Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#20781 closed enhancement (wontfix)

Figure out how to sandbox meek in a sensible way.

Reported by: yawning Owned by: yawning
Priority: Medium Milestone:
Component: Archived/Tor Browser Sandbox Version:
Severity: Normal Keywords: meek
Cc: brade, mcs Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Right now sandboxed-tor-browser does not support meek at all. This is suboptimal since it is popular.

There's two ways forward from my perspective:

  • The correct fix would be to add code to spin up another sandbox container (since I do not think that even a neutered firefox process should live in the tor sandbox), for the meek helper firefox instance.
  • The quick and dirty way would be to use meek_lite since obfs4proxy is allowed, and shipped versions contain the code. The downside is that it is even more distinct than meek usually is.

Child Tickets

Change History (7)

comment:1 Changed 4 years ago by dcf

Keywords: meek added

comment:2 Changed 4 years ago by yawning

I assume meek with firefox running as a helper will be affected by #20283 since it is an upstream issue, and I just removed /proc from the tor container.

Fixing this the right way is also going to be tricky since I'm fairly sure the tor container won't be able to see sockets from the meek container, and PTs don't support AF_LOCAL yet, so sandboxed-tor-browser probably will need to shuffle bytes back and forth between the two.

comment:3 Changed 4 years ago by yawning

At least some current Tor Browser builds use a version of obfs4proxy that predates meek_lite, so using meek_lite would need that to be bumped up (trivial), and special cases in the code to handle old versions of the browser.

comment:4 Changed 3 years ago by arma

Seems like using meek_lite is an obvious intermediate step.

Assuming we're going to continue working towards getting this sandbox thing in the hands of normal users. That's a great question for GeKo.

comment:5 Changed 3 years ago by mcs

Cc: brade mcs added

comment:6 Changed 3 years ago by yawning

Resolution: wontfix
Status: newclosed

There is no sensible way. Even in a separate container, a firefox process should never get access to the network interface.

comment:7 Changed 3 years ago by cypherpunks

Even with #23362?

Note: See TracTickets for help on using tickets.