[tor-bugs] #5791 [Tor bundles/installation]: Gather apparmor/selinux/sandbox instructions for each component of TBB

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sun May 13 14:34:54 UTC 2012


#5791: Gather apparmor/selinux/sandbox instructions for each component of TBB
--------------------------------------+-------------------------------------
 Reporter:  arma                      |          Owner:                          
     Type:  project                   |         Status:  new                     
 Priority:  normal                    |      Milestone:  Sponsor Z: March 1, 2013
Component:  Tor bundles/installation  |        Version:                          
 Keywords:                            |         Parent:                          
   Points:                            |   Actualpoints:                          
--------------------------------------+-------------------------------------

Comment(by unknown):

 A target SELinux policy is possible. After unpacking the TBB archive in
 the ~/.torbrowser dir, a user with root privileges can start a script
 relabeling their files into the right security context. If SELinux
 HOME_DIR parameters for relative paths are used, then recompiling and
 reloading the security policy module after unpacking a new TBB is not
 required; only file relabeling is needed.

 To start writing an SELinux TBB target policy module, already existing
 modules can be used: those for Mozilla and tor. They can be combined in
 one module and the pathnames changed to relative paths with HOME_DIR. The
 Tor module works well for servers and is only slightly outdated; it needs
 only insignificant changes. The Mozilla module supports a significantly
 outdated FF and needs hard effort to keep up to date. At first, all
 non-working parts of the Mozilla module can be commented out, blindly
 disabling security protections. Only functions preventing DNS and other
 network leaks can be added. I am not sure whether SELinux functionality
 alone is enough or whether iptables will nevertheless be needed to operate
 on traffic marked with SECMARKs.

 Another interesting option of SELinux is the sandbox, but it currently
 works in RH/Fedora (only?).

 ----

 Primarily, it is more interesting to adapt iptables to the current state
 of affairs for flexible use of TBB, system-tor-daemon, transparent
 torification, and blocking and logging of leaks. My example of iptables
 rules from #5741 contains an awkward problem: if a system group is used to
 separate TBB processes from the current user's processes, then the TBB
 processes themselves are not separable. TBB-Mozilla and TBB-Tor are not
 separable; we can log and block DNS queries from that group and all
 non-TCP traffic, but we cannot tell TBB-Mozilla to make TCP connections
 only to TBB-tor (localhost or a particular address).

 I found an interesting option "User UID" for the tor config, but this did
 not help. The Tor directory in TBB has permission '700' and that is right.
 If the tor UID is changed then tor cannot access its directory. If we can
 find a way to start Tor and FF from TBB with different system groups, then
 we can separate their traffic with iptables completely without needing
 SELinux/Apparmor/etc (at first; iptables is not a replacement for these).
 In that solution we need a way to securely deliver two different passwords
 to two different system groups (tbb-browser-itself and tbb-tor-itself)
 before starting. Using passwordless system groups is not recommended: if
 malicious code executing with the user's rights can change its groups,
 then evading the firewall separation is possible.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5791#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
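
The two-group separation discussed in the comment above, sketched as an added example that is not part of the original ticket or of any Tor Project code. It assumes the browser and Tor processes already run under two distinct system groups (the part the comment says is unsolved); the group names and the SOCKS port passed in are hypothetical, and the function only prints an iptables-restore ruleset.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset separating two TBB groups.
# Group names and the SOCKS port are caller-supplied assumptions, not ticket values.

# tbb_rules BROWSER_GROUP TOR_GROUP SOCKS_PORT
# Prints the ruleset on stdout; returns 1 on invalid arguments.
tbb_rules() {
    browser_gid=$1 tor_gid=$2 socks_port=$3
    # Reject anything that could smuggle extra iptables arguments into a rule.
    for g in "$browser_gid" "$tor_gid"; do
        case $g in
            ''|*[!A-Za-z0-9_-]*) echo "bad group: $g" >&2; return 1 ;;
        esac
    done
    # One shared group is exactly the non-separable case from the comment.
    [ "$browser_gid" != "$tor_gid" ] || { echo "groups must differ" >&2; return 1; }
    case $socks_port in
        ''|*[!0-9]*) echo "bad port" >&2; return 1 ;;
    esac
    [ "$socks_port" -ge 1 ] && [ "$socks_port" -le 65535 ] || { echo "bad port" >&2; return 1; }
    cat <<EOF
*filter
:OUTPUT ACCEPT [0:0]
# Browser group: TCP to the local Tor SOCKS port only; everything else is a leak.
-A OUTPUT -o lo -p tcp -d 127.0.0.1 --dport $socks_port -m owner --gid-owner $browser_gid -j ACCEPT
-A OUTPUT -m owner --gid-owner $browser_gid -j LOG --log-prefix "tbb-browser-leak: "
-A OUTPUT -m owner --gid-owner $browser_gid -j REJECT
# Tor group: outbound TCP only; DNS and other non-TCP traffic is logged and dropped.
-A OUTPUT -p tcp -m owner --gid-owner $tor_gid -j ACCEPT
-A OUTPUT -m owner --gid-owner $tor_gid -j LOG --log-prefix "tbb-tor-nontcp: "
-A OUTPUT -m owner --gid-owner $tor_gid -j DROP
COMMIT
EOF
}
```

The output can be checked without loading it by piping it to `iptables-restore --test` as root.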

