Opened 3 years ago

Closed 3 years ago

#22910 closed enhancement (fixed)

Deprecate the volatile extension dir options

Reported by: yawning Owned by: yawning
Priority: Medium Milestone:
Component: Archived/Tor Browser Sandbox Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by yawning)

Having massive "foot + gun" options in general is bad practice.

~The extra codecs will expose ffmpeg to the browser container, which is a concrete increase in attack surface for questionable gain (gstreamer is never allowed).~

The volatile extension dir gives firefox more write access than what anyone that's vaguely security conscious should be comfortable with, to critical browser components, and there's the ongoing about:addons fisasco.

Child Tickets

Change History (5)

comment:1 Changed 3 years ago by cypherpunks

Please don't, sandboxed tor browser + enabling addons is still WAY more secure than vanilla Tor Browser. And you already put a very big "UNSAFE" next to them.

comment:2 Changed 3 years ago by yawning

Status: newaccepted

Volatile Extensions Dir: https://gitweb.torproject.org/tor-browser/sandboxed-tor-browser.git/commit/?id=701c0656be16440203147eb0ea6104486bb77096

I still need to think about ffmpeg, but really what should happen is that Tor Browser should bundle their own copy if it's that critical to functionality instead of pulling in one of 7 different .so files via dlopen.

comment:3 Changed 3 years ago by yawning

It looks like the browser people sort of considered the ffmpeg situation at #18946, and I initially added the pref in #20806.

The list of shared objects that FF will pull appears to be hardcoded in dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp. When I initially wrote this, it was also pulling in libgstreamer (which has explicitly always been rejected via the fine grained shared object code), but maybe that's gone now.

    "libavcodec-ffmpeg.so.57",
    "libavcodec-ffmpeg.so.56",
    "libavcodec.so.57",
    "libavcodec.so.56",
    "libavcodec.so.55",
    "libavcodec.so.54",
    "libavcodec.so.53",

    // "libgstreamer-0.10.so.0",
    // "libgstapp-0.10.so.0",
    // "libgstvideo-0.10.so.0",

comment:4 Changed 3 years ago by yawning

Description: modified (diff)
Summary: Deprecate the extra codecs/volatile extension dir optionsDeprecate the volatile extension dir options

The extra codec deprecation is now #22933, and this ticket is fixed in master.

comment:5 Changed 3 years ago by yawning

Resolution: fixed
Status: acceptedclosed
Note: See TracTickets for help on using tickets.