Now that #12585 (moved) landed we should make Tor Browser aware of tor's Unix Domain Socket option in order to make use of it (we could test it in our upcoming hardened bundles). This is the parent ticket tracking this effort.
Is my understanding correct that this will bring us security improvements if, and only if, Tor Browser is somehow confined by the OS to not be allowed to open other kinds of sockets (most notably INET ones)?
Confinement by OS is one option, yes, but patching Tor Browser to disallow other kinds of sockets would be another one. There might be other security improvements possible if one does neither of the above things but I am currently not aware of them. The current idea is to use the SocksSocket option + confinement (e.g. done by AppArmor).
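What the browser side has to do once tor listens on a SocksSocket path, shown as an added example (this is not Tor Browser, Torbutton or tor code): a SOCKS5 CONNECT carried over an AF_UNIX socket, with the target sent as a SOCKS5 domain-name address so the client never resolves names locally. The socket path, hostnames and ports are placeholders.

```python
import socket

SOCKS_VER = 5
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def _recv_exactly(sock, n):
    """Read exactly n bytes; stream sockets may legitimately return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS server closed the connection")
        buf += chunk
    return buf

def build_socks5_request(host, port):
    """CONNECT request with ATYP 0x03 (domain name): tor resolves the name over
    the circuit, so the client never performs a local DNS lookup that could leak."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname length must fit in one byte")
    return bytes([SOCKS_VER, 0x01, 0x00, ATYP_DOMAIN, len(name)]) + name + port.to_bytes(2, "big")

def socks5_handshake(sock, host, port):
    """Run the SOCKS5 exchange on an already connected socket of any family."""
    sock.sendall(bytes([SOCKS_VER, 0x01, 0x00]))  # offer one method: no auth
    ver, method = _recv_exactly(sock, 2)
    if ver != SOCKS_VER or method != 0x00:
        raise ConnectionError("SOCKS5 no-auth method not accepted")
    sock.sendall(build_socks5_request(host, port))
    ver, rep, _rsv, atyp = _recv_exactly(sock, 4)
    # Consume BND.ADDR + BND.PORT so the stream is positioned at application data.
    addr_len = {ATYP_IPV4: 4, ATYP_IPV6: 16}.get(atyp)
    if addr_len is None:
        if atyp != ATYP_DOMAIN:
            raise ConnectionError("unknown address type 0x%02x" % atyp)
        addr_len = _recv_exactly(sock, 1)[0]
    _recv_exactly(sock, addr_len + 2)
    if ver != SOCKS_VER or rep != 0x00:
        raise ConnectionError("SOCKS5 CONNECT failed, version %d reply 0x%02x" % (ver, rep))
    return sock

def socks5_connect_unix(path, host, port):
    """Open a stream to host:port via tor's SocksSocket listener at `path` (assumed
    path); only AF_UNIX is used, so a sandbox policy can deny AF_INET entirely."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.connect(path)
    return socks5_handshake(sock, host, port)
```

Because the handshake takes any connected socket, it can be exercised against a socketpair without a running tor, which is also how the reply-code handling is checked.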
Trac: Summary changed from "Make Tor Browser work with SocksSocket option" to "Make Tor Browser work with Unix Domain Socket option".
Description changed from "Now that #12585 (moved) landed we should make Tor Browser aware of the SocksSocket feature in order to make use of it (we could test it in our upcoming hardened bundles). This is the parent ticket tracking this effort." to "Now that #12585 (moved) landed we should make Tor Browser aware of tor's Unix Domain Socket option in order to make use of it (we could test it in our upcoming hardened bundles). This is the parent ticket tracking this effort."
Requires a 3rd party sandboxing mechanism to be totally trustworthy (as in, the sandbox enforces the family limitations for calls I don't bother to hook).
The tor daemon still needs to listen on a port since tor-button thinks it's talking to the standard socks port, and about:tor pukes due to the GETINFO check.
The tor daemon needs to be running elsewhere (outside the sandbox, different sandbox), since the sandbox disallows non-AF_LOCAL families.
The stub/profile/script modification maintainer feasts on user's tears and ignores cries for help.