Backport Linux content sandboxing from Firefox 54
Tor Browser 7 is based on Firefox ESR 52, so it doesn't have content process sandboxing on Linux; that wasn't enabled for non-Nightly builds until 54. It's possible to configure with --enable-content-sandbox, but there are some bug fixes and improvements that should be backported. I'm told there's interest in doing that, so I came up with a list of patches (which merge cleanly, so I also ran some basic tests).
First, a warning: The sandboxing isn't very strong yet, especially for the threats that Tor Browser deals with: it still allows reading any file and doing arbitrary connect calls, for example, so there's probably a way for a determined attacker to get a generic sandbox escape, and it definitely allows obtaining PII such as MAC addresses.
The short version: https://github.com/mozilla/gecko-dev/compare/esr52...jld:box52-test
The long version, as a list of Git commit identifiers from the gecko-dev repository (I don't know if there's a way to map these to Hg besides manually searching for commit messages), with vague descriptions:
2f25df5d1e7405ae76a15fb1c16bc3dd17d6bd98  prlimit64
f004938bbb928d3d9d04e119c6d448de4808f1d7  string split for pref
0d2bf66dfdb9601baf8cda464db66dc5773f1758  syscall allowed-list pref
5de2e3d5f6795f315a7e98319e4845e173b96ad8  vector fix for pref
eb0d19601af5af2228f7069243044f8ff4c5be73  crash-on-error flag
f2fa27edcadaa6ff38cbc16216b4cc63d438ae42  reporter part 1
f0666046d67d7d384eb458506e472091822c198a  reporter part 2
6e97575e73b58a2ddcf76b244a93e4606d686a17  reporter part 3
7d9acbdacefe00cca9f9eaf8144900d29fa16d9b  less networking
3c4e5389537a6841080e2e50390af2174e2d4f5c  unbreak a11y (???)
f6b03fa2606c2892ffc903967eb6d7eab0a763a6  socketpair workaround
4821de2b5839e3f33d4ac647262d5d5255a71708  enable on non-nightly
dc7a177384f8f7acb94654b81c1af45b427d9260  gdbinit signal change
8f8a9f525559c6611de13fe5264753e5d62fa85b  test "todo" fix
The most important part is the patch from bug 1286865 that makes unexpected syscalls just fail instead of crashing on non-Nightly builds ("crash-on-error flag", above). There are two big optional pieces: the three patches from bugs 1330326 and 1335323 that add a pref that's a list of additional syscall numbers to allow (to make it easier to deal with system libraries doing unexpected things), and the three other patches from bug 1286865 that expose a log of rejected syscalls in about:support (the "reporter"; it will still log to stderr without those).
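To make the three pieces above concrete (the allow-list pref holding extra syscall numbers, the crash-on-error flag that decides whether an unexpected syscall kills the process or just fails, and the reporter that keeps a log of rejected syscalls), here is an added, self-contained C++ model of how they fit together. It is not Gecko code and does not reproduce the actual seccomp-bpf policy or the real pref name; the type and function names, the tolerant parsing rules for the pref string, and the baseline allow-list are assumptions made for this example. The syscall numbers are x86-64 values (accept4 = 288, prlimit64 = 302, socket = 41) and the pref value is a deliberately messy constructed sample.

```cpp
#include <cassert>
#include <cerrno>
#include <cstdlib>
#include <iostream>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical model of the pref-driven allow-list: parse a comma-separated
// string of syscall numbers (the pref value) into a deduplicated, sorted list.
// Entries that are empty, non-numeric, negative or implausibly large are
// skipped rather than aborting, since a typo in a pref should not take the
// content process down with it. (Assumed parsing rules, not Gecko's.)
std::vector<int> ParseSyscallAllowList(const std::string& prefValue) {
  std::set<int> numbers;
  std::stringstream stream(prefValue);
  std::string item;
  while (std::getline(stream, item, ',')) {
    const size_t first = item.find_first_not_of(" \t");
    if (first == std::string::npos) continue;            // empty or blank entry
    const size_t last = item.find_last_not_of(" \t");
    item = item.substr(first, last - first + 1);
    char* end = nullptr;
    const long value = std::strtol(item.c_str(), &end, 10);
    if (end == item.c_str() || *end != '\0') continue;   // not a whole number
    if (value < 0 || value > 4095) continue;             // outside the syscall range
    numbers.insert(static_cast<int>(value));
  }
  return std::vector<int>(numbers.begin(), numbers.end());
}

// What the sandbox does with one syscall: allowed syscalls run; unexpected
// ones either crash the process (Nightly-style) or fail with an errno.
enum class Verdict { Allow, FailWithErrno, Crash };

// Toy policy: a baseline allow-list, the extra syscalls from the pref, the
// crash-on-error flag, and a log of rejected syscall numbers standing in for
// the about:support reporter (which also logs to stderr).
struct SandboxPolicy {
  std::set<int> baseline;
  std::set<int> extra;
  bool crashOnError = false;
  std::vector<int> rejected;

  Verdict Evaluate(int sysno) {
    if (baseline.count(sysno) || extra.count(sysno)) return Verdict::Allow;
    rejected.push_back(sysno);  // the reporter records the rejection either way
    if (crashOnError) return Verdict::Crash;
    errno = ENOSYS;             // the failing-call behaviour: caller sees ENOSYS
    return Verdict::FailWithErrno;
  }
};

// Build a policy for the example from a pref string and the crash flag.
SandboxPolicy MakePolicy(const std::string& prefValue, bool crashOnError) {
  SandboxPolicy policy;
  policy.baseline = {0, 1, 60};   // read, write, exit on x86-64 (constructed baseline)
  for (int n : ParseSyscallAllowList(prefValue)) policy.extra.insert(n);
  policy.crashOnError = crashOnError;
  return policy;
}

// Replay a sequence of syscall numbers and return how many were rejected.
int CountRejected(SandboxPolicy& policy, const std::vector<int>& calls) {
  int rejected = 0;
  for (int sysno : calls) {
    if (policy.Evaluate(sysno) != Verdict::Allow) ++rejected;
  }
  return rejected;
}

int main() {
  // Release-style policy with a messy constructed pref value; only 288 and
  // 302 survive parsing. Nightly-style policy crashes on anything unexpected.
  SandboxPolicy release = MakePolicy(" 288, 302,,abc, 302, -1", false);
  SandboxPolicy nightly = MakePolicy("288", true);
  const std::vector<int> calls = {0, 288, 302, 41, 1};
  std::cout << "release rejects " << CountRejected(release, calls)
            << " of " << calls.size() << " calls\n";
  std::cout << "nightly verdict for socket(41): "
            << (nightly.Evaluate(41) == Verdict::Crash ? "crash" : "ENOSYS") << "\n";
  return 0;
}
```

The point of the model is the operational difference the paragraph describes: with the flag off, a system library that makes an unexpected call gets an ENOSYS-style failure and an entry in the rejected-syscall log, which is what you would inspect (here `policy.rejected`, in Firefox the about:support reporter or stderr) before deciding whether to add that number to the pref; with the flag on, the same call ends the process.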
The patch I've labelled "unbreak a11y" (which allows accept4) might not be necessary; I think we still disable e10s on non-Nightly if accessibility tools are in use. Alternately, commit 293bbaf3e964 from bug 1361338 could be used instead but I haven't tried it on 52.
The one thing I know this breaks is WebRTC getting local network addresses (see bugs 1345511, 1375122, and 1322506 for background; note that there are other ways of getting that info that aren't blocked yet), but Tor Browser disables WebRTC. Similarly, I've left out the part of bug 1286865 that submits Telemetry about rejected syscalls. There are also some patches I omitted where returning an error won't break anything, or where it's related to a feature (like WebAssembly) that's not on 52 ESR.
Hopefully that explains things well enough; let me know if anything needs more clarification.