[tbb-bugs] #22692 [Applications/Tor Browser]: Backport Linux content sandboxing from Firefox 54
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jun 22 01:53:29 UTC 2017
#22692: Backport Linux content sandboxing from Firefox 54
------------------------------------------+----------------------
Reporter: jld | Owner: tbb-team
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+----------------------
Tor Browser 7 is based on Firefox ESR 52, so it doesn't have content
process sandboxing on Linux; that wasn't enabled for non-Nightly builds
until 54. It's possible to configure with `--enable-content-sandbox`, but
there are some bug fixes and improvements that should be backported. I'm
told there's interest in doing that, so I came up with a list of patches
(which merge cleanly, so I also ran some basic tests).
First, a warning: The sandboxing isn't very strong yet, especially for the
threats that Tor Browser deals with: it still allows reading any file and
doing arbitrary `socket` and `connect` calls, for example, so there's
probably a way for a determined attacker to get a generic sandbox escape,
and it definitely allows obtaining PII such as MAC addresses.
The short version: https://github.com/mozilla/gecko-dev/compare/esr52...jld:box52-test
The long version, as a list of Git commit identifiers from the gecko-dev
repository (I don't know if there's a way to map these to Hg besides
manually searching for commit messages), with vague descriptions:
{{{
2f25df5d1e7405ae76a15fb1c16bc3dd17d6bd98 prlimit64
f004938bbb928d3d9d04e119c6d448de4808f1d7 string split for pref
0d2bf66dfdb9601baf8cda464db66dc5773f1758 syscall allowed-list pref
5de2e3d5f6795f315a7e98319e4845e173b96ad8 vector fix for pref
eb0d19601af5af2228f7069243044f8ff4c5be73 crash-on-error flag
f2fa27edcadaa6ff38cbc16216b4cc63d438ae42 reporter part 1
f0666046d67d7d384eb458506e472091822c198a reporter part 2
6e97575e73b58a2ddcf76b244a93e4606d686a17 reporter part 3
7d9acbdacefe00cca9f9eaf8144900d29fa16d9b less networking
3c4e5389537a6841080e2e50390af2174e2d4f5c unbreak a11y (???)
f6b03fa2606c2892ffc903967eb6d7eab0a763a6 socketpair workaround
4821de2b5839e3f33d4ac647262d5d5255a71708 enable on non-nightly
dc7a177384f8f7acb94654b81c1af45b427d9260 gdbinit signal change
8f8a9f525559c6611de13fe5264753e5d62fa85b test "todo" fix
}}}
The most important part is the patch from bug 1286865 that makes
unexpected syscalls just fail instead of crashing on non-Nightly builds
("crash-on-error flag", above). There are two big optional pieces: the
three patches from bugs 1330326 and 1335323 that add a pref that's a list
of additional syscall numbers to allow (to make it easier to deal with
system libraries doing unexpected things), and the three other patches
from bug 1286865 that expose a log of rejected syscalls in about:support
(the "reporter"; it will still log to stderr without those).
The patch I've labelled "unbreak a11y" (which allows `accept4`) might not
be necessary; I think we still disable e10s on non-Nightly if
accessibility tools are in use. Alternately, commit `293bbaf3e964` from
bug 1361338 could be used instead but I haven't tried it on 52.
The one thing I know this breaks is WebRTC getting local network addresses
(see bugs 1345511, 1375122, and 1322506 for background; note that there
are other ways of getting that info that aren't blocked yet), but Tor
Browser disables WebRTC. Similarly, I've left out the part of bug 1286865
that submits Telemetry about rejected syscalls. There are also some
patches I omitted where returning an error won't break anything, or where
it's related to a feature (like WebAssembly) that's not on 52 ESR.
Hopefully that explains things well enough; let me know if anything needs
more clarification.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22692>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
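The two mechanisms the ticket describes, the "crash-on-error flag" (unexpected syscalls fail with an error instead of raising SIGSYS on non-Nightly builds) and the pref holding extra syscall numbers to allow, as an added example in plain seccomp-bpf; this is not Firefox or Tor Browser code. It assumes Linux on x86_64 or aarch64, a comma-separated pref format, a 1023 upper bound on syscall numbers, and the hypothetical function names used here.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__aarch64__)
#define EXAMPLE_ARCH AUDIT_ARCH_AARCH64
#else
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64   /* assumption: x86_64 otherwise */
#endif
#define STMT(c, k) ((struct sock_filter)BPF_STMT(c, k))
#define JUMP(c, k, jt, jf) ((struct sock_filter)BPF_JUMP(c, k, jt, jf))
/* Parse the "extra syscall numbers" pref ("39, 110"); -1 on junk or out of range. */
int parse_extra_syscalls(const char *pref, int *out, int max) {
    int n = 0;
    for (const char *p = pref; *p; ) {
        char *end; long v = strtol(p, &end, 10);
        if (end == p || v < 0 || v > 1023 || n >= max) return -1;
        out[n++] = (int)v;
        for (p = end; *p == ' '; p++) ;
        if (*p == ',') p++; else if (*p) return -1;
    }
    return n;
}

/* Allow-list filter: an unlisted syscall gets SIGSYS (crash_on_error, as on
 * Nightly) or plain -1/ENOSYS (release build). Returns instruction count. */
int build_filter(const int *allow, int nallow, int crash_on_error, struct sock_filter *f) {
    if (nallow < 0 || nallow > 200) return -1;   /* BPF jump offsets are 8-bit */
    int i = 0;
    f[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    f[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0);
    f[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);    /* foreign ABI: kill */
    f[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (int k = 0; k < nallow; k++)                      /* match: jump to ALLOW */
        f[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, allow[k], nallow - k, 0);
    f[i++] = STMT(BPF_RET | BPF_K, crash_on_error ? SECCOMP_RET_TRAP
                                 : (SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)));
    f[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* NO_NEW_PRIVS first, so an unprivileged process may install the filter. */
int install_filter(struct sock_filter *f, int len) {
    struct sock_fprog prog = { .len = (unsigned short)len, .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

A caller would append the parsed extras to its base allow list, build the program with crash_on_error set only on developer builds, and call install_filter once in each content process before any untrusted content is handled.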