[tor-bugs] #7008 [Tor bundles/installation]: Make it safe to run Flash in TBB
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Nov 12 22:10:58 UTC 2012
#7008: Make it safe to run Flash in TBB
--------------------------------------+-------------------------------------
Reporter: arma | Owner: mikeperry
Type: project | Status: new
Priority: normal | Milestone:
Component: Tor bundles/installation | Version:
Keywords: SponsorJ | Parent:
Points: | Actualpoints:
--------------------------------------+-------------------------------------
Comment(by trams):
Patched plugin-container to run in sandboxed mode on OS X, but saying that
running Flash in a separate sandbox would make it safe is a very strong
claim, considering the following:
1) We don't really know (atm) what is allowed to be done through the
browser <-> plugin-container IPC channel.
2) Flash leaves lots of open attack vectors, and some privacy concerns.
Interestingly enough, Flash does not seem to require network access, at
least not from my YouTube testing. When we say safe, do we mean "safe from
exploits" or safe from Flash leaking data?
The most troubling accesses that need to be granted to Flash are the
following:
; IOKit user clients: GPU drivers (AGPM, AppleGraphicsControl, Gen7*, nv*),
; audio engine/control, HID parameters, IOSurface and power management
(allow iokit-open
  (iokit-user-client-class "AGPMClient")
  (iokit-user-client-class "AppleGraphicsControlClient")
  (iokit-user-client-class "Gen7DVDContext")
  (iokit-user-client-class "Gen7Device")
  (iokit-user-client-class "Gen7GLContext")
  (iokit-user-client-class "IOAudioControlUserClient")
  (iokit-user-client-class "IOAudioEngineUserClient")
  (iokit-user-client-class "IOHIDParamUserClient")
  (iokit-user-client-class "IOSurfaceRootUserClient")
  (iokit-user-client-class "RootDomainUserClient")
  (iokit-user-client-class "nvDevice")
  (iokit-user-client-class "nvFermiGLContext"))
; POSIX shared memory segments (CoreAudio, pasteboard, cfprefsd,
; notification center, LaunchServices)
(allow ipc-posix-shm-read-data
  (ipc-posix-name "/tmp/com.apple.csseed.27")
  (ipc-posix-name "AudioIO26B")
  (ipc-posix-name "CFPBS:7F:")
  (ipc-posix-name "apple.shm.cfprefsd.501")
  (ipc-posix-name "apple.shm.cfprefsd.daemon")
  (ipc-posix-name "apple.shm.notification_center")
  (ipc-posix-name "ls.27.186a6.66334873"))
(allow ipc-posix-shm-read-metadata
  (ipc-posix-name "AudioIO26B"))
(allow ipc-posix-shm-write-data
  (ipc-posix-name "AudioIO26B")
  (ipc-posix-name "CFPBS:7F:"))
; Mach services: fonts, audio HAL, preferences, pasteboard, window server,
; notifications, logging, and the browser-side port (org.mozilla.machname.*)
(allow mach-lookup
  (global-name "com.apple.CoreServices.coreservicesd")
  (global-name "com.apple.FontObjectsServer")
  (global-name "com.apple.FontServer")
  (global-name "com.apple.PowerManagement.control")
  (global-name "com.apple.SystemConfiguration.configd")
  (global-name "com.apple.audio.audiohald")
  (global-name "com.apple.audio.coreaudiod")
  (global-name "com.apple.cfprefsd.agent")
  (global-name "com.apple.cfprefsd.daemon")
  (global-name "com.apple.coreservices.appleevents")
  (global-name "com.apple.cvmsServ")
  (global-name "com.apple.distributed_notifications@Uv3")
  (global-name "com.apple.dock.server")
  (global-name "com.apple.ls.boxd")
  (global-name "com.apple.pasteboard.1")
  (global-name "com.apple.system.logger")
  (global-name "com.apple.system.notification_center")
  (global-name "com.apple.system.opendirectoryd.libinfo")
  (global-name "com.apple.window_proxies")
  (global-name "com.apple.windowserver.active")
  (global-name "com.apple.xpcd")
  (global-name "org.mozilla.machname.783989704"))
Note that the IOKit classes differ between Macs (like genXdevice), and
also that this list can most likely be reduced at the cost of stability
and/or performance.
Note that this list is only from YouTube; should other stuff like webcams
and voice be allowed, sensitivity increases, as we need to grant access to
these devices, which will have privacy implications if abused.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7008#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
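An added example, not code from the ticket, Tor Browser or Apple: a small
auditor for SBPL (macOS Seatbelt) allow lists like the fragment posted in the
comment above. It parses the profile's S-expressions, records which
operations and named resources are granted, and flags the things the comment
singles out: IOKit user clients (which vary per Mac), audio and HID access,
the clipboard, and any network rule. SAMPLE_PROFILE is constructed for the
example (a trimmed copy of the ticket's rules with a deny-default header and
one network rule added); the SENSITIVE_IOKIT and SENSITIVE_MACH descriptions
are the example's own reading of the service names, and the network check
assumes the sandbox's operation names ("network*", "network-outbound",
"network-inbound").

```python
"""Audit an SBPL (macOS Seatbelt) allow list such as the one posted above.

Added example for this ticket, not code from the comment, Tor Browser or
Apple. Parses the profile's S-expressions and flags IOKit user clients,
audio/HID/clipboard access and network rules.
"""
import re

# Constructed sample: a trimmed copy of the ticket's rules, with a
# (deny default) header and one network rule added so the audit has
# something to flag.
SAMPLE_PROFILE = """
(version 1)
(deny default)
; kernel driver user clients for the GPU and audio
(allow iokit-open
  (iokit-user-client-class "IOAudioEngineUserClient")
  (iokit-user-client-class "nvDevice"))
(allow mach-lookup
  (global-name "com.apple.audio.coreaudiod")
  (global-name "com.apple.pasteboard.1"))
(allow network-outbound (remote tcp "*:443"))
"""

# Resources worth a second look in a Flash sandbox. The descriptions are
# this example's reading of the names (an assumption), not Apple docs.
SENSITIVE_IOKIT = {
    "IOAudioEngineUserClient": "audio capture/playback",
    "IOAudioControlUserClient": "audio device control",
    "IOHIDParamUserClient": "HID (keyboard/mouse) parameters",
    "RootDomainUserClient": "power management root domain",
}
SENSITIVE_MACH = {
    "com.apple.pasteboard.1": "system clipboard",
    "com.apple.SystemConfiguration.configd": "network/system configuration",
}

TOKEN = re.compile(r'\(|\)|"(?:[^"\\]|\\.)*"|[^\s()"]+')


def tokenize(text):
    """Split SBPL text into parens, quoted strings and bare atoms."""
    text = re.sub(r";[^\n]*", "", text)  # drop ; comments
    return TOKEN.findall(text)


def parse(tokens):
    """Turn a token stream into nested lists, one per top-level form."""
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unexpected ')'")
            node = stack.pop()
            stack[-1].append(node)
        elif tok.startswith('"'):
            stack[-1].append(tok[1:-1])  # unquote the string literal
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '('")
    return stack[0]


def audit(text):
    """Summarise what a profile grants and flag the sensitive parts."""
    report = {"default_deny": False, "allowed": {}, "network": [],
              "iokit_classes": [], "flags": []}
    for form in parse(tokenize(text)):
        if not isinstance(form, list) or not form:
            continue
        if form[0] == "deny" and form[1:] == ["default"]:
            report["default_deny"] = True
            continue
        if form[0] != "allow":
            continue
        # Shape: (allow op1 op2 ... (filter ...) (filter ...))
        ops = [x for x in form[1:] if isinstance(x, str)]
        filters = [x for x in form[1:] if isinstance(x, list) and x]
        names = [f[-1] for f in filters if len(f) > 1 and isinstance(f[-1], str)]
        for op in ops:
            report["allowed"].setdefault(op, []).extend(names)
            if op.startswith("network"):
                report["network"].append(op)
            if op == "iokit-open":
                report["iokit_classes"].extend(
                    f[1] for f in filters
                    if len(f) > 1 and f[0] == "iokit-user-client-class")
    if not report["default_deny"]:
        report["flags"].append("missing (deny default): unlisted operations are allowed")
    for cls in report["iokit_classes"]:
        if cls in SENSITIVE_IOKIT:
            report["flags"].append(f"iokit-open {cls}: {SENSITIVE_IOKIT[cls]}")
    for name in report["allowed"].get("mach-lookup", []):
        if name in SENSITIVE_MACH:
            report["flags"].append(f"mach-lookup {name}: {SENSITIVE_MACH[name]}")
    if report["network"]:
        report["flags"].append("network access granted: " + ", ".join(report["network"]))
    return report


if __name__ == "__main__":
    for line in audit(SAMPLE_PROFILE)["flags"]:
        print(line)
```

Running the file prints one line per flag for the constructed sample (the
audio user client, the pasteboard service and the network rule). Feeding it
the real fragment from the comment, prefixed with "(version 1)" and
"(deny default)", shows the same audio and clipboard flags and no network
rule, which matches the observation that YouTube playback worked without
granting Flash network access.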