[tor-bugs] #10943 [Tor Messenger]: Sandboxing Instantbird
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jul 27 01:50:27 UTC 2015
#10943: Sandboxing Instantbird
-------------------------------+------------------------------------------
Reporter: sukhbir | Owner: ioerror
Type: task | Status: new
Priority: normal | Milestone:
Component: Tor Messenger | Version:
Resolution: | Keywords: SponsorO, TorMessengerPublic
Actual Points: | Parent ID:
Points: |
-------------------------------+------------------------------------------
Comment (by ioerror):
After spending part of the weekend looking into minijail stuff - I've
decided that it makes sense to do three things at least:
* enable all build hardening options (AddressSanitizer, gcc/clang/linker
hardening, etc)
* write some kind of sandbox policy when the OS provides a facility (eg:
GNU/Linux: AppArmor, OSX: seatbelt, Windows: o_0)
* write or use a small launcher for other priv dropping (GNU/Linux:
minijail/mbox/custom, OSX: o_0, Windows: o_0)
Does it seem possible to ship a copy of minijail or related libraries?
`minijail0` is 61K `libminijail.so` is 62K and `libminijailpreload.so` is
64K.
`minijail0` or a similar tool may need `libcap-dev` or perhaps not if we
don't need capabilities:
```
ldd minijail0
linux-vdso.so.1 (0x00007ffc2fdce000)
libcap.so.2 => /lib/x86_64-linux-gnu/libcap.so.2
(0x00007f549ebbf000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2
(0x00007f549e9bb000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f549e611000)
libattr.so.1 => /lib/x86_64-linux-gnu/libattr.so.1
(0x00007f549e40c000)
/lib64/ld-linux-x86-64.so.2 (0x00007f549edf2000)
```
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10943#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list