Opened 5 years ago

Closed 3 years ago

#14270 closed project (fixed)

Make Tor Browser work with Unix Domain Socket option

Reported by: gk Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-security, TorBrowserTeam201610
Cc: mikeperry, ioerror, mcs, brade, adrelanos@…, whonix-devel@…, arthuredelstein Actual Points:
Parent ID: #19750 Points:
Reviewer: Sponsor: SponsorU

Description (last modified by gk)

Now that #12585 landed we should make Tor Browser aware of tor's Unix Domain Socket option in order to make use of it (we could test it in our upcoming hardened bundles). This is the parent ticket tracking this effort.

Child Tickets

TicketStatusOwnerSummaryComponent
#14271closedbradeMake Torbutton work with Unix Domain Socket optionApplications/Tor Browser
#14272closedbradeMake Tor Launcher work with Unix Domain Socket optionApplications/Tor Launcher
#14273closedmikeperryInvestigate missing Tor Browser patches to make Unix Domain Socket option workApplications/Tor Browser
#19733closedtbb-teamGETINFO response parser doesn't handle AF_UNIX entries.Applications/Tor Browser
#20111closedtbb-teamuse Unix domain sockets for SOCKS port by defaultApplications/Tor Browser
#20185closedtbb-teamTor Browser alpha is broken on Linux (and probably OS X) if directory is nested too deepApplications/Tor Browser
#20304closedmcsSOCKS socket does not support spaces and other special charactersApplications/Tor Browser
#20441closedtbb-teamBackport missing unix domain socket bug fix (bug 1311044)Applications/Tor Browser
#20490closedtbb-teamBackport fix for assertion failure due to patch for #20304 (bug 1311275)Applications/Tor Browser

Change History (22)

comment:1 Changed 5 years ago by gk

#3967 is at least relevant here. Might be superseded by work on #14271.

comment:2 Changed 5 years ago by mcs

Cc: mcs brade added

comment:3 Changed 5 years ago by intrigeri

Is my understanding correct that this will bring us security improvements if, and only if, Tor Browser is somehow confined by the OS to not be allowed to open other kinds of sockets (most notably INET ones)?

comment:4 in reply to:  3 ; Changed 5 years ago by gk

Replying to intrigeri:

Is my understanding correct that this will bring us security improvements if, and only if, Tor Browser is somehow confined by the OS to not be allowed to open other kinds of sockets (most notably INET ones)?

Confinement by OS is one option, yes, but patching Tor Browser to disallow other kinds of sockets would be another one. There might be other security improvements possible if one does neither of the above things but I am currently not aware of them. The current idea is to use the SocksSocket option + confinement (e.g. done by AppAmor).

comment:5 in reply to:  4 Changed 5 years ago by intrigeri

Replying to gk:

The current idea is to use the SocksSocket option + confinement (e.g. done by AppAmor).

Note that socket mediation with AppArmor is currently only available with out-of-tree kernel patches, that are only applied in Ubuntu (and perhaps OpenSUSE and/or hardened Gentoo) AFAIK. FTR, the Canonical guy who is working on having these patches in mainline Linux is John Johansen <john.johansen@…>.

Version 0, edited 5 years ago by intrigeri (next)

comment:6 Changed 5 years ago by proper

Cc: adrelanos@… added

comment:7 Changed 5 years ago by mikeperry

Keywords: tbb-4.5-alpha added

comment:8 Changed 5 years ago by gk

Keywords: tbb-security, tbb-4.5-alphatbb-security, tbb-4.5-alpha

Just for reference: https://bugzilla.mozilla.org/show_bug.cgi?id=892114 might already expose all we need if we are lucky.

comment:9 Changed 5 years ago by gk

Description: modified (diff)
Summary: Make Tor Browser work with SocksSocket optionMake Tor Browser work with Unix Domain Socket option

comment:10 Changed 4 years ago by gk

Keywords: tbb-4.5-alpha removed

comment:11 Changed 4 years ago by proper

Cc: whonix-devel@… added

comment:12 Changed 3 years ago by gk

Priority: MediumHigh
Sponsor: SponsorU

comment:13 Changed 3 years ago by yawning

Severity: Normal

https://git.schwanenlied.me/yawning/tor-firejail/commit/b08f80044887363316c84de2fcb884bc7d20aff9

Pros:

  • It works.
  • No patches to upstream.

Cons:

  • Requires a 3rd party sandboxing mechanism to be totally trustworthy (as in, the sandbox enforces the family limitations for calls I don't bother to hook).
  • The tor daemon still needs to listen on a port since tor-button thinks it's talking to the standard socks port, and about:tor pukes due to the GETINFO check.
  • The tor daemon needs to be running elsewhere (outside the sandbox, different sandbox), since the sandbox disallows non AF_LOCAL families.
  • The stub/profile/script modification maintainer feasts on user's tears and ignores cries for help.

comment:14 Changed 3 years ago by arthuredelstein

Parent ID: #19750

comment:15 Changed 3 years ago by gk

Keywords: TorBrowserTeam201608 added

Getting important SponsorU things on our August radar.

comment:16 Changed 3 years ago by gk

Keywords: TorBrowserTeam201609 added; TorBrowserTeam201608 removed

Tickets for September.

comment:17 Changed 3 years ago by arthuredelstein

Cc: arthuredelstein added

comment:18 Changed 3 years ago by gk

Keywords: TorBrowserTeam201610 added; TorBrowserTeam201609 removed

Moving SponsorU items to October.

comment:19 Changed 3 years ago by gk

Resolution: fixed
Status: newclosed

Seems we are done here, yay!

comment:20 Changed 3 years ago by gk

Resolution: fixed
Status: closedreopened

It seems we are missing a patch.

comment:21 Changed 3 years ago by bugzilla

Ticket in comment:1 wants to be resolved ;)

comment:22 Changed 3 years ago by gk

Resolution: fixed
Status: reopenedclosed

We are done here (again), I think.

Note: See TracTickets for help on using tickets.