Opened 4 months ago

Last modified 2 weeks ago

#22794 new defect

Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured.

Reported by: yawning
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-security, tbb-sandboxing, TorBrowserTeam201710
Cc: intrigeri, arthuredelstein
Actual Points:
Parent ID: #20775
Points:
Reviewer:
Sponsor:

Description

Discovered when trying to resolve #20775.

Unsandboxed Tor Browser 7.0.1:

socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 67
fcntl(67, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(67, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 68
close(68)                               = 0
socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 68
fcntl(68, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(68, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
close(68)                               = 0
setsockopt(67, SOL_TCP, TCP_NODELAY, [1], 4) = 0

socket(AF_UNIX, SOCK_STREAM, 0)         = 68
fcntl(68, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(68, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
close(67)                               = 0
connect(68, {sa_family=AF_UNIX, sun_path="/var/run/tor/socks"}, 106) = 0

If the first socket (AF_INET) call fails (as it will due to seccomp-bpf) the AF_LOCAL socket never gets created, and pages don't load. The failure mode doesn't appear to depend on errno (at least, it didn't make a difference if it was ENOSYS or EAFNOSUPPORT).

Using IPC should mean, "Tor Browser uses IPC, and only IPC", and not "Tor Browser refuses to work if non-IPC socket creation fails", because the whole point of using IPC in the first place is so that Tor Browser can be run in a way that disallows non-IPC connections.

Change History (9)

comment:1 Changed 4 months ago by yawning

A minimal/self contained LD_PRELOAD that can reproduce the behavior:

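/* _GNU_SOURCE has to be defined before the first #include to take effect. */
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

/* Interposed socket(): logs every call and rejects any domain other than AF_LOCAL. */
int socket(int domain, int type, int protocol) {
  fprintf(stderr, "stub: socket(%d, 0x%08x, %d)\n", domain, type, protocol);
  if (domain != AF_LOCAL) {
    fprintf(stderr, "stub: domain is not AF_LOCAL, rejecting\n");
    errno = EAFNOSUPPORT;
    return -1;
  }
  /* AF_LOCAL: hand the call to the real socket syscall. */
  return syscall(SYS_socket, domain, type, protocol);
}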

And commenting out the rejection (as in always calling syscall(), regardless of the domain), magically makes things start to work.
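Added example, not part of the ticket or of any Tor Browser sandbox code: the same failure condition produced by an actual seccomp-bpf filter rather than the LD_PRELOAD stub, so a build can be checked for whether it still needs AF_INET/AF_INET6 socket creation to succeed. The function names are hypothetical, and the filter assumes a little-endian Linux target with a direct socket syscall (for example x86_64 or aarch64).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Install a seccomp-bpf filter under which socket() fails with EAFNOSUPPORT
 * for every domain except AF_UNIX (== AF_LOCAL). Repro aid only, not a full
 * sandbox policy: no arch check, no socketcall(2)/x32 handling. */
static int deny_non_unix_sockets(void) {
  struct sock_filter insns[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3), /* not socket(): allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 1, 0),     /* AF_UNIX: allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EAFNOSUPPORT),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
  };
  struct sock_fprog prog = { .len = sizeof(insns) / sizeof(insns[0]), .filter = insns };
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
  return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Call socket(domain, SOCK_STREAM, 0) in a child that runs under the filter.
 * Returns 0 if the socket was created, the errno if not, -1 on setup failure. */
int errno_for_domain_under_filter(int domain) {
  pid_t pid = fork();
  if (pid < 0) return -1;
  if (pid == 0) {
    if (deny_non_unix_sockets() != 0) _exit(255);
    int fd = socket(domain, SOCK_STREAM, 0);
    _exit(fd >= 0 ? 0 : errno);
  }
  int status;
  if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
  return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void) {
  printf("AF_UNIX: %d\n", errno_for_domain_under_filter(AF_UNIX));
  printf("AF_INET: %d\n", errno_for_domain_under_filter(AF_INET));
  return 0;
}
```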

comment:2 Changed 4 months ago by yawning

Parent ID: #20775

Setting a parent so it's obvious why the sandbox doesn't use Tor Browser's IPC support.

comment:3 Changed 4 months ago by yawning

Component: Applications/Tor Browser Sandbox → Applications/Tor Browser
Owner: changed from yawning to tbb-team

It also helps if I file this against the correct component.

comment:4 Changed 4 months ago by intrigeri

Cc: intrigeri added

comment:5 Changed 3 months ago by gk

Keywords: TorBrowserTeam201707 added

Hm, I wonder what is going on here. Putting it on our radar.

comment:6 Changed 3 months ago by arthuredelstein

Cc: arthuredelstein added

comment:7 Changed 3 months ago by gk

Keywords: TorBrowserTeam201708 added; TorBrowserTeam201707 removed

Moving our Tickets to August.

comment:8 Changed 6 weeks ago by gk

Keywords: TorBrowserTeam201709 added; TorBrowserTeam201708 removed

Items for September 2017.

comment:9 Changed 2 weeks ago by gk

Keywords: TorBrowserTeam201710 added; TorBrowserTeam201709 removed

Items for October 2017
