Tor Browser sandboxing and Tor launcher for all supported platforms

Facilitator: sysrqb

* Firefox is a huge, complicated codebase
* history has shown that this means exploits can be targeted at Tor Browser
* there was a prototype, "Sandboxed Tor Browser", time to revive it!

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Sandbox/Linux

How Tor Browser is structured

* TorLauncher runs inside Firefox (as an extension), and TorLauncher launches tor
* That means an exploit in Firefox can reach tor itself: the compromised process is the one that started tor and talks to its control port

How Sandboxed Tor Browser is structured

* TorLauncher starts first, outside Firefox, and starts Firefox and tor as separate processes
* Firefox is sandboxed and isolated from the system, with no direct internet access; it reaches the network only through tor

Mozilla didn't like that design: too complicated, and in their view better handled by isolating components within Firefox itself.

Tor devs weren't entirely convinced by that objection; it might still be worth it.

The big downside is that only one layer of sandboxing can apply at the OS level, so the Sandboxed Tor Browser setup would disable Firefox's own component (content-process) sandboxing. The trade-off is one coarse boundary around the whole browser instead of Mozilla's finer-grained internal one.

* Android is quite different, but much of this isolation is already provided by running tor and Firefox as separate apps
* UNIX domain sockets count as network access on Android, so removing the network permission from Firefox also means it cannot communicate with tor over a socket
* The Android Binder interface and cross-process InputStreams (file descriptors handed over Binder) might be possibilities

We can't see anything that would work on iOS.

X11 is a big problem here (any client on the same X server can snoop on other clients' input and windows, so a sandboxed Firefox with access to the X socket is not really isolated), but too big a problem for us to fix, so ignore it for now.

Flatpak provides good, transparent sandboxing (it uses bubblewrap underneath), so the Sandboxed Tor Browser design should work with Flatpak.

Tor Browser alpha was at one point using only a UNIX domain socket to talk to tor, but it was switched back (to localhost TCP ports) due to breakage. This is still a promising idea: a socket file can be bind-mounted into a sandbox that has no network at all.

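The launcher shape described above (launcher starts tor and Firefox separately; Firefox in a network-less sandbox; tor reachable only over a UNIX domain socket bound into that sandbox), as an added example for both the "How Sandboxed Tor Browser is structured" section and the domain-socket note. This is illustrative code written for these notes, not the Sandboxed Tor Browser prototype's own launcher. It uses bubblewrap's real command-line options and tor's real configuration options; the work-directory layout (`ipc/`, `tor-data/`), the `/app/...` paths and the helper names are assumptions, and the `TOR_*` environment variable names are assumed from Tor Launcher's environment interface and should be checked against the launcher version you ship.

```python
"""Sandboxed-launcher sketch: the launcher (not Firefox) starts tor and Firefox as
separate processes; Firefox gets its own empty network namespace and can only reach
tor through a bind-mounted directory holding tor's UNIX sockets.
Added example; paths, directory layout and helper names are assumptions."""
import os
import subprocess
import sys
import time


def tor_argv(work_dir):
    """tor is started by the launcher and listens on UNIX sockets only, so there is
    no localhost TCP SOCKS/control port that a sandboxed process could reach.
    Sockets live in <work_dir>/ipc (shared into the sandbox); tor's state lives in
    <work_dir>/tor-data (never shared)."""
    ipc = os.path.join(work_dir, "ipc")
    return [
        "tor",
        "--DataDirectory", os.path.join(work_dir, "tor-data"),
        "--SocksPort", "unix:" + os.path.join(ipc, "socks.sock"),
        "--ControlPort", "unix:" + os.path.join(ipc, "control.sock"),
        "--CookieAuthentication", "1",
        "--CookieAuthFile", os.path.join(ipc, "control_auth_cookie"),
    ]


def firefox_bwrap_argv(work_dir, firefox_dir, profile_dir, display=":0"):
    """bubblewrap command line for Firefox: fresh namespaces (the network namespace
    has no interfaces), read-only system and Firefox trees, a writable profile, and
    the tor socket directory as the only route out."""
    ipc = os.path.join(work_dir, "ipc")
    return [
        "bwrap",
        "--unshare-all",                  # user, pid, net, ipc, uts, cgroup namespaces
        "--die-with-parent",
        "--new-session",                  # detach from the launcher's controlling tty
        "--ro-bind", "/usr", "/usr",
        "--symlink", "usr/lib", "/lib",
        "--symlink", "usr/lib64", "/lib64",
        "--symlink", "usr/bin", "/bin",
        "--ro-bind", "/etc/fonts", "/etc/fonts",
        "--proc", "/proc",
        "--dev", "/dev",
        "--tmpfs", "/tmp",
        "--ro-bind", firefox_dir, "/app/firefox",   # browser files not writable
        "--bind", profile_dir, "/app/profile",
        "--bind", ipc, "/app/tor",                  # tor's sockets and cookie, nothing else
        # X11 is the known hole in the notes: binding the socket lets the browser draw,
        # and is exactly the part left unsolved here.
        "--ro-bind", "/tmp/.X11-unix", "/tmp/.X11-unix",
        "--setenv", "DISPLAY", display,
        "--setenv", "HOME", "/app/profile",
        # Tor Launcher environment (assumed names): do not start tor, use these paths.
        "--setenv", "TOR_SKIP_LAUNCH", "1",
        "--setenv", "TOR_SOCKS_IPC_PATH", "/app/tor/socks.sock",
        "--setenv", "TOR_CONTROL_IPC_PATH", "/app/tor/control.sock",
        "--setenv", "TOR_CONTROL_COOKIE_AUTH_FILE", "/app/tor/control_auth_cookie",
        "--",
        "/app/firefox/firefox", "--profile", "/app/profile",
    ]


def network_isolated(argv):
    """Sanity check on a bwrap spec: Firefox must get a new network namespace and
    must not have the host network shared back in."""
    return ("--unshare-all" in argv or "--unshare-net" in argv) and "--share-net" not in argv


def launch(work_dir, firefox_dir, profile_dir):
    """Start tor, wait for its control socket, then start Firefox in the sandbox."""
    os.makedirs(os.path.join(work_dir, "ipc"), mode=0o700, exist_ok=True)
    os.makedirs(os.path.join(work_dir, "tor-data"), mode=0o700, exist_ok=True)
    tor = subprocess.Popen(tor_argv(work_dir))
    control = os.path.join(work_dir, "ipc", "control.sock")
    deadline = time.time() + 30
    while not os.path.exists(control):        # hand Firefox a path that exists
        if tor.poll() is not None or time.time() > deadline:
            tor.terminate()
            raise RuntimeError("tor did not come up")
        time.sleep(0.2)
    argv = firefox_bwrap_argv(work_dir, firefox_dir, profile_dir)
    if not network_isolated(argv):
        tor.terminate()
        raise RuntimeError("refusing to start Firefox with host network access")
    try:
        return subprocess.call(argv)
    finally:
        tor.terminate()


if __name__ == "__main__":
    sys.exit(launch(*sys.argv[1:4]))   # launcher.py <work_dir> <firefox_dir> <profile_dir>
```

The point of `network_isolated` is that the sandbox spec is data the launcher can check before it runs anything; `--unshare-all` gives Firefox an empty network namespace, and the only file that reaches tor is the socket directory bound at `/app/tor`, which deliberately excludes tor's data directory. Note the same-uid caveat: with an unprivileged user namespace the browser still runs as your user, so anything bound writable (the profile) is fully exposed to a compromised renderer.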
Could Tor Browser unpack a fresh copy of Firefox each time it starts? No go on macOS or Android, but maybe on Windows and GNU/Linux.

This would help with the case where an exploit gains a write primitive: it could not turn that into persistent code execution by modifying Firefox's own files, because those files are replaced from the bundle on the next start.
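The unpack-on-every-start idea above, carried through as an added example (not the project's code): the launcher checks the shipped bundle against a known-good digest, extracts it into a brand-new directory, and strips the write bits, so a write primitive in one session cannot persist by editing Firefox's files, and a bundle that was itself tampered with is refused rather than unpacked. The tar.gz bundle format, the sample bundle contents and the helper names are assumptions for the demonstration.

```python
"""Verify-then-unpack: every start, check the Firefox bundle's digest, extract it into
a fresh directory and make the files read-only. Added example; the bundle format and
the sample contents are constructed for illustration."""
import hashlib
import io
import os
import stat
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _safe_members(tar, dest):
    """Yield only members that stay inside dest and are plain files or directories."""
    root = os.path.realpath(dest)
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(root, m.name))
        if os.path.commonpath([root, target]) != root:
            raise ValueError("path traversal in bundle: " + m.name)
        if not (m.isfile() or m.isdir()):
            raise ValueError("unexpected member type: " + m.name)
        yield m


def unpack_fresh(bundle, expected_sha256, parent):
    """Return the path of a new, read-only copy of the bundle under parent; raise
    ValueError if the bundle does not match the expected digest or is malformed."""
    digest = sha256_file(bundle)
    if digest != expected_sha256:
        raise ValueError("bundle digest mismatch: " + digest)
    dest = tempfile.mkdtemp(prefix="firefox-", dir=parent)
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(bundle, "r:gz") as tar:
        tar.extractall(dest, members=_safe_members(tar, dest), **kwargs)
    # Strip write bits on files. Inside the sandbox the tree should additionally be
    # bind-mounted read-only: chmod alone is not a boundary against the same uid.
    for dirpath, _dirs, files in os.walk(dest):
        for name in files:
            p = os.path.join(dirpath, name)
            os.chmod(p, os.stat(p).st_mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    return dest


def make_sample_bundle(parent):
    """Constructed stand-in for the shipped Firefox tarball; returns (path, digest)."""
    path = os.path.join(parent, "firefox.tar.gz")
    with tarfile.open(path, "w:gz") as tar:
        for name, data in (("firefox/firefox", b"#!/bin/sh\necho firefox\n"),
                           ("firefox/omni.ja", b"constructed sample payload")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(data))
    return path, sha256_file(path)


def demo():
    """Walk through the failure modes and return checkable facts."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        bundle, digest = make_sample_bundle(tmp)
        first = unpack_fresh(bundle, digest, tmp)
        exe = os.path.join(first, "firefox", "firefox")
        results["read_only"] = not (os.stat(exe).st_mode & stat.S_IWUSR)
        # An exploit with a write primitive in session one "backdoors" the binary.
        os.chmod(exe, 0o755)
        with open(exe, "ab") as f:
            f.write(b"echo backdoor\n")
        # Session two unpacks again: new directory, untouched contents.
        second = unpack_fresh(bundle, digest, tmp)
        with open(os.path.join(second, "firefox", "firefox"), "rb") as f:
            results["fresh_copy_clean"] = b"backdoor" not in f.read()
        results["separate_dirs"] = first != second
        # A bundle with a traversal member is refused even if its digest is "known".
        evil = os.path.join(tmp, "evil.tar.gz")
        with tarfile.open(evil, "w:gz") as tar:
            info = tarfile.TarInfo("../escape")
            tar.addfile(info, io.BytesIO(b""))
        try:
            unpack_fresh(evil, sha256_file(evil), tmp)
            results["traversal_refused"] = False
        except ValueError:
            results["traversal_refused"] = True
        # The bundle itself modified on disk must be refused on the next start.
        with open(bundle, "ab") as f:
            f.write(b"\x00")
        try:
            unpack_fresh(bundle, digest, tmp)
            results["tampered_bundle_refused"] = False
        except ValueError:
            results["tampered_bundle_refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The digest check is what makes the scheme more than a cleanup: without it, an attacker who can write to the bundle on disk just gets their changes re-extracted every start. The expected digest has to come from somewhere the browser process cannot write (the launcher's own signed package, or a file the sandbox never sees), which is the same trust anchor question the launcher-outside-Firefox design already raises.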