We need sandboxing profiles for Tor Browser. I pinged trams recently on #tor-dev as he worked on this for Tor Browser years ago (https://lists.torproject.org/pipermail/tor-qa/2013-November/000230.html ff.). He suggested we look at his IronFox (https://www.romab.com/ironfox/) and it would probably be enough to just copy them over. We can get a .tar.gz bundle as well. (And I guess he would help in case we have questions ;) )
There is more work to do, but I attached a "work in progress" zip snapshot that contains Seatbelt profiles for Tor Browser (tb.sb) and tor (tor.sb). The zip file also contains bash scripts for starting tor and firefox, as well as a skeleton TorBrowser-Data directory (required if starting from scratch). In theory, if a TorBrowser.app is added that contains recent builds of Torbutton and Tor-Launcher, the scripts can be used to start a sandboxed browser that uses a sandboxed tor.
Ignoring packaging concerns, there are many limitations, e.g.,
This probably requires OSX 10.9 or later (this might be OK). We tested on 10.11.6 and 10.12.1. It definitely will not work on 10.6 due to changes in the sandbox profile file format (we could create separate profiles for 10.6 if necessary).
It assumes the browser app bundle will be named TorBrowser.app.
It assumes a portable model (i.e., TorBrowser.app is not in /Applications).
It assumes that /tmp/Tor exists with mode 0700 or similar (the SOCKS and control port Unix domain sockets are placed there).
The firefox process has full control port access, which is probably not desirable.
The browser updater will not work due to the sandbox restrictions.
In the long run, we probably need something similar to what Yawning is working on for Linux (a separate process to start tor, check for updates, start firefox; a control port filter; other things).
Note that Kathy and I had to create a new, larger background image for the dmg "installer", so while we were doing that we also replaced the "Tor Browser Bundle" logo with the newer one that omits the word "Bundle." Here is a screenshot that shows the new top level window with the "Sandboxed Tor Browser" folder open so you can see what that looks like too:
Trac: Status: new to needs_review Keywords: TorBrowserTeam201611 deleted, TorBrowserTeam201611R added
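The snapshot's scripts are not reproduced here, but the precondition in the list above (a private /tmp/Tor directory for the SOCKS and control sockets) and the general way a Seatbelt profile is applied to a process (sandbox-exec -f profile command) can be shown in a small launcher. This is an added example, not the attached start-tor-with-sandbox script; the profile path, the tor binary location and the socket directory are assumptions.

```shell
#!/bin/bash
# Added example, not the script from the attached snapshot.
# Prepares the directory that will hold tor's SOCKS and control Unix domain
# sockets, refuses to continue unless it is a private directory owned by the
# invoking user, and then launches tor under a Seatbelt profile.

# Returns 0 if "$1" is a real directory (not a symlink), owned by us, mode 0700.
socket_dir_is_private() {
    d="$1"
    # A symlink here could redirect the sockets to a location another user controls.
    [ -L "$d" ] && return 1
    [ -d "$d" ] || return 1
    # Owner must be the invoking user (portable across GNU and BSD userland).
    owner="$(ls -ld "$d" | awk '{print $3}')"
    [ "$owner" = "$(id -un)" ] || return 1
    # Exact mode match: 'find -perm 0700' without a leading - or / means "exactly".
    [ -n "$(find "$d" -maxdepth 0 -type d -perm 0700 2>/dev/null)" ]
}

# Creates "$1" with mode 0700 if it does not exist, then verifies it.
# Exit status is the result; nothing is printed.
prepare_socket_dir() {
    d="$1"
    if [ ! -e "$d" ] && [ ! -L "$d" ]; then
        mkdir -m 0700 "$d" || return 1
    fi
    socket_dir_is_private "$d"
}

# Launches tor under the profile. Paths below are assumptions for illustration;
# sandbox-exec is the macOS tool that applies a Seatbelt (.sb) profile to the
# child process tree.
start_tor_sandboxed() {
    socket_dir="${1:-/tmp/Tor}"
    profile="${2:-tor.sb}"
    tor_bin="${3:-./TorBrowser.app/Contents/MacOS/Tor/tor}"   # assumed location
    if ! prepare_socket_dir "$socket_dir"; then
        echo "refusing to start: $socket_dir is not a private directory" >&2
        return 1
    fi
    exec sandbox-exec -f "$profile" "$tor_bin"
}
```

Run it as `start_tor_sandboxed /tmp/Tor tor.sb /path/to/tor`; the check fails closed, so a pre-existing /tmp/Tor that is world-readable, owned by someone else, or a symlink stops the launch instead of silently placing the sockets there.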
I don't have an OS X >= 10.9 for testing right now, Arthur can you give it a whirl?
That said the patch looks good to me. Just a nit: there are two superfluous whitespaces in start-tor-with-sandbox.
I was a bit confused about the background image not exactly knowing what to do with the additional folder. I solved it by reading the README after I dragged the folder to the desktop but that might be a bit unintuitive. :)
> That said the patch looks good to me. Just a nit: there are two superfluous whitespaces in start-tor-with-sandbox.

Thanks. We will fix those once we have received feedback from Arthur.

> I was a bit confused about the background image not exactly knowing what to do with the additional folder. I solved it by reading the README after I dragged the folder to the desktop but that might be a bit unintuitive. :)
We thought about putting a README at the top level (a 4th icon) but doing so will lead us quickly down the path of needing to translate the README text. We could do that though if you think it is better. Also note that you can open the folder from within the mounted dmg and view the README without copying anything off the dmg.
Do we need modifications after a patch for #20761 (moved) lands (given that we want to have unix domain sockets disabled by default for the time being)?
> Do we need modifications after a patch for #20761 (moved) lands (given that we want to have unix domain sockets disabled by default for the time being)?
Because our start-browser-with-sandbox script enables use of Unix domain sockets via env vars, I don't think changing the default inside Tor Launcher will break anything. But once we have the patch for #20761 (moved) in hand, we will confirm via testing.
I tried it out now. Seems to be working very nicely!
I agree with gk that the .dmg folder layout is confusing. Maybe we could deliver the TorBrowser.app inside the "Sandboxed Tor Browser" folder so the user doesn't have to place it there themselves? (The text in the README is a little ambiguous about where to put TorBrowser.app, so initially I incorrectly placed it as a sibling of "Sandboxed Tor Browser" instead of as a child, and that of course resulted in an error.)
Also, maybe we should get rid of the Applications shortcut, since we don't want people to put TorBrowser.app there. Is it possible to put a Desktop shortcut there instead? Or we could just have no shortcut, and no arrow.

> Also, maybe we should get rid of the Applications shortcut, since we don't want people to put TorBrowser.app there. Is it possible to put a Desktop shortcut there instead? Or we could just have no shortcut, and no arrow.

That's a can of worms we have already opened; see #12966 (moved) for something (more) promising?
> I tried it out now. Seems to be working very nicely!
Thanks for doing some testing. What version of OSX did you use?
> I agree with gk that the .dmg folder layout is confusing. Maybe we could deliver the TorBrowser.app inside the "Sandboxed Tor Browser" folder so the user doesn't have to place it there themselves? (The text in the README is a little ambiguous about where to put TorBrowser.app, so initially I incorrectly placed it as a sibling of "Sandboxed Tor Browser" instead of as a child, and that of course resulted in an error.)
The problem with including TorBrowser.app inside the "Sandboxed Tor Browser" folder is that we would need to include a complete copy, which would double the size of the dmg files (without an installer that runs some code, I don't know of a way to avoid that).
We could change the "Follow these steps" portion README text to be clearer. Here is an attempt at new text:
Follow these steps to use the sandbox profiles:

1. Copy this folder ("Sandboxed Tor Browser") to a local drive, but do not put it in /Applications.
2. Copy the TorBrowser app into your "Sandboxed Tor Browser" folder.
3. Open Terminal.
4. Run start-tor-with-sandbox and wait for Tor bootstrapping to finish.
5. Run start-browser-with-sandbox.