browser sandbox profile too restrictive on OSX 10.12.2

A user reported via a blog comment that the browser fails to start via ./start-browser-with-sandbox on OSX 10.2.2. See: https://blog.torproject.org/blog/tor-browser-65a6-released#comment-225250

As I commented on the blog, moving the line that reads (subpath "/usr/lib") within tb.sb from the (allow file-read-metadata ... ) section to the (allow file-read* ...) section seems to fix the problem.

added TorBrowserTeam201701R component::applications/tor browser owner::mcs priority::medium resolution::fixed severity::normal sponsor::4 status::closed tbb-sandboxing tbb-security type::defect labels

Yes, but it is still not enough it seems:

b0x:Sandboxed Tor Browser admin$ ./start-browser-with-sandbox &
[2] 6065
Thunder:Sandboxed Tor Browser admin$ [warn] kq_init: detected broken kqueue; not using.: Undefined error: 0
2016-12-15 19:25:50.288 firefox[6070:278989] kCFURLVolumeIsAutomountedKey missing for file://localhost/Volumes/Tor%20Browser/: The file “Tor Browser” couldn’t be opened because you don’t have permission to view it.
1481822750600 addons.xpi-utils ERROR Unable to read anything useful from the database
0 migrated.
Dec 15 19:25:52.000 [notice] New control connection opened.
Dec 15 19:25:52.000 [warn] Got authentication cookie with wrong length (0)
Dec 15 19:25:52.000 [notice] New control connection opened.
2016-12-15 17:25:54.748 firefox[6070:278987] unable to obtain configuration from file://localhost/Library/Preferences/com.apple.ViewBridge.plist due to Error Domain=NSCocoaErrorDomain Code=257 "The file “com.apple.ViewBridge.plist” couldn’t be opened because you don’t have permission to view it." UserInfo={NSFilePath=/Library/Preferences/com.apple.ViewBridge.plist, NSUnderlyingError=0x7f8f0e911220 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"}}
2016-12-15 17:25:54.754 firefox[6070:278987] IMKInputSession presentFunctionRowItemTextInputViewWithEndpoint:completionHandler: : *NO* NSRemoteViewController to client, NSError=Error Domain=NSCocoaErrorDomain Code=4097 "connection from pid 0" UserInfo={NSDebugDescription=connection from pid 0}, com.apple.inputmethod.EmojiFunctionRowItem

Some of the messages may be unimportant or even desireable, e.g., no access to file://localhost/Volumes/Tor%20Browser/ (the still mounted Tor Browser dmg).

This message from tor is strange: Dec 15 19:25:52.000 [warn] Got authentication cookie with wrong length (0)

I do not know what file://localhost/Library/Preferences/com.apple.ViewBridge.plist is used for. And also there is a mention of com.apple.inputmethod.EmojiFunctionRowItem.

I wonder if a third party system extension is installed, or maybe just a different keyboard layout is being used.

It would also be helpful to know what the symptoms are from the browser/user perspective. Does the browser open a window? Does the about:tor page show that Tor is not working? What happens if you try to load a website?

Trac:
Status: new to needs_information

There are no 3d party system extensions, I use the 2016 Macbook Pro 15' (with the Touch Bar) so that is what com.apple.inputmethod.EmojiFunctionRowItem is. Not sure about file://localhost/Library/Preferences/com.apple.ViewBridge.plist but why Tor Browser needs it anyway? I hope there is a way to make this input method blocked in TorBrowser, since the way I see it it's just another potential fingerprinting issue of users with Touch Bar.

The Tor Browser window opens but Tor button is red, like when the Tor Daemon is down. Nothing loads obviosuly.

Maybe this can help? https://webkit.googlesource.com/WebKit/+/master/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb

Chromium has this plist in this array: ;; Open and Save panels (define (webkit-powerbox) (allow file-read* (literal "/Library/Preferences/com.apple.ViewBridge.plist")) (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write")) (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (extension "com.apple.app-sandbox.read-write")) (require-all (extension-class "com.apple.app-sandbox.read-write") (extension "com.apple.app-sandbox.read-write"))))

Trac:
Username: mactoruser

Replying to mactoruser:

There are no 3d party system extensions, I use the 2016 Macbook Pro 15' (with the Touch Bar) so that is what com.apple.inputmethod.EmojiFunctionRowItem is. Not sure about file://localhost/Library/Preferences/com.apple.ViewBridge.plist but why Tor Browser needs it anyway?

It is difficult to know, but it may be related to the Touch Bar.

I hope there is a way to make this input method blocked in TorBrowser, since the way I see it it's just another potential fingerprinting issue of users with Touch Bar.

It is unclear whether webpages can tell that the Touch Bar is available, but if they can there may be a fingerprinting issue.

The Tor Browser window opens but Tor button is red, like when the Tor Daemon is down. Nothing loads obviosuly.

Maybe this can help? https://webkit.googlesource.com/WebKit/+/master/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb

Chromium has this plist in this array: ;; Open and Save panels (define (webkit-powerbox) (allow file-read* (literal "/Library/Preferences/com.apple.ViewBridge.plist")) ...

Thanks! Are you willing to do some experiments for us? First, remove the following lines from tb.sb (otherwise, a new browser profile is created each time, which is not good):

 ; Disallow writes to the profiles ini file.
 (deny file-write*
       (torbrowser-data-dir-subpath "/Browser/profiles.ini")
 )

Then remove your TorBrowser-Data/Browser directory to delete any extra profiles.

Next, see what happens if you add the following line to tb.sb: (allow file-read* (literal "/Library/Preferences/com.apple.ViewBridge.plist"))

If you still cannot visit any websites using the browser, edit your prefs.js file (TorBrowser-Data/Browser/*.default/prefs.js) and add the following lines:

user_pref("extensions.torbutton.loglevel", 0);
user_pref("extensions.torbutton.logmethod", 0);
user_pref("extensions.torlauncher.loglevel", 0);
user_pref("extensions.torlauncher.logmethod", 0);

Then share the ./start-tor-with-sandbox and ./start-browser-with-sandbox output with us.

One final thing to do is to open the macOS Console application and look for messages that contain SandboxViolation.

Moving our tickets to January 2017

Trac:
Keywords: TorBrowserTeam201612 deleted, TorBrowserTeam201701 added

Here is a patch that incorporates the changes we know are needed for macOS Sierra compatibility: https://gitweb.torproject.org/user/brade/tor-browser-bundle.git/commit/?h=bug20989-01&id=1dfebd76618633e846f552f7dc5ed87da072995a

There may be other changes necessary for the new MacBook Pro with Touch Bar, but Kathy and I do not have a way to test on that kind of computer.

mactoruser: if you have time, please download the revised tb.sb file and try using it. Direct download link: https://gitweb.torproject.org/user/brade/tor-browser-bundle.git/plain/Bundle-Data/mac-sandbox/tb.sb?h=bug20989-01&id=1dfebd76618633e846f552f7dc5ed87da072995a

Trac:
Keywords: TorBrowserTeam201701 deleted, TorBrowserTeam201701R added
Status: needs_information to needs_review
Cc: brade, gk to brade, gk, mactoruser

I took the patch (commit f55cbeea243675db8acf1015ca7e1ceed39f0933 on master). mactoruser: feedback and testing is still appreciated if you have some time to do so. Thanks!

Trac:
Resolution: N/A to fixed
Status: needs_review to closed

Trac:
Sponsor: N/A to Sponsor4

I closed #21395 (moved) as a duplicate.

closed

mentioned in issue #21395 (moved)

mentioned in issue #21395 (moved)

mentioned in issue #21395 (moved)

moved to tpo/applications/tor-browser#20989 (closed)