[tbb-bugs] #22000 [Applications/Tor Browser]: update OSX browser sandbox profile for e10s
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri May 12 21:16:15 UTC 2017
#22000: update OSX browser sandbox profile for e10s
-------------------------------------------------+-------------------------
Reporter: brade | Owner: tbb-
| team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ff52-esr, tbb-security, tbb- | Actual Points:
sandboxing, tbb-e10s,tbb-7.0-must- |
alpha,TorBrowserTeam201705 |
Parent ID: | Points:
Reviewer: | Sponsor:
| Sponsor4
-------------------------------------------------+-------------------------
Comment (by mcs):
Kathy and I were hoping to come up with a quick fix for this ticket, but
it turns out that nesting of sandbox configs is not supported on OSX. That
means that we either need to disable Mozilla's content process sandbox or
we need to disable our sandbox. Since it seems like there may be a way in
our sandbox profile to say "allow exec of this specific executable and
start it without a sandbox" and since (hopefully) Mozilla enables their
sandbox as early as possible, the second approach is probably the one to
use. In other words, our tb.sb profile would apply to the chrome process
and Mozilla's built in content process sandbox rules would apply to the
content/tab process. But we should look and see what we are giving up if
we do that, e.g., what does Mozilla allow that we don't want to allow?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22000#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list