Opened 4 months ago

Last modified 4 months ago

#20781 new enhancement

Figure out how to sandbox meek in a sensible way.

Reported by: yawning Owned by: yawning
Priority: Medium Milestone:
Component: Applications/Tor Browser Sandbox Version:
Severity: Normal Keywords: meek
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Right now sandboxed-tor-browser does not support meek at all. This is suboptimal since it is popular.

There's two ways forward from my perspective:

  • The correct fix would be to add code to spin up another sandbox container (since I do not think that even a neutered firefox process should live in the tor sandbox), for the meek helper firefox instance.
  • The quick and dirty way would be to use meek_lite since obfs4proxy is allowed, and shipped versions contain the code. The downside is that it is even more distinct than meek usually is.

Child Tickets

Change History (3)

comment:1 Changed 4 months ago by dcf

  • Keywords meek added

comment:2 Changed 4 months ago by yawning

I assume meek with firefox running as a helper will be affected by #20283 since it is an upstream issue, and I just removed /proc from the tor container.

Fixing this the right way is also going to be tricky since I'm fairly sure the tor container won't be able to see sockets from the meek container, and PTs don't support AF_LOCAL yet, so sandboxed-tor-browser probably will need to shuffle bytes back and forth between the two.

comment:3 Changed 4 months ago by yawning

At least some current Tor Browser builds use a version of obfs4proxy that predates meek_lite, so using meek_lite would need that to be bumped up (trivial), and special cases in the code to handle old versions of the browser.

Note: See TracTickets for help on using tickets.