[tbb-dev] So, about the Linux sandbox in the long term?

intrigeri intrigeri at boum.org
Mon Jun 5 09:04:24 UTC 2017


Yawning Angel:
> On Sat, 27 May 2017 12:27:21 +0200
> intrigeri <intrigeri at boum.org> wrote:
>> With Micah Lee's Tor Browser Launcher (TBL) on Linux with AppArmor
>> enabled, this is not a problem: the sandboxing is done by the kernel
>> and thus different confinement rules can be (and actually are) applied
>> to the Firefox and Tor processes.

> Quickly skimming the firefox profile included in TBL, does `network
> tcp,` do what I think it does?

It does: TBL wasn't converted to using Unix sockets yet. Besides, the
network filtering AppArmor support relies on kernel patches that
haven't made their way upstream yet, so currently only Ubuntu and
OpenSUSE (I think) would block network access if `network tcp,' was
removed. So indeed AppArmor is currently not 100% enough for the kind
of sandboxing we're looking for. Sorry I forgot that part in my
last post!

> The differences in approaches, IMO, is totally irrelevant to "does
> there need to be fundamental architectural changes" since: […]

Agreed on all that.

>> After reading this thread, it seems to me that both architectural
>> issues need to be fixed anyway on the long term, regardless of TBL.
>> And once they are, having TBL (or similar) in common Linux distros
>> will be a great way to provide a good (and perhaps safe enough?)
>> sandboxed-TB user experience on Debian, Ubuntu, Mint and their
>> derivatives. And as a bonus, TBL verifies the initial download of TB
>> better than what most users are able to do.

> FWIW, `sandboxed-tor-browser` folds in a lot of the functionality of
> `tor-browser-launcher`[1], because the only sane way to bolt on a meta
> process based sandbox was to have it also manage installation/updating.


> Honestly, I don't see a reason for `tor-browser-launcher` to exist at
> all in the brave new meta-process launcher based world.

I think the only current good reason to keep it around is that it's
already packaged for some common distros, has users there, and nobody
looked at packaging sandboxed-tor-browser for them yet.

> If the new launcher can handle installation/updates (as IMO, it
> should), then package the new launcher.

Absolutely. This will address the UX/security problems I was referring
to wrt. the "download an app via a tarball and then double-click it"
model on Linux.

So I'm glad we decided *not* to have TBL included in the upcoming new
Debian release (Stretch), albeit for unrelated reasons.

> If people want to continue to use AppArmor, then the meta-process
> launcher package can include the necessary AppArmor profiles.

I'll be glad to work on this once the long-term plans are clearer :)


More information about the tbb-dev mailing list