Opened 10 months ago

Closed 9 months ago

Last modified 8 months ago

#20989 closed defect (fixed)

browser sandbox profile too restrictive on OSX 10.12.2

Reported by: mcs Owned by: mcs
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-security, tbb-sandboxing, TorBrowserTeam201701R
Cc: brade, gk, mactoruser Actual Points:
Parent ID: Points:
Reviewer: Sponsor: Sponsor4

Description

A user reported via a blog comment that the browser fails to start via ./start-browser-with-sandbox on OSX 10.2.2. See:
https://blog.torproject.org/blog/tor-browser-65a6-released#comment-225250

As I commented on the blog, moving the line that reads (subpath "/usr/lib") within tb.sb from the (allow file-read-metadata ... ) section to the (allow file-read* ...) section seems to fix the problem.

Child Tickets

Change History (9)

comment:1 Changed 10 months ago by gk

Yes, but it is still not enough it seems:

b0x:Sandboxed Tor Browser admin$ ./start-browser-with-sandbox &
[2] 6065
Thunder:Sandboxed Tor Browser admin$ [warn] kq_init: detected broken kqueue; not using.: Undefined error: 0
2016-12-15 19:25:50.288 firefox[6070:278989] kCFURLVolumeIsAutomountedKey missing for file://localhost/Volumes/Tor%20Browser/: The file “Tor Browser” couldn’t be opened because you don’t have permission to view it.
1481822750600 addons.xpi-utils ERROR Unable to read anything useful from the database
0 migrated.
Dec 15 19:25:52.000 [notice] New control connection opened.
Dec 15 19:25:52.000 [warn] Got authentication cookie with wrong length (0)
Dec 15 19:25:52.000 [notice] New control connection opened.
2016-12-15 17:25:54.748 firefox[6070:278987] unable to obtain configuration from file://localhost/Library/Preferences/com.apple.ViewBridge.plist due to Error Domain=NSCocoaErrorDomain Code=257 "The file “com.apple.ViewBridge.plist” couldn’t be opened because you don’t have permission to view it." UserInfo={NSFilePath=/Library/Preferences/com.apple.ViewBridge.plist, NSUnderlyingError=0x7f8f0e911220 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"}}
2016-12-15 17:25:54.754 firefox[6070:278987] IMKInputSession presentFunctionRowItemTextInputViewWithEndpoint:completionHandler: : *NO* NSRemoteViewController to client, NSError=Error Domain=NSCocoaErrorDomain Code=4097 "connection from pid 0" UserInfo={NSDebugDescription=connection from pid 0}, com.apple.inputmethod.EmojiFunctionRowItem
Last edited 10 months ago by gk (previous) (diff)

comment:2 Changed 10 months ago by mcs

Status: newneeds_information

Some of the messages may be unimportant or even desireable, e.g., no access to file://localhost/Volumes/Tor%20Browser/ (the still mounted Tor Browser dmg).

This message from tor is strange:

Dec 15 19:25:52.000 [warn] Got authentication cookie with wrong length (0)

I do not know what file://localhost/Library/Preferences/com.apple.ViewBridge.plist is used for. And also there is a mention of com.apple.inputmethod.EmojiFunctionRowItem.

I wonder if a third party system extension is installed, or maybe just a different keyboard layout is being used.

It would also be helpful to know what the symptoms are from the browser/user perspective. Does the browser open a window? Does the about:tor page show that Tor is not working? What happens if you try to load a website?

comment:3 Changed 10 months ago by mactoruser

There are no 3d party system extensions, I use the 2016 Macbook Pro 15' (with the Touch Bar)
so that is what com.apple.inputmethod.EmojiFunctionRowItem is.
Not sure about file://localhost/Library/Preferences/com.apple.ViewBridge.plist but why Tor Browser needs it anyway?
I hope there is a way to make this input method blocked in TorBrowser, since the way I see it it's just another potential fingerprinting issue of users with Touch Bar.

The Tor Browser window opens but Tor button is red, like when the Tor Daemon is down.
Nothing loads obviosuly.

Maybe this can help?
https://webkit.googlesource.com/WebKit/+/master/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb

Chromium has this plist in this array:
;; Open and Save panels
(define (webkit-powerbox)

(allow file-read* (literal "/Library/Preferences/com.apple.ViewBridge.plist"))
(allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
(allow file-issue-extension

(require-all

(extension-class "com.apple.app-sandbox.read")
(extension "com.apple.app-sandbox.read-write"))

(require-all

(extension-class "com.apple.app-sandbox.read-write")
(extension "com.apple.app-sandbox.read-write"))))

Last edited 10 months ago by mactoruser (previous) (diff)

comment:4 in reply to:  3 Changed 10 months ago by mcs

Replying to mactoruser:

There are no 3d party system extensions, I use the 2016 Macbook Pro 15' (with the Touch Bar)
so that is what com.apple.inputmethod.EmojiFunctionRowItem is.
Not sure about file://localhost/Library/Preferences/com.apple.ViewBridge.plist but why Tor Browser needs it anyway?

It is difficult to know, but it may be related to the Touch Bar.

I hope there is a way to make this input method blocked in TorBrowser, since the way I see it it's just another potential fingerprinting issue of users with Touch Bar.

It is unclear whether webpages can tell that the Touch Bar is available, but if they can there may be a fingerprinting issue.

The Tor Browser window opens but Tor button is red, like when the Tor Daemon is down.
Nothing loads obviosuly.

Maybe this can help?
https://webkit.googlesource.com/WebKit/+/master/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb

Chromium has this plist in this array:
;; Open and Save panels
(define (webkit-powerbox)

(allow file-read* (literal "/Library/Preferences/com.apple.ViewBridge.plist"))

...

Thanks! Are you willing to do some experiments for us? First, remove the following lines from tb.sb (otherwise, a new browser profile is created each time, which is not good):

 ; Disallow writes to the profiles ini file.
 (deny file-write*
       (torbrowser-data-dir-subpath "/Browser/profiles.ini")
 )

Then remove your TorBrowser-Data/Browser directory to delete any extra profiles.

Next, see what happens if you add the following line to tb.sb:

(allow file-read* (literal "/Library/Preferences/com.apple.ViewBridge.plist"))

If you still cannot visit any websites using the browser, edit your prefs.js file (TorBrowser-Data/Browser/*.default/prefs.js) and add the following lines:

user_pref("extensions.torbutton.loglevel", 0);
user_pref("extensions.torbutton.logmethod", 0);
user_pref("extensions.torlauncher.loglevel", 0);
user_pref("extensions.torlauncher.logmethod", 0);

Then share the ./start-tor-with-sandbox and ./start-browser-with-sandbox output with us.

One final thing to do is to open the macOS Console application and look for messages that contain SandboxViolation.

comment:5 Changed 9 months ago by gk

Keywords: TorBrowserTeam201701 added; TorBrowserTeam201612 removed

Moving our tickets to January 2017

comment:6 Changed 9 months ago by mcs

Cc: mactoruser added
Keywords: TorBrowserTeam201701R added; TorBrowserTeam201701 removed
Status: needs_informationneeds_review

Here is a patch that incorporates the changes we know are needed for macOS Sierra compatibility:
https://gitweb.torproject.org/user/brade/tor-browser-bundle.git/commit/?h=bug20989-01&id=1dfebd76618633e846f552f7dc5ed87da072995a

There may be other changes necessary for the new MacBook Pro with Touch Bar, but Kathy and I do not have a way to test on that kind of computer.

mactoruser: if you have time, please download the revised tb.sb file and try using it. Direct download link:
https://gitweb.torproject.org/user/brade/tor-browser-bundle.git/plain/Bundle-Data/mac-sandbox/tb.sb?h=bug20989-01&id=1dfebd76618633e846f552f7dc5ed87da072995a

comment:7 Changed 9 months ago by gk

Resolution: fixed
Status: needs_reviewclosed

I took the patch (commit f55cbeea243675db8acf1015ca7e1ceed39f0933 on master). mactoruser: feedback and testing is still appreciated if you have some time to do so. Thanks!

comment:8 Changed 9 months ago by gk

Sponsor: Sponsor4

comment:9 Changed 8 months ago by mcs

I closed #21395 as a duplicate.

Note: See TracTickets for help on using tickets.