[tbb-dev] So, about the Linux sandbox in the long term?

Tom Ritter tom at ritter.vg
Tue May 30 15:34:30 UTC 2017

On 30 May 2017 at 07:45, Yawning Angel <yawning at schwanenlied.me> wrote:
> On Tue, 30 May 2017 11:04:00 +0000
> Georg Koppen <gk at torproject.org> wrote:
>> Oh, and it is not only Linux, OSX and Windows we need to take into
>> account for planning the future for our sandboxing work. Android is
>> coming later this year as a platform for Tor Browser as well. So, if
>> we start thinking about the need for rewriting parts of what we
>> include into Tor Browser now (and what is planned to get included
>> into Tor Browser for Mobile) Android requirements for sandboxing
>> should be considered, too.
> Oh boy.  I don't see AppArmor working at all, though this depends
> on the kernel.  seccomp + namespaces might work, though this also
> depends on how the kernel is built.
> Doesn't the OS handle containerization and secure updates?  Are we
> doing the play store thing?  Is tor-launcher even relevant on that
> platform, or is Orbot going to continue to handle all of that?
> (I suspect that Android will end up remaining as the redheaded step
>  child, depending on what path makes sense for the real computer
>  platforms.)

For updates, I suspect that Google Play and F-Droid (and maybe a
custom Tor Project F-Droid repo) are the way to go, and supporting
anything else would be too much trouble. See also
I haven't looked closely at how F-Droid or a custom F-Droid repo works.

The OS does handle containerization, thankfully. There are some IPC
mechanisms we should investigate (sending URL intents for example).
But the sandboxing options on Android are probably much more limited
than Desktop linux. I don't know of anyone who's played around with it
actually. I think the current plan is to integrate tor into the
Browser app and not use Orbot - but I'm not sure whether that would let
us do any network-lockdown sandboxing that might be possible.

I am not certain if an Android app has permission to rewrite itself.
We would need to investigate to be certain that this can only be done
by the updater.

Definitely a lot of questions here...
