[tor-bugs] #20773 [Applications/Tor Browser Sandbox]: Stop mounting `/proc` in the various containers once this is feasible.
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Dec 17 08:33:20 UTC 2016
#20773: Stop mounting `/proc` in the various containers once this is feasible.
----------------------------------------------+-------------------------
Reporter: yawning | Owner: yawning
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser Sandbox | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
----------------------------------------------+-------------------------
Comment (by cypherpunks):
Replying to [comment:6 yawning]:
> One thing that I *could* do, but would rather not is to do something
> like [https://github.com/lxc/lxcfs lxcfs] and have the container "/proc"
> be serviced by a FUSE process in the host system.
>
> This would work, but I'm inclined to reject this due to:
>
> * Yet another dependency, that needs to be SUID root.
> * It would be a lot of code.
> * Patching firefox to not fall over seems easier than "not-invented-here-ing" a filesystem.
Please don't do this. FUSE is a mess, and SUID root just makes it almost
worse than downright allowing access to `/proc`. Just don't mount it.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20773#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online