Get a working content process sandbox for Tor Browser on Windows

added GeorgKoppen201709 TorBrowserTeam201709R component::applications/tor browser ff52-esr owner::gk priority::very high resolution::fixed severity::major sponsor::4 status::closed tbb-e10s tbb-not-backported tbb-security type::task labels

Trac:
Cc: mikeperry to mikeperry, mcs

These are SponsorU tickets

Trac:
Sponsor: N/A to SponsorU

Trac:
Cc: mikeperry, mcs to mikeperry, mcs, arlolra

Trac:
Cc: mikeperry, mcs, arlolra to mikeperry, mcs, arlolra, sukhbir

As an update: Jacek wrote a WIP patch that should be able to do the trick for us and I opened https://bugzilla.mozilla.org/show_bug.cgi?id=1230910 to track the process of getting the problem fixed in Mozilla itself.

Trac:
Severity: N/A to Normal

This won't be needed for esr45 as e10s is not shipped enabled. Postponing for esr52.

Trac:
Reviewer: N/A to N/A
Sponsor: SponsorU to None
Keywords: ff45-esr deleted, ff52-esr added

Trac:
Parent: N/A to #21147 (moved)

Trac:
Cc: mikeperry, mcs, arlolra, sukhbir to mikeperry, mcs, arlolra, sukhbir, tom

We should start banging our head against this wall.

Trac:
Keywords: N/A deleted, TorBrowserTeam201702 added

This is Sponsor4 work

Trac:
Sponsor: None to Sponsor4

Replying to gk:

As an update: Jacek wrote a WIP patch that should be able to do the trick for us and I opened https://bugzilla.mozilla.org/show_bug.cgi?id=1230910 to track the process of getting the problem fixed in Mozilla itself.

I adapted the WIP and attached a version which let me build with sandboxing enabled in ESR52. Now, we just need to get it work. :)

Trac:
content-sandbox.patch

I am still waiting of Jacek's but it seems to me the two obvious blockers are SEH support and getting that assembly code in SmartSidestepResolverThunk::SmartStub() ported. Not sure what to do about the assembly but https://gcc.gnu.org/wiki/WindowsGCCImprovements mentions Casper Hornstrup having created an initial implementation that did not make it into GCC mainline. Code not being in GCC mainline is no issue for us in general, so maybe we should try to dig that code up and see whether we can get it to work with GCC 5? Or even better getting Casper to make it work?

Trac:
Keywords: N/A deleted, tbb-7.0-must added

Moving tickets to March

Trac:
Keywords: TorBrowserTeam201702 deleted, TorBrowserTeam201703 added

Adding to my plate.

Trac:
Keywords: N/A deleted, GeorgKoppen201703 added

The backport of https://bugzilla.mozilla.org/show_bug.cgi?id=1321724 breaks our build again:

/home/firefox/win52/gecko-dev/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc:61:32: error: ‘WinLocalAccountAndAdministratorSid’ was not declared in this scope
       deny_only_sids.push_back(WinLocalAccountAndAdministratorSid);

According to https://dxr.mozilla.org/mozilla-esr52/search?limit=100&redirect=false&q=__except%20path%3Asecurity/sandbox%2F you can use #12425 (moved) as an easy-fix/dirty-haxx just to get it working like #12113 (moved), but it's not safe, however.

Replying to cypherpunks:

According to https://dxr.mozilla.org/mozilla-esr52/search?limit=100&redirect=false&q=__except%20path%3Asecurity/sandbox%2F you can use #12425 (moved) as an easy-fix/dirty-haxx just to get it working like #12113 (moved), but it's not safe, however.

I'm pretty sure we cannot. try {} except {} can be replaced with setjmp/longjmp but __try / __except are a special MSVC extension that catches what would otherwise be a segfault.

Right now we're looking at a few options:

Rip out all __try / __except and just hope we don't hit an access violation in normal usage
MinGW's __try1 / __except1 construct
libseh from here: http://www.programmingunlimited.net/siteexec/content.cgi?page=mingw-seh

Preliminary testing of both 1 and 2 indicate these probably don't work. But we don't know exactly why yet.

Get a working content process sandbox for Tor Browser on Windows

Child items 0

Activity