Change History (6)

comment:1 Changed 20 months ago by sysrqb

(For reference, #20121 was the Tor Browser ticket)

comment:2 Changed 20 months ago by rl1987

We should do some design work to decide how this should be implemented and how we want TBB et al. to interact with sandboxed tor(1).

The contents of the sandbox profile will largely depend on the configuration in torrc - we allow and deny file/network/OS operations based on configuration. Changing the configuration would require changing the sandbox profile.

We could implement a command line argument that generates an SBPL file from the tor configuration without actually starting tor, e.g.:

tor --generate-sbpl

Then the user (or would launch tor (with the same config) through sandbox-exec(1):

sandbox-exec -f tor

There's libseccomp-based Linux sandboxing code in the tor codebase already. Ideally we would want the macOS code to be consistent with the existing stuff in sandbox.c and perhaps reuse some of the logic.

Note that the sandbox_init() C function is deprecated in modern macOS, so we probably shouldn't write code that sandboxes tor from inside the process. Furthermore, Apple does seem to want 3rd party developers to use SBPL. Instead, they want everyone to use Xcode to configure what a program is and isn't allowed to do (not sure if we want to go that way - I would prefer the above approach).

Also, sandbox-exec(1) is deprecated in macOS as of 10.13.5. So I'm not really convinced this would be a good investment for little-t-tor, as the underlying APIs are not exactly public and might disappear in the next few years. We probably do not want to add Xcode as a dependency to our macOS builds.

Last edited 20 months ago by rl1987
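As an added illustration of the `tor --generate-sbpl` idea sketched above (example code written for this page, not anything from the Tor project): a small Python generator that derives a deny-by-default SBPL profile from a few torrc directives. The torrc content is constructed, and the mapping from directives to SBPL rules is an assumption about what such a profile would need to permit, not Tor's actual behaviour.

```python
from typing import Dict, List

# Constructed sample torrc for illustration (not a Tor project file).
SAMPLE_TORRC = """\
DataDirectory /var/lib/tor
SocksPort 9050
ControlPort 127.0.0.1:9051   # control socket, loopback only
Log notice file /var/log/tor/notices.log
"""

def parse_torrc(text: str) -> Dict[str, List[str]]:
    """Collect torrc directives as key -> list of values; '#' starts a comment."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key, []).append(value.strip())
    return conf

def generate_sbpl(conf: Dict[str, List[str]]) -> str:
    """Emit a deny-by-default SBPL profile whose allow rules follow the torrc.

    Assumed rule set: everything not derived from the configuration is denied,
    so an unexpected write or listener shows up as a sandbox violation.
    """
    rules = [
        "(version 1)",
        "(deny default)",
        # Baseline any process needs: shared libraries and the CSPRNG device.
        '(allow file-read* (subpath "/usr/lib") (subpath "/System/Library")'
        ' (literal "/dev/urandom"))',
        # Tor builds circuits to arbitrary relays, so outbound stays open.
        '(allow network-outbound (remote ip "*:*"))',
    ]
    for path in conf.get("DataDirectory", []):
        rules.append(f'(allow file-read* file-write* (subpath "{path}"))')
    for value in conf.get("Log", []):
        fields = value.split()
        if "file" in fields:  # "Log notice file <path>": only that file is writable
            rules.append(f'(allow file-write* (literal "{fields[fields.index("file") + 1]}"))')
    for directive in ("SocksPort", "ControlPort"):
        for value in conf.get(directive, []):
            addr = value.split()[0]               # drop flags such as IsolateDestAddr
            host, _, port = addr.rpartition(":")  # "9050" or "127.0.0.1:9051"
            listen = f'{host or "localhost"}:{port}'
            rules.append(f'(allow network-bind network-inbound (local ip "{listen}"))')
    return "\n".join(rules) + "\n"

if __name__ == "__main__":
    print(generate_sbpl(parse_torrc(SAMPLE_TORRC)))
```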

comment:3 Changed 20 months ago by ahf

Owner: set to ahf
Status: new → assigned

Assigning this to myself. Have some promising experimental code.

comment:4 Changed 19 months ago by ahf

Started some early refactoring work for this to be possible in

comment:5 Changed 19 months ago by asn

Keywords: macos sandbox added

comment:6 Changed 8 months ago by gaba

Cc: ahf added
Owner: ahf deleted

Liberating some of the tickets that ahf had.