://tor.armbrust.me/dist/
-+https://torproject.mirror.metalgamer.eu/dist/
-+https://tor.heikorichter.name/dist/
-+https://tor.eff.org/dist/
-+https://tor.void.gr/dist/

debian/patches/0003-AppArmor-allow-plugin-container-to-read-file-app-ass.patch

+From: intrigeri <intrigeri@boum.org>
+Date: Mon, 29 Jan 2018 06:34:14 +0000
+Subject: AppArmor: allow plugin-container to read file/app association
+ information.
+
+We already allow the main browser profile to do that but with e10s
+plugin-container now needs it as well.
+---
+ apparmor/torbrowser.Browser.plugin-container | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/apparmor/torbrowser.Browser.plugin-container b/apparmor/torbrowser.Browser.plugin-container
+index ee30fd4..eb28cc0 100644
+--- a/apparmor/torbrowser.Browser.plugin-container
++++ b/apparmor/torbrowser.Browser.plugin-container
+@@ -24,6 +24,9 @@ profile torbrowser_plugin_container {
+   deny /etc/machine-id r,
+   deny /var/lib/dbus/machine-id r,
+ 
++  /etc/mime.types r,
++  /usr/share/applications/gnome-mimeapps.list r,
++
+   owner @{PROC}/@{pid}/mountinfo r,
+   owner @{PROC}/@{pid}/stat r,
+   owner @{PROC}/@{pid}/status r,

debian/patches/0003-AppArmor-allow-the-tor-process-to-modify-its-data-di.patch

-From: intrigeri <intrigeri@boum.org>
-Date: Sun, 24 Sep 2017 05:33:35 +0000
-Subject: AppArmor: allow the tor process to modify its data directory.
-Forwarded: https://github.com/micahflee/torbrowser-launcher/pull/290
-
-It's unclear to me why this is not needed _all the time_, but it does make sense
-that at least in some circumstances, it needs to do that, e.g. to create
-that directory.
-
-Originally reported by Chris Lamb <lamby@debian.org> on
-https://bugs.debian.org/876484.
----
- apparmor/torbrowser.Tor.tor | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/apparmor/torbrowser.Tor.tor b/apparmor/torbrowser.Tor.tor
-index 013f458..2410637 100644
---- a/apparmor/torbrowser.Tor.tor
-+++ b/apparmor/torbrowser.Tor.tor
-@@ -11,7 +11,7 @@
-   /etc/passwd r,
-   /etc/resolv.conf r,
-   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor mr,
--  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Tor/ r,
-+  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Tor/ rw,
-   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Tor/* rw,
-   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Tor/lock rwk,
-   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/Tor,Lib}/*.so mr,

debian/patches/0004-AppArmor-add-rules-needed-with-new-mediation-support.patch

-From: intrigeri <intrigeri@boum.org>
-Date: Thu, 26 Oct 2017 11:12:05 +0000
-Subject: AppArmor: add rules needed with new mediation support added in Linux 4.14.
-Forwarded: https://github.com/micahflee/torbrowser-launcher/pull/294
-
----
- apparmor/torbrowser.Browser.firefox | 3 +++
- apparmor/torbrowser.Tor.tor         | 7 +++++++
- 2 files changed, 10 insertions(+)
-
-diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
-index b1883c6..39ac6a2 100644
---- a/apparmor/torbrowser.Browser.firefox
-+++ b/apparmor/torbrowser.Browser.firefox
-@@ -15,8 +15,11 @@
-   # @{HOME}/ r,
- 
-   #dbus,
-+  network netlink raw,
-   network tcp,
- 
-+  ptrace (trace) peer=@{profile_name},
-+
-   deny /etc/host.conf r,
-   deny /etc/hosts r,
-   deny /etc/nsswitch.conf r,
-diff --git a/apparmor/torbrowser.Tor.tor b/apparmor/torbrowser.Tor.tor
-index 2410637..0ccd737 100644
---- a/apparmor/torbrowser.Tor.tor
-+++ b/apparmor/torbrowser.Tor.tor
-@@ -3,6 +3,7 @@
- /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor {
-   #include <abstractions/base>
- 
-+  network netlink raw,
-   network tcp,
-   network udp,
- 
-@@ -17,6 +18,12 @@
-   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/Tor,Lib}/*.so mr,
-   owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/Tor,Lib}/*.so.* mr,
- 
-+  # Silence file_inherit logs
-+  deny @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/{browser/,}omni.ja r,
-+  deny @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profile.default/.parentlock rw,
-+  deny @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profile.default/extensions/*.xpi r,
-+  deny @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profile.default/startupCache/* r,
-+
-   @{PROC}/sys/kernel/random/uuid r,
-   /sys/devices/system/cpu/ r,
- 

debian/patches/0004-AppArmor-allow-Firefox-to-ptrace-plugin-container-an.patch

+From: intrigeri <intrigeri@boum.org>
+Date: Mon, 29 Jan 2018 06:36:55 +0000
+Subject: AppArmor: allow Firefox to ptrace plugin-container and to send it
+ term signals.
+
+With e10s Firefox does not need to ptrace itself anymore but instead it needs
+to ptrace and kill its child plugin-container processes.
+---
+ apparmor/torbrowser.Browser.firefox | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
+index 05f4d16..2069d6f 100644
+--- a/apparmor/torbrowser.Browser.firefox
++++ b/apparmor/torbrowser.Browser.firefox
+@@ -13,7 +13,8 @@
+   network netlink raw,
+   network tcp,
+ 
+-  ptrace (trace) peer=@{profile_name},
++  ptrace (trace) peer=torbrowser_plugin_container,
++  signal (send) set=("term") peer=torbrowser_plugin_container,
+ 
+   deny /etc/host.conf r,
+   deny /etc/hosts r,