[tor-bugs] #20844 [Applications/Tor Browser Sandbox]: Inform me about sandbox violations

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Nov 30 20:58:20 UTC 2016


#20844: Inform me about sandbox violations
----------------------------------------------+-------------------------
 Reporter:  arma                              |          Owner:  yawning
     Type:  defect                            |         Status:  new
 Priority:  Medium                            |      Milestone:
Component:  Applications/Tor Browser Sandbox  |        Version:
 Severity:  Normal                            |     Resolution:
 Keywords:                                    |  Actual Points:
Parent ID:                                    |         Points:
 Reviewer:                                    |        Sponsor:
----------------------------------------------+-------------------------
Description changed by arma:

Old description:

> The bubblewrap seccomp sandbox prevents my sandboxed tor browser from
> doing certain system calls. That's great! But, what do I see when it
> attempts a forbidden system call?
>
> Yawning tells me the answer right now is that it silently doesn't do the
> forbidden action. That's not terrible, but if I want to debug our sandbox
> rules, or learn whether I'm being attacked by the website payload, it's
> not ideal.
>
> Apparently another option is that the kernel could send the process a
> SIGSYS signal. So in that case my browser would die with a sigsys signal,
> and I could conclude that apparently a sandbox violation occurred.
>
> But Yawning says that the sandbox rules aren't perfect, and in particular
> there are some edge cases involving "weird issues with x86 32 bit systems
> forgetting whitelisted syscalls". So killing by default will end up with
> some sad users.
>
> Apparently a third option would be to teach Firefox to hook the sigsys
> signal, and then it could log something about what it was doing at the
> time it got the signal. That involves some programming -- and I wonder if
> the timing is fine-grained enough that Firefox at the time of the sigsys
> signal can identify exactly which syscall it is doing?

New description:

 The bubblewrap seccomp sandbox prevents my sandboxed tor browser from
 doing certain system calls. That's great! But, what do I see when it
 attempts a forbidden system call?

 Yawning tells me the answer right now is that it silently doesn't do the
 forbidden action. That's not terrible, but if I want to debug our sandbox
 rules, or learn whether I'm being attacked by the website payload, it's
 not ideal.

 Apparently another option is that the kernel could send the process a
 SIGSYS signal. So in that case my browser would die with a sigsys signal,
 and I could conclude that apparently a sandbox violation occurred.

 But Yawning says that the sandbox rules aren't perfect, and in particular
 there are some edge cases involving "weird issues with x86 32 bit systems
 forgetting whitelisted syscalls". So killing by default will end up with
 some sad users.

 Apparently a third option would be to teach Firefox to hook the sigsys
 signal, and then it could log something about what it was doing at the
 time it got the signal. That involves some programming ~~-- and I wonder
 if the timing is fine-grained enough that Firefox at the time of the
 sigsys signal can identify exactly which syscall it is doing?~~

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20844#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
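As an added example (not code from the ticket or from the Tor Browser sandbox), the C program below shows the third option arma describes: a seccomp-bpf filter that returns SECCOMP_RET_TRAP for a forbidden syscall instead of killing the process, and a SIGSYS handler that reads the syscall number from the siginfo the kernel attaches to the signal. It assumes Linux with glibc, and uses getpgid(2) as a stand-in for a "forbidden" syscall because nothing else in the process needs it.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define THIS_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#endif
#ifndef SYS_SECCOMP
#define SYS_SECCOMP 1  /* si_code the kernel uses for seccomp-triggered SIGSYS */
#endif
static volatile sig_atomic_t g_trapped_nr = -1;  /* set by the handler; -1 until a trap */

static void sigsys_handler(int sig, siginfo_t *info, void *ctx) {
    (void)sig; (void)ctx;
    if (info->si_code == SYS_SECCOMP)     /* si_syscall is only meaningful for seccomp traps */
        g_trapped_nr = info->si_syscall;  /* the exact syscall number that was attempted */
}

/* Install the handler, then a filter that traps `nr` and allows every other syscall. */
static int install_trap_filter(int nr) {
    struct sock_filter filter[] = {
        /* Kill if the syscall ABI is not the one this binary was built for
           (a 32-bit ABI on a 64-bit kernel renumbers syscalls). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),   /* deliver SIGSYS instead of killing */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    struct sigaction sa = { .sa_sigaction = sigsys_handler, .sa_flags = SA_SIGINFO };
    if (sigaction(SIGSYS, &sa, NULL) < 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Trap getpgid(2), attempt it, and return the syscall number the handler recorded
   (-1 if the filter could not be installed). */
int demo_trapped_syscall(void) {
    if (install_trap_filter(SYS_getpgid) < 0) return -1;
    syscall(SYS_getpgid, 0);  /* fails with ENOSYS once the handler has returned */
    return (int)g_trapped_nr;
}
```

The same siginfo also carries si_arch and si_call_addr, so a logging handler can record the ABI and the instruction that made the call; a production handler should stick to async-signal-safe calls such as write(2) rather than a logging library.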

