[tor-reports] State of the Linux sandbox - Dec 2016
Yawning Angel
yawning at schwanenlied.me
Tue Jan 3 11:59:48 UTC 2017
Hello,
The Linux sandbox shipped it's first release 0.0.2 to users in December
2016, when Tor Browser 6.5a6 was released (the sandbox code isn't
explcitily tied to the alpha, but the deterministic build binaries are
currently done as part of the alpha Linux build).
The bulk of my work in December was getting something that was
shippable developed, and dealing with the few bugs that slipped past my
testing and developing improvements for 0.0.3.
Pending 0.0.3 blockers:
* #21057 Change the metadata URL(s) for the stable bundle.
* Tagging it.
Improvements in 0.0.3-dev (unreleased):
* Fixed the two crash bugs present in 0.0.2 that affected a fraction
of the userbase.
* Switched back to the gosecco library as my seccomp-bpf compiler,
removing the build time libseccomp2 dependency.
* Deprecated 32bit x86 support. The x86 32 bit sandbox isn't as good
due to seccomp-bpf limitations among other things (and in general
exploit mitigation/hardening options are weaker on that platform),
so I made the decision to only support x86_64 for the foreseeable
future.
* Improved the updater robustness, by allowing it to fall back to
complete updates in addition to incremental.
* Implemented a background update check mechanism, with notifications
integrated to the user's desktop environment (libnotify is required
to see update notifications).
* Numerous other minor bugfixes/improvements.
Tor Browser bugs that affect the sandbox:
* #20283 Tor Browser should run without a `/proc` filesystem.
I personally think this is the biggest problem with the existing
sandbox, as /proc has, quite frankly an unacceptable amount of
information regarding the user and the host system that firefox
under no circumstances should be exposed to.
Once the bug is fixed, changing the container setup will take all of
5 mins on my end...
* #21091 Hide the "Check for Tor Browser Update..." menu entry when
running under the sandbox. (This has a trivial branch)
Since my tasking is changing this year, development on this from me
will likely slow down considerably, but I think I got it to an ok state
(apart from the /proc thing, which is beyond my control).
Regards,
--
Yawning Angel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-reports/attachments/20170103/28e88e50/attachment.sig>
More information about the tor-reports
mailing list