[tor-bugs] #22794 [Applications/Tor Browser]: Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured.
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Feb 2 06:09:48 UTC 2018
#22794: Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured.
-------------------------------------------------+-------------------------
Reporter: yawning | Owner:
| pospeselr
Type: defect | Status:
| needs_review
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-security, tbb-sandboxing, | Actual Points:
TorBrowserTeam201802R |
Parent ID: #20775 | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by teor):
macOS legacy sandbox support has:
{{{
#include <sandbox.h>
...
kSBXProfileNoInternet TCP/IP networking is prohibited.
DEPRECATED.
kSBXProfileNoNetwork All sockets-based networking is
pro-
hibited. DEPRECATED.
}}}
sandbox-exec is also legacy, but it works from the command line:
https://paolozaino.wordpress.com/2015/10/20/maximum-security-and-privacy-
using-mac-os-sandbox-and-tor-browser-bundle/
Unfortunately, the replacement API doesn't seem to distinguish between
TCP/IP and unix sockets. We'd need to do some testing.
{{{
com.apple.security.network.client
Network socket for connecting to other machines
com.apple.security.network.server
Network socket for listening for incoming connections initiated by other
machines
}}}
https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html#//apple_ref/doc/uid/TP40011195-CH4-SW9
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22794#comment:21>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list