Change History (2)

comment:1 Changed 3 days ago by sysrqb

(For reference, #20121 was the Tor Browser ticket)

comment:2 Changed 35 hours ago by rl1987

We should do some design work to decide how this should be implemented and how we want TBB et al. to interact with sandboxed tor(1).

The contents of the sandbox profile will largely depend on the configuration in torrc - we allow and deny file/network/OS operations based on configuration. Changing the configuration would require changing the sandbox profile.

We could implement a command line argument that generates an SBPL file from the tor configuration without actually starting tor, e.g.:

tor --generate-sbpl tor.sb

Then the user (or TorBrowser.app) would launch tor (with the same config) through sandbox-exec(1):

sandbox-exec -f tor.sb tor

There's libseccomp-based Linux sandboxing code in the tor codebase already. Ideally we would want the macOS code to be consistent with the existing stuff in sandbox.c and perhaps reuse some of the logic.

Note that the sandbox_init() C function is deprecated in modern macOS. So we probably shouldn't write code that sandboxes tor from inside the process. Furthermore, Apple does seem to want third-party developers to use SBPL. Instead, they want everyone to use Xcode to configure what a program is and isn't allowed to do (not sure if we want to go that way - I would prefer the above approach).

Also sandbox-exec(1) is deprecated in macOS as of 10.13.5. So I'm not really convinced this would be a good investment for little-t-tor, as the underlying APIs are not exactly public and might disappear in next few years. We probably do not want to add Xcode as dependency to our macOS builds.

Last edited 35 hours ago by rl1987
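To make the proposed "generate a profile from torrc, then launch through sandbox-exec" flow concrete, here is an added example of what such a generator could look like as a shell script. It is not tor's code and tor has no --generate-sbpl option; the script is a stand-in for that option. The SBPL operations it emits (file-read*, file-write*, network-bind, network-inbound, network-outbound, the subpath/literal and local/remote ip filters) are the ones seen in the profiles Apple ships under /System/Library/Sandbox/Profiles, but the rule set is only a starting point that a real tor build would have to extend from sandbox violation logs, not a complete profile. The sample torrc is constructed for the demonstration.

```shell
#!/bin/sh
# Stand-in for the proposed "tor --generate-sbpl": read a torrc and print an
# SBPL profile that sandbox-exec(1) can apply to tor. Added example, not tor's
# own code; the allow rules are a starting point, not a complete profile.

# Print the value of every "KEY value" line in torrc $1 whose keyword is $2,
# with leading whitespace and trailing "# comments" stripped.
torrc_values() {
    sed -n -e 's/[[:space:]]*#.*$//' \
           -e 's/^[[:space:]]*'"$2"'[[:space:]][[:space:]]*//p' "$1" |
        sed -e 's/[[:space:]]*$//'
}

# sandbox-exec matches canonical paths, and /var, /tmp and /etc are symlinks
# into /private on macOS, so profile paths must use the /private form.
canon() {
    case "$1" in
        /var/*|/tmp/*|/etc/*) printf '/private%s\n' "$1" ;;
        *)                    printf '%s\n' "$1" ;;
    esac
}

# Emit bind/accept rules for one *Port value ("9050", "127.0.0.1:9050",
# "0.0.0.0:9001", "auto", "0", "unix:/path", optionally followed by flags).
# $2 is the host assumed when the value carries no address. SBPL ip filters
# only distinguish "localhost" from "*", so non-loopback addresses widen to "*".
port_rule() {
    default_host=$2
    set -- $1                                   # drop trailing flags
    case "$1" in
        0|"")      return 0 ;;                  # listener disabled
        auto)      printf '(allow network-bind network-inbound (local ip "%s:*"))\n' "$default_host" ;;
        unix:*)    printf '(allow file-write* (literal "%s"))\n' "$(canon "${1#unix:}")" ;;
        127.0.0.1:*|localhost:*|\[::1\]:*)
                   printf '(allow network-bind network-inbound (local ip "localhost:%s"))\n' "${1##*:}" ;;
        *:*)       printf '(allow network-bind network-inbound (local ip "*:%s"))\n' "${1##*:}" ;;
        *)         printf '(allow network-bind network-inbound (local ip "%s:%s"))\n' "$default_host" "$1" ;;
    esac
}

# Print a complete profile for torrc $1 on stdout.
generate_sbpl() {
    torrc=$1
    datadir=$(torrc_values "$torrc" DataDirectory | tail -n 1)
    datadir=$(canon "${datadir:-$HOME/.tor}")   # tor's default when unset

    printf '(version 1)\n(deny default)\n'
    # Read-only system paths: libraries, resolver/hosts files, the kernel RNG.
    printf '(allow file-read* (subpath "/usr/lib") (subpath "/usr/share")\n'
    printf '       (subpath "/System/Library") (subpath "/private/etc")\n'
    printf '       (literal "/dev/urandom") (literal "/dev/null"))\n'
    printf '(allow file-write-data (literal "/dev/null"))\n'
    printf '(allow file-read-metadata)\n(allow sysctl-read)\n(allow signal (target self))\n'

    # Keys, state and cached directory data live in DataDirectory; it is the
    # only directory tree that should be writable.
    printf '(allow file-read* file-write* (subpath "%s"))\n' "$datadir"

    # "Log notice file /path": tor must create and append to that file.
    torrc_values "$torrc" Log | while read -r sev kind path _; do
        if [ "$kind" = file ]; then
            printf '(allow file-read* file-write* (literal "%s"))\n' "$(canon "$path")"
        fi
    done
    for key in GeoIPFile GeoIPv6File; do                 # read-only inputs
        torrc_values "$torrc" "$key" | while read -r path; do
            printf '(allow file-read* (literal "%s"))\n' "$(canon "$path")"
        done
    done

    # Client-facing listeners default to loopback, relay listeners to all
    # interfaces; a listener needs network-bind plus network-inbound.
    for key in SocksPort ControlPort DNSPort TransPort HTTPTunnelPort; do
        torrc_values "$torrc" "$key" | while read -r value; do port_rule "$value" localhost; done
    done
    for key in ORPort DirPort; do
        torrc_values "$torrc" "$key" | while read -r value; do port_rule "$value" '*'; done
    done
    torrc_values "$torrc" ControlSocket | while read -r path; do
        printf '(allow file-write* (literal "%s"))\n' "$(canon "$path")"
    done

    # tor connects to arbitrary relays, so outbound TCP cannot be narrowed.
    printf '(allow network-outbound (remote ip "*:*"))\n'
}

# Constructed sample torrc for the demonstration (not from a real deployment).
write_sample_torrc() {
    f=${TMPDIR:-/tmp}/torrc.sample.$$
    cat > "$f" <<'EOF'
# Tor Browser-style client configuration
DataDirectory /var/lib/tor-browser
SocksPort 127.0.0.1:9150 IsolateDestAddr
ControlPort 9151
DNSPort 0
Log notice file /var/log/tor/notices.log
GeoIPFile /opt/tor/share/geoip
EOF
    printf '%s\n' "$f"
}

if [ "$#" -gt 0 ]; then
    generate_sbpl "$1"      # usage: sh gen-sbpl.sh torrc > tor.sb
fi
```

With the generated file, the launch step from the comment becomes `sandbox-exec -f tor.sb tor -f torrc`; the profile and the torrc must be kept in step, which is exactly the coupling the comment points out. Running the sample through the script yields a deny-by-default profile that only opens DataDirectory and the log file for writing, binds only localhost:9150 and localhost:9151, emits nothing for the disabled DNSPort, and allows outbound TCP anywhere.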