[tor-bugs] #20844 [Applications/Tor Browser Sandbox]: Inform me about sandbox violations
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Nov 30 20:58:20 UTC 2016
#20844: Inform me about sandbox violations
----------------------------------------------+-------------------------
Reporter: arma | Owner: yawning
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser Sandbox | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
----------------------------------------------+-------------------------
Description changed by arma:
Old description:
> The bubblewrap seccomp sandbox prevents my sandboxed tor browser from
> doing certain system calls. That's great! But, what do I see when it
> attempts a forbidden system call?
>
> Yawning tells me the answer right now is that it silently doesn't do the
> forbidden action. That's not terrible, but if I want to debug our sandbox
> rules, or learn whether I'm being attacked by the website payload, it's
> not ideal.
>
> Apparently another option is that the kernel could send the process a
> SIGSYS signal. So in that case my browser would die with a sigsys signal,
> and I could conclude that apparently a sandbox violation occurred.
>
> But Yawning says that the sandbox rules aren't perfect, and in particular
> there are some edge cases involving "weird issues with x86 32 bit systems
> forgetting whitelisted syscalls". So killing by default will end up with
> some sad users.
>
> Apparently a third option would be to teach Firefox to hook the sigsys
> signal, and then it could log something about what it was doing at the
> time it got the signal. That involves some programming -- and I wonder if
> the timing is fine-grained enough that Firefox at the time of the sigsys
> signal can identify exactly which syscall it is doing?
New description:
The bubblewrap seccomp sandbox prevents my sandboxed tor browser from
doing certain system calls. That's great! But, what do I see when it
attempts a forbidden system call?
Yawning tells me the answer right now is that it silently doesn't do the
forbidden action. That's not terrible, but if I want to debug our sandbox
rules, or learn whether I'm being attacked by the website payload, it's
not ideal.
Apparently another option is that the kernel could send the process a
SIGSYS signal. So in that case my browser would die with a sigsys signal,
and I could conclude that apparently a sandbox violation occurred.
But Yawning says that the sandbox rules aren't perfect, and in particular
there are some edge cases involving "weird issues with x86 32 bit systems
forgetting whitelisted syscalls". So killing by default will end up with
some sad users.
Apparently a third option would be to teach Firefox to hook the sigsys
signal, and then it could log something about what it was doing at the
time it got the signal. That involves some programming ~~-- and I wonder
if the timing is fine-grained enough that Firefox at the time of the
sigsys signal can identify exactly which syscall it is doing?~~
--
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20844#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
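The third option in the ticket description (hook SIGSYS and log what the process was doing) as an added example, not code from the ticket or from the Tor Browser sandbox: a seccomp-bpf filter that returns SECCOMP_RET_TRAP for one forbidden syscall, plus a SIGSYS handler that reads si_syscall, which the kernel fills in with the exact syscall number, so the process can log the violation and keep running. The choice of SYS_uname as the forbidden call, the function names, and the x86_64/aarch64-only arch check are my own assumptions; Linux only.

```c
/* Added example (not Tor Browser sandbox code): trap one syscall to SIGSYS and log it. */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#endif
static volatile sig_atomic_t last_blocked_syscall = -1; /* number from the last SIGSYS */
/* Async-signal-safe decimal print to stderr (snprintf is not safe inside a handler). */
static void write_num(int v) {
    char b[16]; int i = sizeof b; b[--i] = '\n';
    do { b[--i] = '0' + v % 10; v /= 10; } while (v > 0);
    write(2, b + i, sizeof b - i);
}
/* SIGSYS handler: si_syscall says exactly which syscall tripped the filter. */
static void sigsys_logger(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx; last_blocked_syscall = si->si_syscall;
    write(2, "sandbox violation: blocked syscall ", 35);
    write_num(si->si_syscall);
}
/* Allow everything except `nr`, which traps to SIGSYS instead of being dropped silently. */
int install_trap_filter(int nr) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* foreign ABI: syscall numbers differ */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* needed without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Hook SIGSYS, forbid SYS_uname (an arbitrary choice for the demo), call it, report the log. */
int demo_blocked_syscall(void) {
    struct sigaction sa = { .sa_sigaction = sigsys_logger, .sa_flags = SA_SIGINFO };
    if (sigaction(SIGSYS, &sa, NULL) != 0 || install_trap_filter(SYS_uname) != 0) return -1;
    char buf[512]; syscall(SYS_uname, buf); /* handler runs, call fails, process survives */
    return last_blocked_syscall;
}
```

The same siginfo_t also carries si_arch and si_call_addr, so the log line can name the ABI and the code address that issued the call; a handler that additionally patches the return register in the ucontext could keep today's silent-failure behaviour for the caller while still recording the violation.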