[tbb-bugs] #22692 [Applications/Tor Browser]: Backport Linux content sandboxing from Firefox 54

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jun 22 01:53:29 UTC 2017


#22692: Backport Linux content sandboxing from Firefox 54
------------------------------------------+----------------------
     Reporter:  jld                       |      Owner:  tbb-team
         Type:  enhancement               |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 Tor Browser 7 is based on Firefox ESR 52, so it doesn't have content
 process sandboxing on Linux; that wasn't enabled for non-Nightly builds
 until 54.  It's possible to configure with `--enable-content-sandbox`, but
 there are some bug fixes and improvements that should be backported.  I'm
 told there's interest in doing that, so I came up with a list of patches
 (which merge cleanly, so I also ran some basic tests).

 First, a warning: The sandboxing isn't very strong yet, especially for the
 threats that Tor Browser deals with: it still allows reading any file and
 doing arbitrary `socket` and `connect` calls, for example, so there's
 probably a way for a determined attacker to get a generic sandbox escape,
 and it definitely allows obtaining PII such as MAC addresses.

 The short version:
 https://github.com/mozilla/gecko-dev/compare/esr52...jld:box52-test

 The long version, as a list of Git commit identifiers from the gecko-dev
 repository (I don't know if there's a way to map these to Hg besides
 manually searching for commit messages), with vague descriptions:
 {{{
 2f25df5d1e7405ae76a15fb1c16bc3dd17d6bd98 prlimit64
 f004938bbb928d3d9d04e119c6d448de4808f1d7 string split for pref
 0d2bf66dfdb9601baf8cda464db66dc5773f1758 syscall allowed-list pref
 5de2e3d5f6795f315a7e98319e4845e173b96ad8 vector fix for pref
 eb0d19601af5af2228f7069243044f8ff4c5be73 crash-on-error flag
 f2fa27edcadaa6ff38cbc16216b4cc63d438ae42 reporter part 1
 f0666046d67d7d384eb458506e472091822c198a reporter part 2
 6e97575e73b58a2ddcf76b244a93e4606d686a17 reporter part 3
 7d9acbdacefe00cca9f9eaf8144900d29fa16d9b less networking
 3c4e5389537a6841080e2e50390af2174e2d4f5c unbreak a11y (???)
 f6b03fa2606c2892ffc903967eb6d7eab0a763a6 socketpair workaround
 4821de2b5839e3f33d4ac647262d5d5255a71708 enable on non-nightly
 dc7a177384f8f7acb94654b81c1af45b427d9260 gdbinit signal change
 8f8a9f525559c6611de13fe5264753e5d62fa85b test "todo" fix
 }}}

 The most important part is the patch from bug 1286865 that makes
 unexpected syscalls just fail instead of crashing on non-Nightly builds
 ("crash-on-error flag", above).  There are two big optional pieces: the
 three patches from bugs 1330326 and 1335323 that add a pref that's a list
 of additional syscall numbers to allow (to make it easier to deal with
 system libraries doing unexpected things), and the three other patches
 from bug 1286865 that expose a log of rejected syscalls in about:support
 (the "reporter"; it will still log to stderr without those).

 The patch I've labelled "unbreak a11y" (which allows `accept4`) might not
 be necessary; I think we still disable e10s on non-Nightly if
 accessibility tools are in use.  Alternately, commit `293bbaf3e964` from
 bug 1361338 could be used instead but I haven't tried it on 52.

 The one thing I know this breaks is WebRTC getting local network addresses
 (see bugs 1345511, 1375122, and 1322506 for background; note that there
 are other ways of getting that info that aren't blocked yet), but Tor
 Browser disables WebRTC.  Similarly, I've left out the part of bug 1286865
 that submits Telemetry about rejected syscalls.  There are also some
 patches I omitted where returning an error won't break anything, or where
 it's related to a feature (like WebAssembly) that's not on 52 ESR.

 Hopefully that explains things well enough; let me know if anything needs
 more clarification.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22692>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
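An added example (not from the ticket, and not Gecko's own SandboxFilter code) showing the two mechanisms discussed above as a minimal seccomp-bpf filter in C: a base allow-list plus extra syscall numbers parsed from a pref-style string, and a crash-on-error switch that decides whether an unexpected syscall kills the process or just fails with ENOSYS. Gecko actually routes rejected syscalls through a SIGSYS handler so it can log and report them; here the deny action is modelled directly as the BPF return value. The short base allow-list, the pref format (comma-separated decimal syscall numbers) and all helper names are assumptions made for this example. The small interpreter lets the policy be exercised without installing it; main() installs it for real and then makes a syscall that is not on the list.

```c
/* Added example, not Gecko code: seccomp-bpf allow-list with an extra-syscall
 * pref and a crash-on-error flag. Base list, pref format and deny action are
 * assumptions made for this example. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define SECCOMP_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_EXTRA 16
#define MAX_INSNS 64

/* Parse a pref value such as "41,42,288" into syscall numbers. Malformed
 * entries are skipped: the pref only loosens the policy, so a bad entry
 * must not disable the sandbox. */
static size_t parse_extra_syscalls(const char *pref, int *out, size_t max)
{
    char buf[256];
    size_t n = 0;
    strncpy(buf, pref, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok && n < max; tok = strtok(NULL, ",")) {
        char *end;
        long v = strtol(tok, &end, 10);
        if (end == tok || *end != '\0' || v < 0)
            continue;
        out[n++] = (int)v;
    }
    return n;
}

/* Emit: arch check (kill on mismatch), load nr, one JEQ/RET_ALLOW pair per
 * allowed syscall, then the deny action. crash_on_error selects KILL
 * (the Nightly behaviour) instead of failing the call with ENOSYS. */
static size_t build_filter(struct sock_filter *prog, const int *allowed,
                           size_t n_allowed, int crash_on_error)
{
    size_t i = 0;
    uint32_t deny = crash_on_error ? SECCOMP_RET_KILL
                                   : (SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA));
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n_allowed; k++) {
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 (uint32_t)allowed[k], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, deny);
    return i;
}

/* Evaluate the filter on a synthetic seccomp_data without installing it.
 * Only the three instruction forms build_filter emits are handled; anything
 * else fails closed. The kernel does the real evaluation after install. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Policy decision for syscall nr: illustrative base list plus the pref. */
static uint32_t decide(int nr, const char *extra_pref, int crash_on_error)
{
    static const int base[] = { SYS_read, SYS_write, SYS_brk, SYS_mmap,
                                SYS_munmap, SYS_exit_group };
    int allowed[MAX_EXTRA + sizeof base / sizeof base[0]];
    size_t n = sizeof base / sizeof base[0];
    memcpy(allowed, base, sizeof base);
    n += parse_extra_syscalls(extra_pref, allowed + n, MAX_EXTRA);
    struct sock_filter prog[MAX_INSNS];
    size_t len = build_filter(prog, allowed, n, crash_on_error);
    struct seccomp_data d = { .nr = nr, .arch = SECCOMP_ARCH };
    return run_filter(prog, len, &d);
}

/* Same decision with one extra syscall granted through the pref string. */
static uint32_t decide_with_extra(int nr, int extra_nr, int crash_on_error)
{
    char pref[32];
    snprintf(pref, sizeof pref, "%d", extra_nr);
    return decide(nr, pref, crash_on_error);
}

/* Install on the calling thread; no_new_privs is required without CAP_SYS_ADMIN. */
static int install_filter(struct sock_filter *prog, size_t len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    struct sock_filter prog[MAX_INSNS];
    const int allowed[] = { SYS_read, SYS_write, SYS_brk, SYS_mmap, SYS_munmap, SYS_exit_group };
    size_t len = build_filter(prog, allowed, 6, /* crash_on_error = */ 0);
    if (install_filter(prog, len) != 0) {
        perror("seccomp install");
        return 1;
    }
    /* getpid is not on the list: with the flag off it fails with ENOSYS instead of killing us. */
    long r = syscall(SYS_getpid);
    const char *msg = (r == -1 && errno == ENOSYS)
        ? "getpid rejected with ENOSYS; process still running\n"
        : "unexpected: getpid was allowed\n";
    write(STDOUT_FILENO, msg, strlen(msg));
    return 0;
}
```

Build with `cc -Wall example.c` and run it; with crash_on_error set to 1 the same getpid call would deliver SIGSYS and terminate the process, which is exactly the behaviour the "crash-on-error flag" patch turns off for non-Nightly builds. The interpreter is only there so the policy can be unit-tested off-box; it is not a substitute for the kernel verifier, and a real content-process filter also needs argument checks (for example on `socket` family and `clone` flags) that this allow-by-number form cannot express.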