Tor Browser sandboxing and Tor launcher for all supported platforms
Facilitator: sysrqb
- Firefox is a huge, complicated codebase
- History has shown this means exploits can be targeted at Tor Browser
- There was a prototype, "Sandboxed Tor Browser"; time to revive it!
  https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Sandbox/Linux
How Tor Browser is structured
- TorLauncher runs in Firefox, and TorLauncher launches tor
- That means exploits in Firefox could then reach tor itself
How Sandboxed Tor Browser is structured
- TorLauncher starts first, it starts Firefox and tor separately
- Firefox is sandboxed, and isolated from the system with no direct internet access
Mozilla didn't like that design: too complicated, better handled by isolating components within Firefox itself. Tor devs weren't entirely convinced; this might still be worth it.
The big downside is that only one set of sandboxing can apply at the OS level, so the Sandboxed Tor Browser setup would disable the Firefox component sandboxing.
- Android is quite different, but lots of it is already provided by running Tor and Firefox as separate apps
- UNIX domain sockets are considered network, so removing network permission from Firefox means it cannot communicate with tor
- The Android Binder interface and cross-process InputStreams might be possibilities
There isn't really something that we can see that would work on iOS.
X11 is a big problem here, but too big a problem for us to fix, so ignore it for now
Flatpak provides good, transparent sandboxing, the Tor Browser design should work with Flatpak
Tor Browser was using only a domain socket in alpha, but was switched back due to breakage. This is still a promising idea.
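The structure described above (launcher first, tor and Firefox started separately, the browser reaching tor only over a Unix domain socket rather than a loopback TCP port) as an added toy example; this is illustration code written for these notes, not Tor Browser's launcher or tor itself. The names fake_tor, fake_browser and run_launcher are made up, and the "browser" side only ever receives the socket path. The exchange shown is the SOCKS5 method negotiation (client greeting, server method choice), which is the first thing a real SOCKS client sends.

```python
"""Added example, not part of the session notes: a launcher that starts a
tor stand-in and a browser stand-in separately and connects them only through
a Unix domain socket. All names here are hypothetical."""
import os
import socket
import tempfile
import threading

SOCKS5_GREETING = b"\x05\x01\x00"    # VER=5, one method offered, 0x00 = no auth
SOCKS5_ACCEPT_NO_AUTH = b"\x05\x00"  # server selects method 0x00
SOCKS5_REJECT = b"\x05\xff"          # no acceptable method


def fake_tor(sock_path, ready):
    """Stand-in for the tor process: serves one SOCKS5 method negotiation on a
    Unix domain socket. No loopback TCP port is ever opened."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o600)  # same user only
    srv.listen(1)
    srv.settimeout(5)
    ready.set()  # tell the launcher it may now start the browser
    try:
        conn, _ = srv.accept()
        with conn:
            greeting = conn.recv(3)
            reply = SOCKS5_ACCEPT_NO_AUTH if greeting == SOCKS5_GREETING else SOCKS5_REJECT
            conn.sendall(reply)
    finally:
        srv.close()


def fake_browser(sock_path, greeting=SOCKS5_GREETING):
    """Stand-in for sandboxed Firefox: the only thing handed to it is the
    socket path. Returns True if tor accepted the method negotiation."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.settimeout(5)
        c.connect(sock_path)
        c.sendall(greeting)
        return c.recv(2) == SOCKS5_ACCEPT_NO_AUTH


def run_launcher(greeting=SOCKS5_GREETING):
    """Launcher ordering from the notes: tor comes up first, then the browser;
    the launcher, not the browser, owns tor's lifecycle and the socket path."""
    with tempfile.TemporaryDirectory() as d:
        sock_path = os.path.join(d, "socks.sock")  # constructed path
        ready = threading.Event()
        t = threading.Thread(target=fake_tor, args=(sock_path, ready), daemon=True)
        t.start()
        if not ready.wait(5):
            raise RuntimeError("tor stand-in did not come up")
        ok = fake_browser(sock_path, greeting)
        t.join(5)
        return ok


if __name__ == "__main__":
    print("SOCKS5 over Unix domain socket:", "ok" if run_launcher() else "rejected")
```

Because the browser side holds only a filesystem path, the sandbox can drop network access entirely on platforms where a Unix socket is not counted as network; the Android caveat in the notes is exactly that this distinction does not hold there.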
Could Tor Browser unpack Firefox each time it starts? No go on macOS or Android, but maybe Windows and GNU/Linux. This would help with exploits that get write access, so that they can't convert it into execution by writing to Firefox files.
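The "unpack a fresh copy at every start" idea above, as an added example (not Tor Browser code): a read-only bundle is hash-checked and extracted into a brand-new directory per launch, so anything written into the previous run's Firefox files never carries into the next run. The bundle contents, file names and function names (build_constructed_bundle, fresh_unpack, demo_fresh_copy) are constructed for the example; the `filter="data"` extraction option is used only where the running Python's tarfile provides it.

```python
"""Added example, not part of the session notes: verify a read-only bundle
and unpack it into a fresh directory on every launch. Names are hypothetical."""
import hashlib
import io
import os
import tarfile
import tempfile


def build_constructed_bundle():
    """Constructed stand-in for a browser bundle: a small tar.gz in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("browser/firefox", b"#!/bin/sh\necho firefox\n"),
                           ("browser/omni.ja", b"pretend-jar-contents")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755 if name.endswith("firefox") else 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def fresh_unpack(bundle, expected_sha256, base_dir):
    """Refuse to launch unless the bundle matches the pinned digest, then
    extract it into a new per-run directory and return that directory."""
    if hashlib.sha256(bundle).hexdigest() != expected_sha256:
        raise ValueError("bundle digest mismatch: refusing to launch")
    run_dir = tempfile.mkdtemp(prefix="tb-run-", dir=base_dir)
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        for m in tar.getmembers():
            # Only plain files/dirs with relative, non-traversing names.
            bad_name = m.name.startswith("/") or ".." in m.name.split("/")
            if bad_name or not (m.isreg() or m.isdir()):
                raise ValueError(f"unsafe member in bundle: {m.name}")
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(run_dir, **extra)
    return run_dir


def demo_fresh_copy():
    """Two launches: a write into run 1's files does not appear in run 2."""
    bundle = build_constructed_bundle()
    expected = hashlib.sha256(bundle).hexdigest()
    with tempfile.TemporaryDirectory() as base:
        run1 = fresh_unpack(bundle, expected, base)
        with open(os.path.join(run1, "browser", "omni.ja"), "ab") as f:
            f.write(b"MODIFIED")  # the write-only foothold the notes describe
        run2 = fresh_unpack(bundle, expected, base)
        with open(os.path.join(run2, "browser", "omni.ja"), "rb") as f:
            return f.read() == b"pretend-jar-contents"


def tampered_bundle_rejected():
    """A bundle whose bytes changed on disk must not be unpacked at all."""
    bundle = build_constructed_bundle()
    expected = hashlib.sha256(bundle).hexdigest()
    tampered = bundle[:-1] + bytes([bundle[-1] ^ 0x01])
    with tempfile.TemporaryDirectory() as base:
        try:
            fresh_unpack(tampered, expected, base)
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    print("fresh copy per launch:", demo_fresh_copy())
    print("tampered bundle rejected:", tampered_bundle_rejected())
```

The digest check is what makes the fresh copy meaningful: without it, an attacker who can write to the bundle itself would simply be re-unpacked every time, so the bundle needs to live somewhere the sandboxed browser cannot write.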