[tor-bugs] #20773 [Applications/Tor Browser Sandbox]: Stop mounting `/proc` in the various containers once this is feasable.
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jul 3 17:33:53 UTC 2017
#20773: Stop mounting `/proc` in the various containers once this is feasable.
----------------------------------------------+-------------------------
Reporter: yawning | Owner: yawning
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser Sandbox | Version:
Severity: Normal | Resolution:
Keywords: sandbox-security | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
----------------------------------------------+-------------------------
Comment (by yawning):
https://gitweb.torproject.org/tor-browser/sandboxed-tor-
browser.git/commit/?id=95857360ec7f84cf9f0a01855c15881c89919133
The only place that has `/proc` mounted is the updater container, which
while also important is not nearly as scary as firefox having access to
`/proc`, as the updater ostensibly only is fed signed/trusted inputs, and
doesn't have any sort of network access at all.
Firefox is still moderately unhappy about the lack of `/proc` and will
warn:
{{{
2017/07/03 17:26:21 firefox: Sandbox: unexpected multithreading found;
this prevents using namespace sandboxing. (If you're LD_PRELOAD'ing
nVidia GL: that's not necessary for Gecko.)
}}}
But nested namespaces are asking for a world of hurt, so it's unlikely
that it worked prior to this to begin with.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20773#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list