[tor-dev] More tor browser sandboxing fun.

Stanisław Kosma stanko at riseup.net
Wed Sep 21 21:31:27 UTC 2016


On 21.09.2016 19:57, grarpamp wrote:
> On Wed, Sep 21, 2016 at 5:33 AM, Yawning Angel <yawning at schwanenlied.me> wrote:
>> Where: https://git.schwanenlied.me/yawning/sandboxed-tor-browser
> 
>> X11 is a huge mess of utter fail. Since the sandboxed processes get direct access to the host X server, this is an exploitation vector.
> 
> Is anyone actually actively throwing the full audit gamut
> at X11 these days, or is it still just one giant pile of 30 year
> legacy waiting to explode?
> 

At this point no further audit of X11 is necessary. It is well
understood that it is insecure by design. In fact, why would you need an
audit? Take a look at the X11 API for yourself:
* X11 client: Please send me all keyboard events
* X11 server: As you wish

That does not mean that you are without options. The Firejail X11 sandboxing
guide [0] recommends running X11 applications inside a separate X11
server (like Xpra or Xephyr).

Additionally, there are at least two display servers that took security a
little bit more seriously, i.e., Wayland and Mir. If you combine this
with Flatpak or Snappy, maybe something good will come out of this. I
would rather bet on Flatpak [1]. It is not there yet, but seems to be
solving the right problem.

[0] https://firejail.wordpress.com/documentation-2/x11-guide/
[1] https://github.com/flatpak/flatpak/wiki/Sandbox
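As an added illustration of the nested-server approach recommended by the Firejail guide linked above (example shell script written for this page, not code from the thread, Firejail or sandboxed-tor-browser; it assumes Xephyr is installed, and the screen size, the /tmp socket layout and the program to run are placeholders):

```shell
#!/bin/sh
# Launch an X11 program on a private Xephyr display so it can only
# register for keyboard events on the nested server, never on the host.
# Assumes Xephyr is installed; display numbers and paths follow the
# usual /tmp/.X11-unix layout and are assumptions of this example.

# Pick the lowest display number that has neither a socket nor a lock file.
find_free_display() {
    n=1
    while [ -e "/tmp/.X11-unix/X$n" ] || [ -e "/tmp/.X$n-lock" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# Wait up to roughly 5 seconds for the nested server's socket to appear.
wait_for_display() {
    i=0
    while [ ! -S "/tmp/.X11-unix/X$1" ]; do
        i=$((i + 1))
        [ "$i" -lt 50 ] || return 1
        sleep 0.1
    done
}

# Run "$@" on a fresh nested display. The host DISPLAY and XAUTHORITY are
# replaced/unset in a subshell, so the child only ever talks to Xephyr.
run_in_nested_x() {
    disp=$(find_free_display)
    Xephyr -screen 1024x768 -nolisten tcp ":$disp" >/dev/null 2>&1 &
    xpid=$!
    if ! wait_for_display "$disp"; then
        kill "$xpid" 2>/dev/null
        echo "Xephyr did not come up on :$disp" >&2
        return 1
    fi
    ( unset XAUTHORITY; DISPLAY=":$disp" exec "$@" )
    rc=$?
    kill "$xpid" 2>/dev/null
    return "$rc"
}

# Usage with a placeholder program:  run_in_nested_x xterm
```

Anything the program spawns inherits the nested DISPLAY, so the whole tree stays off the host server; this does not by itself restrict filesystem or network access, which is what Firejail or Flatpak add on top.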