Hello,
I went and tagged this, because I don't want to sit on the relatively large #22648 change.
Changes in version 0.0.8 - 2017-06-19:
 * Bug 20776: Remove the X11 `MIT-SHM` workaround from the stub.
 * Bug 22470: Resync the bridges.
 * Bug 22607: Make it clear that basically 0 active development is happening.
 * Bug 22648: Prevent the "easy" to fix X11 related sandbox escapes.
 * Bug 22650: Make it clear that Pulse Audio is potentially dangerous to enable.
Thanks to Jann Horn of Google Project Zero for providing the report that motivated #22648 and #22650.
Since there was some confusion, for clarity and the record, the sandbox does not, and never has, considered most X11 or PulseAudio related issues to be part of its current threat model, with the exception of what (minimal if any) mitigations happen to be in place.
Both protocols likely still will allow sophisticated adversaries to do evil. The documentation on the trac wiki page has received updates to clarify this situation.
The recommendation for people that are concerned about such things always has been, and still is "Use a separate X11 isolation option"/"Wait for Wayland to magically fix everything", and "disable PulseAudio" support.
Note that this does not mean that I won't accept bug reports or suggestions to improve the X11/PulseAudio situations, but as the other change notes "Basically 0 active development is happening".
Tested on Arch Linux and Fedora 25. If it happens to break on something else, patches accepted.
Regards,
On Mon, 19 Jun 2017 12:44:47 +0000 Yawning Angel yawning@schwanenlied.me wrote:
> Tested on Arch Linux and Fedora 25. If it happens to break on something else, patches accepted.
Errata:
* Builds on Debian Jessie appear to be broken without the following (trivial) patch. Thanks to arma for testing it.
https://gitweb.torproject.org/tor-browser/sandboxed-tor-browser.git/commit/?...
My inclination is not to tag because the patch is trivial.
Regards,