[tor-bugs] #20121 [Applications/Tor bundles/installation]: Create Seatbelt profile(s) for Tor Browser
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Oct 28 20:08:23 UTC 2016
#20121: Create Seatbelt profile(s) for Tor Browser
--------------------------------------------------+-------------------------
 Reporter:  gk                                    |         Owner:  tbb-team
     Type:  defect                                |        Status:  new
 Priority:  Very High                             |     Milestone:
Component:  Applications/Tor bundles/installation |       Version:
 Severity:  Normal                                |    Resolution:
 Keywords:  tbb-security, TorBrowserTeam201610    | Actual Points:
Parent ID:  #19750                                |        Points:
 Reviewer:                                        |       Sponsor:  SponsorU
--------------------------------------------------+-------------------------
Comment (by mcs):
There is more work to do, but I attached a "work in progress" zip snapshot
that contains Seatbelt profiles for Tor Browser (tb.sb) and tor (tor.sb).
The zip file also contains bash scripts for starting tor and firefox, as
well as a skeleton TorBrowser-Data directory (required if starting from
scratch). In theory, if a TorBrowser.app is added that contains recent
builds of Torbutton and Tor-Launcher, the scripts can be used to start a
sandboxed browser that uses a sandboxed tor.
Ignoring packaging concerns, there are many limitations, e.g.,
* This probably requires OSX 10.9 or later (this might be OK). We tested
on 10.11.6 and 10.12.1. It definitely will not work on 10.6 due to changes
in the sandbox profile file format (we could create separate profiles for
10.6 if necessary).
* It assumes the browser app bundle will be named TorBrowser.app.
* It assumes a portable model (i.e., TorBrowser.app is not in
/Applications).
* It assumes that /tmp/Tor exists with mode 0700 or similar (the SOCKS and
control port Unix domain sockets are placed there).
* The firefox process has full control port access, which is probably not
desirable.
* The browser updater will not work due to the sandbox restrictions.
In the long run, we probably need something similar to what Yawning is
working on for Linux (a separate process to start tor, check for updates,
start firefox; a control port filter; other things).
--
Ticket URL: <https://troodi.torproject.org/projects/tor/ticket/20121#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
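
The comment above assumes that /tmp/Tor already exists with mode 0700 or similar, because the SOCKS and control port sockets live there. The following pre-flight check is an added example, not one of the scripts in the attached zip; the function name check_socket_dir and the exact policy (owned by the current user, no group or other permission bits) are assumptions.

```shell
#!/bin/sh
# Added example: verify the socket directory before starting tor/firefox.
# check_socket_dir is a hypothetical helper, not part of the ticket's zip.

check_socket_dir() {
    dir=$1

    # /tmp is world-writable, so another local user could plant a symlink
    # that redirects the sockets somewhere they control.
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi

    if [ ! -e "$dir" ]; then
        # mkdir -m sets the mode at creation time, so the directory never
        # exists with wider permissions. It fails if someone else wins a
        # race and creates the path first.
        mkdir -m 700 "$dir" || return 1
    fi

    if [ ! -d "$dir" ]; then
        echo "refusing: $dir is not a directory" >&2
        return 1
    fi

    # -O is true only when the directory is owned by our effective uid;
    # this catches a directory pre-created by another user.
    if [ ! -O "$dir" ]; then
        echo "refusing: $dir is owned by another user" >&2
        return 1
    fi

    # GNU stat first, BSD/macOS stat as fallback; both print octal mode.
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir") || return 1

    # Accept only modes whose group and other digits are both 0 (e.g. 700).
    case $mode in
        *00) return 0 ;;
        *)   echo "refusing: $dir has mode $mode" >&2; return 1 ;;
    esac
}

# Run the check only when a path is passed, e.g.: sh check.sh /tmp/Tor
if [ "$#" -gt 0 ]; then check_socket_dir "$1"; fi
```

A launcher script would call this before starting tor and stop if it returns non-zero.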