Opened 3 years ago

Closed 2 years ago

#20121 closed defect (fixed)

Create Seatbelt profile(s) for Tor Browser

Reported by: gk Owned by: tbb-team
Priority: Very High Milestone:
Component: Applications/Tor bundles/installation Version:
Severity: Normal Keywords: tbb-security, TorBrowserTeam201612R
Cc: brade, mcs, arthuredelstein Actual Points:
Parent ID: #19750 Points:
Reviewer: Sponsor: SponsorU

Description

We need sandboxing profiles for Tor Browser. I pinged trams recently on #tor-dev as he worked on this for Tor Browser years ago (https://lists.torproject.org/pipermail/tor-qa/2013-November/000230.html ff.). He suggested we look at his IronFox (https://www.romab.com/ironfox/) and it would probably enough to just copy them over. We can get a .tar.gz bundle as well. (And I guess he would help in case we have questions ;) )

Child Tickets

Attachments (2)

osx-sandbox-2016-10-28.zip (4.6 KB) - added by mcs 2 years ago.
work in progress
dmg-screenshot.png (428.4 KB) - added by mcs 2 years ago.
screenshot that shows the new dmg "installer"


Change History (20)

comment:1 Changed 3 years ago by gk

I think I'd need OS X dev volunteers. :) *looks around*

comment:2 Changed 3 years ago by mcs

Parent ID: #19750

comment:3 Changed 3 years ago by gk

Keywords: TorBrowserTeam201610 added; TorBrowserTeam201609 removed

Moving SponsorU items to October.

comment:4 Changed 3 years ago by gk

See: #8282 for an old bug (there are old sandbox profiles attached) in case this can be helpful.

Changed 2 years ago by mcs

Attachment: osx-sandbox-2016-10-28.zip added

work in progress

comment:5 Changed 2 years ago by mcs

There is more work to do, but I attached a "work in progress" zip snapshot that contains Seatbelt profiles for Tor Browser (tb.sb) and tor (tor.sb). The zip file also contains bash scripts for starting tor and firefox, as well as a skeleton TorBrowser-Data directory (required if starting from scratch). In theory, if a TorBrowser.app is added that contains recent builds of Torbutton and Tor-Launcher, the scripts can be used to start a sandboxed browser that uses a sandboxed tor.

Ignoring packaging concerns, there are many limitations, e.g.,

  • This probably requires OSX 10.9 or later (this might be OK). We tested on 10.11.6 and 10.12.1. It definitely will not work on 10.6 due to changes in the sandbox profile file format (we could create separate profiles for 10.6 if necessary).
  • It assumes the browser app bundle will be named TorBrowser.app.
  • It assumes a portable model (i.e., TorBrowser.app is not in /Applications).
  • It assumes that /tmp/Tor exists with mode 0700 or similar (the SOCKS and control port Unix domain sockets are placed there).
  • The firefox process has full control port access, which is probably not desirable.
  • The browser updater will not work due to the sandbox restrictions.

In the long run, we probably need something similar to what Yawning is working on for Linux (a separate process to start tor, check for updates, start firefox; a control port filter; other things).
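The scripts and profiles in the attached zip are not reproduced on this ticket, so here is an added illustration (not mcs's scripts and not code from the Tor Browser bundle) of the two pieces comment:5 describes: preparing the socket directory (/tmp/Tor, mode 0700) before tor is started, and a deny-by-default Seatbelt profile for tor that is handed to sandbox-exec. The function names, the profile rules and the paths are assumptions; sandbox-exec and the (version 1) profile dialect are macOS-only, so only the directory checks and the profile rendering run elsewhere. The directory check matters because /tmp is world-writable: a fixed path there can be pre-created or symlinked by another local user, so the script refuses a symlink and verifies owner and mode after mkdir instead of trusting that "/tmp/Tor exists".

```shell
#!/bin/sh
# Added example: helpers for launching tor under a Seatbelt profile.
# Not the ticket's start-tor-with-sandbox script; rules and paths are assumptions.
set -u

# Mode and owner of a path, portable across GNU stat (Linux) and BSD stat (macOS).
path_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
path_owner() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u'  "$1"; }

# Create the socket directory if needed and refuse to use it unless it is a real
# directory, owned by the current user, with no group/other permission bits.
prepare_socket_dir() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "refusing symlink at $dir" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        (umask 077 && mkdir "$dir") || return 1
    fi
    chmod 0700 "$dir" || return 1
    [ "$(path_owner "$dir")" = "$(id -u)" ] || { echo "$dir is not owned by us" >&2; return 1; }
    [ "$(path_mode "$dir")" = "700" ]       || { echo "$dir has mode $(path_mode "$dir")" >&2; return 1; }
    return 0
}

# Render a minimal deny-by-default profile for the tor daemon. Every allow rule
# here is an assumed starting point: tor only gets its own binary, system
# libraries, its data directory and the socket directory. Refine it by adding
# (trace "/tmp/tor-trace.sb") during development and reviewing what was denied.
render_tor_profile() {
    tor_bin=$1; data_dir=$2; sock_dir=$3
    cat <<EOF
(version 1)
(deny default)
(import "system.sb")
(allow process-exec (literal "$tor_bin"))
(allow file-read* (literal "$tor_bin") (subpath "/usr/lib") (subpath "/System/Library"))
(allow file-read* file-write* (subpath "$data_dir") (subpath "$sock_dir"))
(allow network-outbound)
(allow sysctl-read)
EOF
}

# Launch tor inside the profile. sandbox-exec -f takes a profile file;
# extra arguments are passed through to tor unchanged.
start_tor_sandboxed() {
    profile=$1; shift
    if ! command -v sandbox-exec >/dev/null 2>&1; then
        echo "sandbox-exec not found; this step only works on macOS" >&2
        return 2
    fi
    sandbox-exec -f "$profile" "$@"
}

# Manual run (macOS): RUN_EXAMPLE=1 sh this-script.sh
if [ "${RUN_EXAMPLE:-}" = 1 ]; then
    app=${TB_APP:-./TorBrowser.app}
    sock=/tmp/Tor
    prepare_socket_dir "$sock" || exit 1
    profile=$(mktemp)
    render_tor_profile "$app/Contents/MacOS/Tor/tor" \
        "$app/../TorBrowser-Data/Tor" "$sock" > "$profile"
    start_tor_sandboxed "$profile" "$app/Contents/MacOS/Tor/tor" \
        --SocksPort "unix:$sock/socks.socket" --ControlPort "unix:$sock/control.socket"
fi
```

The remaining race (the directory can still be replaced between the checks and tor's first use) disappears entirely if the sockets live in a per-user directory such as $TMPDIR or inside TorBrowser-Data instead of a fixed name under /tmp; the fixed path is kept here only because that is the layout comment:5 describes.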

comment:6 Changed 2 years ago by gk

Keywords: TorBrowserTeam201611 added; TorBrowserTeam201610 removed

Moving tickets over to November.

Changed 2 years ago by mcs

Attachment: dmg-screenshot.png added

screenshot that shows the new dmg "installer"

comment:7 Changed 2 years ago by mcs

Keywords: TorBrowserTeam201611R added; TorBrowserTeam201611 removed
Status: new → needs_review

Here is a patch that packages the Seatbelt profiles with Tor Browser:
https://gitweb.torproject.org/user/brade/tor-browser-bundle.git/commit/?h=bug20121-01&id=4be5e16ad106a3a0d2033eee6903b74acde48965

Note that Kathy and I had to create a new, larger background image for the dmg "installer", so while we were doing that we also replaced the "Tor Browser Bundle" logo with the newer one that omits the word "Bundle." Here is a screenshot that shows the new top level window with the "Sandboxed Tor Browser" folder open so you can see what that looks like too:

screenshot that shows the new dmg "installer"

comment:8 Changed 2 years ago by gk

Keywords: TorBrowserTeam201612R added; TorBrowserTeam201611R removed

Moving our review tickets to December.

comment:9 Changed 2 years ago by gk

I think the limitations I mentioned above are fine for now. I built a bundle and uploaded it for testing to

https://people.torproject.org/~gk/testbuilds/TorBrowser-tbb-nightly-osx64_20121_ALL.dmg
https://people.torproject.org/~gk/testbuilds/TorBrowser-tbb-nightly-osx64_20121_ALL.dmg.asc

I don't have an OS X >= 10.9 for testing right now, Arthur can you give it a whirl?

That said the patch looks good to me. Just a nit: there are two superfluous whitespaces in start-tor-with-sandbox.

I was a bit confused about the background image not exactly knowing what to do with the additional folder. I solved it by reading the README after I dragged the folder to the desktop but that might be a bit unintuitive. :)

comment:10 in reply to:  9 Changed 2 years ago by mcs

Replying to gk:

That said the patch looks good to me. Just a nit: there are two superfluous whitespaces in start-tor-with-sandbox.

Thanks. We will fix those once we receive feedback from Arthur.

I was a bit confused about the background image not exactly knowing what to do with the additional folder. I solved it by reading the README after I dragged the folder to the desktop but that might be a bit unintuitive. :)

We thought about putting a README at the top level (a 4th icon) but doing so will lead us quickly down the path of needing to translate the README text. We could do that though if you think it is better. Also note that you can open the folder from within the mounted dmg and view the README without copying anything off the dmg.

comment:11 Changed 2 years ago by gk

Do we need modifications after a patch for #20761 lands (given that we want to have unix domain sockets disabled by default for the time being)?

comment:12 in reply to:  11 Changed 2 years ago by mcs

Replying to gk:

Do we need modifications after a patch for #20761 lands (given that we want to have unix domain sockets disabled by default for the time being)?

Because our start-browser-with-sandbox script enables use of Unix domain sockets via env vars, I don't think changing the default inside Tor Launcher will break anything. But once we have the patch for #20761 in hand, we will confirm via testing.

comment:13 Changed 2 years ago by arthuredelstein

I tried it out now. Seems to be working very nicely!

I agree with gk that the .dmg folder layout is confusing. Maybe we could deliver the TorBrowser.app inside the "Sandboxed Tor Browser" folder so the user doesn't have to place it there themselves? (The text in the README is a little ambiguous about where to put TorBrowser.app, so initially I incorrectly placed it as a sibling of "Sandboxed Tor Browser" instead of as a child, and that of course resulted in an error.)

Also, maybe we should get rid of the Applications shortcut, since we don't want people to put TorBrowser.app there. Is it possible to put a Desktop shortcut there instead? Or we could just have no shortcut, and no arrow.

comment:14 in reply to:  13 Changed 2 years ago by gk

Replying to arthuredelstein:

Also, maybe we should get rid of the Applications shortcut, since we don't want people to do put TorBrowser.app there. Is it possible to put a Desktop shortcut there instead? Or we could just have no shortcut, and no arrow.

That's a can of worms we had already opened, see #12966 for something (more) promising?

comment:15 in reply to:  13 ; Changed 2 years ago by mcs

Replying to arthuredelstein:

I tried it out now. Seems to be working very nicely!

Thanks for doing some testing. What version of OSX did you use?

I agree with gk that the .dmg folder layout is confusing. Maybe we could deliver the TorBrowser.app inside the "Sandboxed Tor Browser" folder so the user doesn't have to place it there themselves? (The text in the README is a little ambiguous about where to put TorBrowser.app, so initially I incorrectly placed it as a sibling of "Sandboxed Tor Browser" instead of as a child, and that of course resulted in an error.)

The problem with including TorBrowser.app inside the "Sandboxed Tor Browser" folder is that we would need to include a complete copy, which would double the size of the dmg files (without an installer that runs some code, I don't know of a way to avoid that).
We could change the "Follow these steps" portion of the README text to be clearer. Here is an attempt at new text:

Follow these steps to use the sandbox profiles:

1. Copy this folder ("Sandboxed Tor Browser") to a local drive, but do not put it in /Applications.
2. Copy the TorBrowser app into your "Sandboxed Tor Browser" folder.
3. Open Terminal.
4. Run start-tor-with-sandbox and wait for Tor bootstrapping to finish.
5. Run start-browser-with-sandbox.

Is this better?

comment:16 in reply to:  15 Changed 2 years ago by arthuredelstein

Replying to mcs:

Replying to arthuredelstein:

I tried it out now. Seems to be working very nicely!

Thanks for doing some testing. What version of OSX did you use?

10.11.6

The problem with including TorBrowser.app inside the "Sandboxed Tor Browser" folder is that we would need to include a complete copy, which would double the size of the dmg files (without an installer that runs some code, I don't know of a way to avoid that).

Got it -- makes sense.

We could change the "Follow these steps" portion README text to be clearer. Here is an attempt at new text:

Follow these steps to use the sandbox profiles:

1. Copy this folder ("Sandboxed Tor Browser") to a local drive, but do not put it in /Applications.
2. Copy the TorBrowser app into your "Sandboxed Tor Browser" folder.
3. Open Terminal.
4. Run start-tor-with-sandbox and wait for Tor bootstrapping to finish.
5. Run start-browser-with-sandbox.

Is this better?

Yes, thanks!

comment:17 Changed 2 years ago by mcs

Here is a revised patch:
https://gitweb.torproject.org/user/brade/tor-browser-bundle.git/commit/?h=bug20121-02&id=2381600d638bf11032dbaade342d72c62f1f3e21

We removed the line in start-tor-with-sandbox that had the extra whitespace, we updated the README text per comment:15, and we rebased to the latest master.

comment:18 Changed 2 years ago by gk

Resolution: fixed
Status: needs_review → closed

Let's go with that one and see what happens. This is commit b774796a7d1232b2e0d3a0257823456ccf5f56db on master now.
