As the tbb for MACOSX will be sandboxed to prevent the tbb from revealing the user by mistake, we enforce some rules. There are however some open questions that should be answered after some discussion. The first goal of the policy is to prevent compromise of the tor browser bundle to compromise the users machine or the users privacy.
Tbb consists of 4 different components.
...
...
@@ -8,7 +8,7 @@ Tbb consists of 4 different components.
* Vidalia
Vidalia is responsible for launching each of the other components, and are now able force them into a sandbox.
=== Rules enforced by sandbox for bundled Firefox ===
### Rules enforced by sandbox for bundled Firefox
* FF may only talk tcp to the polipo, running on localhost (tcp localhost:8118)
* No write, except to $TMPDIR, and the PROFILE directory. Should be more finegrained.
* Is it possible to make TMPDIR a RAM disk or something else that doesn't actually write to the disk, perhaps a memory only file system that is already mounted?
...
...
@@ -29,7 +29,7 @@ Vidalia is responsible for launching each of the other components, and are now a
* What signals would it ever need and what do we gain by denying them?
* It does not need any signals, so we deny an attacker the possiblity to use them for whatever purpose.
=== Issues in need of discussion ===
### Issues in need of discussion
* TBB is not allowed to read the users preferences. This can make the browser look different than other windows (as it will use the default).
* No plugins - maybe we(or the user) wants flash etc?
* Flash probably isn't safe if the MAC address or local network is visible to flash
...
...
@@ -55,7 +55,7 @@ Vidalia is responsible for launching each of the other components, and are now a
Adium[30828]: *** -[NSCFArray initWithObjects:count:]: attempt to insert nil object at objects[0]
